Kelechi Kalu
Students: for Spring 2026, unless noted otherwise, sessions will be virtual on Zoom.
Software Signing in Practice: Lessons from Adoption and Usability Toward Broader Supply Chain Trust
Mar 25, 2026
Watch on YouTube
Abstract
Software signing is a foundational mechanism for improving software supply-chain security because it helps establish artifact provenance, integrity, and authenticity across organizational boundaries. Yet the security value of software signing depends not only on cryptographic design, but also on whether signing is adopted, integrated, and used correctly in practice. This research examines these questions across multiple empirical settings, from industry deployment to modern open-source signing tools and ecosystems.

In this talk, I synthesize findings from a set of studies on software signing in practice. I first discuss how organizations adopt and operationalize signing, then turn to identity-based signing using Sigstore as a case study of next-generation signing usability. I next present longitudinal evidence across five identity-based signing ecosystems showing that newer designs reduce some historical burdens, especially around key management, but do not eliminate usability challenges. Instead, friction shifts toward verification workflows, policy and configuration surfaces, and deployment integration boundaries. These lessons point beyond artifact signing alone: building trustworthy software supply chains will require broader trust mechanisms, including actor-centred approaches such as the envisioned ARMS.
About the Speaker
