Increasing complexity in software supply chains is compounded by low adoption rates and inconsistent implementation of software signing practices, undermining trust in software provenance and integrity. Method: We conducted semi-structured interviews with 18 security practitioners across 13 organizations and applied thematic coding alongside cross-organizational comparative analysis. Contribution/Results: We systematically identify technical, organizational, and human barriers to signing adoption; propose the first practice-oriented “Software Supply Chain Factory Signing Model”; reveal industry-wide divergences in perceived necessity of signing; and demonstrate how internal/external security incidents and evolving compliance requirements dynamically shape adoption decisions. Our four core findings provide empirical grounding for optimizing standards, guiding tool development, and strengthening enterprise governance—advancing software signing from superficial compliance toward substantively effective assurance.

Many software products are composed of components integrated from other teams or external parties. Each additional link in a software product's supply chain increases the risk of the injection of malicious behavior. To improve supply chain provenance, many cybersecurity frameworks, standards, and regulations recommend the use of software signing. However, recent surveys and measurement studies have found that the adoption rate and quality of software signatures are low. We lack in-depth industry perspectives on the challenges and practices of software signing. To understand software signing in practice, we interviewed 18 experienced security practitioners across 13 organizations. We study the challenges that affect the effective implementation of software signing in practice. We also provide possible impacts of experienced software supply chain failures, security standards, and regulations on software signing adoption. To summarize our findings: (1) We present a refined model of the software supply chain factory model highlighting practitioner's signing practices; (2) We highlight the different challenges-technical, organizational, and human-that hamper software signing implementation; (3) We report that experts disagree on the importance of signing; and (4) We describe how internal and external events affect the adoption of software signing. Our work describes the considerations for adopting software signing as one aspect of the broader goal of improved software supply chain security.