Currently, we use Sigstore to generate ephemeral keys which are then used with in-toto for signing (and the public key is stored and used for verification later). We probably should store the certificate from Sigstore in addition/instead of the public key and use that for verification.
This issue should take a closer look at what would be possible with regards to using Sigstore for verification, perhaps using the Sigstore bundle feature for offline verification.