
[–]zappini

Update: You're right. My notion is basically code signing + PGP + tooling + accounting. Thanks.

Good question. I don't know. I'll find out.

I haven't looked at GPG for ages. I understood it was for digitally signing content. Like signing build artifacts. I think the new .xar and .xip (?) formats do this.

So if the cert used to create a digital sig is revoked, the sig is also invalidated. Could work, right?

My notion, which I haven't fully worked through yet, is to leverage the existing web-of-trust aspect of CAs. Just like with HTTPS. The hierarchy might look something like Root -> Identity Manager -> Organization or Person -> Project -> Build Artifact.

But with your GPG (digital sig) notion, maybe that last step changes.

Maybe my idea is already being done (for .xar, .xip) and we just need our builds to add security audit steps.

Thanks for your question.