Keyless image signing: Sigstore and cosign in CI
Keyless container image signing with Sigstore: cosign, Fulcio and Rekor sign artifacts against your CI's OIDC identity with no long-lived keys. We walk the flow, the pitfalls, and a minimal GitLab CI pipeline with admission-time verification.