Bug
Resolution: Done
Blocker
Pipelines Sprint 220, Pipelines Sprint 221
In Tekton Chains you must define a secret called signing-secrets to hold the key used for signing tasks and images. However, whenever the Pipelines operator is updated, this secret is reset (overwritten) back to the default and the key is lost. Chains stops working until the secret is updated with the key again.
Tekton Chains does not allow an alternate secret to be specified and creates this secret by default, which leads to other issues beyond the key being overwritten on upgrades. Using tools like Vault or Sealed Secrets to manage secrets is challenging when the secret already exists, since extra effort is needed to remove it or annotate it so the tool can take it over.
Ideally this secret should be configurable, with multiple secrets supported. Ideally the signing secret should also be optionally co-located with the pipeline that is running, so that different teams in the same cluster can use different keys.
Finally, the other challenge is that when this problem occurs there is no annotation or status created on the TaskRuns to indicate there is a problem. The annotation "chains.tekton.dev/signed: 'true'" is added, but no other information is added. If signing fails there should be an annotation or status message indicating the problem rather than having someone go through the controller logs.
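As an added defender-side check (example code, not Tekton's or the operator's own), the script below reads TaskRun and Secret objects in the JSON shape `kubectl ... -o json` emits and flags two things the description leaves you to discover from controller logs: successful TaskRuns that never received `chains.tekton.dev/signed: "true"`, and drift of the signing key, detected by comparing a fingerprint of the secret's key material with the one you provisioned. The `cosign.key` data key and every sample object here are assumptions/constructed, not taken from the issue.

```python
import base64
import hashlib

SIGNED_ANNOTATION = "chains.tekton.dev/signed"

def succeeded(taskrun):
    """True when the TaskRun's Succeeded condition has status True."""
    for cond in taskrun.get("status", {}).get("conditions", []):
        if cond.get("type") == "Succeeded":
            return cond.get("status") == "True"
    return False

def unsigned_taskruns(taskrun_list):
    """Names of successful TaskRuns that Chains never annotated as signed."""
    return [
        tr["metadata"]["name"]
        for tr in taskrun_list.get("items", [])
        if succeeded(tr)
        and tr["metadata"].get("annotations", {}).get(SIGNED_ANNOTATION) != "true"
    ]

def key_fingerprint(secret, data_key="cosign.key"):
    """SHA-256 of the decoded key, so drift is detectable without logging the key."""
    return hashlib.sha256(base64.b64decode(secret["data"][data_key])).hexdigest()

def secret_drifted(secret, expected_fingerprint, data_key="cosign.key"):
    """True if the in-cluster secret no longer carries the key you provisioned."""
    return key_fingerprint(secret, data_key) != expected_fingerprint

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def _taskrun(name, annotations, status):
    # Constructed sample in the shape of `kubectl get taskruns -o json` items.
    return {"metadata": {"name": name, "annotations": annotations},
            "status": {"conditions": [{"type": "Succeeded", "status": status}]}}

SAMPLE_TASKRUNS = {"items": [
    _taskrun("build-run-1", {SIGNED_ANNOTATION: "true"}, "True"),  # signed
    _taskrun("build-run-2", {}, "True"),                            # finished, never signed
    _taskrun("build-run-3", {}, "False"),                           # failed run, out of scope
]}
# Constructed secrets: the key you provisioned vs. what an operator upgrade left behind.
PROVISIONED = {"data": {"cosign.key": _b64("constructed-team-key")}}
AFTER_RESET = {"data": {"cosign.key": _b64("constructed-default-key")}}
```

Against a live cluster, feed it `kubectl get taskruns -A -o json` and `kubectl get secret signing-secrets -o json` parsed with `json.load`. Chains annotates only after a TaskRun completes, so allow a short grace period before treating a missing annotation as a signing failure.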
- relates to:
  - SRVKP-2349 Chains config map is reset on operator upgrade (Closed)
  - SRVKP-2396 Chains: secret and config map removed on operator uninstallation (Closed)