Hi, Is there any standard around signing SPDX JSON SBOM, or do we need to sign the SBOM file using OpenSSL or gpg? Although we can sign the SPDX SBOM using cosign, for that, we have to attach that SBOM into a container ( cosign/specs/SBOM_SPEC.md at main · sigstore/cosign · GitHub ( https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md ) ), but if the application is not based on the container, then in such case what process we have to follow to sign and validate the SPDX JSON SBOM.
Thanks Sahil -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1706): https://lists.spdx.org/g/spdx/message/1706 Mute This Topic: https://lists.spdx.org/mt/100149475/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
