SBOM signing errors and solutions
The following errors may occur during SBOM signing.
SHA3 algorithm not supported for RSA keys
Error message
SHA3 hash algorithm signing is not supported for RSA keys
Description
Your in-toto sign command is attempting to use a SHA3 algorithm with an RSA key. SHA3 SBOM signing is currently only supported for ECDSA keypairs.
Solution
There are two solutions to this error:
To sign using SHA3, specify an ECDSA keypair in the sign command.
To sign with your RSA keypair, select an alternative algorithm in the sign command.
Unsupported hash function
Error message
crypto/rsa: unsupported hash function
Description
Your in-toto sign verify command is attempting to use a SHA3 algorithm with an RSA key. SHA3 SBOM verification is currently only supported for ECDSA keypairs.
Solution
There are two solutions to this error:
To sign and then verify a signed SBOM using SHA3, specify an ECDSA keypair in the verify command.
To sign and then verify a signed SBOM with your RSA keypair, select an alternative algorithm in the verify command.
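A pre-flight check covering both errors above, as an added example in Go (not code from this page or from the signing tool): it reads the public key, detects RSA, and rejects a SHA3 algorithm before the sign or verify command runs. The names CheckKeyHash and samplePEM, the PEM (PKIX) public key format, and hash names written like SHA3-256 are assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

var ErrSHA3WithRSA = errors.New("SHA3 hash algorithm signing is not supported for RSA keys") // text quoted on this page

// CheckKeyHash (hypothetical helper) rejects the RSA + SHA3 pairing up front.
// "SHA384" is SHA-2 and must pass, so only the "sha3-" family prefix matches.
func CheckKeyHash(pubPEM []byte, hashName string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return errors.New("no PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse public key: %w", err)
	}
	name := strings.ToLower(strings.ReplaceAll(hashName, "_", "-"))
	if _, isRSA := pub.(*rsa.PublicKey); isRSA && strings.HasPrefix(name, "sha3-") {
		return ErrSHA3WithRSA
	}
	return nil
}

// samplePEM returns a freshly generated (constructed) public key as PEM.
func samplePEM(kind string) []byte {
	var key crypto.Signer
	key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if kind == "rsa" {
		key, _ = rsa.GenerateKey(rand.Reader, 2048)
	}
	der, _ := x509.MarshalPKIXPublicKey(key.Public())
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

func main() {
	fmt.Println(CheckKeyHash(samplePEM("rsa"), "SHA3-256"))
}
```

Running the same check in the pipeline step that signs and in the one that verifies surfaces the mismatch before either command fails.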