Vivek,
I can offer a glimpse of how Business Cyber Guardian delivers signed SBOMs.
We provide parties with a “Vendor Response Form” (VRF) containing links to
attestation materials and other artifacts needed to perform a software product
risk assessment following US Government requirements specified in the CISA
“CISA Secure Software Attestation Form”, a/k/a the “Common Form”.
Here is how we communicate information about digitally signed SBOMs in the VRF:
{
  "Products": [
    {
      "LicensorName": "BUSINESS CYBER GUARDIAN (Reliable Energy Analytics LLC)",
      "ProductName": "SAG-PM (TM)",
      "DescriptionURL": "https://reliableenergyanalytics.com/products",
      "Version": "2.1.0",
      "SBOM": {
        "type": "spdx",
        "version": "2.3",
        "format": "JSON",
        "DigitalSignatureURL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json.sig",
        "URL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json"
      }
    }
  ]
}
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
<https://reliableenergyanalytics.com/products> Never trust software, always
verify and report! ™
https://businesscyberguardian.com/
Email: [email protected]
Tel: +1 978-696-1788
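As an added illustration, not code from the VRF, from SPDX, or from anyone in this thread, the following ties together the detached DigitalSignatureURL/URL pair in the VRF entry above and the point made further down that an SBOM cannot carry its own digest. It uses a constructed SPDX-style document, placeholder URLs, and a caller-supplied fetch stub in place of HTTP; a plain SHA-256 sidecar stands in for the real signature file, since verifying sigstore or GPG signatures needs tooling outside the standard library.

```python
import hashlib
import hmac
import json

# Constructed minimal SPDX 2.3 document; not a real SAG-PM SBOM.
SBOM_DOC = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [{"name": "example-lib", "SPDXID": "SPDXRef-Package-1", "versionInfo": "1.0.0"}],
}
SBOM_BYTES = json.dumps(SBOM_DOC, sort_keys=True).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def self_digest_mismatch(doc: dict) -> tuple:
    """Store the document's own digest inside it, then re-hash: the stored value
    can never equal the digest of the document that now contains it."""
    stored = sha256_hex(json.dumps(doc, sort_keys=True).encode())
    with_digest = dict(doc, documentDigest=stored)
    return stored, sha256_hex(json.dumps(with_digest, sort_keys=True).encode())

def detached_record(sbom_bytes: bytes) -> dict:
    """Sidecar kept outside the SBOM, like the .sig the VRF links to. A real
    deployment signs this digest (sigstore, GPG); the bare digest is the stand-in here."""
    return {"algorithm": "sha256", "digest": sha256_hex(sbom_bytes)}

def verify_vrf_entry(product: dict, fetch) -> bool:
    """Resolve the entry's SBOM URL and DigitalSignatureURL through fetch(url) -> bytes
    (a caller-supplied stub here, HTTP in practice) and check the detached record."""
    sbom = product["SBOM"]
    sbom_bytes = fetch(sbom["URL"])
    record = json.loads(fetch(sbom["DigitalSignatureURL"]))
    if record.get("algorithm") != "sha256":
        return False
    return hmac.compare_digest(record["digest"], sha256_hex(sbom_bytes))

# Constructed VRF entry in the shape shown above, with placeholder URLs.
VRF_PRODUCT = {"ProductName": "example-product", "SBOM": {
    "type": "spdx", "version": "2.3", "format": "JSON",
    "URL": "https://example.invalid/sbom.json",
    "DigitalSignatureURL": "https://example.invalid/sbom.json.sig"}}
ARTIFACTS = {  # what the stub fetch returns for each URL
    "https://example.invalid/sbom.json": SBOM_BYTES,
    "https://example.invalid/sbom.json.sig": json.dumps(detached_record(SBOM_BYTES)).encode(),
}
# Same sidecar, but the SBOM body altered in transit: verification must fail.
TAMPERED = dict(ARTIFACTS, **{"https://example.invalid/sbom.json": SBOM_BYTES.replace(b"1.0.0", b"1.0.1")})
```

Pass `ARTIFACTS.__getitem__` or `TAMPERED.__getitem__` as the fetch argument to see the two outcomes.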
From: [email protected] <[email protected]> On Behalf Of Olle E Johansson
Sent: Wednesday, July 31, 2024 3:34 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [spdx] Does SPDX support attachment of signature ?
On 31 Jul 2024, at 02:24, Gary O'Neall <[email protected]> wrote:
Hi Vivek,
Thanks for posting the question.
We have discussed this topic in the SPDX technical team meetings.
I think you will find many of us believe signing SPDX documents is key to
preserving the integrity of the software supply chain.
We came to the conclusion that signing should be done with an external standard
and facility – such as sigstore <https://www.sigstore.dev/> . There are two
reasons I recall from the discussions:
* The SBOM cannot store the digest for itself in itself, so storing a
signature within the SPDX serialized document can be challenging
* There are several already existing standards outside of SPDX which specify
not only the digital signature formats, but also how to handle certificate
authoring, self-signing, and other related processes
If you’d like to continue the discussion, I would suggest posting to the SPDX
tech mailing list (added to the cc) or attending one of our weekly meetings.
I think this is an important discussion. I have been trying to sort out a
couple of thoughts around this while working with the TEA solution. There’s
also some work on third party trust and attestations happening in the IETF
SCITT working group.
I’ll join the tech mailing list to follow the discussion.
/O
Best regards,
From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: Tuesday, July 30, 2024 1:02 AM
To: [email protected]
Subject: [spdx] Does SPDX support attachment of signature ?
Digital signatures are essential for ensuring document integrity. Given the
critical role of Software Bill of Materials (SBOMs) in providing software
component information, signing SBOMs with tools like GPG or Cosign is crucial.
To facilitate verification, we need to determine the appropriate location
within the SPDX format to incorporate these signatures. Does an SPDX-formatted
SBOM support fields for storing these signatures?
View/Reply Online (#5684): https://lists.spdx.org/g/Spdx-tech/message/5684