
Add support for sigstore as signing method for NuGet packages #12856

Open InfoSec812 opened 1 year ago

InfoSec812 commented 1 year ago

NuGet Product(s) Involved

Other/NA

The Elevator Pitch

sigstore is gaining traction as a method of enabling validation of development artifacts across many different language/framework ecosystems (Java, Python, JS, etc...) and it would be very useful to have sigstore signature/validation support in NuGet. The upside is that it validates identity using OpenID instead of requiring that individuals/organizations get a code signing certificate from an approved certificate authority. This would make it easier for both project maintainers and consumers of NuGet artifacts to validate that they are getting the software they expect.

Additional Context and Details

The sigstore cosign tool makes it relatively simple to sign and validate artifacts. There are well-documented protocols which could be integrated into artifact repositories, and it is already being integrated into many of the most popular offerings (Sonatype Nexus, JFrog Artifactory, etc...).

AlanRynne commented 10 months ago

Yes please! I'd like to sign my packages but lack the patience or wealth to deal with DigiCert and the likes 😅

ZarehD commented 8 months ago

Making code signing easier (and free) is a big step forward, and sigstore as a solution has picked up quite a lot of steam in just two years. GitHub is already onboard (late 2022), as are package managers for JavaScript, Rust, Go, and Java. Nuget.org and the .NET community appear to be lagging and need to catch up quickly.

moh-hassan commented 2 weeks ago

Is there any progress for signing nuget packages by sigstore (using the Cosign tool)?

Cosign primarily uses the ECDSA-P256 algorithm for signing, which is not one of the algorithms supported by NuGet (sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption).

It would be nice if NuGet added a feature to support the ECDSA-P256 algorithm.
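The algorithm mismatch in the comment above is visible at the DER level: a NuGet package signature (the `.signature.p7s` CMS blob stored at the root of the .nupkg zip) carries an AlgorithmIdentifier whose OID is one of the three RSA variants, while a cosign signature made with a P-256 key carries `ecdsa-with-SHA256`. The following is an added example, not NuGet or sigstore code, that walks a DER-encoded blob with a minimal stdlib-only parser, collects every OBJECT IDENTIFIER it contains, and reports which signature algorithms NuGet's allow-list would accept. The sample inputs are constructed AlgorithmIdentifier encodings, not real signature files; the `.signature.p7s` zip entry name and the OID values are the only assumptions about the real formats.

```python
"""Report which signature algorithms a DER/CMS blob uses and whether NuGet accepts them.

Added example (not NuGet or sigstore code). Stdlib only: a tiny DER walker
that handles definite lengths and single-byte tags, which is enough for the
signature structures discussed here.
"""
from __future__ import annotations

import sys
import zipfile

# Signature-algorithm OIDs. The RSA set is NuGet's package-signing allow-list;
# the ECDSA set is what cosign produces with P-256 (and larger) keys.
NUGET_ACCEPTED = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
OTHER_SIGNATURE_ALGS = {
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID as a tag-0x06 TLV (used to build the sample input)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # low 7 bits go last, with no continuation bit
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER (without tag/length) to dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:              # last byte of this base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the DER element at pos; definite lengths only."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def find_oids(buf: bytes) -> list[str]:
    """Collect every OID in document order, descending into constructed elements
    (SEQUENCE, SET and explicit [n] tags all have bit 0x20 set)."""
    found: list[str] = []
    pos = 0
    while pos < len(buf):
        tag, body, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            found.append(decode_oid(body))
        elif tag & 0x20:
            found.extend(find_oids(body))
    return found


def classify_signature_algorithms(der: bytes) -> dict[str, list[str]]:
    """Split the signature algorithms found in `der` into NuGet-accepted and not."""
    result: dict[str, list[str]] = {"nuget_accepted": [], "not_accepted": []}
    for oid in find_oids(der):
        if oid in NUGET_ACCEPTED:
            result["nuget_accepted"].append(NUGET_ACCEPTED[oid])
        elif oid in OTHER_SIGNATURE_ALGS:
            result["not_accepted"].append(OTHER_SIGNATURE_ALGS[oid])
    return result


def algorithm_identifier(oid: str, null_params: bool) -> bytes:
    """Build a DER AlgorithmIdentifier SEQUENCE { OID, [NULL] } for sample input."""
    inner = encode_oid(oid) + (b"\x05\x00" if null_params else b"")
    return bytes([0x30, len(inner)]) + inner


# Constructed sample inputs (not taken from real signature files).
COSIGN_STYLE = algorithm_identifier("1.2.840.10045.4.3.2", False)    # ecdsa-with-SHA256, no params
NUGET_STYLE = algorithm_identifier("1.2.840.113549.1.1.11", True)    # sha256WithRSAEncryption, NULL params

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Assumption: a signed .nupkg stores its CMS signature as ".signature.p7s" at the zip root.
        with zipfile.ZipFile(sys.argv[1]) as nupkg:
            blob = nupkg.read(".signature.p7s")
        print(classify_signature_algorithms(blob))
    else:
        print("cosign-style:", classify_signature_algorithms(COSIGN_STYLE))
        print("nuget-style: ", classify_signature_algorithms(NUGET_STYLE))
```

Run with no arguments to see the two constructed samples classified; pass a signed .nupkg path to inspect its real signature. Because the walker descends into every constructed element, a real CMS blob also yields the algorithms from the embedded certificate chain, so an ECDSA entry in `not_accepted` may come from a certificate signature rather than the SignerInfo itself; treat the output as a first triage, not a verdict.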