Deep-Dive into sigstore stack, go-sigstore and cosign as sigstore ref implementation #995

@morri-son

Description
Gather all information around

  • Sigstore infrastructure stack (especially with regard to Rekor v1/v2) and potential local setup in CI
  • go-sigstore library
  • How Cosign implements go-sigstore for signing and verification as reference implementation

to be able to start with the sigstore handler implementation.

Also check the existing ADR for the desired state and how to implement the new credential plugin for sigstore OIDC.

Goal
Present the topic to the team.

Timebox: ~ 1 day(s)

Metadata

Labels

area/ipcei (Important Project of Common European Interest)

Status
🍺 Done
