Hi Vivek,


Thanks for posting the question.


We have discussed this topic in the SPDX technical team meetings.


I think you will find many of us believe signing SPDX documents is key to 
preserving the integrity of the software supply chain.


We came to the conclusion that signing should be done with an external standard 
and facility, such as sigstore <https://www.sigstore.dev/>. There are two 
reasons I recall from the discussions:

* The SBOM cannot store the digest for itself in itself, so storing a 
signature within the SPDX serialized document can be challenging
* There are several already existing standards outside of SPDX which specify 
not only the digital signature formats, but also how to handle certificate 
authoring, self-signing, and other related processes


If you’d like to continue the discussion, I would suggest posting to the SPDX 
tech mailing list (added to the cc) or attending one of our weekly meetings.


Best regards,
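To illustrate the first bullet above, here is an added example (it is not SPDX project code and not part of this thread): a digest written into the SBOM itself either fails to verify or only works if signer and verifier agree on an exclusion rule, whereas a detached digest kept beside the untouched bytes verifies by a plain recompute. The SPDX JSON skeleton and the `x-self-digest` field are constructed for the illustration; signing the detached digest is what an external tool such as cosign does and is not replicated here.

```python
import copy
import hashlib
import json

# Constructed minimal SPDX 2.3 JSON skeleton for the illustration, not a real SBOM.
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [{"SPDXID": "SPDXRef-pkg", "name": "libfoo", "versionInfo": "1.2.3"}],
}
SELF_FIELD = "x-self-digest"  # hypothetical in-document field, not defined by SPDX

def canonical_bytes(doc: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash the same bytes."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def embed_self_digest(doc: dict) -> dict:
    """Naive attempt: store the document's digest inside the document."""
    signed = copy.deepcopy(doc)
    signed[SELF_FIELD] = sha256_hex(canonical_bytes(doc))  # digest of the pre-field bytes
    return signed

def verify_self_digest(doc: dict) -> bool:
    """Hash exactly the bytes received: adding the field changed them, so this fails."""
    return doc.get(SELF_FIELD) == sha256_hex(canonical_bytes(doc))

def verify_excluding_field(doc: dict) -> bool:
    """Works only if both sides agree on the exclusion rule and canonical form."""
    stripped = {k: v for k, v in doc.items() if k != SELF_FIELD}
    return doc.get(SELF_FIELD) == sha256_hex(canonical_bytes(stripped))

def detached_digest(doc: dict) -> dict:
    """Sidecar record an external signer (e.g. cosign sign-blob) would sign."""
    return {"algorithm": "SHA256", "checksumValue": sha256_hex(canonical_bytes(doc))}

def verify_detached(doc: dict, sidecar: dict) -> bool:
    """The document bytes are untouched, so verification is a plain recompute."""
    return sidecar["checksumValue"] == sha256_hex(canonical_bytes(doc))

def tampered_copy(doc: dict) -> dict:
    """Constructed modification to show the detached check catching a change."""
    changed = copy.deepcopy(doc)
    changed["packages"][0]["versionInfo"] = "1.2.4"
    return changed
```

Calling `verify_self_digest(embed_self_digest(SBOM))` returns False, `verify_excluding_field` on the same input returns True, and `verify_detached(SBOM, detached_digest(SBOM))` returns True while the tampered copy fails.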


From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: Tuesday, July 30, 2024 1:02 AM
To: [email protected]
Subject: [spdx] Does SPDX support attachment of signature ?


Digital signatures are essential for ensuring document integrity. Given the 
critical role of Software Bill of Materials (SBOMs) in providing software 
component information, signing SBOMs with tools like GPG or Cosign is crucial. 
To facilitate verification, we need to determine the appropriate location 
within the SPDX format to incorporate these signatures. Does an SPDX-formatted 
SBOM support fields for storing these signatures?

View/Reply Online (#5683): https://lists.spdx.org/g/Spdx-tech/message/5683