Consult existing practice to make sure argocd does a sane thing.

Design the configuration and impl performing the verification.

Explore (not a complete list):

• https://helm.sh/docs/topics/provenance/
• OCI signing (upstream SME is Blake Pettersson (akuity.​io))