OpenPubKey and Sigstore

OpenPubKey is a new scheme introduced by Docker and BastionZero and hosted as a Linux Foundation project. Like Sigstore it ties a signature to an OIDC identity, but it drops Sigstore's centralized components, the certificate authority (Fulcio) and the transparency log (Rekor): instead of exchanging an ID token for a short-lived certificate, the signer commits to its own public key inside the ID token and ships that token alongside the signature, so a verifier checks the identity provider's signature on the token directly. This simplifies signing and verifying artifacts, but it comes with tradeoffs. First, every verifier must fetch and trust each identity provider's signing keys itself, which adds JWT and JWKS handling to client code and widens its attack surface; and because providers rotate those keys, a token can only be verified while the key that signed it is still published, unless someone archives the old keys, which is exactly the kind of record a transparency log provides. Second, using the raw OIDC ID token as the certificate exposes whatever identity claims the token carries to everyone who verifies the artifact, and it publishes a credential that was issued as a bearer token for a relying party, with the security risks that implies. OpenPubKey has real advantages, but the linked Sigstore post concludes that Sigstore remains the preferred choice for most supply chain security use cases.

https://blog.sigstore.dev/openpubkey-and-sigstore/
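As an added illustration of the verification tradeoff described above (example code written for this page, not OpenPubKey's or Sigstore's own), the Go program below models a simplified PK token: the client commits to its public key in the ID token nonce, a mock OIDC provider signs the token with ES256, and the verifier validates the signature against the provider's currently published JWKS before checking the commitment. It then rotates the provider key to show the failure mode: the same token stops verifying once its signing key is no longer published. The issuer name, key IDs, subject and the exact commitment layout are simplifying assumptions, not the real OpenPubKey token format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Simplified model written for this page, not the openpubkey library's own format: the client commits
// to its public key in the ID token nonce, the provider signs the token, and the verifier checks that
// signature against the keys the provider currently publishes. Issuer, key IDs and subject are made up.

// Provider is a mock OIDC provider with one live ES256 key; JWKS is exactly what it publishes.
type Provider struct {
	kid  string
	priv *ecdsa.PrivateKey
	JWKS map[string]*ecdsa.PublicKey
}

// Rotate installs a fresh key; the previous public key is no longer published.
func (p *Provider) Rotate(kid string) {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	p.kid, p.priv = kid, k
	p.JWKS = map[string]*ecdsa.PublicKey{kid: &k.PublicKey}
}

// IssueIDToken returns a compact ES256 JWS carrying the nonce the client asked for.
func (p *Provider) IssueIDToken(sub, nonce string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": p.kid})
	claims, _ := json.Marshal(map[string]string{"iss": "https://op.example", "sub": sub, "nonce": nonce})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, p.priv, digest[:])
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// PKToken is the ID token plus what a verifier needs to recompute the nonce.
type PKToken struct {
	IDToken   string
	ClientPub []byte // PKIX DER encoding of the client's public key
	Rz        []byte // random blinding value revealed with the token
}

// Commitment is the nonce value: base64url(SHA-256(clientPub || rz)).
func Commitment(clientPub, rz []byte) string {
	h := sha256.Sum256(append(append([]byte{}, clientPub...), rz...))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// NewPKToken is the client side: commit to the key, then obtain a signed ID token.
func NewPKToken(p *Provider, sub string, clientKey *ecdsa.PrivateKey) PKToken {
	pub, _ := x509.MarshalPKIXPublicKey(&clientKey.PublicKey)
	rz := make([]byte, 32)
	rand.Read(rz)
	return PKToken{IDToken: p.IssueIDToken(sub, Commitment(pub, rz)), ClientPub: pub, Rz: rz}
}

// Verify checks the provider signature against the JWKS the verifier holds, then the nonce commitment.
func Verify(t PKToken, jwks map[string]*ecdsa.PublicKey) (string, error) {
	parts := strings.Split(t.IDToken, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWS")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return "", fmt.Errorf("bad header or unsupported alg")
	}
	pub, ok := jwks[hdr.Kid] // fails as soon as the provider stops publishing the signing key
	if !ok {
		return "", fmt.Errorf("kid %q not in provider JWKS (rotated or unknown)", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("ID token signature invalid")
	}
	var claims struct{ Sub, Nonce string }
	if raw, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil || claims.Nonce != Commitment(t.ClientPub, t.Rz) {
		return "", fmt.Errorf("nonce does not commit to the presented public key")
	}
	return claims.Sub, nil
}

func main() {
	op := &Provider{}
	op.Rotate("key-2024-01")
	client, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok := NewPKToken(op, "alice@example.com", client)
	fmt.Println(Verify(tok, op.JWKS))
	op.Rotate("key-2024-02") // the old key leaves the JWKS; the same token now fails to verify
	fmt.Println(Verify(tok, op.JWKS))
}
```

The second Verify call is the point of the example: nothing about the token changed, only the provider's published key set, which is why a design without a log of provider keys cannot verify old signatures indefinitely. In a real client the JWKS would be fetched over HTTPS from each issuer's discovery document, and that fetch-and-parse code, plus JWT validation, is the extra attack surface the post refers to.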