wlynch's comments (Hacker News)

You may want to check out https://github.com/sigstore/gitsign! You can generate ephemeral x509 code signing certs for free using Sigstore.

(disclosure: I'm a maintainer for gitsign)


Wow! This looks like an incredible ecosystem for managing signatures and for verifying the software artifact supply chain.


+1 to this!

https://docs.sigstore.dev/fulcio/certificate-issuing-overvie... has a good overview of how the certificate issuing works.

With Gitsign, by default a new keypair is generated per signing event (i.e. per commit) and never hits disk. The cert in the commit signature holds the public key, which we can check against Rekor (https://docs.sigstore.dev/rekor/overview) to verify it was valid at the time of signing.

If you have the time, https://www.youtube.com/watch?v=PVhRQFS9Njg is a great deep dive into how Sigstore works in general!
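A Go sketch of the verification model described above, added here as an example and not gitsign's or Sigstore's own code: a self-signed ten-minute cert stands in for the Fulcio-issued one, `dev@example.com` is an assumed signer identity, and `logTime` stands in for Rekor's recorded entry time (real gitsign additionally checks the Fulcio chain and the Rekor inclusion proof).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// signCommit mints a fresh P-256 key and a 10-minute self-signed cert for this one
// signing event (constructed stand-in for a Fulcio cert), signs the commit bytes,
// and lets the private key go out of scope on return so it never hits disk.
func signCommit(commit []byte, now time.Time) (certDER, sig []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{"dev@example.com"}, // assumed signer identity
		NotBefore:      now,
		NotAfter:       now.Add(10 * time.Minute),
	}
	if certDER, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(commit)
	sig, err = ecdsa.SignASN1(rand.Reader, key, digest[:])
	return certDER, sig, err
}

// verifyCommit checks the signature with the public key carried in the cert, then
// checks that the transparency log's recorded time for the entry falls inside the
// cert's validity window: an expired cert still vouches for a signature the log saw
// while the cert was valid, which is what makes short-lived certs workable.
func verifyCommit(commit, certDER, sig []byte, logTime time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, commit, sig); err != nil {
		return err
	}
	if logTime.Before(cert.NotBefore) || logTime.After(cert.NotAfter) {
		return errors.New("log entry time outside cert validity window")
	}
	return nil
}
```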


Worth calling out that gitsign works with any Git host for the commit signatures / verification!

The main piece that's platform-specific is the Verified badges that you see in the UI + any CI checks.


I think GitHub support came out a year and a half after the feature was available in git (Nov 2021), so that may be a while :(


You can find the feature request for supporting keyless sigstore/gitsign at https://gitlab.com/gitlab-org/gitlab/-/issues/364428


Balancing privacy vs transparency is definitely something that's tricky! You may be interested in https://blog.sigstore.dev/privacy-in-sigstore-57cac15af0d0 which goes into some of the background of why email addresses are used and some of the things we're thinking about in this area for Sigstore.

Disclosure: I'm the creator of gitsign and wrote this blog post.

