The reviewing aspect sounds a lot like cargo-crev. [1]
[1] https://github.com/crev-dev/cargo-crev
This is pretty cool and I think one of the good application areas of distributed ledger technology.
Signing is still a hard problem, even for established projects like Rust. Right now, rustup does not verify signatures in any way or form. The security is solely thanks to https and the S3 bucket not being compromised.
https://github.com/rust-lang/rustup/issues/2028
https://github.com/rust-lang/rustup/issues/2027
Did you follow the link to the project list on GitHub? The actual tool for doing the signing, cosign, is just a binary you can install on your device and generate signatures and keys yourself. The "service" part of it seems to just be having your public certificate vouched for by a trusted code signing CA. I don't see anything in the tooling that requires your users to only trust that CA. If you want to sign your cert with your own CA and tell your users to trust that instead, they seemingly can do that, just as you can do that today in browsers. That you can't do it with Firefox extensions and mobile app stores is a limitation intentionally built into the distribution channel. It's not a limitation of PKI itself. iOS, Android, and Mozilla could have chosen to let users install arbitrary trusted CAs. You shouldn't dismiss all PKI based on the fact that a few vendors have chosen to implement it in a crappy way to make walled gardens.
It doesn't say this on the announcement, but looking at the actual PKI service (https://github.com/sigstore/fulcio), it seems to be entirely possible to self-host the service and roll your own CA.
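To make the trust-model point of the two comments above concrete (cosign as a local tool that signs with keys you generate yourself, and a verifier that trusts a CA of its own choosing, such as a self-hosted Fulcio), here is an added Go illustration written for this page. It is not code from cosign, Fulcio or sigstore, and it leaves out everything else those projects do. It builds a self-signed root as the stand-in for "your own CA", has that CA issue a code-signing certificate for a signing key, signs a constructed blob, and then verifies the way a consumer should: the signature must check out under the certificate's key, and the certificate must chain to a root the consumer pinned. ECDSA P-256 over SHA-256 is used because that is, to my knowledge, what cosign's generated key pairs use by default; the thread does not state it, so treat it as an assumption. All names and the blob contents are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ca is a self-signed root: the stand-in for a self-hosted CA (names are invented).
type ca struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA generates a P-256 key and a self-signed CA certificate for it.
func newCA(name string) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &ca{key: key, cert: cert}
}

// issue has the CA vouch for a signer's public key with a short-lived code-signing certificate.
func (c *ca) issue(signer string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: signer},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, pub, c.key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// signBlob signs SHA-256(blob) with the signer's private key (ASN.1 DER ECDSA signature).
func signBlob(key *ecdsa.PrivateKey, blob []byte) []byte {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return sig
}

// verifyBlob is the consumer side. Both checks are mandatory: the certificate must
// chain to a root the consumer chose to trust, and the signature must verify under
// that certificate's public key.
func verifyBlob(roots *x509.CertPool, cert *x509.Certificate, blob, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return err // e.g. x509.UnknownAuthorityError when the CA was never pinned
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match blob")
	}
	return nil
}

// demo returns the verdict for three cases: a genuine artifact, a tampered artifact,
// and a certificate for the same key issued by a CA the consumer never agreed to trust.
func demo() (genuine, tampered, wrongCA error) {
	ourCA := newCA("Example Self-Hosted CA")
	signerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	cert := ourCA.issue("release-bot@example.invalid", &signerKey.PublicKey)
	blob := []byte("constructed sample artifact; a real tarball would go here")
	sig := signBlob(signerKey, blob)
	roots := x509.NewCertPool() // the consumer's trust decision lives here, not in the tool
	roots.AddCert(ourCA.cert)
	genuine = verifyBlob(roots, cert, blob, sig)
	tampered = verifyBlob(roots, cert, append([]byte("x"), blob...), sig)
	otherCA := newCA("Some Other CA")
	wrongCA = verifyBlob(roots, otherCA.issue("release-bot@example.invalid", &signerKey.PublicKey), blob, sig)
	return genuine, tampered, wrongCA
}

func main() {
	genuine, tampered, wrongCA := demo()
	fmt.Println("genuine artifact:", genuine, "| tampered artifact:", tampered, "| untrusted CA:", wrongCA)
}
```

The point of `verifyBlob` is that the CA is an input chosen by the consumer (`roots`), not something baked into the verifier: swapping the pool is the whole difference between "trust the public CA" and "trust my own". Note what the example does not do, which a real deployment must: it never checks revocation or a transparency log, and the signature covers only the blob bytes, not any metadata about who was allowed to sign it.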