Jason Hall
It sounds like we should have some kind of `pkg/cosign.Copy` method that looks and acts like [`pkg/crane.Copy`](https://pkg.go.dev/github.com/google/go-containerregistry/pkg/crane#Copy), with a method signature like: ``` func Copy(ctx context.Context, src, dst string, opt...
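To make the shape of the proposed `Copy` concrete, here is an added example that is not code from this thread or from cosign or go-containerregistry. It assumes a constructed in-memory `Registry` keyed by `repo:tag`, a hypothetical `Option`/`WithSignatures`/`WithAttestations` functional-options API in the style of `crane.Copy`, and the real cosign convention that signatures and attestations live under `sha256-<hex>.sig` / `.att` tags in the same repository as the image. The example copies the manifest, then the companion tags that belong to its digest, and honours context cancellation between copies:

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Registry is a constructed in-memory stand-in for an OCI registry, keyed by
// "repo:tag" and holding raw manifest bytes. It exists only for this example.
type Registry map[string][]byte

// Options is hypothetical: it mirrors the functional-options shape of
// crane.Copy, with the context passed explicitly as the proposal suggests.
type Options struct {
	signatures   bool
	attestations bool
}

// Option configures a Copy call.
type Option func(*Options)

// WithSignatures also copies the ".sig" companion tag cosign stores beside an image.
func WithSignatures() Option { return func(o *Options) { o.signatures = true } }

// WithAttestations also copies the ".att" companion tag.
func WithAttestations() Option { return func(o *Options) { o.attestations = true } }

// splitRef splits "repo:tag" into its parts; a missing tag defaults to "latest".
func splitRef(ref string) (repo, tag string) {
	if i := strings.LastIndex(ref, ":"); i >= 0 {
		return ref[:i], ref[i+1:]
	}
	return ref, "latest"
}

// companionTag derives the tag cosign uses for a signature or attestation of
// the manifest with the given digest: "sha256-<hex>.<suffix>".
func companionTag(digest [sha256.Size]byte, suffix string) string {
	return "sha256-" + hex.EncodeToString(digest[:]) + "." + suffix
}

// Copy copies the manifest at src to dst inside reg and then, depending on
// opts, the signature and attestation tags that belong to that manifest's
// digest. It returns the destination references it wrote.
func Copy(ctx context.Context, reg Registry, src, dst string, opts ...Option) ([]string, error) {
	var o Options
	for _, opt := range opts {
		opt(&o)
	}
	manifest, ok := reg[src]
	if !ok {
		return nil, fmt.Errorf("copy: %s not found", src)
	}
	srcRepo, _ := splitRef(src)
	dstRepo, _ := splitRef(dst)

	reg[dst] = append([]byte(nil), manifest...)
	written := []string{dst}

	// Companion tags are keyed by the digest of the manifest bytes.
	digest := sha256.Sum256(manifest)
	var suffixes []string
	if o.signatures {
		suffixes = append(suffixes, "sig")
	}
	if o.attestations {
		suffixes = append(suffixes, "att")
	}
	for _, suffix := range suffixes {
		// Honour cancellation between companion copies, as a network client would.
		if err := ctx.Err(); err != nil {
			return written, err
		}
		tag := companionTag(digest, suffix)
		body, ok := reg[srcRepo+":"+tag]
		if !ok {
			// An absent companion is not an error: an unsigned image simply has none.
			continue
		}
		dstRef := dstRepo + ":" + tag
		reg[dstRef] = append([]byte(nil), body...)
		written = append(written, dstRef)
	}
	return written, nil
}

// demo builds a constructed registry holding a signed image and copies it.
func demo() (Registry, []string, error) {
	manifest := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:abc"}}`)
	digest := sha256.Sum256(manifest)
	reg := Registry{
		"src/app:v1":                             manifest,
		"src/app:" + companionTag(digest, "sig"): []byte("constructed signature payload"),
	}
	written, err := Copy(context.Background(), reg, "src/app:v1", "mirror/app:v1",
		WithSignatures(), WithAttestations())
	return reg, written, err
}

func main() {
	_, written, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, ref := range written {
		fmt.Println("copied", ref)
	}
}
```

The point of threading the digest through is that a `Copy` which only moves the tag would silently drop the signature, because the `.sig` tag is addressed by content, not by the source tag name; a real implementation would resolve the manifest digest from the registry rather than hashing local bytes, but the lookup is the same.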
> I don't think this will really help, but I might be misunderstanding the exact issue. The k8s libraries shouldn't show up in a downstream binary or dependency tree unless...
> I don't think moving the cosigned webhook somewhere else helps with any of these, it just shifts the problem around and means there's a separate repo and go.mod file...
For KMSes it might be as simple as moving KMS provider registration out of `pkg/signature/kms`, into each impl's package, so you can selectively depend on only those KMSes you actually...
I 👍 ed this but I realize it doesn't notify anybody when you do that. 🤦♂️ So, 👍, we should meet some day next week (I'm out Mon+Tues) to map...
That works for me!
> Just finding this issue from twitter. Quick comment for https://github.com/defenseunicorns/zarf as we include both cosign and syft as sdks, the dependency tree is large—but I’d be more concerned with...
We could also have this expressed in Fulcio as "extract useful stuff from the cert" (emails, etc) and have it return those for cosign, policy-controller, etc., to verify against whatever...
Is this good to merge? 🙏
> Will SIGSTORE_ROOT_FILE stay in Cosign? I don't know enough about the use case to comment. I don't think I'd mind as a prospective consumer of the package that its...