[arch-devops] Artifact signing
Hi all,

shibumi has been writing a few blog posts[1][2][3] on `cosign` recently and its "Keyless Signatures"[4] feature. This motivated me to look into it for artifact signing from our CI[5], in particular for arch-boxes (our VM images). After discussing it on IRC (-devops), I'm sending this mail to get some input. I have opened an MR with a few solutions sketched[6] (with great help from @shibumi).

[1] https://shibumi.dev/posts/first-look-into-cosign/
[2] https://shibumi.dev/posts/what-are-ephemeral-certificates/
[3] https://shibumi.dev/posts/keyless-signatures-with-github-actions/
[4] https://github.com/sigstore/cosign/blob/main/KEYLESS.md
[5] https://gitlab.archlinux.org/archlinux/infrastructure/-/issues/280
[6] https://gitlab.archlinux.org/archlinux/infrastructure/-/merge_requests/508

Best regards,
Kristian Klausen