Analysis of Commit Signing on Github

TL;DR

This study provides an ecosystem-scale analysis of commit signing on GitHub, revealing that current assumptions about signing practices and their security implications are largely invalid in practice.

Contribution

It is the first large-scale, developer-centric measurement of commit signing on GitHub, highlighting gaps between security assumptions and actual developer behaviors.

Findings

Most signed commits are automatically signed by the platform, not by developers.

Developers rarely maintain consistent signing practices across repositories or over time.

Signing lapse rates increase with account age, indicating poor key management.

Abstract

Commit signing is a principal mechanism for verifying the origin of code in software supply chains. Security frameworks treat it as a core trust signal, assuming developers sign their commits consistently with keys they control and keep those keys in good standing over time. Whether this assumption holds in practice has not been evaluated at ecosystem scale. This study addresses this gap. We present the first developer-centric, ecosystem-scale measurement of commit signing on GitHub, covering the platform's full history, spanning 71,694 active developers, 16.1 million commits, and 874,198 repositories. To summarize our findings: (1) overall signing adoption rates are misleading, as most signed commits come from automatic platform signing rather than deliberate developer action; (2) developers who do sign locally rarely keep it up consistently across repositories or over time; (3) signing lapse rates rise alongside account age rather than falling, making sustained coverage structurally unlikely; and (4) developers manage their signing keys poorly, leaving expired keys unrevoked and letting credential debt grow over time. Our findings show that the assumptions underlying supply-chain security frameworks do not hold in practice, establishing that progress requires either signing credentials redesigned to travel with developer identity while remaining outside platform control, or frameworks built on defenses that do not depend on every developer managing their own keys.