I completely agree with your comment. We might be doing a poor job at explaining what Chainloop is compared to Sigstore.
Chainloop is built on top of Sigstore's (among others) great OSS building blocks. We use cosign, in-toto and DSSE for generation or OCI for storing the attestations. It's true that today the signing is done using an asymmetric cosign key at the moment of the attestation crafting, but we have plans to implement keyless/identity signing and verifying using Sigstore fulcio+rekor.
I am afraid I don't have a formed opinion on the sigsum project yet.
Thanks for the pointer though; it indeed looks interesting and might come in handy once we start the effort of adding a transparency log (i.e. rekor) to Chainloop.