diff --git a/README.md b/README.md
index 4ccb2da5a2..e6fdf5a0ed 100644
--- a/README.md
+++ b/README.md
@@ -115,6 +115,11 @@ e.g.:
 - `KO_DOCKER_REPO=gcr.io/my-project`, or
 - `KO_DOCKER_REPO=my-dockerhub-user`
 
+`ko` will default to storing sboms in the same repo as the image it is building. But there is an environment variable
+named `COSIGN_REPOSITORY` that enables you to specify a different repository for storing sboms.
+
+`KO_DOCKER_REPO=my-dockerhub-user COSIGN_REPOSITORY=gcr.io/my-project/sboms`
+
 # Build an Image
 
 `ko build ./cmd/app` builds and pushes a container image, and prints the
diff --git a/pkg/publish/default.go b/pkg/publish/default.go
index b0f58cc994..3d100dd07f 100644
--- a/pkg/publish/default.go
+++ b/pkg/publish/default.go
@@ -40,8 +40,8 @@ type defalt struct {
 	base      string
 	t         http.RoundTripper
 	userAgent string
-	auth      authn.Authenticator
 	namer     Namer
+	keychain  authn.Keychain
 	tags      []string
 	tagOnly   bool
 	insecure  bool
@@ -54,7 +54,7 @@ type defaultOpener struct {
 	base      string
 	t         http.RoundTripper
 	userAgent string
-	auth      authn.Authenticator
+	keychain  authn.Keychain
 	namer     Namer
 	tags      []string
 	tagOnly   bool
@@ -67,8 +67,9 @@ type Namer func(string, string) string
 
 // identity is the default namer, so import paths are affixed as-is under the repository
 // name for maximum clarity, e.g.
-//   gcr.io/foo/github.com/bar/baz/cmd/blah
-//   ^--base--^ ^-------import path-------^
+//
+//	gcr.io/foo/github.com/bar/baz/cmd/blah
+//	^--base--^ ^-------import path-------^
 func identity(base, in string) string { return path.Join(base, in) }
 
 // As some registries do not support pushing an image by digest, the default tag for pushing
@@ -89,7 +90,7 @@ func (do *defaultOpener) Open() (Interface, error) {
 		base:      do.base,
 		t:         do.t,
 		userAgent: do.userAgent,
-		auth:      do.auth,
+		keychain:  do.keychain,
 		namer:     do.namer,
 		tags:      do.tags,
 		tagOnly:   do.tagOnly,
@@ -104,7 +105,7 @@ func NewDefault(base string, options ...Option) (Interface, error) {
 		base:      base,
 		t:         http.DefaultTransport,
 		userAgent: "ko",
-		auth:      authn.Anonymous,
+		keychain:  authn.DefaultKeychain,
 		namer:     identity,
 		tags:      defaultTags,
 	}
@@ -203,7 +204,8 @@ func (d *defalt) Publish(ctx context.Context, br build.Result, s string) (name.R
 	// https://github.com/google/go-containerregistry/issues/212
 	s = strings.ToLower(s)
 
-	ro := []remote.Option{remote.WithAuth(d.auth), remote.WithTransport(d.t), remote.WithContext(ctx), remote.WithUserAgent(d.userAgent)}
+	ro := []remote.Option{remote.WithAuthFromKeychain(d.keychain), remote.WithTransport(d.t), remote.WithContext(ctx), remote.WithUserAgent(d.userAgent)}
+
 	no := []name.Option{}
 	if d.insecure {
 		no = append(no, name.Insecure)
diff --git a/pkg/publish/options.go b/pkg/publish/options.go
index ead9fd4050..ac9f5161fb 100644
--- a/pkg/publish/options.go
+++ b/pkg/publish/options.go
@@ -16,14 +16,19 @@ package publish
 
 import (
 	"crypto/tls"
-	"log"
 	"net/http"
-	"path"
 
 	"github.com/google/go-containerregistry/pkg/authn"
-	"github.com/google/go-containerregistry/pkg/name"
 )
 
+type staticKeychain struct {
+	auth authn.Authenticator
+}
+
+func (s staticKeychain) Resolve(resource authn.Resource) (authn.Authenticator, error) {
+	return s.auth, nil
+}
+
 // WithTransport is a functional option for overriding the default transport
 // on a default publisher.
 func WithTransport(t http.RoundTripper) Option {
@@ -44,9 +49,9 @@ func WithUserAgent(ua string) Option {
 
 // WithAuth is a functional option for overriding the default authenticator
 // on a default publisher.
-func WithAuth(auth authn.Authenticator) Option {
+func WithAuth(a authn.Authenticator) Option {
 	return func(i *defaultOpener) error {
-		i.auth = auth
+		i.keychain = staticKeychain{a}
 		return nil
 	}
 }
@@ -55,25 +60,7 @@ func WithAuth(auth authn.Authenticator) Option {
 // authenticator on a default publisher using an authn.Keychain
 func WithAuthFromKeychain(keys authn.Keychain) Option {
 	return func(i *defaultOpener) error {
-		// We parse this lazily because it is a repository prefix, which
-		// means that docker.io/mattmoor actually gets interpreted as
-		// docker.io/library/mattmoor, which gets tricky when we start
-		// appending things to it in the publisher.
-		//
-		// We append a fake path "ko" to KO_DOCKER_REPO in order to
-		// make parsing out the registry easier.
-		repo, err := name.NewRepository(path.Join(i.base, "ko"))
-		if err != nil {
-			return err
-		}
-		auth, err := keys.Resolve(repo.Registry)
-		if err != nil {
-			return err
-		}
-		if auth == authn.Anonymous {
-			log.Println("No matching credentials were found, falling back on anonymous")
-		}
-		i.auth = auth
+		i.keychain = keys
 		return nil
 	}
 }