
I don't see how that solves this problem as long as the attacker can delete and recreate a repository

sigstore's main design goal seems to be to increase the lock-in of "trusted" providers

(the idea that Microsoft should be trusted for anything requiring any level of security is entirely ludicrous)


