I don't suppose that trusting #sigstore to run a centralized CA and transparency logs just to issue short-lived certs for me to generate signatures is much more secure than #PGP signing using my own keys. I'm just increasing the attack surface...

The whole Googlesque philosophy of "trust us; don't be evil" is contrary to my take on information security.

But I'm also open to anyone convincing me otherwise.

#cosign #rekor #fulcio