Sign SBOMs with SMCTL
DigiCert® Signing Manager Controller (SMCTL) is a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention.
SBOM signing enables users to securely sign their SBOMs, providing assurance of their authenticity and integrity throughout the software supply chain. Additionally, SBOM verification ensures that received SBOMs have not been tampered with, enhancing trust and mitigating the risk of supply chain attacks.
Tip
SMCTL does not support all characters in sign commands, review the following:
Supported characters:
@ % ( ) - _ = [ ] { } ;
Unsupported characters:
| ` $ > < # ! ' & + ^
Note: Jarsigner supports the
^
character in sign commands.
To avoid errors, remove unsupported characters from file paths before attempting to sign or sign directly via the third party tool.
Prerequisites
SMCTL version 1.44.0 or higher
DigiCert ONE client authentication certificate
Keypair and default certificate
CycloneDX or SPDX SBOMs to be signed
Set PATH environment variables
Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.
Sign SBOMs with SMCTL
Note
SHA3 digest signing is not currently supported for RSA keys.
Commands for signing CycloneDX and SPDX SBOMs are shown below:
Sign SPDX JSON SBOMs
Command:
smctl sign in-toto spdx <sbom file path> <keypair ID or alias>
Command sample:
smctl sign in-toto spdx C:\Workspace\sbom-signing\golang.spdx.json 30dbb169-b120-4df6-b8fc-16e995909107
Sign CycloneDX JSON SBOMs
Command:
smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>
Command sample:
smctl sign in-toto cyclonedx C:\Workspace\sbom-signing\golang.cyclonedx.json fcfecdeb-4412-4796-962a-1c135948a15f
Note
For more information refer to the sign in-toto command manual.
Verify a signed SBOM with SMCTL
Note
SHA3 digest verification is not currently supported for RSA keys.
Commands to verify signed SBOMs are shown below:
Verify a signed SBOM using your keypair ID
Verify a signed JSON SBOM using the hash algorithm and keypair ID.
Command:
smctl sign in-toto verify keypair-id <signed file> <hash algorithm> <keypair ID or alias>
Command sample:
smctl sign in-toto verify keypair-id C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 fcfecdeb-4412-4796-962a-1c135948a15f
Verify a signed SBOM using the public key
Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file and keypair ID.
Command:
smctl sign in-toto verify public-key <path to public key> <hash algorithm> <keypair ID or alias>
Command sample:
smctl sign in-toto verify public-key C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 new-keypair.pem
Note
For more information refer to the in-toto verify command manual.