Re: SPDX Signing #spdx


Dick Brooks

Sandeep,


I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).


REA signs SBOMs using PGP, as this seems to be the easiest method to sign stand-alone text files, including SBOMs.

We simply have to make our public key available for verification of signed SBOMs.


The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs.

https://github.com/ietf-scitt


Thanks,


Dick Brooks


Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership


Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788


From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 7:08 AM
To: spdx@...
Subject: [spdx] SPDX Signing #spdx


Hi All,
Are there any guidelines to sign SPDX files?

Regards
Sandeep 
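The PGP workflow Dick describes (a detached signature on the SBOM file plus a published public key the consumer verifies against), as an added example that is not part of the thread; it assumes GnuPG 2.1+ is installed, and the key identity, paths and SPDX content below are constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not from the thread): sign an SPDX file with a detached,
# ASCII-armoured PGP signature, then verify it from a consumer keyring that
# holds only the supplier's published public key. Assumes GnuPG 2.1+;
# the key identity, paths and SBOM content are constructed here.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"   # throwaway keyring; the host keyring is untouched
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Constructed minimal SPDX tag-value document standing in for a real SBOM.
cat > "$WORK/sbom.spdx" <<'EOF'
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: https://example.invalid/spdx/example-sbom
Creator: Organization: Example Supplier
EOF

# Supplier side: create an unprotected signing key (batch mode) and export the
# public key that consumers will fetch and pin out of band.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'SBOM Signer <sbom-signer@example.invalid>' ed25519 sign 0
gpg --batch --quiet --armor --export sbom-signer@example.invalid \
    > "$WORK/supplier.pub.asc"

# Supplier side: write a detached, armoured signature next to the SBOM ($1.asc).
sign_sbom() {
    gpg --batch --quiet --yes --armor --detach-sign --output "$1.asc" "$1"
}

# Consumer side: verify $1 against $1.asc using only the public key in $2.
# Exit 0 means the signature is valid for this exact file; whether to trust
# that key at all is a separate, out-of-band decision.
verify_sbom() {
    vh="$(mktemp -d)"; chmod 700 "$vh"
    GNUPGHOME="$vh" gpg --batch --quiet --import "$2" 2>/dev/null
    if GNUPGHOME="$vh" gpg --batch --verify "$1.asc" "$1" 2>/dev/null; then rc=0; else rc=1; fi
    rm -rf "$vh"
    return $rc
}

sign_sbom "$WORK/sbom.spdx"
verify_sbom "$WORK/sbom.spdx" "$WORK/supplier.pub.asc" && echo "signature valid"

# A single edited field invalidates the detached signature.
sed 's/Example Supplier/Other Supplier/' "$WORK/sbom.spdx" > "$WORK/tampered.spdx"
cp "$WORK/sbom.spdx.asc" "$WORK/tampered.spdx.asc"
verify_sbom "$WORK/tampered.spdx" "$WORK/supplier.pub.asc" || echo "tampered SBOM rejected"
```

The verifier will still print a "not certified with a trusted signature" warning, because a valid signature only proves the file is unchanged since the holder of that key signed it; pinning the supplier's key is what turns that into trust.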
