Has anyone looked at using JOSE/JWS? It’s a standard and there are lots of OSS SDKs for it.

Eliot

On 15 Jul 2023, at 08:57, Hayden Blauzvern via lists.spdx.org <[email protected]> wrote:


Hey all, excited to see interest in using Sigstore to sign SBOMs! As Isaac noted, Cosign supports signing and verifying blobs, which should be a good fit for what you want to sign. See https://docs.sigstore.dev/cosign/signing_with_blobs/ and https://docs.sigstore.dev/cosign/verify/ for more information.

By default, Cosign supports identity-based signing with ephemeral signing keys, which is what the Sigstore project recommends as this removes the need for developer-managed keys. There is also support for signing with existing keys from KMS or HSMs. Sigstore also supports signing identities from CI workflows, such as GitHub Actions and GitLab, which works well if CI automation is generating SBOMs as part of the build process. In all cases, you'll have signature transparency since signing events are written to an auditable, append-only transparency log.

Happy to chat more, Sigstore's Slack is quite active also. 

On Fri, Jul 14, 2023 at 4:12 PM Isaac Hepworth <[email protected]> wrote:
+1 on Sigstore/Cosign. There's support for signing and verifying blobs as well as containers, which should work great for your use case as I understand it.

+Hayden Blauzvern from the Sigstore team will likely be able to point you at useful existing examples of folks doing exactly this.

Isaac

On Fri, Jul 14, 2023 at 4:04 PM Gary O'Neall <[email protected]> wrote:

Hi Sahil,

To date, we have not standardized on the signing of SBOM documents within the SPDX specification itself.

I would suggest looking into Sigstore as a possible standard and set of tools which can be leveraged for this purpose.

Best regards,

Gary


From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: Friday, July 14, 2023 1:28 PM
To: [email protected]
Subject: [spdx] SBOM Signing

Hi,

Is there any standard around signing SPDX JSON SBOMs, or do we need to sign the SBOM file using OpenSSL or gpg? Although we can sign the SPDX SBOM using cosign, for that we have to attach the SBOM to a container (cosign/specs/SBOM_SPEC.md at main · sigstore/cosign · GitHub), but if the application is not container-based, what process should we follow to sign and validate the SPDX JSON SBOM?

Thanks
Sahil
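
As an added example (not code from this thread, nor from the SPDX or Sigstore projects), the Go program below shows the JOSE/JWS route Eliot raises for a stand-alone SPDX JSON file: it wraps the document in a JWS compact serialization signed with EdDSA and verifies it, rejecting a tampered payload, a rewritten header or a wrong key. The SBOM content, the key pair and the function names are constructed for the example; the cosign sign-blob / verify-blob commands Hayden points to are the other route for the same file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed minimal SPDX 2.3 JSON document standing in for a real SBOM (example data only).
const sbom = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example-app"}`
var b64 = base64.RawURLEncoding // JOSE segments are unpadded base64url (RFC 7515 section 2)

// SignSBOM wraps doc in a JWS compact serialization (header.payload.signature) signed
// with Ed25519 (alg "EdDSA", RFC 8037). Marshalling a map[string]string cannot fail.
func SignSBOM(priv ed25519.PrivateKey, doc []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JOSE", "cty": "application/spdx+json"})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(doc)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig)
}

// VerifySBOM returns the embedded SBOM bytes only if the JWS verifies under pub. The alg
// is pinned rather than trusted from the header, so "none" or a swapped alg is rejected.
func VerifySBOM(pub ed25519.PublicKey, jws string) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS: expected three segments")
	}
	var h struct{ Alg string `json:"alg"` }
	hdr, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "EdDSA" {
		return nil, errors.New("bad protected header or unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature does not verify")
	}
	return b64.DecodeString(parts[1]) // only now is the payload trusted
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	doc, err := VerifySBOM(pub, SignSBOM(priv, []byte(sbom)))
	fmt.Println(string(doc), err)
}
```

In practice the public key would be distributed out of band (or replaced by a Sigstore identity), and the SPDX file would be read from disk rather than embedded as a constant.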
