CERIAS Weekly Security Seminar - Purdue University

The weekly CERIAS security seminar has been held every semester since spring of 1992. We invite personnel at Purdue and visitors from outside to present on topics of particular interest to them in the areas of computer and network security, computer crime
Author: CERIAS

CERIAS, the nation's top-ranked interdisciplinary academic education and research institute, hosts a weekly speaker on cyber security, privacy, resiliency or autonomy, highlighting technical discoveries, case studies, or cyber operational approaches. The talks are not product demonstrations, service sales pitches, or company recruitment presentations. Join us weekly, or explore 25 years of archives for the who's-who in cybersecurity.
Language: en-us
Genres: Courses, Education, Technology
Kelechi Kalu, Software Signing in Practice: Lessons from Adoption and Usability Toward Broader Supply Chain Trust
Episode 912
Wednesday, 25 March, 2026
Software signing is a foundational mechanism for improving software supply-chain security because it helps establish artifact provenance, integrity, and authenticity across organizational boundaries. Yet the security value of software signing depends not only on cryptographic design, but also on whether signing is adopted, integrated, and used correctly in practice. This research examines these questions across multiple empirical settings, from industry deployment to modern open-source signing tools and ecosystems.

In this talk, I synthesize findings from a set of studies on software signing in practice. I first discuss how organizations adopt and operationalize signing, then turn to identity-based signing using Sigstore as a case study of next-generation signing usability. I next present longitudinal evidence across five identity-based signing ecosystems showing that newer designs reduce some historical burdens, especially around key management, but do not eliminate usability challenges. Instead, friction shifts toward verification workflows, policy and configuration surfaces, and deployment integration boundaries. These lessons point beyond artifact signing alone: building trustworthy software supply chains will require broader trust mechanisms, including actor-centered approaches such as the envisioned ARMS.

About the speaker: Kelechi Kalu is a fourth-year Ph.D. student in Electrical and Computer Engineering at Purdue University and a member of the Duality Lab, where he is advised by Prof. James C. Davis. His research focuses on software and AI security, especially software supply-chain security, usability, and trust in open-source ecosystems. His recent work examines software signing adoption in practice, the usability of identity-based signing tools such as Sigstore, and broader actor-centered trust mechanisms for software ecosystems. His work has appeared at USENIX Security, IEEE S&P, and ESEC/FSE. He previously interned at Microsoft Research in 2024 and received the Best Poster Award at the 2025 CERIAS Annual Security Symposium.
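The shift the abstract describes, from key management on the producer side to policy and configuration on the consumer side, can be made concrete with a small model of identity-based ("keyless") signing. The Go program below is an added illustration written for this page; it is not code from the seminar, the speaker, or the Sigstore project, and it is not Sigstore's certificate, bundle or transparency-log format. Everything in it is constructed: the CA is a single Ed25519 key standing in for a certificate authority, the identity and issuer strings are made up, and OIDC token validation, certificate expiry and transparency logging are assumed to have happened elsewhere rather than modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is what an identity provider vouched for at signing time.
// Constructed model; real systems carry this inside an X.509 certificate.
type Identity struct {
	Subject string // e.g. a CI workflow or e-mail identity (constructed)
	Issuer  string // the provider that authenticated Subject (constructed)
}

// Cert binds an ephemeral signing key to an Identity under the CA's signature.
type Cert struct {
	PublicKey ed25519.PublicKey
	Signer    Identity
	CASig     []byte
}

// Bundle is what ships next to the artifact for the consumer to verify.
type Bundle struct {
	Digest    [32]byte
	Signature []byte
	Cert      Cert
}

// Policy is the consumer's configuration surface: the trusted CA root and
// the one identity/issuer pair allowed to sign this artifact.
type Policy struct {
	TrustedCA      ed25519.PublicKey
	AllowedSubject string
	AllowedIssuer  string
}

// CA stands in for the certificate authority of an identity-based signing
// service. A real CA would validate an identity token before issuing.
type CA struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewCA() (*CA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &CA{priv: priv, Pub: pub}, nil
}

// certBytes is the message the CA signs: the fixed 32-byte key, the subject,
// a NUL separator, then the issuer (constructed subjects contain no NUL).
func certBytes(pub ed25519.PublicKey, id Identity) []byte {
	msg := append([]byte{}, pub...)
	msg = append(msg, id.Subject...)
	msg = append(msg, 0)
	return append(msg, id.Issuer...)
}

// Issue certifies that pub belongs to id (token validation assumed done).
func (ca *CA) Issue(pub ed25519.PublicKey, id Identity) Cert {
	return Cert{PublicKey: pub, Signer: id, CASig: ed25519.Sign(ca.priv, certBytes(pub, id))}
}

// Sign makes a one-time key, has it certified, signs the artifact digest and
// lets the private key go out of scope: nothing for the producer to store or rotate.
func Sign(ca *CA, artifact []byte, id Identity) (Bundle, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Bundle{}, err
	}
	digest := sha256.Sum256(artifact)
	return Bundle{Digest: digest, Signature: ed25519.Sign(priv, digest[:]), Cert: ca.Issue(pub, id)}, nil
}

// Verify is the consumer side. Steps 1-3 are cryptographic checks; step 4 is
// the policy check the consumer must configure correctly for signing to mean anything.
func Verify(artifact []byte, b Bundle, p Policy) error {
	if !ed25519.Verify(p.TrustedCA, certBytes(b.Cert.PublicKey, b.Cert.Signer), b.Cert.CASig) {
		return errors.New("certificate was not issued by the trusted CA")
	}
	if !ed25519.Verify(b.Cert.PublicKey, b.Digest[:], b.Signature) {
		return errors.New("signature does not verify under the certified key")
	}
	if sha256.Sum256(artifact) != b.Digest {
		return errors.New("artifact does not match the signed digest")
	}
	if b.Cert.Signer.Subject != p.AllowedSubject || b.Cert.Signer.Issuer != p.AllowedIssuer {
		return fmt.Errorf("signer %s via %s not allowed by policy", b.Cert.Signer.Subject, b.Cert.Signer.Issuer)
	}
	return nil
}

func main() {
	ca, _ := NewCA()
	id := Identity{Subject: "release@builder.example.test", Issuer: "https://idp.example.test"}
	artifact := []byte("constructed release artifact") // constructed sample input
	b, _ := Sign(ca, artifact, id)
	good := Policy{TrustedCA: ca.Pub, AllowedSubject: id.Subject, AllowedIssuer: id.Issuer}
	fmt.Println("correct policy:     ", Verify(artifact, b, good))
	bad := good
	bad.AllowedIssuer = "https://other-idp.example.test" // a consumer-side misconfiguration
	fmt.Println("wrong issuer pinned:", Verify(artifact, b, bad))
	fmt.Println("tampered artifact:  ", Verify([]byte("tampered"), b, good))
}
```

Run as written, the first verification succeeds and the other two fail. The second failure is the point: the signature and certificate are perfectly valid, yet a consumer who pins the wrong issuer (or, just as easily, accepts any issuer) gets either a false rejection or a meaningless acceptance. In the model there is no long-lived key to lose or rotate, but the trust decision has moved into `Policy`, which is exactly the verification and configuration surface the abstract identifies as the new source of friction.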