The global software supply chain is protected by a security 'best practice' that almost nobody actually uses.
April 16, 2026
Original Paper
Analysis of Commit Signing on Github
arXiv · 2604.14014
The Takeaway
We are constantly told that 'commit signing' is the gold standard for proving that software has not been tampered with by hackers. A platform-wide analysis of GitHub, however, shows that fewer than 6% of developers actually sign their commits locally. The vast majority of the code running your bank, your car, and your phone is pushed through a system in which identity verification is largely an illusion: without a signature, the author recorded on a commit is asserted, not cryptographically proven. This reveals a massive gap between the security industry's high-level advice and the reality of how software is actually built. It means that the 'secure' foundations of our digital world are far more fragile than we have been led to believe, relying on trust rather than technical proof.
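As an added example (not code from the paper or from this page), the following Python script measures the same thing at repository level: it reads git's per-commit signature status and separates commits signed with a developer's own key from those carrying a platform signature such as GitHub's web-flow key. The signer-name heuristic, the helper names and the sample log lines are assumptions constructed for this illustration.

```python
import subprocess
from dataclasses import dataclass

# Codes emitted by git's %G? placeholder (see git-log(1), "PRETTY FORMATS").
GOOD = {"G", "U", "X", "Y"}            # valid signature; U/X/Y carry trust or expiry caveats
BAD_OR_UNCHECKABLE = {"B", "R", "E"}   # bad, revoked key, or key not in the local keyring
UNSIGNED = "N"

@dataclass
class SigningSummary:
    total: int = 0
    locally_signed: int = 0      # good signature, signer is not the hosting platform
    platform_signed: int = 0     # good signature whose signer name matches the platform hint
    bad_or_uncheckable: int = 0
    unsigned: int = 0

    @property
    def local_fraction(self) -> float:
        return self.locally_signed / self.total if self.total else 0.0

def summarize(lines, platform_signer_hint="GitHub") -> SigningSummary:
    """Each line is '<sha>\\t<%G?>\\t<%GS signer>' as produced by git_log_lines().
    Heuristic (assumption): a good signature whose signer name contains the hint
    is treated as made by the platform (e.g. commits authored in the web UI),
    not by the developer's own key. Only meaningful once the verifying machine
    has the relevant public keys; otherwise most entries show up as 'E'."""
    summary = SigningSummary()
    for line in lines:
        parts = line.split("\t", 2)
        parts += [""] * (3 - len(parts))
        sha, status, signer = parts
        if not sha:
            continue
        summary.total += 1
        if status in GOOD:
            if platform_signer_hint and platform_signer_hint in signer:
                summary.platform_signed += 1
            else:
                summary.locally_signed += 1
        elif status in BAD_OR_UNCHECKABLE:
            summary.bad_or_uncheckable += 1
        else:
            summary.unsigned += 1
    return summary

def git_log_lines(repo_path: str, rev_range: str = "HEAD"):
    """Run git to produce the tab-separated lines summarize() expects (%x09 is a tab)."""
    fmt = "--format=%H%x09%G?%x09%GS"
    out = subprocess.run(["git", "-C", repo_path, "log", rev_range, fmt],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()

# Constructed sample of what git_log_lines() returns; hashes and names are fictional.
SAMPLE = [
    "aaa111\tG\tAlice Developer <alice@example.test>",
    "bbb222\tG\tBob Builder <bob@example.test>",
    "ccc333\tU\tCarol Coder <carol@example.test>",
    "ddd444\tG\tGitHub <noreply@github.com>",
    "eee555\tE\t",
    "fff666\tN\t",
    "ggg777\tB\tMallory <mallory@example.test>",
]
```

Running `summarize(git_log_lines("."))` on a real checkout gives the local-signing fraction for that repository; on the constructed sample only 3 of 7 commits are locally signed.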
From the abstract
Commit signing is widely promoted as a foundation of software supply-chain security, yet prior work has studied it through the lens of individual repositories or curated project samples, missing the broader picture of how developers behave across an entire platform. Grounded in replicability theory, we vary the sampling unit from repositories to individual developers, following 71,694 active GitHub users, defined as accounts that have authored at least one commit, across all their repositories a