We sign our SAG-PM SBOM using GPG and distribute the public key to verify 
signed SBOMs:

https://github.com/rjb4standards/REA-Products/blob/master/Dick%20Brooks%20(SBOM)_0xB8A6A3AB_public.asc

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, 
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788


From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: Friday, July 14, 2023 4:28 PM
To: [email protected]
Subject: [spdx] SBOM Signing

 

Hi,

Is there any standard around signing SPDX JSON SBOMs, or do we need to sign the 
SBOM file using OpenSSL or gpg? Although we can sign the SPDX SBOM using 
cosign, for that we have to attach the SBOM to a container (see 
https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md), but if the 
application is not container-based, then what process do we have to follow to 
sign and validate the SPDX JSON SBOM?

Thanks
Sahil 
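The GPG approach above (detached signature over the SPDX JSON file, publisher's public key distributed out of band) needs one check on the verifying side that gpg's "Good signature" line does not give you: that the signature was made by the pinned publisher key and not by some other key in the keyring. This added example (not code from the thread, SAG-PM or SPDX) wraps gpg via subprocess and decides from its machine-readable status output; the fingerprint, keyring path and status lines are constructed placeholders.

```python
"""Verify a detached GPG signature on an SPDX JSON SBOM and pin the signer.

Signing side (publisher):   gpg --armor --detach-sign sbom.spdx.json
  -> produces sbom.spdx.json.asc next to the SBOM.
Verifying side (consumer):  verify_sbom(...) below. It checks the exact bytes
  of the file that was signed; re-serialising the JSON (reordering keys,
  changing whitespace) invalidates the signature by design.
"""
import subprocess
from dataclasses import dataclass

# Constructed placeholder for the 40-hex-digit fingerprint you read off the
# publisher's distributed .asc with `gpg --show-keys --fingerprint key.asc`.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEFB8A6A3AB"

# Status keywords that mean the signature must be rejected outright.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    fingerprint: str = ""


def evaluate_status(status_text: str, pinned_fpr: str) -> VerifyResult:
    """Decide from `gpg --status-fd` lines whether the SBOM signature is acceptable."""
    fpr = ""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in REJECT:
            return VerifyResult(False, keyword)
        # VALIDSIG carries the full fingerprint of the key that made the signature.
        if keyword == "VALIDSIG" and len(parts) > 2:
            fpr = parts[2].upper()
    if not fpr:
        return VerifyResult(False, "NO_VALIDSIG")
    if fpr != pinned_fpr.upper():          # valid signature, but the wrong signer
        return VerifyResult(False, "UNEXPECTED_KEY", fpr)
    return VerifyResult(True, "OK", fpr)


def verify_sbom(sbom_path: str, sig_path: str, pinned_fpr: str, keyring: str) -> VerifyResult:
    """Run gpg with a dedicated keyring holding only the publisher's imported key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, sbom_path],
        capture_output=True, text=True, check=False)
    return evaluate_status(proc.stdout, pinned_fpr)
```

Import the publisher's .asc into that dedicated keyring once (`gpg --no-default-keyring --keyring <file> --import key.asc`), then every later verification is independent of whatever else sits in the user's default keyring.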