Omar Shibli
We would like to get to a process where our software, where applicable, will be published with PGP + public attestation using OTS, as another layer of validation.
both, could be source or binaries
Thank you so much, that's a good start indeed.
good idea, let me prepare a PR and let me know what you think.
but then would probably need another utility to reconcile the non-timestamped commits, otherwise you might introduce inconsistencies in the expected signatures structure.
By that I mean fix the inconsistencies if they occur, for example, if I have git stamping enabled, and somehow the command failed to stamp it several times, let's...
makes sense, thanks for the input.
Any update on this?