I really think the option of having the signature live outside the SBOM is a good idea. I think it's good if SBOMs are shipped as a bundle of the signature and SBOM but including the signature in the SBOM itself really does hit those issues Gary raised. It also makes it easy to support existing signature ecosystems without having to support those ecosystems directly in the SBOM.
On Wed, Jul 31, 2024 at 1:01 PM Jeffrey Otterson via lists.spdx.org <[email protected]> wrote:

> FWIW, I kluged a digital signature into an SPDX file by abusing the "creator comment" field for a project I worked on.
>
> Essentially, the entire SPDX doc, _*except the creator comment*_, is serialized and a digital signature generated, which is placed into the creation info->creator comment, tagged with "Signature". Validation works the same way, more or less.
>
> "It works." It would be nice if there was a dedicated field for a digital signature, but I think the approach generally works.
>
> spdx_doc.creation_info.creator_comment = f'Signature: {signature}'
>
> Python code that works with the 'tools-python' SPDX library here:
>
> https://github.com/jotterson/sbom-validator/blob/master/spdx_utilities.py#L456
> and
> https://github.com/jotterson/sbom-validator/blob/master/signature_utilities.py#L40
>
> The approach uses an RSA keypair created with ssh-keygen for signing and validation.
>
> Perhaps this will be useful to somebody.
>
> Jeff
>
> On Wed, Jul 31, 2024 at 8:35 AM Dick Brooks via lists.spdx.org <dick=[email protected]> wrote:
>
>> Vivek,
>>
>> I can offer a glimpse of how Business Cyber Guardian delivers signed SBOMs.
>>
>> We provide parties with a “Vendor Response Form” (VRF) containing links to attestation materials and other artifacts needed to perform a software product risk assessment following US Government requirements specified in the CISA “CISA Secure Software Attestation Form”, a/k/a the “Common Form”.
>>
>> Here is how we communicate information about digitally signed SBOMs in the VRF:
>>
>> "Products": [
>>   {
>>     "LicensorName": "BUSINESS CYBER GUARDIAN (Reliable Energy Analytics LLC)",
>>     "ProductName": "SAG-PM (TM)",
>>     "DescriptionURL": "https://reliableenergyanalytics.com/products",
>>     "Version": "2.1.0",
>>     "SBOM": {
>>       "type": "spdx",
>>       "version": "2.3",
>>       "format": "JSON",
>>       "DigitalSignatureURL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json.sig",
>>       "URL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json"
>>     },
>>
>> Thanks,
>>
>> Dick Brooks
>>
>> *Active Member of the CISA Critical Manufacturing Sector,*
>> *Sector Coordinating Council – A Public-Private Partnership*
>>
>> *Never trust software, always verify and report!* ™
>> <https://reliableenergyanalytics.com/products>
>> https://businesscyberguardian.com/
>> Email: [email protected]
>> Tel: +1 978-696-1788
>>
>> *From:* [email protected] <[email protected]> *On Behalf Of *Olle E Johansson
>> *Sent:* Wednesday, July 31, 2024 3:34 AM
>> *To:* [email protected]
>> *Cc:* [email protected]
>> *Subject:* Re: [spdx] Does SPDX support attachment of signature ?
>>
>> On 31 Jul 2024, at 02:24, Gary O'Neall <[email protected]> wrote:
>>
>> Hi Vivek,
>>
>> Thanks for posting the question.
>>
>> We have discussed this topic in the SPDX technical team meetings.
>>
>> I think you will find many of us believe signing SPDX documents is key to preserving the integrity of the software supply chain.
>>
>> We came to the conclusion that signing should be done with an external standard and facility – such as sigstore <https://www.sigstore.dev/>.
>> There are two reasons I recall from the discussions:
>>
>> - The SBOM cannot store the digest for itself in itself, so storing a signature within the SPDX serialized document can be challenging
>> - There are several already existing standards outside of SPDX which specify not only the digital signature formats, but also how to handle certificate authoring, self-signing, and other related processes
>>
>> If you’d like to continue the discussion, I would suggest posting to the SPDX tech mailing list (added to the cc) or attending one of our weekly meetings.
>>
>> I think this is an important discussion. I have been trying to sort out a couple of thoughts around this while working with the TEA solution. There’s also some work on third party trust and attestations happening in the IETF SCITT working group.
>>
>> I’ll join the tech mailing list to follow the discussion.
>>
>> /O
>>
>> Best regards,
>>
>> *From:* [email protected] <[email protected]> *On Behalf Of *[email protected]
>> *Sent:* Tuesday, July 30, 2024 1:02 AM
>> *To:* [email protected]
>> *Subject:* [spdx] Does SPDX support attachment of signature ?
>>
>> Digital signatures are essential for ensuring document integrity. Given the critical role of Software Bill of Materials (SBOMs) in providing software component information, signing SBOMs with tools like GPG or Cosign is crucial. To facilitate verification, we need to determine the appropriate location within the SPDX format to incorporate these signatures. Does an SPDX-formatted SBOM support fields for storing these signatures?
View/Reply Online (#1902): https://lists.spdx.org/g/spdx/message/1902
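The two layouts the thread contrasts, as an added example written for this page (it is not code from any of the posters, nor from jotterson/sbom-validator): a signature embedded in `creationInfo.creatorComment` the way Jeff describes, which only verifies when signer and verifier strip that field identically before hashing (Gary's point that a document cannot carry a digest of itself), next to a detached `.json` + `.json.sig` pair like the one in Dick's VRF, which covers the exact file bytes. The sample SBOM and key are constructed; to stay standard-library only, an HMAC-SHA256 over a shared key stands in for the RSA or sigstore signature a real deployment would use, which does not change the field-exclusion logic being demonstrated.

```python
# Added example, not code from the thread or from jotterson/sbom-validator.
# Layout 1: signature embedded in creationInfo.creatorComment; signed bytes must
#           exclude that field, and the verifier must strip it the same way.
# Layout 2: detached signature (doc.json + doc.json.sig) over the exact file bytes.
# Assumption: HMAC-SHA256 over a shared key stands in for an RSA/sigstore
# signature so the example runs with the standard library only.
import copy
import hashlib
import hmac
import json

SIGNATURE_PREFIX = "Signature: "
DEMO_KEY = b"demo-key-not-for-production"  # stand-in for a real key pair

# Constructed sample document, not a real product's SBOM.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-1.0.0",
    "documentNamespace": "https://example.invalid/spdx/example-app-1.0.0",
    "creationInfo": {"created": "2024-07-31T12:00:00Z",
                     "creators": ["Tool: example-generator-0.1"]},
    "packages": [{"name": "example-app", "SPDXID": "SPDXRef-Package-example-app",
                  "versionInfo": "1.0.0", "downloadLocation": "NOASSERTION"}],
}

def canonical_bytes(doc):
    """Stable serialization: sorted keys, no whitespace, UTF-8."""
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_bytes(key, data):
    """Stand-in for an asymmetric signature; returns a hex string."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_bytes(key, data, sig):
    return hmac.compare_digest(sign_bytes(key, data), sig)

# Layout 1: embedded signature.
def signing_bytes_embedded(doc):
    """Canonical bytes with the field that will hold the signature removed."""
    stripped = copy.deepcopy(doc)
    stripped.get("creationInfo", {}).pop("creatorComment", None)
    return canonical_bytes(stripped)

def embed_signature(doc, key):
    signed = copy.deepcopy(doc)
    sig = sign_bytes(key, signing_bytes_embedded(doc))
    signed.setdefault("creationInfo", {})["creatorComment"] = SIGNATURE_PREFIX + sig
    return signed

def extract_embedded_signature(doc):
    comment = doc.get("creationInfo", {}).get("creatorComment", "")
    return comment[len(SIGNATURE_PREFIX):] if comment.startswith(SIGNATURE_PREFIX) else None

def verify_embedded(doc, key):
    sig = extract_embedded_signature(doc)
    return sig is not None and verify_bytes(key, signing_bytes_embedded(doc), sig)

def verify_embedded_without_exclusion(doc, key):
    """The mistake: hash the whole document, signature field included. Fails for
    every correctly signed document, because the hashed bytes now contain a value
    that did not exist when the signature was computed."""
    sig = extract_embedded_signature(doc)
    return sig is not None and verify_bytes(key, canonical_bytes(doc), sig)

# Layout 2: detached signature over the exact bytes written to disk.
def sign_detached(sbom_file_bytes, key):
    """Contents of the companion .sig file."""
    return sign_bytes(key, sbom_file_bytes).encode("ascii")

def verify_detached(sbom_file_bytes, sig_file_bytes, key):
    return verify_bytes(key, sbom_file_bytes, sig_file_bytes.decode("ascii"))

def demo():
    """Runs both layouts and returns the outcome of each check."""
    signed = embed_signature(SAMPLE_SBOM, DEMO_KEY)
    tampered = copy.deepcopy(signed)
    tampered["packages"][0]["versionInfo"] = "1.0.1"

    file_bytes = json.dumps(SAMPLE_SBOM, indent=2).encode("utf-8")  # as shipped
    sig_bytes = sign_detached(file_bytes, DEMO_KEY)
    reserialized = canonical_bytes(SAMPLE_SBOM)  # same content, different bytes

    return {
        "embedded_ok": verify_embedded(signed, DEMO_KEY),
        "embedded_tamper_detected": not verify_embedded(tampered, DEMO_KEY),
        "embedded_without_exclusion": verify_embedded_without_exclusion(signed, DEMO_KEY),
        "detached_ok": verify_detached(file_bytes, sig_bytes, DEMO_KEY),
        "detached_after_reserialize": verify_detached(reserialized, sig_bytes, DEMO_KEY),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The embedded layout works only because `signing_bytes_embedded` is applied on both sides; any consumer that re-serializes with different key order or whitespace, or forgets to strip the comment, gets a verification failure on a genuine document. The detached layout has the opposite property: it needs no canonicalization, but the consumer must verify the bytes exactly as shipped, which is what `detached_after_reserialize` shows failing and why the `.sig` belongs beside the unmodified `.json`.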
