GitLab CI/CD Keyless Cosign Image Signing Prompt
Sign container images in a GitLab pipeline with keyless Cosign using GitLab ID tokens (OIDC) and Sigstore, then verify signatures at deploy time — no long-lived signing keys to rotate or leak.
- Target user: DevSecOps engineers hardening container supply chains in GitLab
- Difficulty: Advanced
- Tools: Claude, ChatGPT
The prompt
You are a senior DevSecOps engineer who has rolled out keyless image signing with Cosign and Sigstore driven entirely by GitLab CI/CD ID tokens, and you understand Fulcio, Rekor, and OIDC subject claims.

I will provide:

- My current image build/push job in `.gitlab-ci.yml`
- My registry (GitLab Container Registry or external) and GitLab version
- Whether I want public Sigstore or a private Fulcio/Rekor deployment

Your job:

1. **Keyless model** — explain how Cosign exchanges the short-lived OIDC token from `id_tokens:` for a Fulcio certificate bound to the job's identity, signs with an ephemeral key, and records the signature in Rekor, and why this removes the key-rotation and key-leak problem of `cosign generate-key-pair`.
2. **ID token wiring** — show the signing job with `id_tokens:` configured with the correct `aud` for Sigstore, and how that token is passed to `cosign sign`.
3. **Signing job** — produce the `.gitlab-ci.yml` job that builds, pushes, resolves the pushed digest, and signs that digest (never a mutable tag).
4. **Verification policy** — show `cosign verify` with `--certificate-identity-regexp` and `--certificate-oidc-issuer` pinned to my GitLab instance and project path, so only my pipeline's signatures are trusted.
5. **Admission/deploy gate** — outline enforcing verification at deploy time (a policy controller in the cluster, or a verify job that blocks promotion).
6. **Failure modes** — Rekor outage, wrong `aud`, signing a tag instead of a digest, and an identity regex that is too loose.

Output as:

- (a) the signing job with `id_tokens:`
- (b) the verification command with pinned identity and issuer
- (c) a deploy-gate snippet
- (d) a misconfiguration checklist

Reject any design that verifies by tag rather than digest, or that omits the OIDC issuer pin.
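The pipeline the prompt asks for, written out as an added example; it is not part of the original page and not output from the prompt. It assumes a project at `https://gitlab.com/my-group/my-app` (placeholder path), releases from the `main` branch, a Docker-in-Docker build pushing to the GitLab Container Registry, public Sigstore (Fulcio and Rekor), and a deploy step using `kubectl`. The Cosign and kubectl image tags are placeholders to be pinned to versions you have tested.

```yaml
# Added example, not from the original page. Assumptions: project
# https://gitlab.com/my-group/my-app (placeholder), releases from main,
# Docker-in-Docker build, GitLab Container Registry, public Sigstore.
# Image tags for cosign and kubectl are placeholders; pin what you tested.

stages: [build, sign, verify, deploy]

variables:
  IMAGE: $CI_REGISTRY_IMAGE/app

.main_only:
  rules:
    - if: $CI_COMMIT_BRANCH == "main"

build:
  stage: build
  image: docker:27
  services: [docker:27-dind]
  script:
    - echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
    - docker build -t "$IMAGE:$CI_COMMIT_SHA" .
    - docker push "$IMAGE:$CI_COMMIT_SHA"
    # Resolve the immutable digest of what was actually pushed. Everything
    # downstream signs, verifies and deploys this digest, never the tag.
    - IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE:$CI_COMMIT_SHA" | cut -d@ -f2)
    - echo "IMAGE_DIGEST=$IMAGE_DIGEST" > digest.env
  artifacts:
    reports:
      dotenv: digest.env

sign:
  stage: sign
  extends: .main_only
  needs: [build]
  image:
    name: gcr.io/projectsigstore/cosign:v2.4.1   # placeholder version
    entrypoint: [""]
  # GitLab mints a short-lived OIDC token scoped to this job. Fulcio expects
  # the audience "sigstore"; any other aud value is rejected at certificate
  # issuance. Cosign 2.x also reads SIGSTORE_ID_TOKEN from the environment on
  # its own; the explicit flag below just makes the wiring visible.
  id_tokens:
    SIGSTORE_ID_TOKEN:
      aud: sigstore
  script:
    - cosign login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
    - cosign sign --yes --identity-token "$SIGSTORE_ID_TOKEN" "$IMAGE@$IMAGE_DIGEST"

verify:
  stage: verify
  extends: .main_only
  needs: [build, sign]
  image:
    name: gcr.io/projectsigstore/cosign:v2.4.1   # placeholder version
    entrypoint: [""]
  script:
    # Pin both the issuer and the signing identity. The GitLab identity in the
    # Fulcio certificate has the form "<project URL>//<CI config path>@<ref>",
    # so the anchored regexp accepts only this project's .gitlab-ci.yml running
    # on main. An unanchored pattern such as ".*my-app.*" would also accept a
    # fork, a same-named project in another group, or any feature branch.
    - |
      cosign verify "$IMAGE@$IMAGE_DIGEST" \
        --certificate-oidc-issuer "https://gitlab.com" \
        --certificate-identity-regexp '^https://gitlab\.com/my-group/my-app//\.gitlab-ci\.yml@refs/heads/main$'

deploy:
  stage: deploy
  extends: .main_only
  needs: [build, verify]
  image: bitnami/kubectl   # placeholder; pin a version
  script:
    # Reachable only if verify passed; roll out the exact digest that was verified.
    - kubectl set image deployment/app app="$IMAGE@$IMAGE_DIGEST"
```

Two operational notes on the failure modes listed in the prompt. With public Sigstore, `cosign sign` fails closed when Rekor is unreachable, which is the behaviour you want; working around an outage with `--tlog-upload=false` produces signatures that `cosign verify` will only accept with `--insecure-ignore-tlog`, so treat the outage as a pipeline delay rather than something to bypass. For a self-managed instance with a private Fulcio/Rekor, the issuer pin becomes your instance URL, `cosign sign` gets `--fulcio-url` and `--rekor-url`, and `cosign verify` needs the same `--rekor-url` plus the private trust root loaded via `cosign initialize`; the identity regexp keeps the same `<project URL>//<CI config path>@<ref>` shape.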