Matt Moore

@damienmg is it possible to add this to Bazel CI?

This is similar to: https://github.com/knative/serving/issues/9039

We should dedup this with #9039 to consolidate.

@damienmg assigning to you to redirect appropriately.

Was talking to @puerco about having "layer" packages, and while it is probably overkill for what we have right now, it may make sense when we do this to note...

Do it, it doesn't work well enough on macOS, so I haven't used it since I left Google, and I'm not sure I ever tested it after some of Jon's...

+1 to native integration here. Generally my preference would be to bias towards the ephemeral key route and use the same ephemeral key to sign all of the images produced...

This PR includes a technique I have been using to incorporate keyless signing into some ko-like tools: https://github.com/sigstore/cosign/pull/647 Basically it only kicks in when `COSIGN_EXPERIMENTAL=true` for now, which is similar...

I think the first order of business will be to get the distroless images signed against Fulcio. For configuring things, I think trying to standardize on env vars in cosign...

Ok, full keyboard so here's sort of what I'm thinking in terms of phasing this in. 1. No change unless TBD `*EXPERIMENT*` env var is set, at which point base...