Tim Ellison
An example of the signing of the SBOM is given as a [CycloneDX use-case](https://cyclonedx.org/use-cases/#authenticity)
Unlike the detached signature of the runtime binary, the SBOM signature should be part of the SBOM itself, presumably in [JSON signature format](https://cyberphone.github.io/doc/security/jsf.html). Is that how you see it too...
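As an added illustration (not code from this thread, nor from the CycloneDX or openkeystore projects) of what "the signature is part of the SBOM itself" means in JSON Signature Format terms: the `signature` object is inserted into the BOM, everything except its `value` member is canonicalized (JCS, RFC 8785: sorted keys, no whitespace, raw UTF-8), the canonical bytes are signed, and the encoded signature becomes `value`. Verification re-canonicalizes with `value` removed and compares. The example assumes the HMAC-based `HS256` algorithm with a constructed shared secret so it runs with only the standard library; a release pipeline would use an asymmetric JSF algorithm such as `ES256` with a private key, which changes only the sign/verify primitive, not the embedding. The BOM, key, and `keyId` are constructed sample data, and the canonicalizer covers the string/integer data found in a BOM but does not reproduce JCS float formatting or UTF-16 ordering of astral-plane key names.

```python
import base64
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed minimal CycloneDX 1.4 document; not a real Temurin SBOM.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "application", "name": "OpenJDK", "version": "17.0.5+8"}
    ],
}

# Assumed shared secret for the HS256 demo; a real signer would hold an
# asymmetric private key (ES256/RS256) and publish the public half.
SECRET = b"constructed-demo-key"


def canonicalize(obj) -> bytes:
    """JCS-style canonical form: sorted keys, no whitespace, raw UTF-8.
    Adequate for the string/int content of a BOM (no JCS float rules here)."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_bom(bom: dict, key: bytes, key_id: str = "demo-sbom-key") -> dict:
    """Return a copy of `bom` with an embedded JSF-style `signature` object.
    The MAC covers the whole document including the signature object
    minus its `value` member, exactly as JSF specifies."""
    signed = deepcopy(bom)
    signed["signature"] = {"algorithm": "HS256", "keyId": key_id}
    mac = hmac.new(key, canonicalize(signed), hashlib.sha256).digest()
    signed["signature"]["value"] = _b64url(mac)
    return signed


def verify_bom(signed: dict, key: bytes) -> bool:
    """Re-canonicalize with `value` removed and compare in constant time."""
    sig = signed.get("signature")
    if not isinstance(sig, dict) or sig.get("algorithm") != "HS256" \
            or not isinstance(sig.get("value"), str):
        return False
    unsigned = deepcopy(signed)
    value = unsigned["signature"].pop("value")
    expected = hmac.new(key, canonicalize(unsigned), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, _b64url_decode(value))
    except (ValueError, TypeError):
        return False


def reserialize(signed: dict) -> dict:
    """Round-trip through pretty-printed JSON: whitespace and key order must
    not affect verification because canonicalization removes them."""
    return json.loads(json.dumps(signed, indent=2))


def with_component_version(signed: dict, version: str) -> dict:
    """Simulate a consumer-side tamper: change a component version after signing."""
    tampered = deepcopy(signed)
    tampered["components"][0]["version"] = version
    return tampered


if __name__ == "__main__":
    doc = sign_bom(SAMPLE_BOM, SECRET)
    print(json.dumps(doc, indent=2))
    print("verify original:", verify_bom(doc, SECRET))
    print("verify tampered:", verify_bom(with_component_version(doc, "17.0.4+8"), SECRET))
```

The same shape holds for the CycloneDX XML flavour, except that XML uses enveloped XML-DSig rather than JCS, which is why a tool has to support each serialization separately rather than signing the bytes of whichever file it is handed.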
What have you done? This will be part of the "contract" with consumers so best we get it right first time rather than plan on changing it (and expecting users...
Maybe check the [CycloneDX CLI tool](https://github.com/CycloneDX/cyclonedx-cli#sign-command) that can sign the BOM (and presumably in the required format). Available in [a docker image](https://hub.docker.com/r/cyclonedx/cyclonedx-cli).
```
$ ./cyclonedx validate --input-file OpenJDK-sbom_aarch64_linux_hotspot_2022-11-18-03-30.json --input-format json --input-version v1_4 --fail-on-errors
Validating JSON BOM...
BOM validated successfully.
```
:-)
```
$ ./cyclonedx sign bom OpenJDK-sbom_aarch64_linux_hotspot_2022-11-18-03-30.json --key-file ~/.ssh/adoptopenjdk
Loading private key......
```
The tool can convert from json to XML format, so
```
$ ./cyclonedx convert --input-file OpenJDK-sbom_aarch64_linux_hotspot_2022-11-18-03-30.json --input-format json --output-file sbom.xml --output-format xml
```
works as expected and there is a valid...
See also this issue for signing JSON format files directly https://github.com/CycloneDX/cyclonedx-cli/issues/260 The error I get when trying to sign XML files [is already reported](https://github.com/CycloneDX/cyclonedx-cli/issues/251) back in July, but no follow-up...
Not making much progress on this. The CycloneDX tools don't do what we want, and [it doesn't sound like](https://github.com/CycloneDX/cyclonedx-cli/issues/251#issuecomment-1324878009) that is going to change imminently. Options as I see it...
Thanks @smlambert that looks promising:
```
$ cd openkeystore/library/
$ ant build
Buildfile: /openkeystore/library/build.xml

build:

_jdktest:
   [delete] Deleting directory /openkeystore/library/dist

_preprocess:
    [mkdir] Created dir: /openkeystore/library/.tmp
     [copy] Copying 22 files to...
```
The PMC discussed this on 8th May, and agreed to moving to this build tool chain, on the understanding that the license is acceptable.