I’ve heard some general interest for Pulp to have sigstore integration, and I’m +1 to that. It’s unclear to me if sigstore has one set of APIs to perform asset signing with or if the are content type specific. For example, here’s a sigstore python client that performs signing and verification but only for Python assets. Given those tools are type specific, and the link to SLSA 3 article from OP is for Go specifically, I think it’s type specifically. If that’s the case I think one of the plugins should try doing an integration.