+1 on Sigstore. We are actively looking at that as our means for signing.

On Sat, Jul 15, 2023 at 11:57 PM Eliot Lear <[email protected]> wrote:

> Has anyone looked at using JOSE/JWS? It's a standard and there are lots of
> OSS SDKs for it.
>
> Eliot
>
> On 15 Jul 2023, at 08:57, Hayden Blauzvern via lists.spdx.org <hblauzvern=[email protected]> wrote:
>
> Hey all, excited to see interest in using Sigstore to sign SBOMs! As Isaac
> noted, Cosign supports signing and verifying blobs, which should be a good
> fit for what you want to sign. See
> https://docs.sigstore.dev/cosign/signing_with_blobs/ and
> https://docs.sigstore.dev/cosign/verify/ for more information.
>
> By default, Cosign supports identity-based signing with ephemeral signing
> keys, which is what the Sigstore project recommends as this removes the
> need for developer-managed keys. There is also support for signing with
> existing keys from KMS or HSMs. Sigstore also supports signing identities
> from CI workflows, such as GitHub Actions and GitLab, which works well if
> CI automation is generating SBOMs as part of the build process. In all
> cases, you'll have signature transparency since signing events are written
> to an auditable, append-only transparency log.
>
> Happy to chat more, Sigstore's Slack
> <https://join.slack.com/t/sigstore/shared_invite/zt-1z7jzpemb-xEKSUtpgDFXpIEMwMYZQKQ>
> is quite active also.
>
> On Fri, Jul 14, 2023 at 4:12 PM Isaac Hepworth <[email protected]> wrote:
>
>> +1 on Sigstore/Cosign. There's support for signing and verifying blobs as
>> well as containers, which should work great for your use case as I
>> understand it.
>>
>> +Hayden Blauzvern <[email protected]> from the Sigstore team will
>> likely be able to point you at useful existing examples of folks doing
>> exactly this.
>>
>> Isaac
>>
>> On Fri, Jul 14, 2023 at 4:04 PM Gary O'Neall <[email protected]> wrote:
>>
>>> Hi Sahil,
>>>
>>> To date, we have not standardized on the signing of SBOM documents
>>> within the SPDX specification itself.
>>>
>>> I would suggest looking into Sigstore <https://www.sigstore.dev/> as a
>>> possible standard and set of tools which can be leveraged for this purpose.
>>>
>>> Best regards,
>>>
>>> Gary
>>>
>>> *From:* [email protected] <[email protected]> *On Behalf Of* [email protected]
>>> *Sent:* Friday, July 14, 2023 1:28 PM
>>> *To:* [email protected]
>>> *Subject:* [spdx] SBOM Signing
>>>
>>> Hi,
>>>
>>> Is there any standard around signing SPDX JSON SBOMs, or do we need to
>>> sign the SBOM file using OpenSSL or gpg? Although we can sign the SPDX SBOM
>>> using cosign, for that we have to attach the SBOM to a container
>>> (cosign/specs/SBOM_SPEC.md at main · sigstore/cosign · GitHub
>>> <https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md>), but
>>> if the application is not container-based, what process do we have to
>>> follow to sign and validate the SPDX JSON SBOM?
>>>
>>> Thanks
>>> Sahil
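Added example (not from the thread, the SPDX project or the Sigstore project): the blob-signing flow Hayden describes, applied to a stand-alone SPDX JSON SBOM that is not attached to any container, using `cosign sign-blob` and `cosign verify-blob` with an ephemeral, identity-based key. It assumes cosign v2 on PATH, a constructed file name `sbom.spdx.json`, and that the consumer knows which signer identity and OIDC issuer to expect; the verify side fails closed when they are not supplied, because a bundle from any Sigstore signer is otherwise cryptographically valid.

```shell
#!/bin/sh
# Added example (not from the thread): keyless signing and verification of a
# stand-alone SPDX JSON SBOM with cosign v2 (assumed installed on PATH).
set -eu

SBOM="${SBOM:-sbom.spdx.json}"      # constructed file name: the SPDX JSON document
BUNDLE="${BUNDLE:-$SBOM.bundle}"    # signature + Fulcio cert + Rekor proof, one file

# Sign: the ephemeral key, the short-lived certificate bound to the signer's OIDC
# identity and the transparency-log entry are all written into $BUNDLE, so no
# long-lived key has to be generated, stored or distributed.
sign_sbom() {
  command -v cosign >/dev/null 2>&1 || { echo "cosign not found" >&2; return 127; }
  cosign sign-blob --yes --bundle "$BUNDLE" "$SBOM"
}

# Verify: pin WHO is expected to have signed, not just that a valid Sigstore
# signature exists. Refuse to run if the caller did not pin identity and issuer.
#   usage: verify_sbom <certificate-identity> <oidc-issuer>
#   e.g. for a GitHub Actions workflow the issuer is
#   https://token.actions.githubusercontent.com and the identity is the workflow URL.
verify_sbom() {
  identity="${1:-}"; issuer="${2:-}"
  if [ -z "$identity" ] || [ -z "$issuer" ]; then
    echo "refusing to verify without an expected signer identity and OIDC issuer" >&2
    return 2
  fi
  command -v cosign >/dev/null 2>&1 || { echo "cosign not found" >&2; return 127; }
  cosign verify-blob \
    --bundle "$BUNDLE" \
    --certificate-identity "$identity" \
    --certificate-oidc-issuer "$issuer" \
    "$SBOM"
}

# Dispatch on the first argument; with no argument the file only defines the
# functions, so it can be sourced by other scripts.
case "${1:-}" in
  sign)   sign_sbom ;;
  verify) shift; verify_sbom "$@" ;;
esac
```

Run `sh sign-sbom.sh sign` where the SBOM is produced (interactive OIDC login, or the CI identity when run in a workflow), ship `sbom.spdx.json` and `sbom.spdx.json.bundle` together, and have the consumer run `sh sign-sbom.sh verify <identity> <issuer>`; the verifier never needs a public key from you.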
