Smctl で署名する
SignTool、jarsigner、apksigner、NuGet、Mage、jsign で smctL を使用して署名することができます。
SBOM signing enables users to securely sign their SBOMs, providing assurance of their authenticity and integrity throughout the software supply chain. Additionally, SBOM verification ensures that received SBOMs have not been tampered with, enhancing trust and mitigating the risk of supply chain attacks.
ヒント
SMCTL does not support all characters in sign commands, review the following:
Supported characters:
@ % ^ ( ) - _ = [ ] { } ;Unsupported characters:
| ` $ > < # ! ' & +.
To avoid errors, remove unsupported characters from file paths before attempting to sign.
Prerequisites
SMCTL version 1.44.0 or higher
CycloneDX or SPDX SBOMs to be signed
ツールをセットアップする
Operating systems use the environment variable called PATH to determine where executable files are stored on your system. Use the PATH environment variable to store the file path to your signing tools to ensure that the CLI can reference these signing tools.
鍵ペアエイリアスと証明書ファイルパスを提供する
証明書を同期させ、鍵ペアエイリアスと証明書ファイルのパスを入力してください。
smctl windows certsync --keypair-alias=<keypair alias>
Sign SBOMs with SMCTL
注記
SHA3 digest signing is not currently supported for RSA keys.
Commands for signing CycloneDX and SPDX SBOMs are shown below:
Sign SPDX JSON SBOMs
Command:
smctl sign in-toto spdx <sbom file path> <keypair ID or alias>
Command sample:
smctl sign in-toto spdx C:\Workspace\sbom-signing\golang.spdx.json 30dbb169-b120-4df6-b8fc-16e995909107
Sign CycloneDX JSON SBOMs
Command:
smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>
Command sample:
smctl sign in-toto cyclonedx C:\Workspace\sbom-signing\golang.cyclonedx.json fcfecdeb-4412-4796-962a-1c135948a15f
注記
For more information refer to the sign in-toto command manual.
Verify a signed SBOM with SMCTL
注記
SHA3 digest verification is not currently supported for RSA keys.
Commands to verify signed SBOMs are shown below:
Verify a signed SBOM using your keypair ID
Verify a signed JSON SBOM using the hash algorithm and keypair ID.
Command:
smctl sign in-toto verify keypair-id <signed file> <hash algorithm> <keypair ID or alias>
Command sample:
smctl sign in-toto verify keypair-id C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 fcfecdeb-4412-4796-962a-1c135948a15f
Verify a signed SBOM using the public key
Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file and keypair ID.
Command:
smctl sign in-toto verify public-key <path to public key> <hash algorithm> <keypair ID or alias>
Command sample:
smctl sign in-toto verify public-key C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 new-keypair.pem
注記
For more information refer to the in-toto verify command manual.