SPDX Signing #spdx


Brandon Lum
 

Cosign also has a format for doing this: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md

(Different from the attestation I just sent)

On Mon, Aug 8, 2022 at 10:33 AM Brandon Lum via lists.spdx.org <lumb=google.com@...> wrote:
I've been signing and uploading them with sigstore as an intoto predicate, but not using the intoto specified spdx schema but instead pointing to a URI. Since sigstore has a limit on attestation size and this (point to a URI) also allows one to defer authorization of the blob to a storage server and point to a collection of documents.

Still in draft, but this is an approximation of what we're using:

{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "http://google.com/sbom",
  "subject": [
    {
      "name": "binary-linux-amd64",
      "digest": {
        "sha256": "f2e59e0e82c6a1b2c18ceea1dcb739f680f50ad588759217fc564b6aa5234791"
      }
    }
  ],
  "predicate": {
    "sboms": [
      {
        "format": "SPDX",
        "digest": {
          "sha256": "02948ad50464ee57fe237b09054c45b1bff6c7d18729eea1eb740d89d9563209"
        },
        "uri": "https://github.com/lumjjb/sample-golang-prov/releases/download/v1.3/binary.spdx"
      }
    ],
    // BuildMetadata is optional, but is used for provenance verification in the event SLSA 
    // provenance is not available. Specific to github actions workflow.
    "build-metadata": {
      "artifact-source-repo": "https://github.com/lumjjb/sample-golang-prov",
      "artifact-source-repo-commit": "c8cb5f292c77064aeabb488ea4f5e483a5073076",
      "attestation-generator-repo": "https://github.com/lumjjb/slsa-github-generator-go",
      "attestation-generator-repo-commit": "6948f4c67f6bca55657fe1fb3630b55b1714ef2d"
    }
  }
}




On Mon, Aug 8, 2022 at 7:51 AM Steve Kilbane <stephen.kilbane@...> wrote:

May as well throw out a plug for https://openssf.org/, and for https://www.sigstore.dev/ in particular, here.

A recent* Open Source Summit session gave an example of signing SBOMs using sigstore, if I recall correctly, though I don’t recall the details.

steve

* I say “recent” – could have been SupplyChainSecurityCon back in October. My sense of Time is out of whack since the pandemic.


From: spdx@... <spdx@...> On Behalf Of Dick Brooks
Sent: 08 August 2022 12:42
To: spdx@...
Subject: Re: [spdx] SPDX Signing #spdx

Sandeep,

I’m not aware of any specific guidelines for signing SBOMs (SPDX and CycloneDX).

REA signs SBOMs using PGP, as this seems to be the easiest method to sign stand-alone text files, including SBOMs.

We simply have to make our public key available for verification of signed SBOMs.

The IETF is working on a new supply chain integrity, transparency and trust initiative (SCITT) that aims to produce a method for signing and verifying attestations, including SBOMs.

https://github.com/ietf-scitt

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, August 8, 2022 7:08 AM
To: spdx@...
Subject: [spdx] SPDX Signing #spdx

Hi All,
Are there any guidelines to sign SPDX files?

Regards
Sandeep
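The check a consumer of the URI-referencing predicate above needs, as an added example that is not Brandon's, Google's or cosign's code: the SBOM fetched from the URI lies outside the signed payload, so only its sha256 ties it (and the subject digest ties the binary) to the attestation. It assumes the envelope signature has already been verified (e.g. by cosign), and the artifact bytes, SBOM bytes and URI are constructed placeholders.

```python
import hashlib, hmac, json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SBOM_PREDICATE_TYPE = "http://google.com/sbom"  # predicateType used in the draft above

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def build_statement(artifact: bytes, sbom: bytes, sbom_uri: str) -> str:
    """Constructed statement in the shape of the draft predicate: the SBOM is
    referenced by URI and bound to the attestation only through its sha256."""
    stmt = {
        "_type": STATEMENT_TYPE,
        "predicateType": SBOM_PREDICATE_TYPE,
        "subject": [{"name": "binary-linux-amd64", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicate": {"sboms": [{"format": "SPDX", "uri": sbom_uri,
                                 "digest": {"sha256": sha256_hex(sbom)}}]},
    }
    return json.dumps(stmt)

def parse_statement(raw: str) -> dict:
    """Parse the (already signature-verified) payload and reject foreign types."""
    stmt = json.loads(raw)
    if stmt.get("_type") != STATEMENT_TYPE:
        raise ValueError("not an in-toto v0.1 Statement")
    if stmt.get("predicateType") != SBOM_PREDICATE_TYPE:
        raise ValueError(f"unexpected predicateType {stmt.get('predicateType')!r}")
    return stmt

def subject_matches(stmt: dict, name: str, artifact: bytes) -> bool:
    # The attestation describes one artifact; check that binding before the SBOM.
    return any(s["name"] == name and
               hmac.compare_digest(s["digest"]["sha256"].lower(), sha256_hex(artifact))
               for s in stmt["subject"])

def sbom_matches(stmt: dict, fetched: dict, fmt: str = "SPDX") -> bool:
    """fetched maps SBOM URI -> bytes retrieved from it. The storage server is
    untrusted, so every listed SBOM must be present and hash to the attested digest."""
    entries = [s for s in stmt["predicate"]["sboms"] if s.get("format") == fmt]
    return bool(entries) and all(
        s["uri"] in fetched and
        hmac.compare_digest(s["digest"]["sha256"].lower(), sha256_hex(fetched[s["uri"]]))
        for s in entries)

# Constructed sample inputs (not real release artifacts; the URI is a placeholder).
ARTIFACT = b"\x7fELF constructed binary bytes"
SBOM = b"SPDXVersion: SPDX-2.3\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n"
URI = "https://example.invalid/releases/v1.3/binary.spdx"
```

A verifier that skips `sbom_matches` would accept whatever the storage server currently serves at the URI, which is exactly the substitution the digest is there to catch.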


hectorf@...
 

Sandeep,

I know it is not a guideline, but we generally use sigstore/cosign to sign SBOMs. In the near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and potentially contains more metadata.

Hector

