Blog | G5 Cyber Security

New free software signing service aims to strengthen open-source ecosystem

The Linux Foundation has launched a free service that allows software developers to digitally sign their releases. The project aims to strengthen the security and auditability of the open-source software supply chain. The new service, called sigstore, was developed in partnership with Google, Red Hat and Purdue University. All signatures and signing events will be stored in a tamper-resistant public log that can be monitored to discover potential abuse. It’s up to the community to build tools that use this information to create policies and enforcement mechanisms.

Source: https://www.csoonline.com/article/3611050/new-free-software-signing-service-aims-to-strengthen-open-source-ecosystem.html
