SBOM signing errors and solutions

The following errors may occur during SBOM signing.

SHA3 algorithm not supported for RSA keys

Error message

SHA3 hash algorithm signing is not supported for RSA keys

Description

Your in-toto sign command is attempting to use a SHA3 algorithm with an RSA key. SHA3 SBOM signing is currently supported only with ECDSA key pairs.

Solution

There are two solutions to this error:

  • To sign using SHA3, specify an ECDSA key pair in the sign command.

  • To sign with your RSA key pair, select an alternative algorithm in the sign command.

Unsupported hash function

Error message

crypto/rsa: unsupported hash function

Description

Your in-toto sign verify command is attempting to use a SHA3 algorithm with an RSA key. SHA3 SBOM verification is currently supported only with ECDSA key pairs.

Solution

There are two solutions to this error:

  • To sign and then verify a signed SBOM using SHA3, specify an ECDSA key pair in the verify command.

  • To sign and then verify a signed SBOM with your RSA key pair, select an alternative algorithm in the verify command.
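
Both errors above come from the same key and hash mismatch, so a pipeline can catch it before the sign or verify step runs. The following Go preflight check is an added example, not part of the signing tool. It assumes the public key is available as a PEM-encoded PKIX file and that the hash is named with a label such as "SHA3-256"; the function names and the generated sample keys are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// preflight parses a PEM public key and applies the rule from this page:
// a SHA3 algorithm is accepted only with an ECDSA key. hashAlg is an assumed label.
func preflight(pemBytes []byte, hashAlg string) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return fmt.Errorf("no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse public key: %w", err)
	}
	_, isECDSA := pub.(*ecdsa.PublicKey)
	if !isECDSA && strings.HasPrefix(strings.ToUpper(hashAlg), "SHA3") {
		return fmt.Errorf("%s needs an ECDSA key pair, got %T", hashAlg, pub)
	}
	return nil
}

// sampleKeys builds constructed RSA and ECDSA public keys so the check runs offline.
func sampleKeys() (rsaPEM, ecPEM []byte) {
	enc := func(pub interface{}) []byte {
		der, _ := x509.MarshalPKIXPublicKey(pub)
		return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	}
	r, _ := rsa.GenerateKey(rand.Reader, 2048)
	e, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return enc(&r.PublicKey), enc(&e.PublicKey)
}

func main() {
	r, e := sampleKeys()
	fmt.Println(preflight(r, "SHA3-256"), preflight(r, "SHA-256"), preflight(e, "SHA3-256"))
}
```

Run the check against the same key that the sign or verify command will use; a non-nil result means one of the two solutions above applies.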