CERIAS Weekly Security Seminar - Purdue University
Mar 25, 2026 · 1h 3m · Episode #912 · Video

Kelechi Kalu, Software Signing in Practice: Lessons from Adoption and Usability Toward Broader Supply Chain Trust

Show notes

Software signing is a foundational mechanism for improving software supply-chain security because it helps establish artifact provenance, integrity, and authenticity across organizational boundaries. Yet the security value of software signing depends not only on cryptographic design, but also on whether signing is adopted, integrated, and used correctly in practice. This research examines these questions across multiple empirical settings, from industry deployment to modern open-source signing tools and ecosystems.

In this talk, I synthesize findings from a set of studies on software signing in practice. I first discuss how organizations adopt and operationalize signing, then turn to identity-based signing using Sigstore as a case study of next-generation signing usability. I next present longitudinal evidence across five identity-based signing ecosystems showing that newer designs reduce some historical burdens, especially around key management, but do not eliminate usability challenges. Instead, friction shifts toward verification workflows, policy and configuration surfaces, and deployment integration boundaries. These lessons point beyond artifact signing alone: building trustworthy software supply chains will require broader trust mechanisms, including actor-centered approaches such as ARMS as envisioned.

About the speaker

Kelechi Kalu is a fourth-year Ph.D. student in Electrical and Computer Engineering at Purdue University and a member of the Duality Lab, where he is advised by Prof. James C. Davis. His research focuses on software and AI security, especially software supply-chain security, usability, and trust in open-source ecosystems. His recent work examines software signing adoption in practice, the usability of identity-based signing tools such as Sigstore, and broader actor-centered trust mechanisms for software ecosystems. His work has appeared at USENIX Security, IEEE S&P, and ESEC/FSE. He previously interned at Microsoft Research in 2024 and received the Best Poster Award at the 2025 CERIAS Annual Security Symposium.
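The show notes describe friction moving from key management to verification workflows and policy surfaces once signing is identity-based. The following Python is an added illustration of that point; it is not code from the talk, from the speaker, or from the Sigstore project. It checks a constructed, cosign-style verification result against an identity policy and shows how an unanchored identity regexp admits signers the policy author never intended. The JSON shape is modeled on the array `cosign verify` prints for a keyless signature (signer identity and OIDC issuer in the `optional` map); the repository names, digest and workflow paths are invented. The exact-match versus regexp split mirrors cosign's `--certificate-identity` and `--certificate-identity-regexp` options, and applying the regexp as an unanchored search is an assumption modeled on Go's `regexp.MatchString`; confirm the semantics of whatever verifier you deploy.

```python
import json
import re
from typing import Optional

# Constructed sample shaped like `cosign verify` JSON output for a keyless
# signature. Nothing here came from a real registry or transparency log.
ISSUER = "https://token.actions.githubusercontent.com"
GENUINE = "https://github.com/example-org/app/.github/workflows/release.yml@refs/heads/main"
SAMPLE_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "registry.example.com/example-org/app"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        "optional": {"Issuer": ISSUER, "Subject": GENUINE},
    }
])

# Constructed subjects a verifier might see on a cryptographically valid
# signature that was nevertheless produced by the wrong workflow.
OTHER_SUBJECTS = [
    # a fork whose name merely starts with the expected repository name
    "https://github.com/example-org/app-fork/.github/workflows/release.yml@refs/heads/main",
    # an unrelated owner that happens to use the same repository name
    "https://github.com/attacker/app/.github/workflows/release.yml@refs/heads/main",
    # the right repository, but a feature branch rather than the release branch
    "https://github.com/example-org/app/.github/workflows/release.yml@refs/heads/feature-x",
]


def signer_identities(verify_json: str) -> list:
    """Return (issuer, subject) pairs for every signature in the verify output."""
    pairs = []
    for sig in json.loads(verify_json):
        opt = sig.get("optional") or {}
        issuer, subject = opt.get("Issuer"), opt.get("Subject")
        if issuer and subject:
            pairs.append((issuer, subject))
    return pairs


def identity_allowed(issuer: str, subject: str, *, expected_issuer: str,
                     identity: Optional[str] = None,
                     identity_regexp: Optional[str] = None) -> bool:
    """Policy check on a signer identity.

    The OIDC issuer must match exactly. The subject must then match either an
    exact identity string or a regexp. The regexp is applied as an unanchored
    search (assumption: Go regexp.MatchString semantics), which is the footgun
    demonstrated below. With no identity constraint at all, refuse.
    """
    if issuer != expected_issuer:
        return False
    if identity is not None:
        return subject == identity
    if identity_regexp is not None:
        return re.search(identity_regexp, subject) is not None
    return False


def admitted(policy: dict) -> list:
    """Which of the constructed wrong-workflow subjects does a policy accept?"""
    return [s for s in OTHER_SUBJECTS if identity_allowed(ISSUER, s, **policy)]


# Three ways of expressing "only our release workflow may sign":
LOOSE_POLICY = {  # unanchored prefix: admits forks and other branches
    "expected_issuer": ISSUER,
    "identity_regexp": "https://github.com/example-org/app",
}
STRICT_REGEXP_POLICY = {  # anchored and escaped: admits only the release branch
    "expected_issuer": ISSUER,
    "identity_regexp": r"^https://github\.com/example-org/app/\.github/workflows/release\.yml@refs/heads/main$",
}
EXACT_POLICY = {  # exact string match: the safest default
    "expected_issuer": ISSUER,
    "identity": GENUINE,
}


if __name__ == "__main__":
    for issuer, subject in signer_identities(SAMPLE_VERIFY_OUTPUT):
        print("signed by", subject, "via", issuer)
    for name, policy in [("loose", LOOSE_POLICY), ("strict regexp", STRICT_REGEXP_POLICY),
                         ("exact", EXACT_POLICY)]:
        print(f"{name:14s} admits genuine: {identity_allowed(ISSUER, GENUINE, **policy)}"
              f"  admits others: {admitted(policy)}")
```

All three policies accept the genuine release workflow, so a smoke test against a good artifact will not reveal the difference; only the loose regexp also accepts the fork and the feature branch. This is the kind of verification-side configuration error the talk points to: the cryptography and the issuer check are sound, and the weakness lives entirely in the policy string.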