i used OPA in one org, and kyverno in another for verifying (reused whichever was already in place for other purposes).

our teams always chose to go with cloud kms services for the signing keys, we thought they offered stronger access controls, and less need to revoke / rotate keys when access changes (team member leaves).