Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors. (arXiv:2401.14635v1 [cs.CR])

Many software applications incorporate open-source third-party packages
distributed by third-party package registries. Guaranteeing authorship along
this supply chain is a challenge. Package maintainers can guarantee package
authorship through software signing. However, it is unclear how common this
practice is, and whether the resulting signatures are created properly. Prior
work has provided raw data on signing practices, but measured single platforms,
did not consider time, and did not provide insight on factors that may
influence signing. We lack a comprehensive, multi-platform …

applications arxiv can challenge distributed guarantee maintainers package packages party practice public quality signatures signing software software applications supply supply chain third third-party