The Linux Foundation's "sigstore" project
The Linux Foundation has announced a project called sigstore; its purpose is to protect against supply-chain attacks by signing (and verifying) release artifacts. "Very few open source projects cryptographically sign software release artifacts. This is largely due to the challenges software maintainers face on key management, key compromise / revocation and the distribution of public keys and artifact digests. In turn, users are left to seek out which keys to trust and learn steps needed to validate signing. Further problems exist in how digests and public keys are distributed, often stored on websites susceptible to hacks or a README file situated on a public git repository. sigstore seeks to solve these issues by utilization of short lived ephemeral keys with a trust root leveraged from an open and auditable public transparency log."
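The mechanism the announcement describes, reduced to its essentials as an added Go example (this is illustrative code, not sigstore's own): each release is signed with a freshly generated Ed25519 key that is thrown away immediately, and what gets published is a log entry holding the digest, the public key and the signature. A hash-chained, append-only slice stands in for the public transparency log (real logs use a Merkle tree); `LogEntry`, `SignAndLog` and `Verify` are hypothetical names chosen here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// LogEntry is what a signer publishes: artifact digest, ephemeral public key,
// signature over the digest, and a hash link to the previous entry (append-only).
type LogEntry struct {
	Digest    [32]byte
	PublicKey ed25519.PublicKey
	Signature []byte
	PrevHash  [32]byte
}

// Hash binds an entry to its contents and to its predecessor in the log.
func (e LogEntry) Hash() [32]byte {
	data := append(append(append(e.Digest[:], e.PublicKey...), e.Signature...), e.PrevHash[:]...)
	return sha256.Sum256(data)
}

// SignAndLog signs with a fresh ephemeral key and appends the entry; the private
// key then goes out of scope, so there is nothing long-lived to manage or revoke.
func SignAndLog(entries []LogEntry, artifact []byte) ([]LogEntry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return entries, err
	}
	digest := sha256.Sum256(artifact)
	e := LogEntry{Digest: digest, PublicKey: pub, Signature: ed25519.Sign(priv, digest[:])}
	if n := len(entries); n > 0 {
		e.PrevHash = entries[n-1].Hash()
	}
	return append(entries, e), nil
}

// Verify checks every hash link and accepts the artifact only if an intact entry
// carries a valid signature over its digest: the log, not a README, is the trust root.
func Verify(entries []LogEntry, artifact []byte) bool {
	digest, prev, ok := sha256.Sum256(artifact), [32]byte{}, false
	for _, e := range entries {
		if e.PrevHash != prev {
			return false
		}
		prev = e.Hash()
		if e.Digest == digest && ed25519.Verify(e.PublicKey, digest[:], e.Signature) {
			ok = true
		}
	}
	return ok
}
```

A verifier needs only the log and the artifact; any edit to an earlier entry breaks the chain, so tampering with a published digest or key is detectable rather than silent.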