
arxiv: 2503.00271 · v6 · submitted 2025-03-01 · 💻 cs.SE · cs.CR

Why Johnny Adopts Identity-Based Software Signing: A Usability Case Study of Sigstore

Pith reviewed 2026-05-23 01:50 UTC · model grok-4.3

classification 💻 cs.SE cs.CR
keywords: software signing · usability study · Sigstore · identity-based signing · software supply chain · expert interviews · adoption factors

The pith

Interviews with 17 experts show identity-based signing tools ease key management but vary in component maturity and integration ease.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper reports the first usability study of Sigstore, an identity-based signing tool, through interviews examining why practitioners choose it over legacy key-managed tools. It identifies advantages in automation of signer identification and key handling alongside persistent pain points in component readiness and integration flexibility. The work aims to clarify which design elements succeed in practice and to produce targeted recommendations for toolmakers, organizations, and researchers seeking stronger software supply chain security.

Core claim

The study finds that identity-based tooling components exhibit different levels of maturity and readiness for adoption, with integration flexibility emerging as a common pain point that plugins and APIs can potentially mitigate.

What carries the argument

Semi-structured interviews with 17 industry experts that probe tooling choice problems, usage evolution over time, and specific usability concern contexts.

If this is right

  • Toolmakers should prioritize plugin and API support to address the most frequent adoption friction.
  • Organizations can expect reduced signer identification effort once identity-based components reach higher maturity.
  • The research community gains concrete priorities for evaluating other identity-based signing systems.
  • Adoption decisions will likely hinge on matching an organization's integration needs to the current state of each tooling component.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Improved integration layers could accelerate replacement of legacy signing tools across more development environments.
  • The maturity differences noted here may recur in other identity-based security tools, suggesting a general pattern worth testing.
  • Quantitative metrics on signing error rates before and after adoption would complement the qualitative interview data.

Load-bearing premise

The views expressed by these 17 experts sufficiently represent the range of industry experiences with signing-tool adoption decisions.

What would settle it

A follow-up study sampling practitioners from additional sectors or company sizes that reports materially different maturity rankings or integration barriers would undermine the reported patterns.

Figures

Figures reproduced from arXiv: 2503.00271 by James C. Davis, Kelechi G. Kalu, Santiago Torres-Arias, Sofia Okorafor, Sophie Chen, Tanmay Singla.

Figure 1: Study Methodology and Usability Framework. We developed our interview protocol by reviewing academic and grey
Figure 2: Sigstore Signing Workflow. The software author
Figure 3: Practitioners' Changes in Software Signing Tools.
Figure 4: Tools vs. Evaluation Criteria. Reported usability issues across organizational contexts. Heatmaps show the number
Figure 5: Push-pull-barrier heatmap.
Figure 6: Typical workflow for software signing and verifying
Figure 8: Saturation curve. Interviews are plotted in the order
Figure 9: Heatmap showing the organizational usability con
Original abstract

Software signing is the most robust method for ensuring the integrity and authenticity of components in a software supply chain. Legacy key-managed signing tools (e.g., OpenPGP) burdened practitioners with key management and signer identification, creating both usability challenges and security risks. A new class of identity-based signing tools automate many of these concerns, but little is known about their usability and its effect on their adoption and effectiveness in practice. A usability evaluation can clarify the extent to which identity-based designs succeed and highlight priorities for improvement. To fill this gap, we conducted the first usability study of Sigstore, a pioneering and widely adopted exemplar of identity-based signing. Through interviews with 17 industry experts, we examined (1) the problems and advantages associated with practitioners' tooling choices, (2) how and why their signing-tool usage has evolved over time, and (3) the contexts that cause usability concerns. Our findings illuminate the usability factors of identity-based signing tools and yield recommendations for toolmakers, adopting organizations, and the research community. Notably, components of identity-based tooling exhibit different levels of maturity and readiness for adoption, and integration flexibility is a common pain point but potentially mitigable through plugins and APIs. Our results will help identity-based signing toolmakers further strengthen software supply chain security.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper presents the first usability study of Sigstore, an identity-based software signing tool. Based on interviews with 17 industry experts, it examines problems and advantages of signing-tool choices, the evolution of practitioners' usage over time, and contexts that trigger usability concerns. The authors derive recommendations for toolmakers, adopting organizations, and researchers, noting that components of identity-based tooling show different maturity levels and that integration flexibility is a common pain point potentially addressable via plugins and APIs.

Significance. If the findings hold, the work supplies timely empirical evidence on adoption barriers for identity-based signing, directly relevant to software supply chain security. It fills a documented gap between legacy key-management tools and newer automated approaches. The study is strengthened by its practitioner focus and explicit recommendations, though its value is limited by the absence of methodological transparency.

major comments (2)
  1. [Methods] Methods section (and abstract): the description of the interview study provides no information on recruitment strategy, interview protocol, coding process, inter-rater procedures, or saturation criteria. Because the central claims about usability factors, maturity differences, and recommendations rest entirely on the 17-expert sample, this omission is load-bearing and prevents assessment of selection bias or generalizability.
  2. [Findings and Recommendations] §5 (Findings) and §6 (Recommendations): the claims that 'components exhibit different levels of maturity' and that 'integration flexibility is a common pain point' are presented as generalizable without evidence that the sample includes non-adopters, smaller organizations, or diverse roles sufficient to support those generalizations.
minor comments (2)
  1. [Abstract] Abstract: the phrase 'the first usability study' appears without a supporting citation or explicit scope limitation; a brief qualifier would improve precision.
  2. [Results] Table or figure captions (if present): ensure all participant demographics or role distributions are summarized so readers can evaluate sample composition without returning to the text.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive feedback, which highlights important areas for improving methodological transparency and the framing of our findings. We address each major comment below and commit to revisions that strengthen the manuscript without altering its core contributions.

Point-by-point responses
  1. Referee: [Methods] Methods section (and abstract): the description of the interview study provides no information on recruitment strategy, interview protocol, coding process, inter-rater procedures, or saturation criteria. Because the central claims about usability factors, maturity differences, and recommendations rest entirely on the 17-expert sample, this omission is load-bearing and prevents assessment of selection bias or generalizability.

    Authors: We agree that the Methods section in the submitted version lacks the necessary detail on these elements. This was an oversight during preparation. In the revised manuscript, we will expand the Methods section (and update the abstract) to describe the recruitment strategy (targeted outreach via professional networks, industry conferences, and direct invitations to experts with signing experience), the semi-structured interview protocol, the thematic analysis coding process (including codebook development and iteration), inter-rater reliability procedures (independent coding of a subset by two researchers with discrepancy resolution), and saturation criteria (continued interviewing until no new themes emerged). These additions will enable readers to assess potential biases and the study's scope. revision: yes

  2. Referee: [Findings and Recommendations] §5 (Findings) and §6 (Recommendations): the claims that 'components exhibit different levels of maturity' and that 'integration flexibility is a common pain point' are presented as generalizable without evidence that the sample includes non-adopters, smaller organizations, or diverse roles sufficient to support those generalizations.

    Authors: The sample comprises 17 industry experts with direct experience in software signing decisions, including both adopters of identity-based tools and practitioners who evaluated but did not adopt them. We recognize that the sample skews toward medium-to-large organizations and may not capture the full range of smaller organizations or role diversity. In the revision, we will qualify the language in §5 and §6 to explicitly frame these observations as patterns identified within this expert sample, note the limitation regarding organizational scale and non-adopter breadth, and avoid language that implies broader generalizability. The core empirical patterns and recommendations will remain but will be presented with appropriate scope limitations. revision: partial

Circularity Check

0 steps flagged

No significant circularity: empirical qualitative study self-contained in interview data

Full rationale

This is a qualitative usability case study whose central claims derive from thematic analysis of 17 expert interviews. No equations, fitted parameters, self-citations, or uniqueness theorems appear in the derivation chain. The findings on usability factors, tool evolution, and recommendations rest directly on the collected interview evidence rather than reducing to any input by construction or prior self-referential work.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim depends on the assumption that interview self-reports accurately reflect real-world usability and adoption drivers; no free parameters or invented entities are introduced.

axioms (1)
  • domain assumption: Self-reported experiences from a convenience sample of 17 experts accurately capture the usability factors and adoption contexts of identity-based signing tools across the industry.
    The study design and generalization of findings rest on this premise about interview validity and representativeness.

pith-pipeline@v0.9.0 · 5781 in / 1307 out tokens · 44771 ms · 2026-05-23T01:50:07.039280+00:00 · methodology


Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Analysis of Commit Signing on Github

    cs.SE 2026-04 unverdicted novelty 8.0

    Ecosystem-scale measurement shows commit signing on GitHub is rarely deliberate or sustained by developers, with rising lapse rates and unrevoked expired keys, so supply-chain security frameworks relying on it do not ...

  2. Human-Certified Module Repositories for the AI Age

    cs.ET 2026-03 unverdicted novelty 4.0

    Human-Certified Module Repositories (HCMRs) are proposed as a new architectural model blending human oversight with automated analysis to certify reusable software modules for safe assembly by humans and AI agents.

Reference graph

Works this paper leans on

106 extracted references · 106 canonical work pages · cited by 2 Pith papers · 1 internal anchor
