For future improvements these are the things I think we should address:
- Appending the signature to the transparency log is the default in v2 (where it was only done for keyless in v1) and we can opt out. We should provide that option.
- Verify an image using keyless verification with the given certificate chain and identity parameters, without Fulcio roots (for BYO PKI): `cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity foo@example.com <IMAGE>`
- `k8s-keychain`, whether to use the Kubernetes keychain instead of the default keychain (supports workload identity).
- `rekor-url`, for private Rekor instances.
- `signature-digest-algorithm`, the default is sha-256.

There is also the topic of SBOM attachment, but there is a different discussion for that.
Originally posted by @souleb in https://github.com/fluxcd/source-controller/issues/1096#issuecomment-1556769007
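Added example, not taken from the issue or from source-controller: a POSIX shell helper that composes the `cosign verify` invocation from the options listed in the comment above and rejects contradictory or unsafe combinations before anything is executed. The environment-variable names and image references are constructed for this example; the flag names are cosign v2's (v2 renamed the comment's `--cert-chain` to `--certificate-chain`, and opting out of transparency-log verification is `--insecure-ignore-tlog`), so confirm them against `cosign verify --help` for the version in use.

```shell
#!/bin/sh
# Added example: build a `cosign verify` argument list from the options
# discussed in the fluxcd/source-controller issue. Nothing here runs cosign;
# the function prints one argument per line so it can be fed to `xargs` or
# `set --`, and returns non-zero when the option combination is invalid.
#
# Options are read from environment variables (names constructed for this
# example, not part of cosign or source-controller):
#   KEY           public key file (key-based verification)
#   CERT_CHAIN    PEM CA chain for BYO-PKI keyless verification
#   OIDC_ISSUER   expected certificate OIDC issuer (required with CERT_CHAIN)
#   IDENTITY      expected certificate identity (required with CERT_CHAIN)
#   REKOR_URL     private Rekor instance (optional)
#   IGNORE_TLOG   "true" to opt out of transparency-log verification
#   K8S_KEYCHAIN  "true" to resolve registry credentials via the k8s keychain
#   DIGEST_ALG    sha256 (cosign's default), sha384 or sha512
build_verify_cmd() {
  image="$1"
  [ -n "$image" ] || { echo "image reference required" >&2; return 1; }

  # Key-based and keyless verification are mutually exclusive, and one of
  # them must be chosen: cosign v2 does not verify anything without trust
  # material.
  if [ -n "$KEY" ] && [ -n "$CERT_CHAIN" ]; then
    echo "KEY and CERT_CHAIN are mutually exclusive" >&2; return 1
  fi
  if [ -z "$KEY" ] && [ -z "$CERT_CHAIN" ]; then
    echo "either KEY or CERT_CHAIN must be set" >&2; return 1
  fi
  # A chain alone would accept any certificate issued by that CA; the issuer
  # and identity pin which signer is trusted.
  if [ -n "$CERT_CHAIN" ] && { [ -z "$OIDC_ISSUER" ] || [ -z "$IDENTITY" ]; }; then
    echo "CERT_CHAIN requires OIDC_ISSUER and IDENTITY" >&2; return 1
  fi
  alg="${DIGEST_ALG:-sha256}"
  case "$alg" in
    sha256|sha384|sha512) ;;
    *) echo "unsupported digest algorithm: $alg" >&2; return 1 ;;
  esac

  printf '%s\n' cosign verify
  if [ -n "$KEY" ]; then
    printf '%s\n' --key "$KEY"
  else
    printf '%s\n' --certificate-chain "$CERT_CHAIN" \
      --certificate-oidc-issuer "$OIDC_ISSUER" \
      --certificate-identity "$IDENTITY"
  fi
  [ -n "$REKOR_URL" ] && printf '%s\n' --rekor-url "$REKOR_URL"
  # Opting out of the transparency log means the signature is trusted on the
  # key/certificate alone; cosign marks the flag "insecure" for that reason.
  [ "$IGNORE_TLOG" = "true" ] && printf '%s\n' --insecure-ignore-tlog=true
  [ "$K8S_KEYCHAIN" = "true" ] && printf '%s\n' --k8s-keychain
  printf '%s\n' --signature-digest-algorithm "$alg" "$image"
}

# Usage (constructed values): keyless BYO-PKI verification with the
# Kubernetes keychain, transparency log still checked.
# CERT_CHAIN=chain.crt OIDC_ISSUER=https://issuer.example.com \
#   IDENTITY=foo@example.com K8S_KEYCHAIN=true \
#   build_verify_cmd ghcr.io/example/app:1.0 | xargs
```

The validation mirrors the ordering a controller should use: decide the trust root first (key or chain plus identity), then apply the optional transport settings (Rekor endpoint, keychain, digest algorithm), so a misconfigured `OCIRepository` fails at reconciliation time rather than silently verifying against an unpinned chain.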