Session
Git Signing, keyless - what else?
There is almost no debate that source code signing is an important best practice for securing the software supply chain. But managing keys is cumbersome, associating keys with actual human or workload identities is cumbersome, and rotating and revoking keys is just annoying. Sigstore, an open-source project under the Open Source Security Foundation (OpenSSF), provides a robust solution to these problems.
In this talk, we explore the history of Git signing and its challenges, and demo a viable solution based on open-source technology.