Software consumers use digital signatures on software for integrity and authenticity verification, which is why a trusted "registration authority" is needed to verify the identity of signing parties. There is an IETF SCITT Use Case (3.1) that describes the need to verify the integrity and authenticity of digital signers for software:
https://datatracker.ietf.org/doc/draft-ietf-scitt-software-use-cases/

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Pete Allor
Sent: Sunday, July 16, 2023 10:31 AM
To: [email protected]
Cc: Isaac Hepworth <[email protected]>
Subject: Re: [spdx] SBOM Signing

+1 on Sigstore. We are actively looking at that as our means for signing.

On Sat, Jul 15, 2023 at 11:57 PM Eliot Lear <[email protected]> wrote:

Has anyone looked at using JOSE/JWS? It's a standard and there are lots of OSS SDKs for it.

Eliot

On 15 Jul 2023, at 08:57, Hayden Blauzvern via lists.spdx.org <[email protected]> wrote:

Hey all, excited to see interest in using Sigstore to sign SBOMs! As Isaac noted, Cosign supports signing and verifying blobs, which should be a good fit for what you want to sign. See https://docs.sigstore.dev/cosign/signing_with_blobs/ and https://docs.sigstore.dev/cosign/verify/ for more information.

By default, Cosign supports identity-based signing with ephemeral signing keys, which is what the Sigstore project recommends as this removes the need for developer-managed keys. There is also support for signing with existing keys from KMS or HSMs. Sigstore also supports signing identities from CI workflows, such as GitHub Actions and GitLab, which works well if CI automation is generating SBOMs as part of the build process. In all cases, you'll have signature transparency since signing events are written to an auditable, append-only transparency log.

Happy to chat more, Sigstore's Slack <https://join.slack.com/t/sigstore/shared_invite/zt-1z7jzpemb-xEKSUtpgDFXpIEMwMYZQKQ> is quite active also.

On Fri, Jul 14, 2023 at 4:12 PM Isaac Hepworth <[email protected]> wrote:

+1 on Sigstore/Cosign. There's support for signing and verifying blobs as well as containers, which should work great for your use case as I understand it. +Hayden Blauzvern <[email protected]> from the Sigstore team will likely be able to point you at useful existing examples of folks doing exactly this.

Isaac

On Fri, Jul 14, 2023 at 4:04 PM Gary O'Neall <[email protected]> wrote:

Hi Sahil,

To date, we have not standardized on the signing of SBOM documents within the SPDX specification itself. I would suggest looking into Sigstore <https://www.sigstore.dev/> as a possible standard and set of tools which can be leveraged for this purpose.

Best regards,
Gary

From: [email protected] <[email protected]> On Behalf Of [email protected]
Sent: Friday, July 14, 2023 1:28 PM
To: [email protected]
Subject: [spdx] SBOM Signing

Hi,

Is there any standard around signing SPDX JSON SBOM, or do we need to sign the SBOM file using OpenSSL or gpg? Although we can sign the SPDX SBOM using cosign, for that we have to attach that SBOM to a container (cosign/specs/SBOM_SPEC.md at main · sigstore/cosign · GitHub <https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md>), but if the application is not container-based, then what process do we have to follow to sign and validate the SPDX JSON SBOM?

Thanks
Sahil
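Hayden's blob-signing path and Sahil's question about a standalone (non-container) SPDX JSON file, as an added example that is not from any poster here or from the cosign project: a stand-alone Go program that signs the raw SBOM bytes with ECDSA P-256 over SHA-256, emits the DER signature base64-encoded, and verifies it, so that any byte changed in the SBOM after signing fails verification. The SPDX document is a constructed stub, and the program models only the key-based sign/verify core, not the keyless certificate or transparency-log parts Hayden describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Constructed sample: a minimal SPDX 2.3 JSON stub, not a real SBOM.
const sampleSBOM = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"example-app"}`

// GenerateKey creates an ECDSA P-256 key pair for the publisher.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignBlob signs the SHA-256 digest of the raw SBOM bytes and returns the
// DER-encoded ECDSA signature as base64, i.e. a detached signature that can
// be shipped beside the SBOM file without wrapping the SBOM in a container.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyBlob recomputes the digest over the bytes the consumer actually
// received and checks the detached signature against the publisher's key.
func VerifyBlob(pub *ecdsa.PublicKey, blob []byte, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false // malformed signature file is treated as unverified
	}
	digest := sha256.Sum256(blob)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	sig, _ := SignBlob(priv, []byte(sampleSBOM))
	fmt.Println("signature:", sig)
	fmt.Println("original verifies:", VerifyBlob(&priv.PublicKey, []byte(sampleSBOM), sig))
	// Even a single appended byte (an edited package entry, say) must fail.
	fmt.Println("tampered verifies:", VerifyBlob(&priv.PublicKey, []byte(sampleSBOM+" "), sig))
}
```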
View/Reply Online (#1713): https://lists.spdx.org/g/spdx/message/1713
