Analysis of Commit Signing on Github

Computer Science > Software Engineering [Submitted on 15 Apr 2026] Analysis of Commit Signing on Github Abubakar Sadiq Shittu, John Sadik, Farzin Gholamrezae, Scott Ruoti Commit signing is widely promoted as a foundation of software supply-chain security, yet prior work has studied it through the lens of individual repositories or curated project samples, missing the broader picture of how developers behave across an entire platform. Grounded in replicability theory, we vary the sampling unit from repositories to individual developers, following 71,694 active GitHub users, defined as accounts that have authored at least one commit, across all their repositories and their entire commit history, spanning 16 million commits and 874,198 repositories. This platform-wide, user-centric view reveals a fundamental gap that repository sampling cannot detect. The ecosystem's apparent high signing adoption rate is an illusion. Once platform-generated signatures are excluded, fewer than 6% of developers have ever signed a commit themselves, and the vast majority of apparent signers have never signed outside a web browser. Among the minority who do sign locally, signing rarely persists over time or across repositories, and roughly one in eight developer-managed signatures fails verification because signing keys are never uploaded to GitHub. Examining the key registry, we find that expired keys are almost never revoked and more than a quarter of users carry at least one dead key. Together, these findings reveal that commit signing as practiced today cannot serve as a dependable provenance signal at ecosystem scale, and we offer concrete recommendations for closing that gap. Comments: 22 pages, 11 figures, 11 tables. Dataset covers 16,112,439 commits across 874,198 repositories from 71,694 active GitHub users. Preprint Subjects: Software Engineering (cs.SE); Cryptography and Security (cs.CR) Cite as: arXiv:2604.14014 [cs.SE]   (or arXiv:2604.14014v1 [cs.SE] for this version)   https://doi.org/10.48550/arXiv.2604.14014 Focus to learn more Submission history From: Abubakar Sadiq Shittu [view email] [v1] Wed, 15 Apr 2026 15:57:07 UTC (1,229 KB) Access Paper: HTML (experimental) view license Current browse context: cs.SE < prev   |   next > new | recent | 2026-04 Change to browse by: cs cs.CR References & Citations NASA ADS Google Scholar Semantic Scholar Export BibTeX Citation Bookmark Bibliographic Tools Bibliographic and Citation Tools Bibliographic Explorer Toggle Bibliographic Explorer (What is the Explorer?) Connected Papers Toggle Connected Papers (What is Connected Papers?) Litmaps Toggle Litmaps (What is Litmaps?) scite.ai Toggle scite Smart Citations (What are Smart Citations?) Code, Data, Media Demos Related Papers About arXivLabs Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)