Re: SPDX Signing

Home Messages Hashtags Subgroups

hectorf@... #1580 Sandeep, I know it is not a guideline. But we generally use sigstore/cosign to sign SBOMs. In a near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and potentially contains more metadata. Hector
More All Messages By This Member

Join spdx@lists.spdx.org to automatically receive all group messages.