Skip to main content

Sign in-toto commands

This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.

Note

SHA3 digest signing and verification is not currently supported for RSA keys.

Sign

Sign commands begin with:

smctl sign in-toto <subcommand>

Subcommands

The sign command supports these subcommands:

Tableau 1. Subcommands for managing signatures

Shortcut

Subcommand

Description

cyclonedx

Sign CycloneDX JSON SBOMs using In-toto functionality.

spdx

Sign SPDX JSON SBOMs using In-toto functionality.

verify

Verify JSON SBOMs using In-toto functionality

-h

--help

Help for in-toto commands.


Sign CycloneDX JSON SBOMs

Sign CycloneDX JSON SBOMs commands begins with:

smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>

Flags

The CycloneDX signature command supports these flags:

Tableau 2. Flags for signing CycloneDX JSON SBOMs

Shortcut

Flag

Description

 

--artifact-digest string

SHA256 digest of the artifact for which this SBOM was generated.

--hash-algorithm string

Hash algorithm for the signature (default "SHA256").

Note

SHA3 digest signing is not currently supported for RSA keys.

--signed-file string

File name of the signed SBOM (default "signed_"+InputFileName)

-h

--help

Help for signing CycloneDX JSON SBOMs.


Example

Description: Sign CycloneDX JSON SBOM.

Command:

smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>

Command sample:

smctl sign in-toto cyclonedx  C:\Workspace\sbom-signing\golang.cyclonedx.json fcfecdeb-4412-4796-962a-1c135948a15f

Sign SPDX JSON SBOMs

Sign SPDX JSON SBOMs commands begins with:

smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>

Flags

The SPDX signature command supports these flags:

Tableau 3. Flags for signing SPDX JSON SBOMs

Shortcut

Flag

Description

--artifact-digest string

SHA256 digest of the artifact for which this SBOM was generated.

--hash-algorithm string

Hash algorithm for the signature (default "SHA256").

Note

SHA3 digest signing is not currently supported for RSA keys.

--signed-file string

File name of the signed SBOM (default "signed_"+InputFileName)

-h

--help

Help for signing SPDX JSON SBOMs.


Example

Description: Sign SPDX JSON SBOM.

Command:

smctl sign in-toto spdx <sbom file path> <keypair ID or alias>

Command sample:

smctl sign in-toto spdx C:\Workspace\sbom-signing\golang.spdx.json 30dbb169-b120-4df6-b8fc-16e995909107

Verify JSON SBOMs command

Note

SHA3 digest verification is not currently supported for RSA keys.

Verify JSON SBOMs commands begins with:

smctl sign in-toto verify

Subcommands

The verify JSON SBOM signature command supports these subcommands:

Tableau 4. Subcommands for verify JSON SBOMs signatures

Shortcut

Flag

Description

keypair-id

Verify a signed JSON SBOM using the hash algorithm and keypair ID.

public-key

Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file.

-h

--help

Help for verifying JSON SBOMs.


Example

Description: Verify a signed JSON SBOM using the hash algorithm and keypair ID.

Command:

smctl sign in-toto verify keypair-id <signed file> <hash algorithm> <keypair ID or alias>

Command sample:

smctl sign in-toto verify keypair-id C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 fcfecdeb-4412-4796-962a-1c135948a15f

Example

Description: Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file.

Command:

smctl sign in-toto verify public-key <path to public key> <hash algorithm> <keypair ID or alias>

Command sample:

smctl sign in-toto verify public-key C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 new-keypair.pem