Sigstore points to a newer trust model for software releases: identity-backed signing, a public tamper-evident log, and less dependence on a long-lived secret.