Jerrad Dahlager
@nineliveszerotrust.com
Cloud Security Architect | Adjunct Instructor | Writing about cloud security for the curious 🐱 | CISSP | CCSP | MN Sports ⚾ | nineliveszerotrust.com
I’m with you. I think the biggest win is shifting trust from a central signing key to verifiable workload identity. The build proves which repo and workflow produced the artifact, and a transparency log keeps it auditable. Less attack surface than PKI, especially in CI without key custody headaches.
January 10, 2026 at 8:43 PM
I’m with you. I think the biggest win is shifting trust from a central signing key to verifiable workload identity. The build proves which repo and workflow produced the artifact, and a transparency log keeps it auditable. Less attack surface than PKI, especially in CI without key custody headaches.