
Whoa, sigstore maintainer here. I've never seen or heard of Gossamer before. It seems very similar in design!



What ecosystems are out there where I can flick a switch and say 1. "automatically install signed releases" or 2. "automatically install releases signed by multiple identities"?

Are any of the big language-specific ecosystems capable of that? (npm, crates.io, composer, PyPI, CPAN, Maven, rubygems, etc.)


It's not quite flick a switch, but with maven you can specify which keys you trust to sign which of your dependencies (anything published to maven central is required to be signed). E.g. here's one of my libraries: https://github.com/m50d/tierney/blob/master/free/keys.proper...


Nothing really yet. Containers got relatively close with Notary V1, I'm focused on fixing that here in sigstore right now. I think Python, Ruby, and NPM would be great targets to go after next!
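The two switches the question above asks for (accept only signed releases; accept only releases signed by several distinct identities) come down to one check the installer runs before unpacking anything. The Go program below is an added example written for this page; it is not code from sigstore, Gossamer or any of the package managers named in the thread. It assumes signer identities are bound to Ed25519 public keys pinned per package ahead of time (the way the Maven keys file in the reply above pins keys to dependencies); the artifact bytes, the signer names and their keys are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signature is a detached signature over a release artifact, tagged with the
// identity that claims to have produced it (an index would carry several of
// these next to each release).
type Signature struct {
	Identity string
	Sig      []byte
}

// Policy is the per-package rule the installer consults: which identities are
// trusted to sign this package (pinned out of band, like a keys file) and how
// many distinct trusted identities must have signed before it is installed.
type Policy struct {
	Trusted   map[string]ed25519.PublicKey
	Threshold int
}

// Signer is a hypothetical release signer holding a fresh Ed25519 key pair.
type Signer struct {
	Identity string
	Pub      ed25519.PublicKey
	priv     ed25519.PrivateKey
}

func NewSigner(identity string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Identity: identity, Pub: pub, priv: priv}
}

func (s Signer) Sign(artifact []byte) Signature {
	return Signature{Identity: s.Identity, Sig: ed25519.Sign(s.priv, artifact)}
}

// NewPolicy pins the given signers' public keys for one package and requires
// `threshold` distinct signatures from among them.
func NewPolicy(threshold int, signers ...Signer) Policy {
	p := Policy{Trusted: map[string]ed25519.PublicKey{}, Threshold: threshold}
	for _, s := range signers {
		p.Trusted[s.Identity] = s.Pub
	}
	return p
}

// CheckRelease decides whether a release may be installed. It returns the
// trusted identities whose signatures verified and whether that count meets
// the threshold. Unknown signers and bad signatures are skipped, not counted,
// and an identity is counted at most once however many signatures it attached,
// so a single compromised key cannot satisfy a 2-of-N rule on its own.
func CheckRelease(p Policy, artifact []byte, sigs []Signature) (bool, []string) {
	if p.Threshold < 1 {
		return false, nil // a zero threshold would accept unsigned releases
	}
	seen := map[string]bool{}
	var signedBy []string
	for _, s := range sigs {
		pub, trusted := p.Trusted[s.Identity]
		if !trusted || seen[s.Identity] {
			continue
		}
		if ed25519.Verify(pub, artifact, s.Sig) {
			seen[s.Identity] = true
			signedBy = append(signedBy, s.Identity)
		}
	}
	return len(signedBy) >= p.Threshold, signedBy
}

func main() {
	// Constructed inputs: artifact bytes and signers are invented for this example.
	artifact := []byte("example-lib-1.2.3.tar.gz (constructed contents)")
	alice, bob, mallory := NewSigner("alice"), NewSigner("bob"), NewSigner("mallory")
	policy := NewPolicy(2, alice, bob) // mallory is not trusted for this package

	cases := []struct {
		name string
		sigs []Signature
	}{
		{"alice+bob", []Signature{alice.Sign(artifact), bob.Sign(artifact)}},
		{"alice only", []Signature{alice.Sign(artifact)}},
		{"alice twice", []Signature{alice.Sign(artifact), alice.Sign(artifact)}},
		{"alice+mallory", []Signature{alice.Sign(artifact), mallory.Sign(artifact)}},
	}
	for _, c := range cases {
		ok, who := CheckRelease(policy, artifact, c.sigs)
		fmt.Printf("%-14s install=%-5v signed by %v\n", c.name, ok, who)
	}

	// Signatures over the original artifact must not verify a modified one.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01
	ok, _ := CheckRelease(policy, tampered, []Signature{alice.Sign(artifact), bob.Sign(artifact)})
	fmt.Println("tampered       install=", ok)
}
```

A threshold of 1 is the first switch ("only install signed releases"); 2 or more is the second. The detail most home-grown checks get wrong is counting signatures instead of distinct trusted identities, which lets one leaked key attach two signatures and pass a 2-of-N rule; the check above deduplicates by identity and never lets an unpinned signer contribute.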


Gossamer is a 2017 design of an idea that was first published in 2015. However, it was exclusively focused on the PHP community from its inception, so it's unsurprising that nobody's heard of it.



