FWIW, I kluged a digital signature into a spdx file by abusing the "creator
comment" field for a project I worked on.

essentially, the entire spdx doc, _*except the creator comment*_ is
serialized and a digital signature generated, which is placed into the
creation info->creator comment, tagged with "Signature".  Validation works
the same way, more or less.

"It works."  It would be nice if there was a dedicated field for a digital
signature, but I think the approach generally works.

spdx_doc.creation_info.creator_comment = f'Signature: {signature}'


python code, that works with 'tools-python' SPDX library here:

https://github.com/jotterson/sbom-validator/blob/master/spdx_utilities.py#L456
and
https://github.com/jotterson/sbom-validator/blob/master/signature_utilities.py#L40

The approach uses a RSA keypair created with ssh-keygen for signing and
validation.

Perhaps this will be useful to somebody.

Jeff
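The serialize-everything-except-the-creator-comment scheme described above, as an added example that is not Jeff's code from the linked repository: the document is a constructed dict rather than a tools-python object, and an HMAC-SHA256 tag stands in for the RSA signature so it runs with the standard library alone; what it shows is the canonical serialization with the comment field stripped, and that any change to the rest of the document fails verification.

```python
import copy
import hashlib
import hmac
import json

SIG_PREFIX = "Signature: "

# Constructed minimal SPDX-2.x-style document as a plain dict (assumption: the
# real tools-python Document serializes to this same JSON shape).
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "creationInfo": {
        "created": "2024-07-31T00:00:00Z",
        "creators": ["Tool: example-generator"],
    },
    "packages": [
        {"SPDXID": "SPDXRef-pkg", "name": "libexample", "versionInfo": "1.2.3"}
    ],
}


def canonical_bytes(doc):
    """Serialize everything except creationInfo.creatorComment, deterministically."""
    # sort_keys + fixed separators: signer and verifier must produce
    # byte-identical input or the signature never validates.
    scrubbed = copy.deepcopy(doc)
    scrubbed.get("creationInfo", {}).pop("creatorComment", None)
    return json.dumps(scrubbed, sort_keys=True, separators=(",", ":")).encode()


def sign_doc(doc, key):
    """Return a copy of doc with the tag embedded in creatorComment."""
    # HMAC-SHA256 stands in for the RSA signature the original approach uses.
    tag = hmac.new(key, canonical_bytes(doc), hashlib.sha256).hexdigest()
    signed = copy.deepcopy(doc)
    # Any pre-existing creator comment is overwritten: that field is the one
    # slot excluded from the signed payload, so it cannot carry other data.
    signed.setdefault("creationInfo", {})["creatorComment"] = SIG_PREFIX + tag
    return signed


def verify_doc(doc, key):
    """True only if creatorComment carries a tag matching the rest of doc."""
    comment = doc.get("creationInfo", {}).get("creatorComment", "")
    if not comment.startswith(SIG_PREFIX):
        return False
    expected = hmac.new(key, canonical_bytes(doc), hashlib.sha256).hexdigest()
    return hmac.compare_digest(comment[len(SIG_PREFIX):], expected)
```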

On Wed, Jul 31, 2024 at 8:35 AM Dick Brooks via lists.spdx.org <dick=[email protected]> wrote:

> Vivek,
>
> I can offer a glimpse of how Business Cyber Guardian delivers signed
> SBOM’s.
>
> We provide parties with a “Vendor Response Form” (VRF) containing links to
> attestation materials and other artifacts needed to perform a software
> product risk assessment following US Government requirements specified in
> the CISA “CISA Secure Software Attestation Form”, a/k/a the “Common Form”.
>
> Here is how we communicate information about digitally signed SBOM’s in
> the VRF:
>
> "Products": [
>     {
>         "LicensorName": "BUSINESS CYBER GUARDIAN (Reliable Energy Analytics LLC)",
>         "ProductName": "SAG-PM (TM)",
>         "DescriptionURL": "https://reliableenergyanalytics.com/products",
>         "Version": "2.1.0",
>         "SBOM": {
>             "type": "spdx",
>             "version": "2.3",
>             "format": "JSON",
>             "DigitalSignatureURL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json.sig",
>             "URL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json"
>         },
>
> Thanks,
>
> Dick Brooks
>
> *Active Member of the CISA Critical Manufacturing Sector, *
> *Sector Coordinating Council – A Public-Private Partnership*
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
>
> https://businesscyberguardian.com/
> Email: [email protected]
> Tel: +1 978-696-1788
>
>
> *From:* [email protected] <[email protected]> *On Behalf Of *Olle E
> Johansson
> *Sent:* Wednesday, July 31, 2024 3:34 AM
> *To:* [email protected]
> *Cc:* [email protected]
> *Subject:* Re: [spdx] Does SPDX support attachment of signature ?
>
> On 31 Jul 2024, at 02:24, Gary O'Neall <[email protected]> wrote:
>
> Hi Vivek,
>
> Thanks for posting the question.
>
> We have discussed this topic in the SPDX technical team meetings.
>
> I think you will find many of us believe signing SPDX document is key to
> preserving the integrity of the software supply chain.
>
> We came to the conclusion that signing should be done with an external
> standard and facility – such as sigstore <https://www.sigstore.dev/>.
> There are two reasons I recall from the discussions:
>
>    - The SBOM cannot store the digest for itself in itself so storing a
>    signature within the SPDX serialized document can be challenging
>    - There are several already existing standards outside of SPDX which
>    specify not only the digital signature formats, but also how to handle
>    certificate authoring, self-signing, and other related processes
>
> If you’d like to continue the discussion, I would suggest posting to the
> SPDX tech mailing list (added to the cc) or attending one of our weekly
> meetings.
>
> I think this is an important discussion. I have been trying to sort out a
> couple of thoughts around this while working with the TEA solution. There’s
> also some work on third party trust and attestations happening in the IETF
> SCITT working group.
>
> I’ll join the tech mailing list to follow the discussion.
>
> /O
>
> Best regards,
>
> *From:* [email protected] <[email protected]> *On Behalf Of *
> [email protected]
> *Sent:* Tuesday, July 30, 2024 1:02 AM
> *To:* [email protected]
> *Subject:* [spdx] Does SPDX support attachment of signature ?
>
> Digital signatures are essential for ensuring document integrity. Given
> the critical role of Software Bill of Materials (SBOMs) in providing
> software component information, signing SBOMs with tools like GPG or Cosign
> is crucial. To facilitate verification, we need to determine the
> appropriate location within the SPDX format to incorporate these
> signatures. Does an SPDX formatted SBOM support fields for storing these
> signatures?
>