
The Linux Foundation's "sigstore" project

The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 16:36 UTC (Wed) by fwiesweg (guest, #116364)
Parent article: The Linux Foundation's "sigstore" project

Sounds quite nice, I hope it gains some traction. I still try to avoid thinking of all the dependencies whose signatures I have not personally validated, because it's scary. If only customers paid for such work... ah okay, time to stop dreaming.



The Linux Foundation's "sigstore" project

Posted Mar 10, 2021 23:50 UTC (Wed) by shemminger (subscriber, #5739) [Link] (2 responses)

The recent SolarWinds attack happened in the infrastructure, and was caused by trusting the signature.
How would this help that threat model? Or would it introduce a false sense of trust?

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 7:20 UTC (Thu) by fwiesweg (guest, #116364) [Link]

So SolarWinds would have been prevented by trusting a non-signed package? I doubt it. Additionally, I don't think analyzing that unsigned package bit for bit is realistic either; nobody has time for that, and most organizations out there lack the required skill set. It happened despite the signature, not because of it.

Like everything we do, security-related work is iterative in nature, and this is but a single building stone to secure the supply chain. Further steps are required and might include many things, from reviewed packages (signed by the reviewers, too), automatic content analyses (so packages are signed by those systems, too), etc., but there'd be no point in all of that if you can't even guarantee that the source package arrives on your disk without having been tampered with somewhere between you and the maintainer/reviewer. So something like sigstore is a first and necessary, but in itself still insufficient, step.

The Linux Foundation's "sigstore" project

Posted Mar 11, 2021 7:51 UTC (Thu) by LtWorf (subscriber, #124958) [Link]

I think this is more for clueless projects like yarn which, when the repository key expires, just make a new one.

No thought about making a keyring package and using it to introduce the new key before the old one expires.

https://github.com/yarnpkg/yarn/issues/7866
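The rollover the comment above describes (a keyring update that introduces the new key while the old one is still valid, so clients never have to trust a key nobody vouched for) as an added, self-contained example that is not code from this thread, from yarn or from sigstore. It assumes a constructed `Keyring` class and constructed key names and dates; HMAC over a shared secret stands in for a real asymmetric signature so the script runs with the standard library alone, and the policy logic is the part worth reading.

```python
"""Key rollover through a signed keyring update (constructed example).

HMAC-SHA256 with a shared secret stands in for a real signature scheme;
the point is the trust policy: a new key is accepted only when a currently
trusted, unexpired key signs the update that introduces it.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Key:
    key_id: str
    secret: bytes          # stand-in for a key pair (constructed)
    not_after: datetime    # expiry of this signing key


def canonical(key: Key) -> bytes:
    """Bytes covered by a keyring-update signature: id, material and expiry."""
    return b"|".join([key.key_id.encode(), key.secret,
                      key.not_after.isoformat().encode()])


def sign(key: Key, payload: bytes) -> bytes:
    return hmac.new(key.secret, payload, hashlib.sha256).digest()


def verify(key: Key, payload: bytes, sig: bytes, now: datetime) -> bool:
    """Reject signatures from expired keys, then check the MAC in constant time."""
    if now > key.not_after:
        return False
    return hmac.compare_digest(sign(key, payload), sig)


class Keyring:
    """Trusted keys, installed once and changed only through signed updates."""

    def __init__(self, initial: Key):
        self.keys = {initial.key_id: initial}

    def apply_update(self, new_key: Key, signer_id: str, sig: bytes,
                     now: datetime) -> bool:
        """Add new_key only if a trusted, unexpired key vouches for it."""
        signer = self.keys.get(signer_id)
        if signer is None or not verify(signer, canonical(new_key), sig, now):
            return False
        self.keys[new_key.key_id] = new_key
        return True

    def verify_package(self, package: bytes, key_id: str, sig: bytes,
                       now: datetime) -> bool:
        key = self.keys.get(key_id)
        return key is not None and verify(key, package, sig, now)


def rollover_scenario() -> dict:
    """Walk through a timely rollover and the 'just make a new key' failure."""
    t0 = datetime(2021, 3, 1, tzinfo=timezone.utc)
    old = Key("repo-2020", b"old-secret", not_after=t0 + timedelta(days=30))
    new = Key("repo-2021", b"new-secret", not_after=t0 + timedelta(days=395))
    pkg = b"example-package-1.0.tar.gz contents (constructed)"
    results = {}

    # Timely rollover: the keyring update ships while the old key is valid.
    ring = Keyring(old)
    results["update_in_time"] = ring.apply_update(
        new, "repo-2020", sign(old, canonical(new)), now=t0 + timedelta(days=10))
    # After the old key expires, packages signed with the new key still verify...
    results["new_key_after_expiry"] = ring.verify_package(
        pkg, "repo-2021", sign(new, pkg), now=t0 + timedelta(days=60))
    # ...and anything still signed with the expired key is rejected.
    results["old_key_after_expiry"] = ring.verify_package(
        pkg, "repo-2020", sign(old, pkg), now=t0 + timedelta(days=60))

    # Late rollover: the update arrives after expiry, so the old key can no
    # longer vouch for the new one, and the new key is simply untrusted.
    late = Keyring(old)
    results["update_too_late"] = late.apply_update(
        new, "repo-2020", sign(old, canonical(new)), now=t0 + timedelta(days=60))
    results["unvouched_key"] = late.verify_package(
        pkg, "repo-2021", sign(new, pkg), now=t0 + timedelta(days=60))
    return results


if __name__ == "__main__":
    for name, ok in rollover_scenario().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The last two results are the situation the comment complains about: once the old key has lapsed there is no trusted path to the replacement, and clients are left to either accept an unvouched key out of band or stop updating.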


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds