Jason Hall

Results 522 comments of Jason Hall

> I still don't have a good answer to this. I might have an okay answer to this. `ko build` and `ko resolve` should have a `--sign`/`-s` flag, but `ko...

OIDC signing for cosign is no longer experimental, after the recent Sigstore GA. I still think I'd like to focus on keyless signing in `ko`, since that's going to end...

> I love the keyless signing but then wondering how we can configure keyless signing w/o browser, typically to have integration with CI/automation. I see lots of `--oidc*` options to...

When you run `cosign sign` inside GitHub Actions with [OIDC enabled](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) (`id-token: write`), `cosign` will automatically pick up the credentials from the environment and not require a browser. For example:...

I think the suggestion in https://github.com/google/ko/pull/571#discussion_r792132067 is still useful; we could add a symlink in the repo and exercise this new path in an e2e test.

Does `go build` work with CGO disabled? (`CGO_ENABLED=0`) ko assumes that it won't be using cgo, since this can make base image selection and multiarch harder. It sounds like this...

I'd like to have some docs about how to make cgo work if you need it, and to document the limitations, but ultimately yeah it's not really something ko is...

I'm going to close this as done, but I should mention I recently added an [example](https://github.com/distroless/ko#usage) of using a `ko` image that includes musl libc to build an app that...

+1 to log-and-continue if pushing the SBOM fails. This will also affect signatures, etc.