Sign SBOMs with SMCTL

DigiCert® Signing Manager Controller (SMCTL) is a Command Line Interface (CLI) that facilitates manual and automated private key management, certificate management, and signing with or without the need for human intervention.

SBOM signing enables users to securely sign their SBOMs, providing assurance of their authenticity and integrity throughout the software supply chain. Additionally, SBOM verification ensures that received SBOMs have not been tampered with, enhancing trust and mitigating the risk of supply chain attacks.

Sugerencia

SMCTL does not support all characters in sign commands, review the following:

Supported characters: @ % ^ ( ) - _ = [ ] { } ;
Unsupported characters: | ` $ > < # ! ' & +.

To avoid errors, remove unsupported characters from file paths before attempting to sign.

Prerequisites

SMCTL version 1.44.0 or higher
DigiCert ONE API key
DigiCert ONE client authentication certificate
Keypair and default certificate
CycloneDX or SPDX SBOMs to be signed

Set PATH environment variables

Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.

ejemplo 1. Windows

You can configure the signing tools using SMCTL or environment variables.

To set the path to your signing tools via SMCTL:

Run:

set PATH=%path%;<Path to DigiCert ONE Signing Manager Tools folder>

Command sample:

set PATH=%path%;C:\Program Files\DigiCert\DigiCert One Signing Manager Tools

To verify that the tool has been integrated run the following command in SMCTL:
```
smctl healthcheck --tools
```

To set the path to your signing tools for your system or account:

Search for environment variables in the Windows start menu.
Select Edit environment variables for your account or Edit system environment variables.
Double click on the Path variable.
Click New.
Select Browse.
Select the path to the signing tool.
Signtool 64-bit path example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64
Signtool 32-bit path example: C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86
Jarsigner path example: C:\Program Files\Java\jdk-17\bin\
Apksigner path example: C:\build-tools\31.0.0
Click OK to save the path.
Click on OK to close the dialog.

ejemplo 2. Linux

Configure the signing tools using SMCTL.

Launch the Terminal application.
Open the file in an editor:
```
nano ~/.profile
```

Add any exports definitions you need:

export PATH=<Path to Jarsigner>
export PATH=<Path to Jsign>
export PATH=<Path to osslsigncode>

Click CTRL+X to exit.
Click Y to save.
Click Enter to keep the same file name.
Execute the new .profile by restarting Terminal or using:
```
 source ~/.profile
```

ejemplo 3. macOS

Configure the signing tools using SMCTL.

Launch the Terminal application.
Create a profile file:
```
touch ~/.zprofile
```
Open the file in an editor:
```
open ~/.zprofile
```

Add any exports definitions you need, such as:

export PATH=<Path to Apksigner>
export PATH=<Path to Jarsigner>
export PATH=<Path to Jsign>
export PATH=<Path to osslsigncode>
export PATH=<Path to Codesign>
export PATH=<Path to Productsign>

To save the new .zprofile, click File > Save (CMD + S).
Close the terminal window and reopen to use new saved variables.

Sync certificates (Windows only)

To sync the default certificate associated with the specified keypair alias to the Windows certificate store:

smctl windows certsync --keypair-alias=<keypair alias>