This means production workloads can rely on the Rekor public instance, which has a 24/7 oncall rotation supporting it and offers a 99.5% availability SLO for the following API endpoints
(Rekor README)
And that is the key reason to stay far, far away: this system is yet another identity service which happens to be supported by software. Like most identity services, they have carefully constructed it to ensure that the user receives no actual proof of identity. That proof resides on a ledger in some cloud server, somewhere, and verifying anything requires queries against the service. This means that the service can:
- Start charging for "blue checkmarks" or for the ability to put entries in the ledger
- Start charging for verification queries
- Decide they don't like you today, then lock you out of either of the above
- Decide what Certification Level you or your organization have today
- Learn how often you commit/push/release, potentially monetizing this data stream
- Learn all the software (or other blobs) you verify at once, giving them insight into your software stack
- Stop existing at any time, leaving its users without anything of value
I don't see the words "distributed" or "federated" anywhere on the tin, with the possible exception of OIDC. But they are in control of what third-party OIDC providers they trust, if any. If their ledgers are not fully distributed, they are only as good as the metal in their hard drives. (And are one ransomware attack away from ruin and oblivion.)
Despite its obvious flaws and shortcomings, the whole point of the GPG Web of Trust is to escape the tyranny of these centralized ID providers. The cost is having to keep something secret—i.e., the key. cosign frees you from this requirement, but you are forever chained to their service. For me, this is not worth the price of admission.
One open problem in source or binary validation is trusted infrastructure—or the lack thereof. Projects that wish to use cloud computing for their builds, and to guarantee that the binary builds come from said cloud, usually have no choice but to trust The Cloud with their precious $identity key. This can leave it exposed to bad actors. The solution to this problem is reproducible builds. If your artifacts can be reproduced, they can be signed on non-cloud hardware that your project maintainers can see, touch, and trust. The solution is not "add yet more cloud servers with yet more keys run by yet another organization, making our system even more fragile and complicated."
But there's usually not a lot of money to be made in making things simpler.