Developer Tools

A Longitudinal Study of Usability in Identity-Based Software Signing

First longitudinal study of Sigstore, OpenPubKey, Vault, Keyfactor, and Notary v2 reveals persistent verification friction.

Deep Dive

A team of researchers from Purdue University and Red Hat has published the first longitudinal study analyzing the usability of identity-based software signing tools. The study, titled "A Longitudinal Study of Usability in Identity-Based Software Signing," mined approximately 3,900 GitHub issues filed between November 2021 and November 2025 across five open-source ecosystems: Sigstore, OpenPubKey, HashiCorp Vault, Keyfactor, and Notary v2. Identity-based signing aims to replace the management of long-lived cryptographic keys with verifiable provenance tied to a developer's or workflow's authenticated identity, but it only improves supply-chain integrity if it is adopted, and usability problems are what hold adoption back.

Using a Poisson trend analysis, the researchers found that while the rate of reported usability issues has substantially declined for most ecosystems over the four-year period, significant friction points persist. The analysis revealed that reported concerns are heavily concentrated in three areas: verification workflows (ensuring a signature is valid), policy and configuration surfaces (setting up rules), and integration boundaries (connecting the tool to existing systems). Notably, problems related to verification semantics and deployment integration have not declined as evenly as other issue types.

The core finding is that identity-based signing successfully reduces the traditional burden of key management but inadvertently relocates complexity. The complexity is now centered on understanding verification semantics, configuring policies correctly, and integrating the tools into existing CI/CD release workflows. The study concludes that for future signing ecosystems to be widely adopted, designers must treat verification and release workflow usability as primary design goals, not secondary integration concerns.
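The two preceding paragraphs single out verification semantics and policy configuration as the friction that remains once key management is gone. The added example below (constructed for this article, not code from the study or from any of the five projects) models the decision a verifier still has to make after the cryptographic checks pass: does the identity and OIDC issuer bound into a short-lived certificate actually match the policy? Field names, the `acme/app` workflow identities and the policies are all constructed; the shape of the identity (a workflow URI plus an issuer URL) follows what a Sigstore Fulcio certificate records, but nothing here talks to a real service.

```python
"""Constructed example: the identity/issuer decision in identity-based signing.

Assumes the signature over the artifact, the certificate chain and the
transparency-log inclusion have already been checked. What is left is the
part the study found users struggle with: stating and evaluating *who* is
allowed to have signed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SignerIdentity:
    # Values a Fulcio-style short-lived certificate binds to a signature.
    # The field names are ours, not a library's.
    subject: str  # identity from the certificate SAN (workflow URI, e-mail, ...)
    issuer: str   # OIDC issuer that authenticated that identity


@dataclass(frozen=True)
class Policy:
    issuer: str
    identity: Optional[str] = None          # exact identity, or
    identity_regexp: Optional[str] = None   # a pattern that must match in full


def verify_identity(policy: Policy, signer: SignerIdentity) -> Tuple[bool, str]:
    """Strict evaluation: issuer must match exactly, identity must be pinned
    and must match the whole subject. Returns (accepted, reason)."""
    if signer.issuer != policy.issuer:
        return False, f"issuer {signer.issuer!r} is not {policy.issuer!r}"
    if policy.identity is not None:
        if signer.subject == policy.identity:
            return True, "exact identity match"
        return False, f"identity {signer.subject!r} is not {policy.identity!r}"
    if policy.identity_regexp is not None:
        if re.fullmatch(policy.identity_regexp, signer.subject):
            return True, "identity matches anchored pattern"
        return False, f"identity {signer.subject!r} does not match pattern"
    # An issuer-only policy would accept any signer that issuer ever
    # authenticated, so treat it as a configuration error rather than a pass.
    return False, "policy pins no identity; refusing to verify"


def verify_identity_loose(policy: Policy, signer: SignerIdentity) -> bool:
    """The misconfiguration to avoid: a substring search instead of a full
    match lets a look-alike repository name satisfy the policy."""
    if signer.issuer != policy.issuer:
        return False
    pattern = policy.identity_regexp or re.escape(policy.identity or "")
    return re.search(pattern, signer.subject) is not None


GITHUB_OIDC = "https://token.actions.githubusercontent.com"

# Constructed identities. LOOKALIKE is a different repository whose name merely
# starts with the release repository's; OTHER_ISSUER has the right subject but
# was authenticated by a different identity provider.
RELEASE = SignerIdentity(
    "https://github.com/acme/app/.github/workflows/release.yml@refs/tags/v1.2.0",
    GITHUB_OIDC)
LOOKALIKE = SignerIdentity(
    "https://github.com/acme/app-mirror/.github/workflows/release.yml@refs/tags/v1.2.0",
    GITHUB_OIDC)
OTHER_ISSUER = SignerIdentity(RELEASE.subject, "https://accounts.google.com")

STRICT = Policy(
    issuer=GITHUB_OIDC,
    identity_regexp=(r"https://github\.com/acme/app/\.github/workflows/"
                     r"release\.yml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+"),
)
# A partial pattern, as someone might write it after the full one failed once.
PARTIAL = Policy(issuer=GITHUB_OIDC, identity_regexp=r"github\.com/acme/app")


def demo() -> dict:
    """Run every policy/signer pairing and return accept (True) / reject (False)."""
    return {
        "strict_release": verify_identity(STRICT, RELEASE)[0],
        "strict_lookalike": verify_identity(STRICT, LOOKALIKE)[0],
        "strict_other_issuer": verify_identity(STRICT, OTHER_ISSUER)[0],
        "partial_fullmatch_lookalike": verify_identity(PARTIAL, LOOKALIKE)[0],
        "partial_search_lookalike": verify_identity_loose(PARTIAL, LOOKALIKE),
        "issuer_only_lookalike": verify_identity(Policy(issuer=GITHUB_OIDC), LOOKALIKE)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28} {'accept' if accepted else 'reject'}")
```

The only pairing that wrongly accepts is the substring search against the partial pattern; the same partial pattern evaluated with a full match rejects the look-alike, and an issuer-only policy is refused outright. That is the point the study's issue data makes in a different way: once keys are gone, the security of the scheme lives in how the verifier interprets identity and issuer, so those semantics, and the policy surface that expresses them, deserve the same design attention signing itself received.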

Key Points
  • Analyzed ~3,900 GitHub issues from 5 tools (Sigstore, OpenPubKey, Vault, Keyfactor, Notary v2) over 4 years (2021-2025).
  • Found usability issues have declined overall, but verification workflows and configuration remain top friction points.
  • Concludes identity-based signing shifts complexity to verification semantics and integration, requiring them to be first-class design targets.

Why It Matters

Unusable security tools lead to misconfiguration and skipped steps, creating false confidence and undermining software supply chain integrity.