May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here.
A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.

steve

* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of time is out of whack since the pandemic.

From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: 08 August 2022 12:42
To: [email protected]
Subject: Re: [spdx] SPDX Signing #spdx

Sandeep,

I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX). REA signs SBOMs using PGP, as this seems to be the easiest method to sign stand-alone text files, including SBOMs. We simply have to make our public key available for verification of signed SBOMs.

The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs. https://github.com/ietf-scitt

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 7:08 AM
To: [email protected]
Subject: [spdx] SPDX Signing #spdx

Hi All,

Are there any guidelines to sign an SPDX file?

Regards
Sandeep

View/Reply Online (#1581): https://lists.spdx.org/g/spdx/message/1581
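The PGP flow Dick describes (a detached signature over a stand-alone SPDX text file, with only the public key handed to consumers for verification), written out as an added example that is not code from any participant in this thread or from REA. It generates a throwaway key in a temporary keyring, signs a constructed sample SBOM under a placeholder identity, verifies it from a keyring that holds nothing but the exported public key, and shows that editing a single field breaks verification.

```shell
#!/bin/sh
# Added example: detached PGP signature over an SPDX tag-value SBOM,
# verified with only the published public key. Requires GnuPG 2.1+.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/signer"   # throwaway keyring, never the user's own
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Constructed sample SBOM (not a real product).
cat > "$WORK/sbom.spdx" <<'EOF'
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-1.0.0
PackageName: example-app
PackageVersion: 1.0.0
EOF

# Throwaway signing key; the identity is a placeholder.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'SBOM Signer (example) <sbom-signer@example.invalid>' ed25519 sign never

# Producer side: ship an ASCII-armored detached signature beside the SBOM
# and export the public key that consumers will verify against.
sign_sbom() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --armor --detach-sign --output "$1.asc" "$1"
  gpg --batch --quiet --armor --export sbom-signer@example.invalid > "$WORK/signer-pubkey.asc"
}

# Consumer side: verify in a fresh keyring containing only the published key.
# Prints "valid" or "invalid" so the outcome can be checked by callers.
verify_sbom() {
  v="$WORK/verifier"; rm -rf "$v"; mkdir -p "$v"; chmod 700 "$v"
  GNUPGHOME="$v" gpg --batch --quiet --import "$WORK/signer-pubkey.asc" 2>/dev/null
  if GNUPGHOME="$v" gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; then
    echo valid
  else
    echo invalid
  fi
}

sign_sbom "$WORK/sbom.spdx"
UNTOUCHED=$(verify_sbom "$WORK/sbom.spdx")
# Changing one field (the version) while reusing the old signature must fail.
sed 's/PackageVersion: 1.0.0/PackageVersion: 1.0.1/' "$WORK/sbom.spdx" > "$WORK/tampered.spdx"
cp "$WORK/sbom.spdx.asc" "$WORK/tampered.spdx.asc"
TAMPERED=$(verify_sbom "$WORK/tampered.spdx")
echo "untouched: $UNTOUCHED, tampered: $TAMPERED"
```

The signature covers the exact bytes of the file, so any normalisation of the SBOM (line endings, field reordering) after signing will also fail verification; sign the artifact you actually distribute.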
