An Industry Interview Study of Software Signing for Supply Chain Security
Kelechi G. Kalu
34th USENIX Security Symposium (USENIX Security '25) · Day 1 · Social Issues and Usable Security and Privacy
Kelechi G. Kalu, a third-year PhD student at Purdue University, presented a seminal industry interview study on how software signing is implemented in practice for supply chain security. This research, supported by the NSF, Cisco, and Google, is the first in-depth interview study of software signing practices in industry, and it offers critical insights into the current state of signing, its challenges, and how practitioners perceive its importance. The talk presents a refined software supply chain factory model that shows where signatures are best created and verified, and reports empirical data on the prevalent organizational, technical, and human challenges that hinder effective signing.
AI review
Solid academic work that quantifies a real problem — signing without verification is widespread and the study's refined factory model gives practitioners a cleaner mental map of where the gaps live. It's a competent conference paper presentation, not a practitioner talk, and the findings won't shock anyone who's spent time in CI/CD pipelines or watched Sigstore adoption metrics.