The Linux Foundation, Red Hat, Google, and Purdue have unveiled the free 'sigstore' service, which lets developers code-sign open-source software and verify those signatures to help prevent supply-chain attacks. The service will be a free-to-use, non-profit software signing service that allows developers to sign open-source software and verify its authenticity. It is built around short-lived certificates issued on the strength of OpenID Connect grants, public transparency logs, and a root CA dedicated solely to code signing.
Source: https://www.bleepingcomputer.com/news/software/linux-foundation-unveils-sigstore-a-lets-encrypt-for-code-signing/
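How the three building blocks named above fit together is easier to see in code. The Go program below is an added illustration written for this page, not sigstore's own code: Root stands in for the dedicated code-signing CA, issueEphemeralCert for the issuer that turns an OpenID Connect identity into a ten-minute certificate for a throwaway key, and LogEntry for the transparency-log record whose integrated time lets a verifier validate the certificate chain long after that certificate expired. The OIDC token is reduced to a single verified email claim and the log keeps no Merkle-tree inclusion proof; those simplifications, the sample artifact bytes and every identifier are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed model of the keyless flow in the article, not sigstore's code: Root plays the
// code-signing CA, issueEphemeralCert the OIDC-backed issuer, LogEntry the log record.
type Root struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}
type LogEntry struct {
	Digest     [32]byte
	Sig        []byte
	Cert       *x509.Certificate // short-lived cert that authorised Sig
	Integrated time.Time         // when the log accepted the entry
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failures (key generation, certificate encoding) abort the model
	}
	return v
}

func newRoot() *Root {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-codesign-root"},
		NotBefore:             time.Now().AddDate(-1, 0, 0),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &Root{key: key, cert: must(x509.ParseCertificate(der))}
}

// issueEphemeralCert binds the OIDC identity (modelled as an email claim) to a throwaway key for ten minutes.
func (r *Root) issueEphemeralCert(email string, pub *ecdsa.PublicKey, now time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(now.UnixNano()),
		EmailAddresses: []string{email},
		NotBefore:      now,
		NotAfter:       now.Add(10 * time.Minute),
		KeyUsage:       x509.KeyUsageDigitalSignature,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, r.cert, pub, r.key))
	return must(x509.ParseCertificate(der))
}

// Sign is the client side: fresh key, short-lived cert, sign the digest, then drop the key.
func Sign(r *Root, email string, artifact []byte, now time.Time) LogEntry {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	cert := r.issueEphemeralCert(email, &key.PublicKey, now)
	digest := sha256.Sum256(artifact)
	sig := must(ecdsa.SignASN1(rand.Reader, key, digest[:]))
	return LogEntry{Digest: digest, Sig: sig, Cert: cert, Integrated: now}
}

// Verify may run long after the cert expired: the chain is validated at the log's
// integrated time rather than wall-clock time, then identity and signature are checked.
func Verify(r *Root, e LogEntry, artifact []byte, wantEmail string) error {
	if sha256.Sum256(artifact) != e.Digest {
		return errors.New("artifact digest does not match log entry")
	}
	roots := x509.NewCertPool()
	roots.AddCert(r.cert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: e.Integrated, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := e.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if len(e.Cert.EmailAddresses) != 1 || e.Cert.EmailAddresses[0] != wantEmail {
		return errors.New("certificate was issued to a different identity")
	}
	pub, ok := e.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, e.Digest[:], e.Sig) {
		return errors.New("signature does not verify under the certified key")
	}
	return nil
}

func main() {
	root := newRoot()
	art := []byte("constructed release artifact bytes") // sample input for this example
	e := Sign(root, "dev@example.com", art, time.Now().Add(-48*time.Hour))
	fmt.Println("two days later:", Verify(root, e, art, "dev@example.com"))
}
```

Running it signs an artifact "two days ago" and verifies it now, which succeeds only because Verify pins CurrentTime to the log's integrated time; a verifier that checked the chain at wall-clock time would reject the ten-minute certificate. A tampered artifact, a certificate issued to a different identity, or an entry whose integrated time falls outside the certificate's window all fail. In the real service the identity claim comes from a verified OIDC token and the log entry carries an inclusion proof; neither is modelled here.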

