I've been looking for an alternative to GPG for git signing because key rotation and revocation are painful and there's no agreed-upon flow for handling that situation. This looks promising as it eliminates the need to fumble around with the GPG command line, key pairs, revocation certificates, offline backups, and YubiKeys every year or so.
One caveat is that GitHub currently shows commits signed with Sigstore as "unverified." Relatively minor, but it'd be nice if it received more attention.
https://github.com/orgs/community/discussions/37703