May as well throw out a plug for
https://openssf.org/, and for
https://www.sigstore.dev/ in particular, here.
A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.
steve
* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of time is out of whack since the pandemic.
From: spdx@... <spdx@...>
On Behalf Of Dick Brooks
Sent: 08 August 2022 12:42
To: spdx@...
Subject: Re: [spdx] SPDX Signing #spdx
Sandeep,
I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).
REA signs SBOMs using PGP, as this seems to be the easiest method to sign stand-alone text files, including SBOMs.
We simply have to make our public key available for verification of signed SBOMs.
The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs.
https://github.com/ietf-scitt
Thanks,
Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
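The workflow Dick describes above (a detached PGP signature over the stand-alone SBOM file, with only the published public key on the consumer side), as an added example that is not part of the thread or of REA’s tooling. It assumes GnuPG 2.1+ is installed; the signer identity and the minimal SPDX document are constructed for the demonstration.

```shell
#!/bin/sh
# Producer keyring: ephemeral GnuPG home with a throwaway, passphrase-less key.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
gpgb() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

SIGNER="sbom-signer@example.invalid"   # constructed identity, not a real key
gpgb --quick-generate-key "$SIGNER" default sign never

# Constructed minimal SPDX tag-value document standing in for a real SBOM.
SBOM="$GNUPGHOME/sample.spdx"
cat > "$SBOM" <<'EOF'
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app
EOF

# "Make our public key available": export only the public half for consumers.
PUB="$GNUPGHOME/sbom-signer.pub.asc"
gpgb --armor --export "$SIGNER" > "$PUB"

# Consumer keyring: a separate home that holds nothing but the published key.
VERIFIER_HOME=$(mktemp -d)
gpg --batch --quiet --homedir "$VERIFIER_HOME" --import "$PUB"

# Producer side: ASCII-armored detached signature written next to the SBOM.
sign_sbom() {
    gpgb --armor --local-user "$SIGNER" --detach-sign --output "$1.asc" "$1"
}

# Consumer side: exit status 0 only if <file>.asc is a valid signature over <file>
# by a key in the verifier keyring; any edit to the SBOM after signing fails.
verify_sbom() {
    gpg --batch --quiet --homedir "$VERIFIER_HOME" --verify "$1.asc" "$1" 2>/dev/null
}

sign_sbom "$SBOM"
verify_sbom "$SBOM" && echo "verified: $SBOM"

# A modified SBOM shipped with the original .asc must be rejected.
TAMPERED="$GNUPGHOME/tampered.spdx"
sed 's/example-app/example-app-modified/' "$SBOM" > "$TAMPERED"
cp "$SBOM.asc" "$TAMPERED.asc"
verify_sbom "$TAMPERED" || echo "rejected: $TAMPERED"
```

Consumers need the signer’s public key out of band (a key server, the project site, or a key pinned in CI), since a signature only proves integrity relative to whichever key you chose to trust.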
Hi All,
Are there any guidelines to sign an SPDX file?
Regards
Sandeep