Re: SPDX Signing #spdx


hectorf@...

Sandeep,

I know it is not a guideline. But we generally use sigstore/cosign to sign SBOMs. In the near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and potentially contains more metadata.

Hector
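To make the "SBOM inside an in-toto attestation" idea concrete, here is an added example (not code from the thread or from the sigstore/in-toto projects) that wraps an SPDX document as the predicate of an in-toto Statement, puts it in a DSSE envelope, and shows the checks a consumer should make before trusting the SBOM inside. The `toy_hmac_signer` is a constructed stand-in for a real key pair so the round trip runs offline; in practice cosign supplies the signing and verification.

```python
import base64
import hashlib
import hmac
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SPDX_PREDICATE = "https://spdx.dev/Document"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

def build_statement(artifact_name, artifact, sbom):
    """Wrap an SPDX SBOM (dict) as the predicate of an in-toto Statement about `artifact`."""
    return {"_type": IN_TOTO_STATEMENT,
            "subject": [{"name": artifact_name, "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
            "predicateType": SPDX_PREDICATE,
            "predicate": sbom}

def dsse_pae(payload_type, payload):
    """DSSE pre-authentication encoding: these bytes, not the raw JSON, get signed."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def build_envelope(statement, sign):
    """DSSE envelope around the statement; `sign` maps bytes to a signature."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = sign(dsse_pae(DSSE_PAYLOAD_TYPE, payload))
    return {"payloadType": DSSE_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "", "sig": base64.b64encode(sig).decode()}]}

def verify_envelope(envelope, artifact, verify):
    """Consumer-side checks: payload type, signature over the PAE, statement and
    predicate types, and that the subject digest matches the artifact in hand."""
    if envelope["payloadType"] != DSSE_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType")
    payload = base64.b64decode(envelope["payload"])
    pae = dsse_pae(envelope["payloadType"], payload)
    if not any(verify(pae, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        raise ValueError("no valid signature")
    stmt = json.loads(payload)
    if stmt.get("_type") != IN_TOTO_STATEMENT or stmt.get("predicateType") != SPDX_PREDICATE:
        raise ValueError("not an SPDX in-toto statement")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt["subject"]):
        raise ValueError("subject digest does not match artifact")
    return stmt["predicate"]

def toy_hmac_signer(key):
    """Constructed offline stand-in for a real key pair (cosign in practice): returns (sign, verify)."""
    sign = lambda msg: hmac.new(key, msg, hashlib.sha256).digest()
    return sign, (lambda msg, sig: hmac.compare_digest(sign(msg), sig))
```

The subject-digest check is the part most often skipped: a valid signature only proves someone signed that SBOM, not that it describes the artifact you actually downloaded.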
