The process is simple if you create a key in cosign... but becomes very tedious and complicated if you want to use a GPG key pair you may be using elsewhere in your pipelines. At least until cosign can import GPG keys directly; it's easy when utilising KMSes for everything...
That’s pretty cool … is there any API to verify after deployment, as the verify is within the agent? Also, does the cosign software need to be installed in the prod env to verify? I am asking from an audit point of view, if they want to verify what’s deployed in prod.