Code Signing is Critical Infrastructure
The practice of maintaining a Secure Software Supply Chain (S3C) gives developers actionable insight into the upstream packages they consume. However, in the industry's efforts to shift security left, supply-chain security efforts often ignore the "final mile": the building, signing and delivery of applications to consumers' devices. In this talk, we will cover the history, current status and future of code signing, and how it can be leveraged to ship secure applications at massive scale.