Identity-based software signing tools aim to make software artifact provenance verifiable while reducing the operational burden of long-lived key management. However, there is limited cross-tool longitudinal evidence about which usability problems arise in practice and how those problems evolve as tools mature. This gap matters because unusable signing and verification workflows can lead to incomplete adoption, misconfiguration, or skipped verification, undermining intended integrity guarantees. We conducted the first mining-software-repositories study of five open-source identity-based signing ecosystems: Sigstore, OpenPubKey, HashiCorp Vault, Keyfactor, and Notary v2. We analyzed approximately 3,900 GitHub issues from Nov. 2021 to Nov. 2025. We coded each issue for the reported usability concern and the implicated architectural component, and compared patterns across tools and over time. Across ecosystems, reported concerns concentrate in verification workflows, policy and configuration surfaces, and integration boundaries. Longitudinal Poisson trend analysis shows substantial declines in reported issues for most ecosystems. However, within individual usability themes the decline is uneven: workflow- and documentation-related concerns fall at different rates across tools and concern types, and verification workflows and configuration surfaces remain persistent friction points. These results indicate that identity-based signing reduces some usability burdens while relocating complexity to verification semantics, policy configuration, and deployment integration. Designing future signing ecosystems therefore requires treating verification semantics and release workflows as first-class usability targets rather than peripheral integration concerns.