Hacker News
by RandomBK 1514 days ago
This looks quite interesting, and is sponsored by the Linux Foundation and several other orgs. Code signing is definitely a mess in the Linux world.

One thing I'm less happy about is how these sorts of projects always tend to build up a whole parallel universe, dragging along a whole suite of dependencies and related projects (Cosign, Rekor, Fulcio, etc.).

I understand why we might want to fill gaps in existing open source tools, but it makes adopting these platforms a massive migration effort, where I need to go to several projects' documentation to learn how everything works. Naming-wise, I would also much prefer boring, descriptive names over the modern fancy project names.

1 comment

I only started digging into this space last week, but I think cosign, rekor, and fulcio are not related projects but rather critical components of sigstore. Cosign is the cli for signing and verifying artifacts, Rekor is the transparency log, and Fulcio is the certificate authority.
As an outsider it's not super appealing to look into a project and immediately be overwhelmed with 3 other projects I've never heard of. Maybe I'm just not the target demographic, or maybe the project is fragmented?
But why not just call it sigstore-cli, sigstore-log, and sigstore-ca?