cyclonedx-cli
Cannot verify multiple signatures on SBOM
The cli will allow a user to sign a bom with multiple keys by specifying a different private key in the --key-file argument when run multiple times (it will also allow the user to sign it multiple times with the same private key).
cyclonedx-cli sign bom bom.xml
Loading private key...
Loading XML BOM...
Generating signature...
Saving signature...
cyclonedx-cli sign bom bom.xml --key-file private2.key
Loading private key...
Loading XML BOM...
Generating signature...
Saving signature...
However, when validating the signatures, the cli doesn't allow multiple public keys to be passed in to verify each signature. It fails with a validation error.
cyclonedx-cli verify all bom.xml --key-file public.key public2.key
Unrecognized command or argument 'public2.key'
all
Verify all signatures in a BOM
Usage:
cyclonedx-cli [options] verify all <bom-file>
Arguments:
<bom-file> BOM filename
Options:
--key-file <key-file> Public key filename (RSA public key in PEM format, defaults to "public.key")
-?, -h, --help Show help and usage information
When the first key (public.key from the above example) is provided, signature verification fails for all sigs.
cyclonedx-cli verify all bom.xml --key-file public.key
Loading public key...
Loading XML BOM...
Reading signatures...
Found 2 signatures...
Verifying signature 1... failed verification
Verifying signature 2... failed verification
Signatures failed verification
When the second public key is provided, the second sig verifies but the first fails. All are marked as a failure.
cyclonedx-cli verify all bom.xml --key-file public2.key
Loading public key...
Loading XML BOM...
Reading signatures...
Found 2 signatures...
Verifying signature 1... failed verification
Verifying signature 2... verified
Signatures failed verification
Is the ability to sign the SBOM multiple times a feature? We are looking to leverage the ability to sign the SBOM multiple times as it passes through our pipelines; however, the lack of verifiability breaks that. Any advice would be appreciated.