+1 on Sigstore/Cosign. There's support for signing and verifying blobs as well as containers, which should work great for your use case as I understand it.
+Hayden Blauzvern <[email protected]> from the Sigstore team will likely be able to point you at useful existing examples of folks doing exactly this.

Isaac

On Fri, Jul 14, 2023 at 4:04 PM Gary O'Neall <[email protected]> wrote:
> Hi Sahil,
>
> To date, we have not standardized on the signing of SBOM documents within
> the SPDX specification itself.
>
> I would suggest looking into Sigstore <https://www.sigstore.dev/> as a
> possible standard and set of tools which can be leveraged for this purpose.
>
> Best regards,
> Gary
>
> *From:* [email protected] <[email protected]> *On Behalf Of *
> [email protected]
> *Sent:* Friday, July 14, 2023 1:28 PM
> *To:* [email protected]
> *Subject:* [spdx] SBOM Signing
>
> Hi,
>
> Is there any standard around signing an SPDX JSON SBOM, or do we need to sign
> the SBOM file using OpenSSL or gpg? Although we can sign the SPDX SBOM
> using cosign, for that we have to attach the SBOM to a container
> (cosign/specs/SBOM_SPEC.md at main · sigstore/cosign · GitHub
> <https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md>), but
> if the application is not container-based, what process do we have to
> follow to sign and validate the SPDX JSON SBOM?
>
> Thanks
> Sahil

View/Reply Online (#1709): https://lists.spdx.org/g/spdx/message/1709
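Isaac's reply points at cosign's support for signing blobs, which is what a standalone (non-container) SPDX JSON SBOM is. The script below is an added example, not code from any participant in this thread or from the Sigstore or SPDX projects: it produces and checks a detached signature over an SPDX JSON file, and shows that a one-byte change to the file makes verification fail. The runnable path uses OpenSSL (ECDSA P-256 over SHA-256, the OpenSSL route Sahil asks about); the `cosign_sign_sbom` / `cosign_verify_sbom` functions show the Sigstore keyless equivalent with `cosign sign-blob` and `cosign verify-blob`, and their flag names assume cosign 2.x. The SBOM content, key names and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the SPDX thread or any participant): detached
# signing and verification of an SPDX JSON SBOM that is NOT attached to a
# container image. The runnable path uses OpenSSL (ECDSA P-256, SHA-256);
# the cosign_* functions show the Sigstore "blob" equivalent and assume
# cosign 2.x flag names.

# Write a constructed, minimal SPDX 2.3 JSON document to $1.
make_sample_sbom() {
    cat > "$1" <<'EOF'
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app-sbom",
  "documentNamespace": "https://example.invalid/spdxdocs/example-app-sbom",
  "creationInfo": {"created": "2023-07-14T00:00:00Z", "creators": ["Tool: constructed-example"]},
  "packages": [{"name": "example-app", "SPDXID": "SPDXRef-Package-example-app",
                "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION"}]
}
EOF
}

# Generate an ECDSA P-256 key pair: private key to $1, public key to $2.
gen_keys() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
    openssl ec -in "$1" -pubout -out "$2" 2>/dev/null
}

# Detached signature over the exact bytes of the SBOM file.
# sign_sbom <private-key> <sbom.json> <out.sig>
sign_sbom() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_sbom <public-key> <sbom.json> <sig>
# Exit status 0 only if the signature matches this exact byte sequence.
verify_sbom() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Sigstore equivalent, keyless flow (assumed cosign 2.x flags). Signing
# opens an OIDC login; the bundle carries signature, certificate and the
# Rekor transparency-log entry, so the verifier pins an identity instead
# of distributing a public key.
cosign_sign_sbom() {   # cosign_sign_sbom <sbom.json> <out.bundle>
    cosign sign-blob --bundle "$2" "$1"
}
cosign_verify_sbom() { # cosign_verify_sbom <sbom.json> <bundle> <identity> <oidc-issuer>
    cosign verify-blob --bundle "$2" \
        --certificate-identity "$3" --certificate-oidc-issuer "$4" "$1"
}

# Demo: sign, verify, then show that a small edit breaks verification.
demo() {
    d=$(mktemp -d)
    make_sample_sbom "$d/sbom.spdx.json"
    gen_keys "$d/sbom-key.pem" "$d/sbom-pub.pem"
    sign_sbom "$d/sbom-key.pem" "$d/sbom.spdx.json" "$d/sbom.spdx.json.sig"
    verify_sbom "$d/sbom-pub.pem" "$d/sbom.spdx.json" "$d/sbom.spdx.json.sig" \
        && echo "original SBOM: signature OK"
    # Tampered copy: bump the package version (one character changed).
    sed 's/1\.0\.0/1.0.1/' "$d/sbom.spdx.json" > "$d/tampered.spdx.json"
    if verify_sbom "$d/sbom-pub.pem" "$d/tampered.spdx.json" "$d/sbom.spdx.json.sig"; then
        echo "tampered SBOM: signature OK (unexpected)"
    else
        echo "tampered SBOM: signature REJECTED"
    fi
    rm -rf "$d"
}

demo
```

The detached signature binds the exact bytes of the file, so a consumer must receive the SBOM as signed: re-serialising the JSON (key reordering, pretty-printing) invalidates it even though the SPDX content is unchanged. With the cosign path the same holds, and the verifier should always pin `--certificate-identity` and `--certificate-oidc-issuer` rather than accepting any Fulcio certificate.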
