May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here.
A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.
* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of time is out of whack since the pandemic.
From: spdx@... <spdx@...>
On Behalf Of Dick Brooks
Sent: 08 August 2022 12:42
Subject: Re: [spdx] SPDX Signing #spdx
I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).
REA signs SBOMs using PGP, as this seems to be the easiest method to sign stand-alone text files, including SBOMs.
We simply have to make our public key available for verification of signed SBOMs.
The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs.
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
trust software, always verify and report! ™
Tel: +1 978-696-1788
Are there any guidelines for signing an SPDX file?
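The PGP workflow Dick Brooks describes above (sign the SBOM as a stand-alone text file, publish the public key, let consumers verify), as an added example that is not code from this thread or from REA. It assumes GnuPG 2.1 or later (`gpg`, `gpgconf`) is installed; the SPDX document, the key identity `sbom@example.invalid` and the `verify_sbom` helper are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from REA: sign an SPDX tag-value SBOM
# with a detached, ASCII-armored PGP signature, publish only the public key, and
# verify on the consumer side. Assumes GnuPG 2.1+ (gpg, gpgconf) is installed.
# The SBOM contents and the key identity (sbom@example.invalid) are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'GNUPGHOME="$WORK/signer" gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# --- Producer side: isolated keyring, throwaway signing key, detached signature ---
export GNUPGHOME="$WORK/signer"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Constructed minimal SPDX 2.3 tag-value document standing in for a real SBOM.
cat > "$WORK/sbom.spdx" <<'EOF'
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-1.0
DocumentNamespace: https://example.invalid/spdx/example-app-1.0
Creator: Organization: Example Corp
Created: 2022-08-08T12:42:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-example-app
PackageVersion: 1.0
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
EOF

# Throwaway Ed25519 signing-only key with an empty passphrase (acceptable for a demo;
# a production SBOM signing key belongs in an HSM or at least behind a passphrase).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Example Corp SBOM Signing <sbom@example.invalid>" ed25519 sign never

# Fingerprint of the primary key: consumers should pin this, not just the e-mail address.
SIGNING_FPR="$(gpg --batch --with-colons --fingerprint sbom@example.invalid \
               | awk -F: '$1 == "fpr" { print $10; exit }')"

# Detached (the SBOM file itself is untouched) and ASCII-armored (ships as text beside it).
gpg --batch --quiet --yes --armor --local-user "$SIGNING_FPR" --detach-sign \
    --output "$WORK/sbom.spdx.asc" "$WORK/sbom.spdx"

# Publish the public key only; this is the one artifact verification needs.
gpg --batch --quiet --armor --export "$SIGNING_FPR" > "$WORK/sbom-signing-pubkey.asc"

# --- Consumer side ---
# verify_sbom PUBKEY SIG SBOM FINGERPRINT
# Imports the published key into a fresh keyring and checks the detached signature.
# Prints "verified" only if gpg reports VALIDSIG from the pinned fingerprint; anything
# else (bad signature, signature by some other key, gpg error) prints "REJECTED".
verify_sbom() {
    pubkey="$1"; sig="$2"; sbom="$3"; expected_fpr="$4"
    home="$(mktemp -d "$WORK/consumer.XXXXXX")"
    chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --quiet --import "$pubkey" 2>/dev/null
    # --status-fd 1 gives machine-readable lines; the exit status alone would also
    # accept a good signature from any other key that happened to be in the keyring.
    status="$(GNUPGHOME="$home" gpg --batch --status-fd 1 --verify "$sig" "$sbom" 2>/dev/null || true)"
    if printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG $expected_fpr "; then
        echo verified
    else
        echo REJECTED
    fi
}

# The untouched SBOM verifies; a one-character change to the version field does not.
sed 's/^PackageVersion: 1.0$/PackageVersion: 1.1/' "$WORK/sbom.spdx" > "$WORK/sbom-tampered.spdx"
echo "original: $(verify_sbom "$WORK/sbom-signing-pubkey.asc" "$WORK/sbom.spdx.asc" "$WORK/sbom.spdx" "$SIGNING_FPR")"
echo "tampered: $(verify_sbom "$WORK/sbom-signing-pubkey.asc" "$WORK/sbom.spdx.asc" "$WORK/sbom-tampered.spdx" "$SIGNING_FPR")"
```

The part the signature cannot do for you is the "make our public key available" step: the consumer has to obtain `sbom-signing-pubkey.asc` (or at least its fingerprint) over a channel they already trust, such as the vendor's TLS-served site or an out-of-band exchange, otherwise an attacker who can replace the SBOM can replace the key alongside it. Pinning the fingerprint in `verify_sbom` rather than trusting whatever is in the keyring is what makes that decision explicit.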