
Sign in-toto commands

This section covers the SMCTL commands that sign and verify JSON SBOMs using in-toto attestation functionality. The commands are: cyclonedx (sign a CycloneDX SBOM), spdx (sign an SPDX SBOM), and verify (check a signed SBOM against a keypair ID or a public key file). Use flags to specify command parameters.

Note

SHA3 digest signing and verification is not currently supported for RSA keys.

Sign

Sign commands begin with:

smctl sign in-toto <subcommand>

Subcommands

The sign command supports these subcommands:

Table 1. Subcommands for managing signatures

Shortcut   Subcommand   Description
           cyclonedx    Sign CycloneDX JSON SBOMs using in-toto functionality.
           spdx         Sign SPDX JSON SBOMs using in-toto functionality.
           verify       Verify JSON SBOMs using in-toto functionality.
-h         --help       Help for in-toto commands.


Sign CycloneDX JSON SBOMs

The sign CycloneDX JSON SBOMs command begins with:

smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>

Flags

The CycloneDX signature command supports these flags:

Table 2. Flags for signing CycloneDX JSON SBOMs

Shortcut   Flag                       Description
           --artifact-digest string   SHA256 digest of the artifact for which this SBOM was generated. Supplying it binds the signed SBOM to that specific artifact.
           --hash-algorithm string    Hash algorithm for the signature (default "SHA256"). SHA3 digest signing is not currently supported for RSA keys.
           --signed-file string       File name of the signed SBOM (default "signed_" + input file name).
-h         --help                     Help for signing CycloneDX JSON SBOMs.


Example

Description: Sign CycloneDX JSON SBOM.

Command:

smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>

Command sample:

smctl sign in-toto cyclonedx C:\Workspace\sbom-signing\golang.cyclonedx.json fcfecdeb-4412-4796-962a-1c135948a15f

Sign SPDX JSON SBOMs

The sign SPDX JSON SBOMs command begins with:

smctl sign in-toto spdx <sbom file path> <keypair ID or alias>

Flags

The SPDX signature command supports these flags:

Table 3. Flags for signing SPDX JSON SBOMs

Shortcut   Flag                       Description
           --artifact-digest string   SHA256 digest of the artifact for which this SBOM was generated. Supplying it binds the signed SBOM to that specific artifact.
           --hash-algorithm string    Hash algorithm for the signature (default "SHA256"). SHA3 digest signing is not currently supported for RSA keys.
           --signed-file string       File name of the signed SBOM (default "signed_" + input file name).
-h         --help                     Help for signing SPDX JSON SBOMs.


Example

Description: Sign SPDX JSON SBOM.

Command:

smctl sign in-toto spdx <sbom file path> <keypair ID or alias>

Command sample:

smctl sign in-toto spdx C:\Workspace\sbom-signing\golang.spdx.json 30dbb169-b120-4df6-b8fc-16e995909107

Verify JSON SBOMs command

Note

SHA3 digest verification is not currently supported for RSA keys.

The verify JSON SBOMs command begins with:

smctl sign in-toto verify

Subcommands

The verify JSON SBOM signature command supports these subcommands. Both take the signed file, the hash algorithm, and the key to verify against; pass the same hash algorithm that was used when the SBOM was signed.

Table 4. Subcommands for verifying JSON SBOM signatures

Shortcut   Subcommand   Description
           keypair-id   Verify a signed JSON SBOM using the hash algorithm and a keypair ID or alias.
           public-key   Verify a signed JSON SBOM using the hash algorithm and the public key present in a PEM or DER file.
-h         --help       Help for verifying JSON SBOMs.


Example

Description: Verify a signed JSON SBOM using the hash algorithm and keypair ID.

Command:

smctl sign in-toto verify keypair-id <signed file> <hash algorithm> <keypair ID or alias>

Command sample:

smctl sign in-toto verify keypair-id C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 fcfecdeb-4412-4796-962a-1c135948a15f

Example

Description: Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file.

Command:

smctl sign in-toto verify public-key <signed file> <hash algorithm> <path to public key>

Command sample:

smctl sign in-toto verify public-key C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 new-keypair.pem
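The commands above are shown one at a time. The script below is an added example (not DigiCert's code and not part of this page's reference material) that strings them together the way a release pipeline would: it computes the artifact's SHA256 so the SBOM can be pinned to it with --artifact-digest, signs the CycloneDX SBOM, then verifies the result both through the keypair ID and through an exported public key file, stopping on the first failure. The file names, the artifact path, the keypair ID and new-keypair.pem are placeholders; the script only calls smctl if it is on PATH.

```shell
#!/usr/bin/env bash
# Added example, not DigiCert's code. Sign a CycloneDX SBOM with smctl,
# bind it to the artifact it describes, and verify it two ways.
set -euo pipefail

# Hex SHA256 of a file: sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Refuse anything that is not 64 hex characters before handing it to
# --artifact-digest, so a tool error does not become a digest of "".
is_sha256_hex() {
  case "$1" in
    *[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 64 ]
}

# Sign, then verify through Software Trust Manager (keypair ID) and again
# with the exported public key, which is what an offline consumer would use.
# Only flags documented on this page are used; every path and ID is a placeholder.
sign_and_verify() {
  sbom="$1"; artifact="$2"; keypair="$3"; pubkey_pem="$4"
  signed="signed_$(basename "$sbom")"
  digest="$(sha256_of "$artifact")"
  is_sha256_hex "$digest" || { echo "bad digest: $digest" >&2; return 1; }

  smctl sign in-toto cyclonedx "$sbom" "$keypair" \
      --artifact-digest "$digest" --hash-algorithm SHA256 --signed-file "$signed"
  # Same hash algorithm as used for signing.
  smctl sign in-toto verify keypair-id "$signed" SHA256 "$keypair"
  smctl sign in-toto verify public-key "$signed" SHA256 "$pubkey_pem"
  echo "$signed"
}

if command -v smctl >/dev/null 2>&1; then
  # Placeholder inputs: SBOM, the binary it describes, keypair ID, exported public key.
  sign_and_verify golang.cyclonedx.json ./myapp \
      fcfecdeb-4412-4796-962a-1c135948a15f new-keypair.pem
else
  echo "smctl not on PATH; helper functions defined, nothing signed" >&2
fi
```

Because set -e is on, a verification failure aborts the script with smctl's non-zero exit status, which is the behaviour you want in CI: an SBOM that does not verify against the key it claims should never be published.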