cyclonedx-cli icon indicating copy to clipboard operation
cyclonedx-cli copied to clipboard
verified publisher icon CycloneDX

Unable to sign bom

Open g-sahil22 opened this issue 3 years ago • 8 comments

Steps:

image

g-sahil22 avatar Jul 29 '22 07:07 g-sahil22

I'm also seeing this same error when attempting to sign our SBOM See discussion at: https://github.com/adoptium/temurin-build/issues/3158

tellison avatar Nov 23 '22 09:11 tellison

Hi @tellison

Regarding the linked discussion and JSON signing,

Last time I checked there wasn't a JSF library available for .NET. That's why the CLI tool doesn't yet support enveloped signing for JSON format. It's been on my todo list for a while. But keeps getting bumped as it will take some care to make sure it is implemented correctly.

Are all the .NET runtime dependencies installed? In particular the required SSL library package?

coderpatros avatar Nov 23 '22 11:11 coderpatros

Hi @coderpatros ,

I have tried it from the cli docker image where I assume that the dependencies are correct, and get the same outcome.

$ docker run -v "$(pwd)":/sbom cyclonedx/cyclonedx-cli keygen
Generating new public/private key pair...
Saving public key to public.key
Saving private key to private.key

$ docker run -v "$(pwd)":/sbom cyclonedx/cyclonedx-cli sign bom /sbom/sbom.xml --key-file /sbom/private.key
Loading private key...
Loading XML BOM...
Generating signature...
Unhandled exception: System.Security.Cryptography.CryptographicException: Could not create hash algorithm object.
   at System.Security.Cryptography.Xml.Reference.CalculateHashValue(XmlDocument , CanonicalXmlNodeList )
   at System.Security.Cryptography.Xml.SignedXml.BuildDigestedReferences()
   at System.Security.Cryptography.Xml.SignedXml.ComputeSignature()
   ....

tellison avatar Nov 23 '22 11:11 tellison

I only had 30 mins to look at this as I was also getting the same error. When built from Visual Studio in either Debug or Release configurations the tool works as expected. When published as a self-contained, single file executable the observed error behaviour occurs. I suspect that the trimming functions of the compiler are not correct. I will try and have another look later this week.

MatthewPowley avatar Feb 01 '23 08:02 MatthewPowley

I can confirm that setting <PublishTrimmed>true</PublishTrimmed> to false in the csproj file fixes this. In fact, when running the publish command, the compiler warnings already warn that trimming may result in issues.

As I am not a dotnet expert I am not sure what the fix should be. But considering the age of this issue, perhaps it is worthwhile to investigate further.

https://learn.microsoft.com/en-us/dotnet/core/deploying/trimming/trim-self-contained

From the documentation: To prevent changes in behavior when trimming applications, the .NET SDK provides static analysis of trim compatibility through "trim warnings." Trim warnings are produced by the trimmer when it finds code that may not be compatible with trimming. Code that's not trim-compatible may produce behavioral changes, or even crashes, in an application after it has been trimmed. Ideally, all applications that use trimming should have no trim warnings. If there are any trim warnings, the app should be thoroughly tested after trimming to ensure that there are no behavior changes.

Perhaps trimming should be disabled as it says that Xml parsers are non-trimmable.

martinvanhensbergen avatar Feb 23 '23 11:02 martinvanhensbergen

issue still seems to be present in 0.24.2 on debian sid

looks like merging #306 is the fix? works for me, although the binary is then about 3x the size.

sej7278 avatar Mar 18 '23 20:03 sej7278

@tellison @g-sahil22 Can you confirm that this is fixed in 0.25.0 thanks to https://github.com/CycloneDX/cyclonedx-cli/commit/319467b722903828300d87f8bdcaf7189a64f637?

andreas-hilti avatar Oct 01 '23 12:10 andreas-hilti

Hi @tellison , image

g-sahil22 avatar Jan 25 '24 14:01 g-sahil22