Kelechi G. Kalu, Sofia Okorafor, and Tanmay Singla, Purdue University; Sophie Chen, Carnegie Mellon University; Santiago Torres-Arias and James C. Davis, Purdue University
Software signing is the most robust method for ensuring the integrity and authenticity of components in a software supply chain. Traditional signing tools burdened practitioners with key management and signer identification, creating both usability challenges and security risks. A new class of next-generation signing tools has automated many of these concerns, but little is known about their usability and its effect on adoption and effectiveness in practice. A usability evaluation can clarify the extent to which next-generation designs succeed and highlight priorities for improvement.
To fill this gap, we conducted the first usability study of Sigstore, a pioneering and widely adopted exemplar of next-generation signing. Through interviews with 17 industry experts, we examined (1) the problems and advantages associated with practitioners' tooling choices, (2) how and why their signing-tool usage has evolved over time, and (3) the contexts that cause usability concerns. Our findings illuminate the usability factors of next-generation signing tools and yield recommendations for toolmakers, adopting organizations, and the research community. Notably, components of next-generation tooling exhibit different levels of maturity and readiness for adoption, and integration flexibility is a common pain point, but potentially mitigable through plugins and APIs. Our results will help next-generation signing toolmakers further strengthen software supply chain security.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
