Cosign also has a format for doing this:
https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md

(Different from the attestation I just sent)

On Mon, Aug 8, 2022 at 10:33 AM Brandon Lum via lists.spdx.org <lumb=[email protected]> wrote:

> I've been signing and uploading them with sigstore as an intoto predicate,
> but not using the intoto specified spdx schema but instead pointing to a
> URI. Since sigstore has a limit on attestation size and this (point to a
> URI) also allows one to defer authorization of the blob to a storage server
> and point to a collection of documents.
>
> Still in draft, but this is an approximation of what we're using
>
> {
>   "_type": "https://in-toto.io/Statement/v0.1",
>   "predicateType": "http://google.com/sbom",
>   "subject": [
>     {
>       "name": "binary-linux-amd64",
>       "digest": {
>         "sha256": "f2e59e0e82c6a1b2c18ceea1dcb739f680f50ad588759217fc564b6aa5234791"
>       }
>     }
>   ],
>   "predicate": {
>     "sboms": [
>       {
>         "format": "SPDX",
>         "digest": {
>           "sha256": "02948ad50464ee57fe237b09054c45b1bff6c7d18729eea1eb740d89d9563209"
>         },
>         "uri": "https://github.com/lumjjb/sample-golang-prov/releases/download/v1.3/binary.spdx"
>       }
>     ],
>     // BuildMetadata is optional, but is used for provenance verification in the event SLSA
>     // provenance is not available. Specific to github actions workflow.
>     "build-metadata": {
>       "artifact-source-repo": "https://github.com/lumjjb/sample-golang-prov",
>       "artifact-source-repo-commit": "c8cb5f292c77064aeabb488ea4f5e483a5073076",
>       "attestation-generator-repo": "https://github.com/lumjjb/slsa-github-generator-go",
>       "attestation-generator-repo-commit": "6948f4c67f6bca55657fe1fb3630b55b1714ef2d"
>     }
>   }
> }
>
>
>
> On Mon, Aug 8, 2022 at 7:51 AM Steve Kilbane <[email protected]> wrote:
>
>> May as well throw out a plug for https://openssf.org/, and for
>> https://www.sigstore.dev/ in particular, here.
>>
>>
>>
>> A recent* Open Source Summit session gave an example of signing SBOMs
>> using sigstore, if I recall correctly, though I don’t recall the details.
>>
>>
>>
>> steve
>>
>>
>>
>> * I say "recent" – it could have been SupplyChainSecurityCon back in
>> October. My sense of time is out of whack since the pandemic.
>>
>>
>>
>> *From:* [email protected] <[email protected]> *On Behalf Of *Dick
>> Brooks
>> *Sent:* 08 August 2022 12:42
>> *To:* [email protected]
>> *Subject:* Re: [spdx] SPDX Signing #spdx
>>
>>
>>
>> *[External]*
>>
>>
>>
>> Sandeep,
>>
>>
>>
>> I'm not aware of any specific guidelines for signing SBOMs (SPDX and
>> CycloneDX).
>>
>>
>>
>> REA signs SBOMs using PGP, as this seems to be the easiest method to
>> sign stand-alone text files, including SBOMs.
>>
>> We simply have to make our public key available for verification of
>> signed SBOMs.
>>
>>
>>
>> The IETF is working on a new supply chain integrity, transparency and
>> trust initiative (SCITT) that aims to produce a method for signing and
>> verifying attestations, including SBOMs.
>>
>> https://github.com/ietf-scitt
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Dick Brooks
>>
>>
>>
>> *Active Member of the CISA Critical Manufacturing Sector, *
>>
>> *Sector Coordinating Council – A Public-Private Partnership*
>>
>>
>>
>> *Never trust software, always verify and report!*™
>>
>> http://www.reliableenergyanalytics.com
>>
>> Email: [email protected]
>>
>> Tel: +1 978-696-1788
>>
>>
>>
>> *From:* [email protected] <[email protected]> *On Behalf Of *Patil,
>> Sandeep via lists.spdx.org
>> *Sent:* Monday, August 8, 2022 7:08 AM
>> *To:* [email protected]
>> *Subject:* [spdx] SPDX Signing #spdx
>>
>>
>>
>> Hi All,
>> Are there any guidelines for signing an SPDX file?
>>
>> Regards
>> Sandeep
>>
>> 
>
>


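The attestation quoted above binds each SBOM to the signed statement by its sha256, with the URI serving only as a locator. The verifier below is an added example (not code from any participant in the thread, and not cosign's own verification logic); it assumes the DSSE envelope signature has already been checked by cosign, takes a caller-supplied `fetch` callable so it runs offline, and uses constructed artifact and SBOM bytes plus a placeholder URI.

```python
import hashlib
from typing import Callable, List

# Constructed sample data; not the real binary or SBOM referenced in the thread.
ARTIFACT = b"\x7fELF constructed-binary-bytes"
SBOM_TEXT = b"SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n"
SBOM_URI = "https://example.invalid/releases/v1.3/binary.spdx"  # placeholder locator


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Statement in the shape described in the thread: the predicate carries a format,
# a digest and a URI per SBOM instead of embedding the SPDX document itself.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "http://google.com/sbom",
    "subject": [{"name": "binary-linux-amd64", "digest": {"sha256": sha256_hex(ARTIFACT)}}],
    "predicate": {
        "sboms": [{"format": "SPDX", "digest": {"sha256": sha256_hex(SBOM_TEXT)}, "uri": SBOM_URI}]
    },
}


def verify_sbom_references(statement: dict, artifact: bytes,
                           fetch: Callable[[str], bytes]) -> List[str]:
    """Return the URIs of SBOMs whose fetched bytes match the attested digest.

    Assumes the envelope signature over `statement` was already verified.
    The storage server behind the URI is untrusted: whatever it returns must
    hash to the digest carried in the signed predicate, or it is rejected.
    """
    if statement.get("_type") != "https://in-toto.io/Statement/v0.1":
        raise ValueError("unexpected in-toto statement type")
    artifact_digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256", "").lower() == artifact_digest
               for s in statement.get("subject", [])):
        raise ValueError("artifact is not a subject of this statement")
    verified = []
    for entry in statement["predicate"].get("sboms", []):
        expected = entry["digest"]["sha256"].lower()
        actual = sha256_hex(fetch(entry["uri"]))
        if actual != expected:
            raise ValueError(f"{entry['uri']}: digest {actual} != attested {expected}")
        verified.append(entry["uri"])
    return verified


if __name__ == "__main__":
    print(verify_sbom_references(STATEMENT, ARTIFACT, lambda uri: SBOM_TEXT))
```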
View/Reply Online (#1583): https://lists.spdx.org/g/spdx/message/1583