Re: SPDX Signing #spdx

Brandon Lum

I've been signing and uploading them with sigstore as an intoto predicate, but not using the intoto specified spdx schema but instead pointing to a URI. Since sigstore has a limit on attestation size and this (point to a URI) also allows one to defer authorization of the blob to a storage server and point to a collection of documents.

Still in draft, but this is a approximation of what we're using

  "_type": "",
  "predicateType": "",
  "subject": [
      "name": "binary-linux-amd64",
      "digest": {
        "sha256": "f2e59e0e82c6a1b2c18ceea1dcb739f680f50ad588759217fc564b6aa5234791"
  "predicate": {
    "sboms": [
        "format": "SPDX",
        "digest": {
          "sha256": "02948ad50464ee57fe237b09054c45b1bff6c7d18729eea1eb740d89d9563209"
        "uri": ""
    // BuildMetadata is optional, but is used for provenance verification in the event SLSA 
    // provenance is not available. Specific to github actions workflow.
    "build-metadata": {
      "artifact-source-repo": "",
      "artifact-source-repo-commit": "c8cb5f292c77064aeabb488ea4f5e483a5073076",
      "attestation-generator-repo": "",
      "attestation-generator-repo-commit": "6948f4c67f6bca55657fe1fb3630b55b1714ef2d"

On Mon, Aug 8, 2022 at 7:51 AM Steve Kilbane <stephen.kilbane@...> wrote:

May as well throw out a plug for, and for in particular, here.


A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.




* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of Time is out of whack since the pandemic.


From: spdx@... <spdx@...> On Behalf Of Dick Brooks
Sent: 08 August 2022 12:42
To: spdx@...
Subject: Re: [spdx] SPDX Signing #spdx






I’m not aware of any specific guidelines for signing SBOM’s (SPDX and CycloneDX).


REA’s signs SBOM’s using PGP as this seems to be the easiest method to sign stand-alone text files, including SBOM’s.

We simply have to make our public key available for verification of signed SBOM’s.


The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOM’s.




Dick Brooks


Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership


Never trust software, always verify and report!

Email: dick@...

Tel: +1 978-696-1788


From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via
Sent: Monday, August 8, 2022 7:08 AM
To: spdx@...
Subject: [spdx] SPDX Signing #spdx


Hi All,
Is there any guidelines to sign SPDX file ? 


Join to automatically receive all group messages.