arccy, 01/22/2025, 0 replies

It's not much more difficult (maybe even easier) than the GPG signing/checking that distros generally like to do.

With GPG, you get a root set of public keys that you want to trust. With Sigstore, depending on the signing method, you either trust public keys or identities (some OAuth2 identity provider, like email, or your CI system).
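The two trust models the comment contrasts, side by side, as an added example that is not part of the comment and is not Sigstore's or GnuPG's own code. It assumes a toy certificate (a JSON binding of key, OIDC issuer and subject, signed by a root key) in place of Fulcio's real X.509 certificates, Ed25519 for every key, and a constructed artifact and identities; the names `VerifyWithPinnedKey`, `VerifyWithIdentity`, `IssueCert` and `RunScenario` are this example's, not any library's. The point it shows is where the verifier's pinned trust lives: in a key list in the first model, in a root plus an identity policy in the second.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// IdentityCert is a toy stand-in for a Fulcio-style short-lived certificate
// (assumption: the real thing is X.509 with OIDC extensions; this is not it).
// It binds a signing public key to an authenticated OIDC identity.
type IdentityCert struct {
	Issuer  string            `json:"issuer"`
	Subject string            `json:"subject"`
	PubKey  ed25519.PublicKey `json:"pub_key"`
}

// SignedCert is the certificate plus the root's signature over its canonical bytes.
type SignedCert struct {
	Cert    IdentityCert
	RootSig []byte
}

func certBytes(c IdentityCert) []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err) // fixed struct shape, marshalling cannot fail
	}
	return b
}

// IssueCert plays the certificate authority: it vouches for the (key, identity) binding.
func IssueCert(rootPriv ed25519.PrivateKey, c IdentityCert) SignedCert {
	return SignedCert{Cert: c, RootSig: ed25519.Sign(rootPriv, certBytes(c))}
}

// artifactDigest is what gets signed, as with any detached signature.
func artifactDigest(artifact []byte) []byte {
	h := sha256.Sum256(artifact)
	return h[:]
}

// SignArtifact produces a detached signature over the artifact digest.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifactDigest(artifact))
}

// VerifyWithPinnedKey is the GPG-like model: the verifier ships a fixed set of
// trusted public keys (the distro keyring) and accepts a signature from any of them.
func VerifyWithPinnedKey(trusted []ed25519.PublicKey, artifact, sig []byte) error {
	d := artifactDigest(artifact)
	for _, k := range trusted {
		if ed25519.Verify(k, d, sig) {
			return nil
		}
	}
	return errors.New("signature was not made by any pinned key")
}

// IdentityPolicy is what the verifier pins in the identity model instead of a key:
// which OIDC issuer must have authenticated which subject (an email, a CI workflow).
type IdentityPolicy struct {
	Issuer  string
	Subject string
}

// VerifyWithIdentity is the Sigstore-like model: trust a root that certifies
// (key, identity) bindings, check the certified identity against policy, and only
// then use the certified key to check the artifact signature. The signing key
// itself is never pinned, so it can be short-lived and different for every signature.
func VerifyWithIdentity(root ed25519.PublicKey, policy IdentityPolicy, sc SignedCert, artifact, sig []byte) error {
	if !ed25519.Verify(root, certBytes(sc.Cert), sc.RootSig) {
		return errors.New("certificate was not issued by the trusted root")
	}
	if sc.Cert.Issuer != policy.Issuer || sc.Cert.Subject != policy.Subject {
		return fmt.Errorf("certified identity %s/%s does not match policy %s/%s",
			sc.Cert.Issuer, sc.Cert.Subject, policy.Issuer, policy.Subject)
	}
	if !ed25519.Verify(sc.Cert.PubKey, artifactDigest(artifact), sig) {
		return errors.New("artifact signature does not verify under the certified key")
	}
	return nil
}

// RunScenario exercises both models against constructed keys, identities and an
// artifact, returning the verification result for each case by name.
func RunScenario() map[string]error {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	signerPub, signerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader) // not the trusted root
	artifact := []byte("constructed release tarball bytes")  // constructed sample input
	tampered := []byte("constructed release tarball bytes!") // one byte appended
	sig := SignArtifact(signerPriv, artifact)

	policy := IdentityPolicy{Issuer: "https://accounts.example", Subject: "release@example.org"}
	good := IssueCert(rootPriv, IdentityCert{Issuer: policy.Issuer, Subject: policy.Subject, PubKey: signerPub})
	wrongSubject := IssueCert(rootPriv, IdentityCert{Issuer: policy.Issuer, Subject: "intruder@example.org", PubKey: signerPub})
	forged := IssueCert(strangerPriv, IdentityCert{Issuer: policy.Issuer, Subject: policy.Subject, PubKey: signerPub})

	return map[string]error{
		"pinned_ok":              VerifyWithPinnedKey([]ed25519.PublicKey{signerPub}, artifact, sig),
		"pinned_unknown_key":     VerifyWithPinnedKey([]ed25519.PublicKey{rootPub}, artifact, sig),
		"identity_ok":            VerifyWithIdentity(rootPub, policy, good, artifact, sig),
		"identity_wrong_subject": VerifyWithIdentity(rootPub, policy, wrongSubject, artifact, sig),
		"identity_forged_cert":   VerifyWithIdentity(rootPub, policy, forged, artifact, sig),
		"identity_tampered":      VerifyWithIdentity(rootPub, policy, good, tampered, sig),
	}
}

func main() {
	for name, err := range RunScenario() {
		fmt.Printf("%-23s %v\n", name, err)
	}
}
```

The order of checks in `VerifyWithIdentity` is the part worth copying: a valid artifact signature under a key the root never certified, or certified for the wrong identity, must fail before the signature is even looked at, otherwise the identity policy is decorative.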