by wlynch 1395 days ago
+1 to this!

https://docs.sigstore.dev/fulcio/certificate-issuing-overvie... has a good overview of how the certificate issuing works.

With Gitsign, by default a new keypair is generated per signing event (i.e. per commit) and never hits disk. The cert in the commit signature holds the public key, which we can check against Rekor (https://docs.sigstore.dev/rekor/overview) to verify it was valid at the time of signing.

If you have the time, https://www.youtube.com/watch?v=PVhRQFS9Njg is a great deep dive into how Sigstore works in general!
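To make the flow in the comment above concrete, here is an added toy model in Go (not Gitsign's or Sigstore's code, and not their wire formats): each signing event generates a fresh ECDSA keypair that is never persisted, a stand-in "cert" binds the public key to an assumed 10-minute validity window, and an in-memory append-only log plays the role of Rekor. Verification uses only the public key carried with the commit and then requires a log entry for that key whose integration time falls inside the cert's window, so a cert that has long since expired still verifies as long as it was valid when the signature was logged. The `Cert`, `Log`, and `certLifetime` names are inventions for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Cert is a toy stand-in for a short-lived signing certificate: it binds an
// ephemeral public key to a validity window (constructed model, not Fulcio's X.509 cert).
type Cert struct {
	PubKey    *ecdsa.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
}

// CommitSig is what the signed commit carries: the cert (and thus the public key) plus the signature.
type CommitSig struct {
	Cert Cert
	Sig  []byte
}

// LogEntry models one transparency-log record (constructed; real Rekor entries differ).
type LogEntry struct {
	Cert           Cert
	Digest         []byte
	Sig            []byte
	IntegratedTime time.Time
}

// Log is an append-only, in-memory stand-in for Rekor.
type Log struct{ Entries []LogEntry }

// certLifetime is an assumed short validity window for the toy cert.
const certLifetime = 10 * time.Minute

// SignCommit generates a fresh keypair for this one commit, issues a toy cert for it,
// signs the commit digest, records the event in the log, and lets the private key
// go out of scope: it is never written anywhere or returned.
func SignCommit(commit []byte, now time.Time, log *Log) (CommitSig, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return CommitSig{}, err
	}
	cert := Cert{PubKey: &priv.PublicKey, NotBefore: now, NotAfter: now.Add(certLifetime)}
	digest := sha256.Sum256(commit)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return CommitSig{}, err
	}
	log.Entries = append(log.Entries, LogEntry{Cert: cert, Digest: digest[:], Sig: sig, IntegratedTime: now})
	return CommitSig{Cert: cert, Sig: sig}, nil
}

// VerifyCommit checks the signature with the public key from the cert, then requires a
// log entry for the same key and signature whose integration time lies inside the cert's
// validity window. The cert may be expired by now; only the time of signing matters.
func VerifyCommit(commit []byte, cs CommitSig, log *Log) error {
	digest := sha256.Sum256(commit)
	if !ecdsa.VerifyASN1(cs.Cert.PubKey, digest[:], cs.Sig) {
		return errors.New("signature does not verify against the cert's public key")
	}
	for _, e := range log.Entries {
		if !e.Cert.PubKey.Equal(cs.Cert.PubKey) || !bytes.Equal(e.Sig, cs.Sig) {
			continue
		}
		if e.IntegratedTime.Before(cs.Cert.NotBefore) || e.IntegratedTime.After(cs.Cert.NotAfter) {
			return errors.New("log entry exists but lies outside the cert validity window")
		}
		return nil
	}
	return errors.New("no transparency log entry for this key and signature")
}

func main() {
	// Constructed sample commit content and a fixed signing time.
	lg := &Log{}
	commit := []byte("tree 4b825dc\nauthor dev <dev@example.test>\n\nfix: handle empty input\n")
	signedAt := time.Date(2022, 6, 1, 12, 0, 0, 0, time.UTC)
	cs, err := SignCommit(commit, signedAt, lg)
	if err != nil {
		panic(err)
	}
	fmt.Println("verify original:", VerifyCommit(commit, cs, lg))
	fmt.Println("verify tampered:", VerifyCommit([]byte("tampered"), cs, lg))
}
```

The design point worth noticing is that `VerifyCommit` never consults the current clock: trusting the log's integration time is what lets a per-commit key be thrown away immediately while commits remain verifiable years later.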