I'm going to move this conversation to the SPDX tech mailing list since much of the discussion is tech related. Please reply to the [email protected] email for further conversation.
Thanks,
Gary

> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Henk Birkholz
> Sent: Thursday, August 1, 2024 3:59 AM
> To: [email protected]
> Subject: Re: [spdx] Does SPDX support attachment of signature ?
>
> Hi all,
>
> fwiw, in IETF SCITT [1] we wrap the to-be-signed bytes (an un-tampered payload that is a statement about artifacts in the software supply chain & some crypto/identity metadata) in a standardized signing envelope that scales well with constrained devices (i.e., COSE_Sign1 as defined in IETF STD 96 => RFC 9052 & RFC 9338).
>
> It is of course possible to use XML DSig'esque approaches, but I think today we are trying to avoid that.
>
> Viele Grüße,
>
> Henk
>
> [1] https://www.ietf.org/archive/id/draft-ietf-scitt-architecture-08.html#name-signed-statement-examples
>
> On 31.07.24 20:15, Martin, Robert A wrote:
> > +1
> >
> > Get Outlook for iOS <https://aka.ms/o0ukef>
> > ------------------------------------------------------------------------
> > *From:* [email protected] <[email protected]> on behalf of Michael Lieberman <[email protected]>
> > *Sent:* Wednesday, July 31, 2024 2:02:36 PM
> > *To:* [email protected] <[email protected]>
> > *Subject:* [EXT] Re: [spdx] Does SPDX support attachment of signature ?
> >
> > I really think the option of having the signature live outside the SBOM is a good idea. I think it's good if SBOMs are shipped as a bundle of the signature and SBOM but including the signature in the SBOM itself really does hit those issues Gary raised. It also makes it easy to support existing signature ecosystems without having to support those ecosystems directly in the SBOM.
> >
> > On Wed, Jul 31, 2024 at 1:01 PM Jeffrey Otterson via lists.spdx.org <http://lists.spdx.org> <[email protected] <mailto:[email protected]>> wrote:
> > >
> > > FWIW, I kludged a digital signature into a spdx file by abusing the "creator comment" field for a project I worked on.
> > >
> > > essentially, the entire spdx doc, _except the creator comment_, is serialized and a digital signature generated, which is placed into the creation info->creator comment, tagged with "Signature". Validation works the same way, more or less.
> > >
> > > "It works." It would be nice if there was a dedicated field for a digital signature, but I think the approach generally works.
> > >
> > >     spdx_doc.creation_info.creator_comment = f'Signature: {signature}'
> > >
> > > python code, that works with the 'tools-python' SPDX library, here:
> > >
> > > https://github.com/jotterson/sbom-validator/blob/master/spdx_utilities.py#L456
> > > and
> > > https://github.com/jotterson/sbom-validator/blob/master/signature_utilities.py#L40
> > >
> > > The approach uses an RSA keypair created with ssh-keygen for signing and validation.
> > >
> > > Perhaps this will be useful to somebody.
> > >
> > > Jeff
> > >
> > > On Wed, Jul 31, 2024 at 8:35 AM Dick Brooks via lists.spdx.org <http://lists.spdx.org> <[email protected] <mailto:[email protected]>> wrote:
> > > >
> > > > Vivek,
> > > >
> > > > I can offer a glimpse of how Business Cyber Guardian delivers signed SBOMs.
> > > >
> > > > We provide parties with a "Vendor Response Form" (VRF) containing links to attestation materials and other artifacts needed to perform a software product risk assessment following US Government requirements specified in the CISA "CISA Secure Software Attestation Form", a/k/a the "Common Form".
> > > >
> > > > Here is how we communicate information about digitally signed SBOMs in the VRF:
> > > >
> > > >     "Products": [
> > > >       {
> > > >         "LicensorName": "BUSINESS CYBER GUARDIAN (Reliable Energy Analytics LLC)",
> > > >         "ProductName": "SAG-PM (TM)",
> > > >         "DescriptionURL": "https://reliableenergyanalytics.com/products",
> > > >         "Version": "2.1.0",
> > > >         "SBOM": {
> > > >           "type": "spdx",
> > > >           "version": "2.3",
> > > >           "format": "JSON",
> > > >           "DigitalSignatureURL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json.sig",
> > > >           "URL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json"
> > > >         },
> > > >
> > > > Thanks,
> > > >
> > > > Dick Brooks
> > > >
> > > > Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
> > > >
> > > > Never trust software, always verify and report!™ <https://reliableenergyanalytics.com/products>
> > > > https://businesscyberguardian.com/
> > > > Email: [email protected]
> > > > Tel: +1 978-696-1788
> > > >
> > > > *From:* [email protected] <[email protected]> *On Behalf Of* Olle E Johansson
> > > > *Sent:* Wednesday, July 31, 2024 3:34 AM
> > > > *To:* [email protected]
> > > > *Cc:* [email protected]
> > > > *Subject:* Re: [spdx] Does SPDX support attachment of signature ?
> > > >
> > > > > On 31 Jul 2024, at 02:24, Gary O'Neall <[email protected]> wrote:
> > > > >
> > > > > Hi Vivek,
> > > > >
> > > > > Thanks for posting the question.
> > > > >
> > > > > We have discussed this topic in the SPDX technical team meetings.
> > > > >
> > > > > I think you will find many of us believe signing SPDX documents is key to preserving the integrity of the software supply chain.
> > > > >
> > > > > We came to the conclusion that signing should be done with an external standard and facility – such as sigstore <https://www.sigstore.dev/>. There are two reasons I recall from the discussions:
> > > > >
> > > > > * The SBOM cannot store the digest for itself in itself, so storing a signature within the SPDX serialized document can be challenging
> > > > > * There are several already existing standards outside of SPDX which specify not only the digital signature formats, but also how to handle certificate authoring, self-signing, and other related processes
> > > > >
> > > > > If you'd like to continue the discussion, I would suggest posting to the SPDX tech mailing list (added to the cc) or attending one of our weekly meetings.
> > > >
> > > > I think this is an important discussion. I have been trying to sort out a couple of thoughts around this while working with the TEA solution. There's also some work on third party trust and attestations happening in the IETF SCITT working group.
> > > >
> > > > I'll join the tech mailing list to follow the discussion.
> > > >
> > > > /O
> > > >
> > > > > Best regards,
> > > > >
> > > > > *From:* [email protected] <[email protected]> *On Behalf Of* [email protected]
> > > > > *Sent:* Tuesday, July 30, 2024 1:02 AM
> > > > > *To:* [email protected]
> > > > > *Subject:* [spdx] Does SPDX support attachment of signature ?
> > > > >
> > > > > Digital signatures are essential for ensuring document integrity. Given the critical role of Software Bill of Materials (SBOMs) in providing software component information, signing SBOMs with tools like GPG or Cosign is crucial. To facilitate verification, we need to determine the appropriate location within the SPDX format to incorporate these signatures. Does an SPDX formatted SBOM support fields for storing these signatures?

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#5685): https://lists.spdx.org/g/Spdx-tech/message/5685
-=-=-=-=-=-=-=-=-=-=-=-
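The two shapes discussed in the thread, Jeff's signature embedded in the creator comment and Dick's detached `.json.sig` next to the document, side by side as an added example. This is not code from the thread, from Jeff's sbom-validator repository, or from any SPDX project. It targets SPDX 2.3 JSON, where the creator comment is `creationInfo.comment`, and uses only the Python standard library: HMAC-SHA256 stands in for the signature primitive so the block runs offline (Jeff's tool uses an RSA keypair; a real deployment would use an asymmetric signature, or sigstore/cosign as Gary suggests), and the sample document and key are constructed for the demonstration. The point it makes concrete is Gary's first reason: an embedded signature cannot cover the field that holds it, so the signer and verifier must agree on a deterministic serialization with that field removed, whereas a detached signature covers the exact bytes shipped and needs no canonicalization, but then breaks if anyone reformats the file.

```python
"""Embedded vs. detached signing of an SPDX 2.3 JSON document.

Added example; HMAC-SHA256 is a stand-in for an asymmetric signature
and the key/document below are constructed, not real artifacts.
"""
import copy
import hashlib
import hmac
import json

SIG_PREFIX = "Signature: "  # tag used inside creationInfo.comment

# Constructed, minimal SPDX 2.3 JSON document (not a real product SBOM).
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "documentNamespace": "https://example.invalid/spdxdocs/example-sbom",
    "creationInfo": {
        "created": "2024-07-31T12:00:00Z",
        "creators": ["Tool: example-generator"],
        "comment": "generated for illustration",
    },
    "packages": [
        {
            "name": "libfoo",
            "SPDXID": "SPDXRef-Package-libfoo",
            "versionInfo": "1.2.3",
            "downloadLocation": "NOASSERTION",
        }
    ],
}


def sign_bytes(key: bytes, data: bytes) -> str:
    """Stand-in primitive (HMAC-SHA256). Swap in Ed25519/RSA in practice;
    nothing else in this file depends on which primitive produces the tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_bytes(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign_bytes(key, data), sig)


def canonical_bytes(doc: dict) -> bytes:
    """Bytes covered by an embedded signature.

    creationInfo.comment is dropped because it will carry the signature,
    so anything else placed in that comment is NOT protected. Key order
    and whitespace are pinned so the verifier rebuilds identical bytes
    even after the JSON has been re-serialized by another tool."""
    stripped = copy.deepcopy(doc)
    stripped.setdefault("creationInfo", {}).pop("comment", None)
    return json.dumps(stripped, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def sign_embedded(doc: dict, key: bytes) -> dict:
    """Jeff's shape: signature over the rest of the document, stored in the
    creator comment. Returns a new document; the input is not modified."""
    signed = copy.deepcopy(doc)
    tag = sign_bytes(key, canonical_bytes(doc))
    signed.setdefault("creationInfo", {})["comment"] = SIG_PREFIX + tag
    return signed


def verify_embedded(doc: dict, key: bytes) -> bool:
    comment = doc.get("creationInfo", {}).get("comment", "")
    if not comment.startswith(SIG_PREFIX):
        return False  # unsigned or wrongly tagged document
    return verify_bytes(key, canonical_bytes(doc), comment[len(SIG_PREFIX):])


def sign_detached(raw: bytes, key: bytes) -> str:
    """Dick's shape: sign the exact bytes shipped as the .json file; the
    tag lives in a separate .json.sig, so no canonicalization is needed."""
    return sign_bytes(key, raw)


def verify_detached(raw: bytes, sig: str, key: bytes) -> bool:
    return verify_bytes(key, raw, sig)


def demo() -> tuple:
    """Exercise both modes; returns the verification outcomes in order."""
    key = b"constructed-demo-key"

    signed = sign_embedded(SAMPLE_SBOM, key)
    ok = verify_embedded(signed, key)

    tampered = copy.deepcopy(signed)
    tampered["packages"][0]["versionInfo"] = "1.2.4"
    tampered_ok = verify_embedded(tampered, key)  # must fail

    # Embedded mode survives a pretty-printing round trip: canonicalization
    # makes the signed bytes independent of how the JSON was laid out.
    reparsed = json.loads(json.dumps(signed, indent=2))
    reparsed_ok = verify_embedded(reparsed, key)

    # Detached mode covers the file bytes as-is...
    raw = json.dumps(SAMPLE_SBOM, indent=2).encode("utf-8")
    sig = sign_detached(raw, key)
    detached_ok = verify_detached(raw, sig, key)
    # ...so re-serializing the same content invalidates the .sig.
    reformatted_ok = verify_detached(json.dumps(SAMPLE_SBOM).encode("utf-8"), sig, key)

    return ok, tampered_ok, reparsed_ok, detached_ok, reformatted_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True, True, False)
```

The tuple from `demo()` summarizes the trade-off: embedded signatures need a canonical form and leave the comment field itself unprotected, while detached signatures are simpler and cover everything but pin the document to its exact byte representation, which is why shipping the SBOM and its `.sig` as a bundle, as Michael suggests, works well with existing signing ecosystems.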
