Hey all, excited to see interest in using Sigstore to sign SBOMs! As Isaac noted, Cosign supports signing and verifying blobs, which should be a good fit for what you want to sign. See https://docs.sigstore.dev/cosign/signing_with_blobs/ and https://docs.sigstore.dev/cosign/verify/ for more information.
By default, Cosign supports identity-based signing with ephemeral signing keys, which is what the Sigstore project recommends as this removes the need for developer-managed keys. There is also support for signing with existing keys from KMS or HSMs. Sigstore also supports signing identities from CI workflows, such as GitHub Actions and GitLab, which works well if CI automation is generating SBOMs as part of the build process. In all cases, you'll have signature transparency since signing events are written to an auditable, append-only transparency log.

Happy to chat more, Sigstore's Slack <https://join.slack.com/t/sigstore/shared_invite/zt-1z7jzpemb-xEKSUtpgDFXpIEMwMYZQKQ> is quite active also.

On Fri, Jul 14, 2023 at 4:12 PM Isaac Hepworth <[email protected]> wrote:

> +1 on Sigstore/Cosign. There's support for signing and verifying blobs as well as containers, which should work great for your use case as I understand it.
>
> +Hayden Blauzvern <[email protected]> from the Sigstore team will likely be able to point you at useful existing examples of folks doing exactly this.
>
> Isaac
>
> On Fri, Jul 14, 2023 at 4:04 PM Gary O'Neall <[email protected]> wrote:
>
>> Hi Sahil,
>>
>> To date, we have not standardized on the signing of SBOM documents within the SPDX specification itself.
>>
>> I would suggest looking into Sigstore <https://www.sigstore.dev/> as a possible standard and set of tools which can be leveraged for this purpose.
>>
>> Best regards,
>> Gary
>>
>> *From:* [email protected] <[email protected]> *On Behalf Of* [email protected]
>> *Sent:* Friday, July 14, 2023 1:28 PM
>> *To:* [email protected]
>> *Subject:* [spdx] SBOM Signing
>>
>> Hi,
>>
>> Is there any standard around signing SPDX JSON SBOM, or do we need to sign the SBOM file using OpenSSL or gpg? Although we can sign the SPDX SBOM using cosign, for that we have to attach that SBOM to a container (cosign/specs/SBOM_SPEC.md at main · sigstore/cosign · GitHub <https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md>), but if the application is not container-based, then in that case, what process do we have to follow to sign and validate the SPDX JSON SBOM?
>>
>> Thanks
>> Sahil

View/Reply Online (#1710): https://lists.spdx.org/g/spdx/message/1710
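The blob-signing flow that Isaac and Hayden point Sahil to, written out as an added example (this is not code from the thread, nor from cosign's own documentation): signing and verifying a standalone SPDX JSON SBOM with no container involved, first identity-based from CI and then with a key for teams that must use KMS/HSM keys. It assumes cosign v2 is on PATH; the GitHub organisation, repository, workflow and tag in the identity string are placeholders, and the SBOM content is constructed for the example.

```shell
# Added example, not code from the thread or from the Sigstore project: signing and
# verifying a standalone SPDX JSON SBOM with cosign v2, no container involved.
# Repo, workflow and tag names are placeholders; substitute your own.
set -eu
SBOM="${SBOM:-sbom.spdx.json}"

# Constructed minimal SPDX 2.3 document so there is something to sign.
write_sample_sbom() {
  cat > "$SBOM" <<'EOF'
{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
 "name": "example-app-1.0.0",
 "documentNamespace": "https://example.invalid/spdx/example-app-1.0.0",
 "creationInfo": {"created": "2023-07-14T20:00:00Z", "creators": ["Tool: constructed-example"]},
 "packages": [{"name": "example-app", "SPDXID": "SPDXRef-Package-example-app",
               "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION"}]}
EOF
}

# Identity-based (keyless) signing, the flow recommended in the thread. In a
# GitHub Actions job granted `id-token: write`, cosign fetches the OIDC token
# itself; the bundle carries the signature, the short-lived certificate and the
# Rekor transparency-log entry, so only the bundle needs to ship with the SBOM.
sign_sbom_keyless() {
  cosign sign-blob --yes --bundle "$SBOM.sigstore.json" "$SBOM"
}

# Verification must pin both the signer identity and the OIDC issuer; cosign v2
# refuses to verify without them, since otherwise any Fulcio-issued certificate
# would satisfy the check.
verify_sbom_keyless() {
  cosign verify-blob --bundle "$SBOM.sigstore.json" \
    --certificate-identity "https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/.github/workflows/release.yml@refs/tags/v1.0.0" \
    --certificate-oidc-issuer "https://token.actions.githubusercontent.com" "$SBOM"
}

# Key-based variant for teams that must sign with an existing key (a KMS key is
# passed the same way, e.g. --key awskms:///KEY-ID). A local key pair and no
# transparency-log upload are used here so the functions also run offline.
sign_sbom_with_key() {
  COSIGN_PASSWORD="" cosign generate-key-pair
  COSIGN_PASSWORD="" cosign sign-blob --yes --tlog-upload=false \
    --key cosign.key --output-signature "$SBOM.sig" "$SBOM"
}

# Fails if a single byte of the SBOM changed after signing.
verify_sbom_with_key() {
  cosign verify-blob --key cosign.pub --signature "$SBOM.sig" \
    --insecure-ignore-tlog=true "$SBOM"
}
```

The keyless functions need network access to Fulcio and Rekor and a CI-issued OIDC token, so run them from the pipeline that produces the SBOM; the key-based pair works on a laptop.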
