I've been signing and uploading them with sigstore as an intoto predicate,
but not using the intoto specified spdx schema but instead pointing to a
URI. Since sigstore has a limit on attestation size and this (point to a
URI) also allows one to defer authorization of the blob to a storage server
and point to a collection of documents.
Still in draft, but this is a approximation of what we're using
{
"_type": "https://in-toto.io/Statement/v0.1";,
"predicateType": "http://google.com/sbom";,
"subject": [
{
"name": "binary-linux-amd64",
"digest": {
"sha256":
"f2e59e0e82c6a1b2c18ceea1dcb739f680f50ad588759217fc564b6aa5234791"
}
}
],
"predicate": {
"sboms": [
{
"format": "SPDX",
"digest": {
"sha256":
"02948ad50464ee57fe237b09054c45b1bff6c7d18729eea1eb740d89d9563209"
},
"uri": "
https://github.com/lumjjb/sample-golang-prov/releases/download/v1.3/binary.spdx
"
}
],
// BuildMetadata is optional, but is used for provenance verification
in the event SLSA
// provenance is not available. Specific to github actions workflow.
"build-metadata": {
"artifact-source-repo": "https://github.com/lumjjb/sample-golang-prov
",
"artifact-source-repo-commit":
"c8cb5f292c77064aeabb488ea4f5e483a5073076",
"attestation-generator-repo": "
https://github.com/lumjjb/slsa-github-generator-go";,
"attestation-generator-repo-commit":
"6948f4c67f6bca55657fe1fb3630b55b1714ef2d"
}
}
}
On Mon, Aug 8, 2022 at 7:51 AM Steve Kilbane <[email protected]>
wrote:
> May as well throw out a plug for https://openssf.org/, and for
> https://www.sigstore.dev/ in particular, here.
>
>
>
> A recent* Open Source Summit session gave an example of signing SBOMs
> using sigstore, if I recall correctly, though I don’t recall the details.
>
>
>
> steve
>
>
>
> * I say “recent” – could have been SupplyChainSecurityCon back in October.
> My sense of Time is out of whack since the pandemic.
>
>
>
> *From:* [email protected] <[email protected]> *On Behalf Of *Dick
> Brooks
> *Sent:* 08 August 2022 12:42
> *To:* [email protected]
> *Subject:* Re: [spdx] SPDX Signing #spdx
>
>
>
> *[External]*
>
>
>
> Sandeep,
>
>
>
> I’m not aware of any specific guidelines for signing SBOM’s (SPDX and
> CycloneDX).
>
>
>
> REA’s signs SBOM’s using PGP as this seems to be the easiest method to
> sign stand-alone text files, including SBOM’s.
>
> We simply have to make our public key available for verification of signed
> SBOM’s.
>
>
>
> The IETF is working on a new supply chain integrity, transparency and
> trust initiative (SCITT) that aims to produce a method for signing and
> verifying attestations, including SBOM’s.
>
> https://github.com/ietf-scitt
> <https://urldefense.com/v3/__https:/github.com/ietf-scitt__;!!A3Ni8CS0y2Y!4N9uapTCXw9gUs-kVzTBgUrjudnlPjyWrYWtbfex3pjTQ0nXeeMY7iQm6hoX1mC5Ynsxux3AmkB2j4A-lkH8Jgzuw-gYbw$>
>
>
>
> Thanks,
>
>
>
> Dick Brooks
>
>
>
> *Active Member of the CISA Critical Manufacturing Sector, *
>
> *Sector Coordinating Council – A Public-Private Partnership*
>
>
>
> *Never trust software, always verify and report!
> <https://urldefense.com/v3/__https:/reliableenergyanalytics.com/products__;!!A3Ni8CS0y2Y!4N9uapTCXw9gUs-kVzTBgUrjudnlPjyWrYWtbfex3pjTQ0nXeeMY7iQm6hoX1mC5Ynsxux3AmkB2j4A-lkH8JgxR-WKtyQ$>*
> ™
>
> http://www.reliableenergyanalytics.com
> <https://urldefense.com/v3/__http:/www.reliableenergyanalytics.com/__;!!A3Ni8CS0y2Y!4N9uapTCXw9gUs-kVzTBgUrjudnlPjyWrYWtbfex3pjTQ0nXeeMY7iQm6hoX1mC5Ynsxux3AmkB2j4A-lkH8JgzVvd9jEw$>
>
> Email: [email protected]
>
> Tel: +1 978-696-1788 <(978)%20696-1788>
>
>
>
> *From:* [email protected] <[email protected]> *On Behalf Of *Patil,
> Sandeep via lists.spdx.org
> *Sent:* Monday, August 8, 2022 7:08 AM
> *To:* [email protected]
> *Subject:* [spdx] SPDX Signing #spdx
>
>
>
> Hi All,
> Is there any guidelines to sign SPDX file ?
>
> Regards
> Sandeep
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#1582): https://lists.spdx.org/g/spdx/message/1582
Mute This Topic: https://lists.spdx.org/mt/92889362/21656
Mute #spdx:https://lists.spdx.org/g/spdx/mutehashtag/spdx
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
