Re: SPDX Signing #spdx


Steve Kilbane
 

May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here.

 

A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.

 

steve

 

* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of Time is out of whack since the pandemic.

 

From: spdx@... <spdx@...> On Behalf Of Dick Brooks
Sent: 08 August 2022 12:42
To: spdx@...
Subject: Re: [spdx] SPDX Signing #spdx

 

[External]

 

Sandeep,

 

I’m not aware of any specific guidelines for signing SBOM’s (SPDX and CycloneDX).

 

REA’s signs SBOM’s using PGP as this seems to be the easiest method to sign stand-alone text files, including SBOM’s.

We simply have to make our public key available for verification of signed SBOM’s.

 

The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOM’s.

https://github.com/ietf-scitt

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 7:08 AM
To: spdx@...
Subject: [spdx] SPDX Signing #spdx

 

Hi All,
Is there any guidelines to sign SPDX file ? 

Regards
Sandeep 

Join spdx@lists.spdx.org to automatically receive all group messages.