The releases are signed with long-lived PGP keys.
PGP has problems (PGP Problem).
Sigstore's goal is to provide artifact signing in the same way LetsEncrypt provides it for SSL.
Sigstore provides a keyless/OIDC option: short-lived keys for signing, with provenance recorded in a public ledger based on Trillian. The Go team uses Trillian as the transparency log: https://go.googlesource.com/proposal/+/master/design/25530-sumdb.md
Signing with OIDC for releases (or any artifact): https://github.com/sigstore/cosign/blob/main/FUN.md
More on Sigstore myths: https://chainguard.dev/posts/2021-11-19-sigstore-myths
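The keyless flow for a release tarball, as an added example (not from the original notes or the cosign project): signing with an OIDC identity and an ephemeral key, then verifying with the signer identity and issuer pinned. Assumes cosign v2 is installed; the artifact name, `RELEASE_IDENTITY` and `RELEASE_ISSUER` are placeholders.

```shell
# Keyless sign/verify of a release artifact with cosign (v2 CLI).
# Assumed: cosign on PATH, a browser or token for the OIDC login, and a
# fixed release identity (maintainer e-mail + issuer) agreed on in advance.
set -eu

ARTIFACT="${1:-release-1.2.3.tar.gz}"          # constructed placeholder name
BUNDLE="$ARTIFACT.sigstore.json"                # certificate + signature + Rekor entry
RELEASE_IDENTITY="${RELEASE_IDENTITY:-maintainer@example.org}"   # placeholder
RELEASE_ISSUER="${RELEASE_ISSUER:-https://accounts.google.com}"  # placeholder

# Sign: cosign obtains an OIDC token, receives a short-lived certificate
# from Fulcio, signs with an ephemeral key that is then discarded, and
# records the signature in the Rekor transparency log. No key to rotate.
sign_release() {
  cosign sign-blob --yes --bundle "$BUNDLE" "$ARTIFACT"
}

# Build the verifier argument list. Pinning identity and issuer is the
# whole point: without them any valid Sigstore certificate would pass.
verify_args() {
  printf '%s\n' verify-blob \
    --bundle "$BUNDLE" \
    --certificate-identity "$RELEASE_IDENTITY" \
    --certificate-oidc-issuer "$RELEASE_ISSUER" \
    "$ARTIFACT"
}

# Verify: checks the chain to the Sigstore root, the Rekor inclusion proof,
# and that the certificate's identity and issuer match the pinned values.
verify_release() {
  # shellcheck disable=SC2046
  cosign $(verify_args)
}
```

A consumer only needs `verify_release` and the published bundle; the signer never distributes a long-lived public key.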