The software supply chain security problem arises from integrating software components from several sources. The integrity of these components is ensured by the use of provenance tools, of which software signing is the strongest guarantee. While software signing has been recommended by regulation and industry consortia, practical adoption of software signing has been generally limited. While tooling has been recognized as a key factor influencing software signing adoption and quality by previous studies, most research has focused primarily on its user interface aspects, with little research on other usability considerations like tool selection, user challenges, software engineering process integration intricacies, etc.To understand how software tools influence the practice and adoption of software signing, we study the formative usability of Sigstore, a modern and widely adopted software signing tool. We interviewed thirteen (13) experienced security practitioners to study the factors that influence the selection of a tool, the problems associated with the use of such tools, how practitioners' software signing tools have evolved, and what drives this migration. To summarize our findings: (1) We highlight the various factors practitioners consider before adopting a software signing tool; (2) We highlight the problems and advantages associated with the current tooling choices of practitioners; and (3) We describe the evolution of tooling adoption of our sample population. Our findings provide the software signing tool development community with valuable insights to improve their design of software signing tools.
View on arXiv@article{kalu2025_2503.00271,
title={ Why Johnny Signs with Sigstore: Examining Tooling as a Factor in Software Signing Adoption in the Sigstore Ecosystem },
author={ Kelechi G. Kalu and Sofia Okorafor and Tanmay Singla and Santiago Torres-Arias and James C. Davis },
journal={arXiv preprint arXiv:2503.00271},
year={ 2025 }
}