As a customer, I am signing my images using BYOPKI Cosign, one of the options supported by Cosign. 

Use case as described by the customer: Customer signs the artifact using unique pair of keys in their own PKI, and use cosign to attach the generated signature and certificate, certificate chain in Registry. OpenShift must be able to verify the artifact by passing trusted root certificate at runtime.