I performed a similar analysis on RubyGems and found that of the top 10k most-downloaded gems, less than one percent had valid signatures. That plus the general hassle of managing key material means that this was a dead-end for large scale adoption.
I'm still hopeful that sigstore will see wide adoption and bring authorial attestation (code signing) to the masses.
I agree, where is the LetsEncrypt for signing? Something you could download and get running in literally a minute.
I don't think Sigstore is a good example. I just spent half an hour trying to understand it, and I am still left with basic questions like "Does it require me to authenticate with Github & friends, or can I use my own OIDC backend?": it seems like you can, but there are cases where you need to use a blessed OIDC provider, but you can override that while self-hosting, and there are config options for the end user to specify any IODC provider? But the entire trust model also relies on the OIDC backend being trustworthy?
The quickstart guide looks easy enough to follow, but it seems nobody bothered to document what exactly is happening in the background, and why. There's literally a dozen moving pieces and obscure protocols involved. As an end user, Sigstore looks like a Rube Goldberg trust machine to me. It might just as well be a black box.
PGP is easy to understand. LetsEncrypt is easy to understand. I'm not an expert on either, but I am reasonably certain I can explain them properly to the average highschooler. But Sigstore? Not a chance - and in my opinion that alone makes it unsuitable for its intended use.
loading story #41876486
Specifically, the CA signing the code certificates (that are valid for 10 minutes) is https://github.com/sigstore/fulcio.