Re: SPDX Signing #spdx

Steve Kilbane

May as well throw out a plug for, and for in particular, here.


A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.




* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of Time is out of whack since the pandemic.


From: spdx@... <spdx@...> On Behalf Of Dick Brooks
Sent: 08 August 2022 12:42
To: spdx@...
Subject: Re: [spdx] SPDX Signing #spdx

I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).


REA signs SBOMs using PGP, as this seems to be the easiest method to sign stand-alone text files, including SBOMs.

We simply have to make our public key available for verification of signed SBOMs.


The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs.




Dick Brooks


Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership


Never trust software, always verify and report!

Email: dick@...

Tel: +1 978-696-1788
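Dick's message above describes signing the SBOM as a stand-alone text file with PGP and publishing the public key so consumers can verify it. The shell script below is an added example, not from the thread or from REA: it generates a throwaway key in a private GNUPGHOME, writes a constructed minimal SPDX tag-value document, produces a detached ASCII-armored signature with gpg, verifies it, and then shows that a one-line change to the SBOM makes verification fail. The key identity, paths and SBOM contents are all constructed; a real consumer would import the producer's published public key rather than generate one.

```shell
#!/bin/sh
# Added example (not from the thread): detached PGP signing of an SPDX SBOM
# with gpg, plus a verification that rejects a tampered copy. A throwaway,
# unprotected key lives in a private GNUPGHOME so no real keyring is touched.
set -eu
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT
SBOM="$WORK/example-app-1.0.spdx"   # constructed file name
gen_key() {  # throwaway key with no passphrase: demo only, never for production
  gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: default
Name-Real: SBOM Signer (constructed example)
Name-Email: sbom@example.invalid
Expire-Date: 0
%commit
EOF
}
write_sbom() {  # minimal constructed SPDX 2.3 tag-value document, rewritten on each call
  cat > "$SBOM" <<'EOF'
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-1.0
DocumentNamespace: https://example.invalid/spdx/example-app-1.0
Creator: Tool: constructed-example
Created: 2022-08-08T12:00:00Z
PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.0
PackageDownloadLocation: NOASSERTION
EOF
}
# Producer side: ASCII-armored detached signature written next to the SBOM as $1.asc
sign_sbom() { gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1"; }
# Consumer side: exit 0 only if $1.asc is a good signature over $1 by a known key
verify_sbom() { gpg --batch --verify "$1.asc" "$1" 2>/dev/null; }
run_demo() {  # 0 = pristine SBOM verified AND tampered SBOM was rejected
  write_sbom && sign_sbom "$SBOM"
  verify_sbom "$SBOM" || return 1                        # pristine copy must verify
  sed 's/^PackageVersion: .*/PackageVersion: 1.1/' "$SBOM" > "$SBOM.tmp" && mv "$SBOM.tmp" "$SBOM"
  if verify_sbom "$SBOM"; then return 2; fi              # edited copy must NOT verify
  return 0
}
gen_key
run_demo && echo "signature verified on the original SBOM and rejected after tampering"
```

Publishing the public key (`gpg --armor --export sbom@example.invalid` with the constructed identity) is the step that lets a consumer run the same `verify_sbom` check on their own machine.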


From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via
Sent: Monday, August 8, 2022 7:08 AM
To: spdx@...
Subject: [spdx] SPDX Signing #spdx


Hi All,
Are there any guidelines to sign SPDX files?

