Why Johnny Signs with Next-Generation Tools: A Usability Case Study of Sigstore

Kelechi G. Kalu, Sofia Okorafor, Tanmay Singla, Sophie Chen, Santiago Torres-Arias, James C. Davis

Published: 2025/3/1

Abstract

Software signing is the most robust method for ensuring the integrity and authenticity of components in a software supply chain. Traditional signing tools burdened practitioners with key management and signer identification, creating both usability challenges and security risks. A new class of next-generation signing tools has automated many of these concerns, but little is known about their usability and its effect on adoption and effectiveness in practice. A usability evaluation can clarify the extent to which next-generation designs succeed and highlight priorities for improvement. To fill this gap, we conducted a usability study of Sigstore, a pioneering and widely adopted exemplar of next-generation signing. Through interviews with 17 industry experts, we examined (1) the problems and advantages associated with practitioners' tooling choices, (2) how and why their signing-tool usage has evolved over time, and (3) the contexts that cause usability concerns. Our findings illuminate the usability factors of next-generation signing tools and yield recommendations for toolmakers, adopting organizations, and the research community. Notably, components of next-generation tooling exhibit different levels of maturity and readiness for adoption, and integration flexibility is a common pain point, though one that plugins and APIs could potentially mitigate. Our results will help next-generation signing toolmakers further strengthen software supply chain security.