Hi all,
fwiw, in IETF SCITT [1] we wrap the to-be-signed bytes (an un-tampered
payload that is a statement about artifacts in the software supply chain
& some crypto/identity metadata) in a standardized signing envelope that
scales well with constrained devices (i.e., COSE_Sign1 as defined in IETF
STD 96 => RFC 9052 & RFC 9338).
It is of course possible to use XML DSig'esque approaches, but I think
today we are trying to avoid that.
Best regards,
Henk
[1] https://www.ietf.org/archive/id/draft-ietf-scitt-architecture-08.html#name-signed-statement-examples
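To make the envelope concrete, here is an added example, not Henk's code and not taken from the SCITT drafts: a Go program that builds and verifies a COSE_Sign1 (RFC 9052) over an SPDX JSON payload using only the standard library, including a just-enough CBOR encoder and decoder. It assumes an Ed25519 key (alg EdDSA, RFC 9053), an embedded payload, an empty unprotected header and a constructed SPDX stub; the content-type value and all function names are this example's choices, and the additional header requirements the SCITT draft linked above places on a Signed Statement are not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Minimal CBOR encoder (RFC 8949): only the item types COSE_Sign1 needs.
func cborHead(major byte, n uint64) []byte {
	switch {
	case n < 24:
		return []byte{major<<5 | byte(n)}
	case n <= 0xff:
		return []byte{major<<5 | 24, byte(n)}
	case n <= 0xffff:
		return []byte{major<<5 | 25, byte(n >> 8), byte(n)}
	}
	return []byte{major<<5 | 26, byte(n >> 24), byte(n >> 16), byte(n >> 8), byte(n)}
}
func cborStr(major byte, b []byte) []byte { return append(cborHead(major, uint64(len(b))), b...) }
func cborArray(items ...[]byte) []byte   { return append(cborHead(4, uint64(len(items))), bytes.Join(items, nil)...) }

// sigStructure builds Sig_structure = ["Signature1", protected, external_aad, payload] (RFC 9052
// section 4.4). The signature covers these bytes, never the bare payload, so the headers are bound too.
func sigStructure(protected, payload []byte) []byte {
	return cborArray(cborStr(3, []byte("Signature1")), cborStr(2, protected), cborStr(2, nil), cborStr(2, payload))
}

// SignCOSESign1 returns a tagged COSE_Sign1 with the payload embedded. The protected header is
// {1: -8, 3: cty} = {alg: EdDSA (RFC 9053), content type: cty}; COSE signs its encoding verbatim,
// so it is spelled out: a2 = map(2), 01 = label alg, 27 = -8, 03 = label content type.
func SignCOSESign1(priv ed25519.PrivateKey, cty string, payload []byte) []byte {
	protected := append([]byte{0xa2, 0x01, 0x27, 0x03}, cborStr(3, []byte(cty))...)
	sig := ed25519.Sign(priv, sigStructure(protected, payload))
	body := cborArray(cborStr(2, protected), cborHead(5, 0), cborStr(2, payload), cborStr(2, sig))
	return append(cborHead(6, 18), body...) // CBOR tag 18 marks a COSE_Sign1
}

// item consumes one CBOR data item from the front of *b (definite lengths up to 4 bytes only).
// Strings return their bytes; arrays, maps and tags are consumed recursively, which is how the
// verifier skips the unprotected header without interpreting it.
func item(b *[]byte) (major byte, n uint64, s []byte, err error) {
	if len(*b) == 0 {
		return 0, 0, nil, errors.New("cbor: truncated")
	}
	major, ai := (*b)[0]>>5, (*b)[0]&0x1f
	need := map[byte]int{24: 1, 25: 2, 26: 4}[ai] // argument bytes after the head; ai >= 27 unsupported
	if *b = (*b)[1:]; (ai >= 24 && need == 0) || need > len(*b) {
		return 0, 0, nil, errors.New("cbor: unsupported or truncated length")
	}
	for n = uint64(ai) >> (8 * need); need > 0; need-- { // inline argument, or big-endian bytes
		n, *b = n<<8|uint64((*b)[0]), (*b)[1:]
	}
	switch {
	case major == 2 || major == 3:
		if uint64(len(*b)) < n {
			return 0, 0, nil, errors.New("cbor: truncated string")
		}
		s, *b = (*b)[:n], (*b)[n:]
	case major >= 4 && major <= 6:
		for k := map[byte]uint64{4: n, 5: 2 * n, 6: 1}[major]; k > 0; k-- {
			if _, _, _, err = item(b); err != nil {
				return
			}
		}
	}
	return
}

// VerifyCOSESign1 parses msg, pins the algorithm to EdDSA, checks the signature over Sig_structure
// and returns the payload. A detached (nil) payload is rejected rather than verified against nothing.
func VerifyCOSESign1(pub ed25519.PublicKey, msg []byte) ([]byte, error) {
	msg = bytes.TrimPrefix(msg, []byte{0xd2}) // tag 18 is optional on COSE_Sign1: accept both forms
	if len(msg) == 0 || msg[0] != 0x84 {      // array(4)
		return nil, errors.New("not a COSE_Sign1 array")
	}
	msg = msg[1:]
	maj, val := [4]byte{}, [4][]byte{}
	for k := range val {
		var err error
		if maj[k], _, val[k], err = item(&msg); err != nil {
			return nil, err
		}
	}
	protected, payload, sig := val[0], val[2], val[3]
	// Shape check plus alg pinning. The prefix test matches the header encoding this example emits;
	// a general verifier decodes the protected map and looks up label 1 instead.
	if maj != [4]byte{2, 5, 2, 2} || !bytes.HasPrefix(protected, []byte{0xa2, 0x01, 0x27}) {
		return nil, errors.New("malformed COSE_Sign1 or alg is not EdDSA")
	}
	if !ed25519.Verify(pub, sigStructure(protected, payload), sig) {
		return nil, errors.New("COSE_Sign1 signature invalid")
	}
	return payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sbom := []byte(`{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT"}`) // constructed stub, not a real SBOM
	payload, err := VerifyCOSESign1(pub, SignCOSESign1(priv, "application/spdx+json", sbom))
	fmt.Printf("payload=%s err=%v\n", payload, err)
}
```

The point to take from it is that the signature is computed over Sig_structure, which binds the protected header (algorithm, content type) to the payload, so neither can be swapped without invalidating the signature, and the verifier refuses to proceed unless that header says EdDSA, which is the check that JWS-style "trust whatever alg says" verifiers got wrong. A production verifier would decode the protected map instead of matching a byte prefix, handle detached payloads and 8-byte lengths, and use a maintained COSE library rather than this hand-rolled CBOR.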
On 31.07.24 20:15, Martin, Robert A wrote:
+1
------------------------------------------------------------------------
*From:* [email protected] on behalf of Michael Lieberman <[email protected]>
*Sent:* Wednesday, July 31, 2024 2:02:36 PM
*To:* [email protected]
*Subject:* [EXT] Re: [spdx] Does SPDX support attachment of signature ?
I really think the option of having the signature live outside the SBOM
is a good idea. I think it's good if SBOMs are shipped as a bundle of
the signature and SBOM but including the signature in the SBOM itself
really does hit those issues Gary raised. It also makes it easy to
support existing signature ecosystems without having to support those
ecosystems directly in the SBOM.
On Wed, Jul 31, 2024 at 1:01 PM Jeffrey Otterson via lists.spdx.org <[email protected]> wrote:
FWIW, I kluged a digital signature into an SPDX file by abusing
the "creator comment" field for a project I worked on.
Essentially, the entire SPDX doc, except the creator comment, is
serialized and a digital signature generated, which is placed into
the creation info -> creator comment, tagged with "Signature".
Validation works the same way, more or less.
"It works." It would be nice if there was a dedicated field for a
digital signature, but I think the approach generally works.
spdx_doc.creation_info.creator_comment = f'Signature: {signature}'
Python code that works with the 'tools-python' SPDX library is here:
https://github.com/jotterson/sbom-validator/blob/master/spdx_utilities.py#L456
and
https://github.com/jotterson/sbom-validator/blob/master/signature_utilities.py#L40
The approach uses an RSA keypair created with ssh-keygen for signing
and validation.
Perhaps this will be useful to somebody.
Jeff
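To put the two models side by side, here is an added Go example; it is not Jeff's code (his is Python on tools-python with an RSA key from ssh-keygen; this substitutes Ed25519 and works on the SPDX 2.3 JSON directly). SignEmbedded and VerifyEmbedded follow Jeff's scheme: everything except the creator comment is serialised in a fixed canonical form and signed, and the signature is stored in that field under a "Signature: " tag. SignDetached and VerifyDetached are the sidecar model behind the .json.sig link in Dick's VRF and the signature-plus-SBOM bundle Mike describes. The SPDX stub is constructed; the JSON key used for the creator comment is creationInfo.comment (the SPDX 2.3 JSON name for the field tools-python exposes as creator_comment); the canonicalisation rule (encoding/json with sorted keys) and all function names are this example's choices, not anything SPDX specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: a minimal SPDX 2.3 JSON document, not a real SBOM.
const sampleSPDX = `{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo-app",
  "creationInfo": {"created": "2024-07-31T00:00:00Z", "creators": ["Tool: example"]},
  "packages": [{"SPDXID": "SPDXRef-Package-demo", "name": "demo", "versionInfo": "1.0.0"}]
}`

// In SPDX 2.3 JSON the creator comment is creationInfo.comment (tools-python: creator_comment).
const commentKey, sigPrefix = "comment", "Signature: "

// canonical re-serialises the parsed document with sorted keys and no insignificant whitespace
// (encoding/json sorts map keys), so signer and verifier derive the same to-be-signed bytes from
// any equivalent JSON. This is not RFC 8785 JCS; other implementations must apply the same rule.
func canonical(doc map[string]any) ([]byte, error) { return json.Marshal(doc) }

// SignEmbedded signs every field except the creator comment and stores the signature there.
func SignEmbedded(priv ed25519.PrivateKey, sbom []byte) ([]byte, error) {
	var doc map[string]any
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return nil, err
	}
	ci, ok := doc["creationInfo"].(map[string]any)
	if !ok {
		return nil, errors.New("creationInfo missing")
	}
	delete(ci, commentKey) // the field that will carry the signature cannot itself be covered by it
	tbs, err := canonical(doc)
	if err != nil {
		return nil, err
	}
	ci[commentKey] = sigPrefix + base64.StdEncoding.EncodeToString(ed25519.Sign(priv, tbs))
	return json.MarshalIndent(doc, "", "  ")
}

// VerifyEmbedded pulls the signature out of the creator comment, drops the field, re-canonicalises
// and verifies. Reformatting the JSON in between is harmless; changing any other field is not.
func VerifyEmbedded(pub ed25519.PublicKey, signed []byte) error {
	var doc map[string]any
	if err := json.Unmarshal(signed, &doc); err != nil {
		return err
	}
	ci, ok := doc["creationInfo"].(map[string]any)
	comment, _ := ci[commentKey].(string) // reading a nil map is safe in Go
	if !ok || !strings.HasPrefix(comment, sigPrefix) {
		return errors.New("no embedded signature in creationInfo." + commentKey)
	}
	sig, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(comment, sigPrefix))
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed embedded signature")
	}
	delete(ci, commentKey)
	tbs, err := canonical(doc)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, tbs, sig) {
		return errors.New("embedded signature does not match the document")
	}
	return nil
}

// SignDetached and VerifyDetached are the sidecar model (sbom.json shipped with sbom.json.sig):
// the exact bytes are signed, so nothing is canonicalised, but any reformatting breaks verification.
func SignDetached(priv ed25519.PrivateKey, raw []byte) []byte   { return ed25519.Sign(priv, raw) }
func VerifyDetached(pub ed25519.PublicKey, raw, sig []byte) bool { return ed25519.Verify(pub, raw, sig) }

// Reindent changes only whitespace, the kind of change a tool round-trip makes.
func Reindent(raw []byte, indent string) ([]byte, error) {
	var v any
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, err
	}
	return json.MarshalIndent(v, "", indent)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed, _ := SignEmbedded(priv, []byte(sampleSPDX))
	reformatted, _ := Reindent(signed, "\t")
	tampered := []byte(strings.Replace(string(signed), `"1.0.0"`, `"1.0.1"`, 1))
	fmt.Println("embedded | as signed:", VerifyEmbedded(pub, signed), "| reformatted:", VerifyEmbedded(pub, reformatted), "| tampered:", VerifyEmbedded(pub, tampered))
	sig := SignDetached(priv, []byte(sampleSPDX))
	reraw, _ := Reindent([]byte(sampleSPDX), "\t")
	fmt.Println("detached | same bytes:", VerifyDetached(pub, []byte(sampleSPDX), sig), "| reformatted:", VerifyDetached(pub, reraw, sig))
}
```

Running it shows the trade-off behind Gary's point further down the thread that the SBOM cannot store a digest of itself in itself: the embedded signature survives a whitespace round-trip and still catches a changed versionInfo, but only because signer and verifier agree on a canonical form that SPDX does not define, so every tool in the chain has to implement the same rule; the detached signature needs no canonicalisation at all but breaks the moment a tool reformats the file, which is why the .sig has to travel with the exact bytes it covers.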
On Wed, Jul 31, 2024 at 8:35 AM Dick Brooks via lists.spdx.org <[email protected]> wrote:
Vivek,

I can offer a glimpse of how Business Cyber Guardian delivers
signed SBOMs.

We provide parties with a "Vendor Response Form" (VRF)
containing links to attestation materials and other artifacts
needed to perform a software product risk assessment following
US Government requirements specified in the CISA "CISA Secure
Software Attestation Form", a/k/a the "Common Form".

Here is how we communicate information about digitally signed
SBOMs in the VRF:
"Products": [
    {
        "LicensorName": "BUSINESS CYBER GUARDIAN (Reliable Energy Analytics LLC)",
        "ProductName": "SAG-PM (TM)",
        "DescriptionURL": "https://reliableenergyanalytics.com/products",
        "Version": "2.1.0",
        "SBOM": {
            "type": "spdx",
            "version": "2.3",
            "format": "JSON",
            "DigitalSignatureURL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json.sig",
            "URL": "https://softwareassuranceguardian.com/SAG-PM_SBOM_V2_1_0.json"
        },
Thanks,

Dick Brooks

/Active Member of the CISA Critical Manufacturing Sector, /
/Sector Coordinating Council – A Public-Private Partnership/

*/Never trust software, always verify and report!/*™
https://businesscyberguardian.com/
Email: [email protected]
Tel: +1 978-696-1788

*From:* [email protected] *On Behalf Of* Olle E Johansson
*Sent:* Wednesday, July 31, 2024 3:34 AM
*To:* [email protected]
*Cc:* [email protected]
*Subject:* Re: [spdx] Does SPDX support attachment of signature ?

On 31 Jul 2024, at 02:24, Gary O'Neall <[email protected]> wrote:
Hi Vivek,

Thanks for posting the question.

We have discussed this topic in the SPDX technical team
meetings.

I think you will find many of us believe signing SPDX
documents is key to preserving the integrity of the software
supply chain.

We came to the conclusion that signing should be done with
an external standard and facility – such as sigstore
<https://www.sigstore.dev/>. There are two reasons I recall
from the discussions:
* The SBOM cannot store the digest for itself in itself so
storing a signature within the SPDX serialized document
can be challenging
* There are several already existing standards outside of SPDX
which specify not only the digital signature formats,
but also how to handle certificate authoring,
self-signing, and other related processes

If you'd like to continue the discussion, I would suggest
posting to the SPDX tech mailing list (added to the cc) or
attending one of our weekly meetings.

I think this is an important discussion. I have been trying to
sort out a couple of thoughts around this while working with the
TEA solution. There's also some work on third party trust and
attestations happening in the IETF SCITT working group.

I'll join the tech mailing list to follow the discussion.

/O

Best regards,
*From:* [email protected] *On Behalf Of* [email protected]
*Sent:* Tuesday, July 30, 2024 1:02 AM
*To:* [email protected]
*Subject:* [spdx] Does SPDX support attachment of signature ?

Digital signatures are essential for ensuring document
integrity. Given the critical role of Software Bill of
Materials (SBOMs) in providing software component
information, signing SBOMs with tools like GPG or Cosign is
crucial. To facilitate verification, we need to determine
the appropriate location within the SPDX format to
incorporate these signatures. Does an SPDX formatted SBOM
support fields for storing these signatures?

View/Reply Online (#1905): https://lists.spdx.org/g/spdx/message/1905