Currently, we use Sigstore to generate ephemeral keys which are then used with in-toto for signing (and the public key is stored and used for verification later). We probably should store the certificate from Sigstore in addition to, or instead of, the public key and use that for verification.
This issue should take a closer look at what would be possible with regards to using Sigstore for verification, perhaps using the Sigstore bundle feature for offline verification.
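The difference between "verify with a stored public key" and "verify with the stored certificate" is easiest to see in code. The block below is an added illustration, not code from this project or from Sigstore/in-toto. It stands in for the keyless flow with three simplifications, all assumed for the example: the certificate is self-signed instead of Fulcio-issued (so chain validation against the Fulcio root is omitted), the signing time is a field in the envelope instead of the Rekor integrated time or a timestamp-authority token that a real bundle would carry, and the envelope holds the raw payload rather than base64. The DSSE pre-authentication encoding, the email SAN identity and the P-256 ECDSA key follow what in-toto and Fulcio actually use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Envelope is a simplified DSSE envelope (in-toto's signature format) that stores
// the signer's certificate next to the signature instead of a bare public key.
type Envelope struct {
	PayloadType string
	Payload     []byte
	Sig         []byte    // ASN.1 ECDSA signature over the PAE bytes
	CertPEM     []byte    // certificate binding the ephemeral key to an identity
	SignedAt    time.Time // assumed stand-in for a Rekor / timestamp-authority time
}

// pae builds DSSE's Pre-Authentication Encoding. The signature covers these bytes,
// not the raw payload, so the payload type is bound into the signature as well.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s",
		len(payloadType), payloadType, len(payload), payload))
}

// signWithEphemeralKey mimics keyless signing: a fresh P-256 key, a short-lived
// certificate naming the identity in an email SAN (as Fulcio does), one DSSE
// signature, and then the private key is discarded. Self-signed here (assumption);
// Fulcio would issue it from its CA.
func signWithEphemeralKey(identity, payloadType string, payload []byte) (*Envelope, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		NotBefore:      now.Add(-time.Minute),
		NotAfter:       now.Add(10 * time.Minute), // Fulcio certificates also live for minutes
		KeyUsage:       x509.KeyUsageDigitalSignature,
		EmailAddresses: []string{identity},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{
		PayloadType: payloadType, Payload: payload, Sig: sig, SignedAt: now,
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
	}, nil
}

// verifyEnvelope verifies with the stored certificate: check the identity it names,
// check the signature was made inside the certificate's validity window, then verify
// the signature with the certificate's key. A bare public key could do only the last step.
func verifyEnvelope(env *Envelope, expectedIdentity string) error {
	block, _ := pem.Decode(env.CertPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("envelope does not carry a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	identityOK := false
	for _, e := range cert.EmailAddresses {
		identityOK = identityOK || e == expectedIdentity
	}
	if !identityOK {
		return fmt.Errorf("certificate names %v, expected %q", cert.EmailAddresses, expectedIdentity)
	}
	// The certificate is normally expired by verification time, so the check is
	// "valid at signing time"; that time must come from a trusted source (Rekor), not the signer.
	if env.SignedAt.Before(cert.NotBefore) || env.SignedAt.After(cert.NotAfter) {
		return errors.New("signing time is outside the certificate's validity window")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(pae(env.PayloadType, env.Payload))
	if !ecdsa.VerifyASN1(pub, digest[:], env.Sig) {
		return errors.New("signature does not verify over the PAE bytes")
	}
	return nil
}

func main() {
	// Constructed sample in-toto statement, not a real attestation.
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[]}`)
	env, err := signWithEphemeralKey("builder@example.com", "application/vnd.in-toto+json", payload)
	if err != nil {
		panic(err)
	}
	fmt.Println("as builder@example.com:", verifyEnvelope(env, "builder@example.com"))
	fmt.Println("as other@example.com:  ", verifyEnvelope(env, "other@example.com"))
}
```

The point of keeping the certificate is the identity and validity checks: with only the public key saved, a verifier can confirm that some key signed the envelope but cannot say whose key it was or whether the signature was made while that key was authorised. A Sigstore bundle packages exactly the pieces this example fakes (the Fulcio certificate, the Rekor entry or timestamp, and the signature), which is what makes offline verification possible.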