🤖 AI Summary
Despite growing adoption of software signing tools like Sigstore, barriers to their integration in real-world engineering environments remain poorly understood.
Method: We conducted semi-structured interviews with 13 senior security practitioners and applied thematic coding and practice modeling to analyze tool selection logic, CI/CD integration challenges, organizational process adaptation, and evolutionary trajectories—framed through the lens of formative usability.
Contribution/Results: Our study moves beyond interface-centric usability to identify three core adoption mechanisms: (1) a multi-dimensional pre-adoption evaluation framework encompassing security guarantees, operational overhead, and ecosystem compatibility; (2) critical limitations (e.g., complex key management, weak policy expressiveness) and strengths (e.g., zero-trust alignment, open-source transparency) of current toolchains; and (3) a staged evolution of signing practices—from manual verification toward automated, policy-driven enforcement. These findings provide empirically grounded design principles and architectural guidance for next-generation software signing infrastructure.
📝 Abstract
The software supply chain security problem arises from integrating software components from several sources. The integrity of these components is ensured by the use of provenance tools, of which software signing is the strongest guarantee. While software signing has been recommended by regulation and industry consortia, practical adoption of software signing has been generally limited. While tooling has been recognized by previous studies as a key factor influencing software signing adoption and quality, most research has focused primarily on its user interface aspects, with little research on other usability considerations such as tool selection, user challenges, and the intricacies of integrating signing into the software engineering process. To understand how software tools influence the practice and adoption of software signing, we study the formative usability of Sigstore, a modern and widely adopted software signing tool. We interviewed thirteen (13) experienced security practitioners to study the factors that influence the selection of a tool, the problems associated with the use of such tools, how practitioners' software signing tools have evolved, and what drives this migration. To summarize our findings: (1) we highlight the various factors practitioners consider before adopting a software signing tool; (2) we highlight the problems and advantages associated with the current tooling choices of practitioners; and (3) we describe the evolution of tooling adoption in our sample population. Our findings provide the software signing tool development community with valuable insights to improve their design of software signing tools.