Hi Sahil,
To date, we have not standardized on the signing of SBOM documents within the SPDX specification itself. I would suggest looking into Sigstore <https://www.sigstore.dev/> as a possible standard and set of tools which can be leveraged for this purpose.

Best regards,
Gary

From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: Friday, July 14, 2023 1:28 PM
To: [email protected]
Subject: [spdx] SBOM Signing

Hi,

Is there any standard around signing an SPDX JSON SBOM, or do we need to sign the SBOM file using OpenSSL or gpg? Although we can sign the SPDX SBOM using cosign, for that we have to attach the SBOM to a container (cosign/specs/SBOM_SPEC.md at main · sigstore/cosign · GitHub <https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md>), but if the application is not container-based, what process do we have to follow in that case to sign and validate the SPDX JSON SBOM?

Thanks
Sahil

View/Reply Online (#1707): https://lists.spdx.org/g/spdx/message/1707
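Added here as an illustration, not code from either message or from the SPDX or Sigstore projects: a detached signature over an SPDX JSON file using only Go's standard library, the same sign-the-exact-bytes approach that Sigstore's `cosign sign-blob` takes for files that are not attached to a container. The sample SBOM, the key and the function names are constructed for the example; it also shows that because the signature covers the bytes as signed, a re-serialized copy of the same SBOM fails verification, so the signed file must be distributed unmodified alongside its signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed minimal SPDX 2.3 JSON SBOM (sample input, not from the thread).
const sbomJSON = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example-app","dataLicense":"CC0-1.0"}`
// signSBOM: detached ECDSA P-256 signature over SHA-256 of the file's exact bytes.
func signSBOM(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
// verifySBOM checks the detached signature against the bytes actually received.
func verifySBOM(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
// reserialize re-emits the JSON: same SPDX content, different bytes (key order, whitespace).
func reserialize(doc []byte) ([]byte, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(doc, &m); err != nil {
		return nil, err
	}
	return json.MarshalIndent(m, "", "  ")
}
func check(err error) { if err != nil { panic(err) } }
// demo reports whether verification passes for the original bytes, a tampered copy and a re-serialized copy.
func demo() (orig, tampered, reser bool) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	doc := []byte(sbomJSON)
	sig, err := signSBOM(priv, doc)
	check(err)
	alt := append([]byte(nil), doc...)
	alt[len(alt)-3] = '2' // one changed byte: dataLicense becomes "CC0-1.2"
	pretty, err := reserialize(doc)
	check(err)
	pub := &priv.PublicKey
	return verifySBOM(pub, doc, sig), verifySBOM(pub, alt, sig), verifySBOM(pub, pretty, sig)
}

func main() {
	o, t, r := demo()
	fmt.Printf("original=%v tampered=%v reserialized=%v\n", o, t, r) // true false false
}
```

In practice the public key (or, with keyless Sigstore signing, the certificate and transparency-log entry) is distributed to verifiers out of band; the verifier must check the file bytes it actually received, never a copy it has parsed and re-written.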
