We currently have a golang implementation of DSSE in https://github.com/sigstore/sigstore here: https://github.com/sigstore/sigstore/tree/main/pkg/signature/dsse

This supports a bunch of key management patterns:

• yubikeys/hardware tokens
• cloud KMS systems (AWS, GCP, Azure)
• ed25519/ecdsa/rsa keys

Should we document that library here? Or at least point to it?

That sounds great!

I think we should! Perhaps we can expand "Who uses it?" in the README to point to a full document that discusses projects using it + implementations?

Curious, is it possible to submit this code to https://github.com/secure-systems-lab/go-securesystemslib/? I see it's relying on the version of that library still in in-toto-golang. If not, we can list it independently via #47 I suppose?