We'd like to use CoSign to sign our Docker image builds. CoSign supports Keyless Signing with Fulcio through OIDC identities (Documentation). However, it is required that the `aud` claim is set to "sigstore". Currently, it's not possible to configure any of the claims in the JWT, which is a blocker.
GitLab and GitHub already support configurable audience claims in their tokens, see:
- https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#id-tokens
I hope Bitbucket will put configurable JWT claims on their roadmap.
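
A pre-flight check for the requirement described above, as an added example that is not part of the original request: it decodes a CI-issued OIDC token's payload and reports whether `aud` contains "sigstore" before the token is handed to the signing step. The function names and the sample tokens are constructed for illustration; the check only inspects claims and does not verify the token's signature.

```python
import base64
import json

REQUIRED_AUD = "sigstore"  # audience value the request above says is required


def b64url(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated parts")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def audience_ok(token: str, required: str = REQUIRED_AUD) -> bool:
    """True if the token's aud claim names the required audience exactly."""
    aud = jwt_claims(token).get("aud")
    # RFC 7519: "aud" is either a single string or an array of strings.
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list):
        audiences = aud
    else:
        audiences = []  # claim missing or of an unexpected type
    return required in audiences


def make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demonstration."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed"


if __name__ == "__main__":
    fixed_aud = make_sample({"sub": "pipeline", "aud": "https://ci.example.invalid"})
    print("usable for keyless signing:", audience_ok(fixed_aud))
```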