Working on Asfaload, a multisig sign-off solution applied to release artifacts authentication.

It is:

- open source

- accountless (keys are identity)

- using a public git backend making it easily auditable

- easy to self host, meaning you can easily deploy it internally

- multisig, meaning even if a GitHub account is breached, malevolent artifacts can be detected

- validating a download transparently to the user, which only requires the download URL, contrary to sigstore

Nearing Alpha release stage.

Code at https://github.com/asfaload/asfaload

Info at https://asfaload.com/