The Linux Foundation is developing a free signature service for open source software as part of its sigstore project. Developers should be able to easily sign the archives, containers and compiled binaries used to distribute open source software. With the signature, the developer confirms that the artifact was actually built from their own source code.
This cryptographic confirmation is intended to prevent unauthorized parties from taking the source code, tampering with it, and circulating falsified versions of the software, for example with deliberately inserted security holes and malicious functions.
sigstore is currently under development. It is supported by Red Hat, Google, and Purdue University in the United States. When the service is finished, it should be free and easy to use. A public transparency log called rekor allows the signatures to be verified.