I'd proceed with using cosign in "keyless" mode; otherwise we'll also need to deal with key management. The root cause of the cosign step failures was in rotated TUF root certs:
What about adding a verification how-to to README.md: I'd suggest postponing it until the next release; otherwise users might try to verify existing images, which will lead to an error:
IMG=ghcr.io/aenix-io/etcd-operator:v0.2.0
cosign verify ${IMG} --certificate-identity-regexp '.*' --certificate-oidc-issuer=https://token.actions.githubusercontent.com
Error: no signatures found
main.go:69: error during command execution: no signatures found
Fixes: #60