Sign OCI containers & other artifacts using Sigstore Cosign & CircleCI OIDC tokens
Blog post from CircleCI
Sigstore's Fulcio certificate authority now supports CircleCI's OIDC tokens, so developers can sign container images and other artifacts directly from CircleCI pipelines without managing long-lived signing keys. Sigstore, comprising Cosign, Fulcio, and Rekor, provides "keyless" signing: Fulcio issues a short-lived certificate bound to an OIDC identity, Cosign uses that certificate to sign the artifact, and the signing event is recorded in the Rekor transparency log for auditability. Because a CircleCI job can present an OIDC token that attests to its identity, the pipeline can sign its outputs without the key-management burden of traditional signing.

The post highlights three benefits of the integration: less key-management overhead, cryptographic proof of provenance, and stronger security for CI/CD workflows. A sample repository shows how to configure the setup in a pipeline, and developers are invited to the CircleCI forums to discuss and share their experiences with artifact signing.
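The sign-then-verify flow summarized above, as an added shell example that is not the post's or its sample repository's code: `sign_image`, `verify_image`, the registry name and the identity regexp are assumptions; `CIRCLE_OIDC_TOKEN_V2` is the token CircleCI exposes to jobs that run with a context, and the `cosign` flags are those of cosign v2.

```shell
#!/usr/bin/env sh
# Added example (not from the CircleCI post or its sample repo): keyless
# signing of an image from a CircleCI job, and verification of that
# signature on the consuming side. Assumes cosign v2 is on PATH and the job
# runs with a context, which is what makes CIRCLE_OIDC_TOKEN_V2 available.
set -eu

# Sign IMAGE (by digest, never by a mutable tag) with the job's OIDC token.
# Fulcio exchanges the token for a short-lived certificate; cosign signs,
# pushes the signature to the registry, and records the event in Rekor.
sign_image() {
  image="$1"
  if [ -z "${CIRCLE_OIDC_TOKEN_V2:-}" ]; then
    echo "sign_image: CIRCLE_OIDC_TOKEN_V2 is unset; run the job with a context" >&2
    return 1
  fi
  case "$image" in
    *@sha256:*) ;;
    *) echo "sign_image: refusing to sign a tag, pass an image digest" >&2; return 1 ;;
  esac
  cosign sign --yes --identity-token "$CIRCLE_OIDC_TOKEN_V2" "$image"
}

# Verify on the consuming side. Pinning the issuer and identity is what makes
# the check meaningful: without them any Fulcio-issued certificate would pass.
# ORG_ID is the CircleCI organization id. IDENTITY_REGEXP is an assumed
# placeholder for the identity Fulcio writes into the certificate; derive the
# exact value for your org from the SAN shown in `cosign verify` output.
verify_image() {
  image="$1"
  org_id="$2"
  identity_regexp="$3"
  cosign verify \
    --certificate-oidc-issuer "https://oidc.circleci.com/org/${org_id}" \
    --certificate-identity-regexp "$identity_regexp" \
    "$image"
}

# Example invocation with constructed placeholder values:
# sign_image "registry.example/app@sha256:<digest>"
# verify_image "registry.example/app@sha256:<digest>" "<org-uuid>" \
#   '^https://oidc\.circleci\.com/org/<org-uuid>/project/<project-uuid>/'
```

The digest check matters because a tag can be re-pointed after signing, whereas a signature over a digest covers exactly the bytes that were built.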