Signing is for the bad days
The article argues that software supply chain security tools like TUF, in-toto, and Sigstore only seem unnecessary until a major incident occurs, emphasizing their value during crises.
The article discusses how code signing should be integrated into development workflows early, not bolted on as a last-minute step before release. It emphasizes that signatures pay off most on the "bad days", when something breaks or a compromise is suspected and you need to establish which builder produced an artifact and from which source revision; signing throughout development keeps that traceability intact for the moment it is needed.
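To make the "bad day" argument concrete, here is an added example that is not code from the article or from TUF, in-toto or Sigstore: a builder signs a small provenance statement (artifact digest, builder identity, source commit) with an Ed25519 key, and a consumer later verifies both the signature and the digest before trusting the provenance. The `Statement` layout, the builder name and the commit value are constructed placeholders, not a real project's schema or identifiers; the point is that without the signature the provenance is just a claim, and with it a tampered artifact or forged record is rejected when you most need the answer.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the provenance record that gets signed together with the
// artifact digest. The field set is a constructed, minimal example, not the
// in-toto or Sigstore statement schema.
type Statement struct {
	ArtifactSHA256 string `json:"artifact_sha256"`
	Builder        string `json:"builder"`
	Commit         string `json:"commit"`
}

// Envelope carries the serialized statement and the signature over it.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// SignArtifact hashes the artifact, binds the digest to the provenance
// metadata, and signs the serialized statement with the builder's key.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte, builder, commit string) (Envelope, error) {
	sum := sha256.Sum256(artifact)
	stmt := Statement{
		ArtifactSHA256: hex.EncodeToString(sum[:]),
		Builder:        builder,
		Commit:         commit,
	}
	payload, err := json.Marshal(stmt)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyArtifact checks the signature on the statement first, then checks
// that the artifact in hand matches the digest the statement vouches for.
// Only when both hold does it return the provenance: which builder produced
// this artifact and from which commit, which is the question asked on a bad day.
func VerifyArtifact(pub ed25519.PublicKey, env Envelope, artifact []byte) (Statement, error) {
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return Statement{}, errors.New("statement signature does not verify")
	}
	var stmt Statement
	if err := json.Unmarshal(env.Payload, &stmt); err != nil {
		return Statement{}, err
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != stmt.ArtifactSHA256 {
		return Statement{}, errors.New("artifact digest does not match signed statement")
	}
	return stmt, nil
}

func main() {
	// In practice the private key lives with the builder and only the public
	// key is distributed; a fresh key pair is generated here for the demo.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("constructed build output v1") // constructed sample artifact

	// Builder identity and commit are constructed placeholder values.
	env, err := SignArtifact(priv, artifact, "ci-builder-01", "0000000")
	if err != nil {
		panic(err)
	}

	stmt, err := VerifyArtifact(pub, env, artifact)
	fmt.Printf("genuine artifact: provenance=%+v err=%v\n", stmt, err)

	// A modified artifact still ships with the old envelope; verification
	// must reject it rather than report the original provenance.
	tampered := append(append([]byte{}, artifact...), '!')
	_, err = VerifyArtifact(pub, env, tampered)
	fmt.Println("tampered artifact:", err)
}
```

The verification order matters: the signature is checked before the payload is parsed or trusted, so an attacker who can edit the stored statement cannot point it at a different digest, and a key that the consumer does not trust fails closed even if the digest happens to match.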