Generally speaking, Transparency Logs for securing software distribution has been a research topic since around 2015, I also wrote my master thesis on the subject.
Sigstore is a Transparency Log intended for provenance and software artifacts which has support for a few different build artifacts. The container ecosystems also appears to be embracing it.
Cool practical example is pacman-bintrans from kpcyrd that throws Arch Linux packages on sigstore and (optionally) checks each package for being reproducible before installation.
https://defuse.ca/triangle-of-secure-code-delivery.htm was published in July 2014, which included Userbase Consistency Verification as a requirement... so I think that's when the use of transparency logs in solving this problem was earliest recorded.
But I'm no internet historian, so I may have missed something.
I'm no historian either. I believe there is multiple overlapping efforts that has been cropping up over the years without necessarily being aware of each other.
It would be interesting to collect the published research and blogs and get an overview.
Sigstore is a Transparency Log intended for provenance and software artifacts which has support for a few different build artifacts. The container ecosystems also appears to be embracing it.
Cool practical example is pacman-bintrans from kpcyrd that throws Arch Linux packages on sigstore and (optionally) checks each package for being reproducible before installation.
https://github.com/kpcyrd/pacman-bintrans
https://www.sigstore.dev/
I think this is generally useful for a lot of ecosystems indeed, and it's cool to also see similar scoped projects pop up to address the these issues.