+1 Get Outlook for iOS<https://aka.ms/o0ukef> ________________________________ From: [email protected] <[email protected]> on behalf of Michael Lieberman <[email protected]> Sent: Wednesday, July 31, 2024 2:02:36 PM To: [email protected] <[email protected]> Subject: [EXT] Re: [spdx] Does SPDX support attachment of signature ?
I really think the option of having the signature live outside the SBOM is a good idea. I think it's good if SBOMs are shipped as a bundle of the signature and SBOM but including the signature in the SBOM itself really does hit those issues I really think the option of having the signature live outside the SBOM is a good idea. I think it's good if SBOMs are shipped as a bundle of the signature and SBOM but including the signature in the SBOM itself really does hit those issues Gary raised. It also makes it easy to support existing signature ecosystems without having to support those ecosystems directly in the SBOM. On Wed, Jul 31, 2024 at 1:01 PM Jeffrey Otterson via lists.spdx.org<http://lists.spdx.org> <[email protected]<mailto:[email protected]>> wrote: FWIW, I kluged a digital signature into a spdx file by abusing the "creator comment" field for a project I worked on. essentially, the entire spdx doc, _except the creator comment_ is serialized and a digital signature generated, which is placed into the creation info->creator comment, tagged with "Signature". Validation works the same way, more or less. "It works." It would be nice if there was a dedicated field for a digital signature, but I think the approach generally works. spdx_doc.creation_info.creator_comment = f'Signature: {signature}' python code, that works with 'tools-python' SPDX library here: https://github.com/jotterson/sbom-validator/blob/master/spdx_utilities.py#L456 and https://github.com/jotterson/sbom-validator/blob/master/signature_utilities.py#L40 The approach uses a RSA keypair created with ssh-keygen for signing and validation. Perhaps this will be useful to somebody. Jeff On Wed, Jul 31, 2024 at 8:35 AM Dick Brooks via lists.spdx.org<http://lists.spdx.org> <[email protected]<mailto:[email protected]>> wrote: Vivek, I can offer a glimpse of how Business Cyber Guardian delivers signed SBOM’s. We provide parties with a “Vendor Response Form” (VRF) containing links to attestation materials and other artifacts needed to perform a software product risk assessment following US Government requirements specified in the CISA “CISA Secure Software Attestation Form”, a/k/a the “Common Form”. Here is how we communicate information about digitally signed SBOM’s in the VRF: "Products": [ { "LicensorName": "BUSINESS CYBER GUARDIAN (Reliable Energy Analytics LLC)", "ProductName": "SAG-PM (TM)", "DescriptionURL": "https://reliableenergyanalytics.com/products";, "Version": "2.1.0", "SBOM": { "type": "spdx", "version": "2.3", "format": "JSON", "DigitalSignatureURL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json.sig";, "URL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json"; }, Thanks, Dick Brooks [cid:ii_19109ab36ca5b16b21] [cid:ii_19109ab36ca7745b42] [cid:ii_19109ab36ca9374b63] Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership Never trust software, always verify and report!<https://reliableenergyanalytics.com/products> ™ https://businesscyberguardian.com/ Email: [email protected]<mailto:[email protected]> Tel: +1 978-696-1788 From: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> On Behalf Of Olle E Johansson Sent: Wednesday, July 31, 2024 3:34 AM To: [email protected]<mailto:[email protected]> Cc: [email protected]<mailto:[email protected]> Subject: Re: [spdx] Does SPDX support attachment of signature ? On 31 Jul 2024, at 02:24, Gary O'Neall <[email protected]<mailto:[email protected]>> wrote: Hi Vivek, Thanks for posting the question. We have discussed this topic in the SPDX technical team meetings. I think you will find many of us believe signing SPDX document is key to preserving the integrity of the software supply chain. We came to the conclusion that signing should be done with an external standard and facility – such as sigstore<https://www.sigstore.dev/>. There are two reasons I recall from the discussions: * The SBOM cannot store the digest for itself in itself so storing a signature within the SPDX serialized document can be challenging * There several already existing standards outside of SPDX which specify not only the digital signature formats, but also how to handle certificate authoring, self-signing, and other related processes If you’d like to continue the discussion, I would suggest posting to the SPDX tech mailing list (added to the cc) or attending one of our weekly meetings. I think this is an important discussion. I have been trying to sort out a couple of thoughts around this while working with the TEA solution. There’s also some work on third party trust and attestations happening in the iETF SCITT working group. I’ll join the tech mailing list to follow the discussion. /O Best regards, From: [email protected]<mailto:[email protected]> <[email protected]<mailto:[email protected]>> On Behalf Of [email protected]<mailto:[email protected]> Sent: Tuesday, July 30, 2024 1:02 AM To: [email protected]<mailto:[email protected]> Subject: [spdx] Does SPDX support attachment of signature ? Digital signatures are essential for ensuring document integrity. Given the critical role of Software Bill of Materials (SBOMs) in providing software component information, signing SBOMs with tools like GPG or Cosign is crucial. To facilitate verification, we need to determine the appropriate location within the SPDX format to incorporate these signatures. Does SPDX formatted SBOM supports fields for storing these signatures ? -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#1903): https://lists.spdx.org/g/spdx/message/1903 Mute This Topic: https://lists.spdx.org/mt/107630122/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/spdx/leave/2655439/21656/1698928721/xyzzy [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
