CERIAS 2025 Annual Security Symposium


2025 Symposium Posters


Software Signing: Practical Adoption, Challenges, and Tooling Usability



Primary Investigator:
Jamie Davis

Project Members
Kelechi G. Kalu, Santiago Torres-Arias, and James C. Davis
Abstract
Software signing is a critical mechanism for ensuring the integrity and authenticity of software components in the supply chain. Despite its importance and regulatory recommendations, adoption remains low, and the quality of software signatures is often inadequate. While prior research has examined the technical aspects of signing, in-depth industry perspectives on the challenges and drivers of adoption are lacking, and little research has explored the usability of signing tools and their role in influencing adoption. To address these gaps, we interviewed 18 experienced security practitioners across multiple organizations to understand how software signing is practiced, the usability and adoption challenges of signing tools, and the factors that drive tool evolution. Our findings reveal that: (1) tool usability significantly affects adoption, with integration complexity, automation, and compliance requirements shaping practitioners’ choices; (2) technical, organizational, and human factors create barriers to effective implementation; (3) practitioners hold diverse views on the importance of signing, with some regarding it as essential for provenance and others as a secondary or compliance-driven measure; and (4) internal and external events, such as security incidents and regulatory mandates, play a key role in shaping signing practices. Our study provides insight into the evolving landscape of software signing adoption and offers recommendations to improve tool usability, standardization, and policy alignment in order to strengthen software supply chain security.