any upside to email verification for signature?
Posted Mar 13, 2021 11:45 UTC (Sat) by Jan_Zerebecki (guest, #70319)
Parent article: The Linux Foundation's "sigstore" project
fulcio does not reduce the amount of secrets you need to keep as you also need to type in a password for your email provider. If that were the goal you could derive the signature private key and a password for your email from the same passphrase. However I think storing a regularly rotated secret per device in addition to your passphrase (that you'd use for both secret unlocking and login) is still preferable.
Instead consider 1) a transparency log of fetched git branch heads (no signature to establish authority, as you need to establish which code to trust in another layer anyway) or 2) a transparency log of signatures with transparency-logged, automated, regularly rotated public keys where the previous key signs the next one, with tricks for recovery, like designating other keys as authorized notaries for replacement of lost keys, storing a replacement-authorised-only key in your email, per-device keys, etc. The UI for (2) can look the same as for fulcio, so that is not an argument to not have private keys in a design.

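Option (2) in the comment above, worked through as an added example (this is not the commenter's code and not sigstore's; the record layout, field names and the recovery rule are assumptions made for the illustration): each rotation record carries the new signing key, an optional recovery key that is authorized only to install the next key, and a signature by the previous key or by that previous entry's designated recovery key. Verifiers walk the logged chain from a trusted root, so a key that was lost and later found cannot rotate the identity away after its recovery key has already replaced it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Entry is one rotation record as it might appear in a transparency log.
// The layout is hypothetical (constructed for this example, not sigstore's):
// the new day-to-day signing key, a key authorized only to replace it if it
// is lost, and a signature over (Seq || Key || Recovery) by an authorized
// predecessor.
type Entry struct {
	Seq      uint64
	Key      ed25519.PublicKey // new signing key
	Recovery ed25519.PublicKey // may be nil; may only sign the next rotation, never artifacts
	SignedBy ed25519.PublicKey // key that produced Sig
	Sig      []byte
}

func rotationMsg(seq uint64, key, recovery ed25519.PublicKey) []byte {
	msg := make([]byte, 8, 8+len(key)+len(recovery))
	binary.BigEndian.PutUint64(msg, seq)
	msg = append(msg, key...)
	return append(msg, recovery...)
}

// NewEntry builds a rotation record signed by signerPriv (public half signerPub).
func NewEntry(seq uint64, key, recovery, signerPub ed25519.PublicKey, signerPriv ed25519.PrivateKey) Entry {
	return Entry{Seq: seq, Key: key, Recovery: recovery, SignedBy: signerPub,
		Sig: ed25519.Sign(signerPriv, rotationMsg(seq, key, recovery))}
}

// VerifyChain walks the logged rotations from a trusted root key and returns
// the key currently authorized to sign artifacts. A rotation is accepted only
// when signed by the immediately preceding key or by the recovery key that
// the preceding entry designated; a key that has been replaced can no longer
// rotate, so a lost-then-stolen key cannot take the identity back.
func VerifyChain(root ed25519.PublicKey, log []Entry) (ed25519.PublicKey, error) {
	cur, recovery := root, ed25519.PublicKey(nil)
	for i, e := range log {
		if e.Seq != uint64(i+1) {
			return nil, fmt.Errorf("entry %d: unexpected seq %d (gap or reorder)", i, e.Seq)
		}
		if len(e.Key) != ed25519.PublicKeySize || (e.Recovery != nil && len(e.Recovery) != ed25519.PublicKeySize) {
			return nil, fmt.Errorf("entry %d: malformed key", i)
		}
		authorized := e.SignedBy.Equal(cur) || (recovery != nil && e.SignedBy.Equal(recovery))
		if !authorized {
			return nil, fmt.Errorf("entry %d: signer not authorized to rotate", i)
		}
		if !ed25519.Verify(e.SignedBy, rotationMsg(e.Seq, e.Key, e.Recovery), e.Sig) {
			return nil, fmt.Errorf("entry %d: bad rotation signature", i)
		}
		cur, recovery = e.Key, e.Recovery
	}
	return cur, nil
}

func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifact)
}

// VerifyArtifact checks a signature against whatever key the log says is current.
func VerifyArtifact(root ed25519.PublicKey, log []Entry, artifact, sig []byte) error {
	cur, err := VerifyChain(root, log)
	if err != nil {
		return err
	}
	if !ed25519.Verify(cur, artifact, sig) {
		return errors.New("signature is not by the current key")
	}
	return nil
}

// Scenario is a constructed walk-through: a root key installs a day-to-day
// key k1 with recovery key r1; k1 is lost and r1 installs k2.
type Scenario struct {
	Root                 ed25519.PublicKey
	Log                  []Entry
	CurrentPub           ed25519.PublicKey
	CurrentPriv, LostPriv ed25519.PrivateKey
	LostPub              ed25519.PublicKey
}

func BuildScenario() *Scenario {
	gen := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pub, priv
	}
	rootPub, rootPriv := gen()
	k1Pub, k1Priv := gen()
	r1Pub, r1Priv := gen() // held apart from the device, e.g. in email as the comment suggests
	k2Pub, k2Priv := gen()
	r2Pub, _ := gen()
	log := []Entry{
		NewEntry(1, k1Pub, r1Pub, rootPub, rootPriv), // root installs k1, designates r1
		NewEntry(2, k2Pub, r2Pub, r1Pub, r1Priv),     // k1 lost: r1 installs k2
	}
	return &Scenario{Root: rootPub, Log: log, CurrentPub: k2Pub, CurrentPriv: k2Priv, LostPub: k1Pub, LostPriv: k1Priv}
}

func main() {
	s := BuildScenario()
	art := []byte("sha256 of release-1.2.3.tar.gz") // constructed stand-in for an artifact digest
	fmt.Println("current key:", VerifyArtifact(s.Root, s.Log, art, SignArtifact(s.CurrentPriv, art)))
	fmt.Println("lost key:   ", VerifyArtifact(s.Root, s.Log, art, SignArtifact(s.LostPriv, art)))
	thiefPub, _, _ := ed25519.GenerateKey(rand.Reader)
	forged := append(append([]Entry{}, s.Log...), NewEntry(3, thiefPub, nil, s.LostPub, s.LostPriv))
	_, err := VerifyChain(s.Root, forged)
	fmt.Println("rotation by lost key:", err)
}
```

The chain alone does not detect a log that has been truncated after entry 1 (a verifier shown only the prefix would still accept k1); that is the job of the transparency log's inclusion and consistency proofs, which this example does not implement.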