Research
Large-Scale Analysis of Commit Signing on GitHub Reveals Gap Between Promotion and Practice
First study of commit signing behavior across the full GitHub ecosystem (not just curated samples) finds significant gaps between how widely commit signing is promoted for supply-chain security and how developers actually use it. The analysis reveals patterns of inconsistent adoption, misconfigured keys, and verification gaps that undermine the security guarantees signing is supposed to provide. Relevant to any team relying on signed commits as a supply-chain security control — the assumed baseline may not hold.
Source
↳ Follow the thread