Skip to main content

Sign SBOMs with SMCTL

DigiCert​​®​​ Signing Manager Controller (SMCTL) is a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention.

SBOM signing enables users to securely sign their SBOMs, providing assurance of their authenticity and integrity throughout the software supply chain. Additionally, SBOM verification ensures that received SBOMs have not been tampered with, enhancing trust and mitigating the risk of supply chain attacks.

Tip

SMCTL does not support all characters in sign commands, review the following:

  • Supported characters: @ % ( ) - _ = [ ] { } ;

  • Unsupported characters: | ` $ > < # ! ' & + ^

    Note: Jarsigner supports the ^ character in sign commands.

To avoid errors, remove unsupported characters from file paths before attempting to sign or sign directly via the third party tool.

Prerequisites

  • SMCTL version 1.44.0 or higher

  • DigiCert ONE API key

  • DigiCert ONE client authentication certificate

  • Keypair and default certificate

  • CycloneDX or SPDX SBOMs to be signed

Set PATH environment variables

Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.

Sign SBOMs with SMCTL

Note

SHA3 digest signing is not currently supported for RSA keys.

Commands for signing CycloneDX and SPDX SBOMs are shown below:

Sign SPDX JSON SBOMs

Command:

smctl sign in-toto spdx <sbom file path> <keypair ID or alias>

Command sample:

smctl sign in-toto spdx C:\Workspace\sbom-signing\golang.spdx.json 30dbb169-b120-4df6-b8fc-16e995909107

Sign CycloneDX JSON SBOMs

Command:

smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>

Command sample:

smctl sign in-toto cyclonedx  C:\Workspace\sbom-signing\golang.cyclonedx.json fcfecdeb-4412-4796-962a-1c135948a15f

Note

For more information refer to the sign in-toto command manual.

Verify a signed SBOM with SMCTL

Note

SHA3 digest verification is not currently supported for RSA keys.

Commands to verify signed SBOMs are shown below:

Verify a signed SBOM using your keypair ID

Verify a signed JSON SBOM using the hash algorithm and keypair ID.

Command:

smctl sign in-toto verify keypair-id <signed file> <hash algorithm> <keypair ID or alias>

Command sample:

smctl sign in-toto verify keypair-id C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 fcfecdeb-4412-4796-962a-1c135948a15f

Verify a signed SBOM using the public key

Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file and keypair ID.

Command:

smctl sign in-toto verify public-key <path to public key> <hash algorithm> <keypair ID or alias>

Command sample:

smctl sign in-toto verify public-key C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 new-keypair.pem

Note

For more information refer to the in-toto verify command manual.