Sign in-toto commands
This section covers commands that you use in SMCTL to manage signatures. These commands are: sign, verify signature, and remove signature. Use flags to specify command parameters.
Nota
SHA3 digest signing and verification is not currently supported for RSA keys.
Sign
Sign commands begin with:
smctl sign in-toto <subcommand>
Subcommands
The sign command supports these subcommands:
Sign CycloneDX JSON SBOMs
Sign CycloneDX JSON SBOMs commands begins with:
smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>
Flags
The CycloneDX signature command supports these flags:
Shortcut | Flag | Description |
---|---|---|
| --artifact-digest string | SHA256 digest of the artifact for which this SBOM was generated. |
--hash-algorithm string | Hash algorithm for the signature (default "SHA256"). NotaSHA3 digest signing is not currently supported for RSA keys. | |
--signed-file string | File name of the signed SBOM (default "signed_"+InputFileName) | |
-h | --help | Help for signing CycloneDX JSON SBOMs. |
Example
Description: Sign CycloneDX JSON SBOM.
Command:
smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>
Command sample:
smctl sign in-toto cyclonedx C:\Workspace\sbom-signing\golang.cyclonedx.json fcfecdeb-4412-4796-962a-1c135948a15f
Sign SPDX JSON SBOMs
Sign SPDX JSON SBOMs commands begins with:
smctl sign in-toto cyclonedx <sbom file path> <keypair ID or alias>
Flags
The SPDX signature command supports these flags:
Shortcut | Flag | Description |
---|---|---|
--artifact-digest string | SHA256 digest of the artifact for which this SBOM was generated. | |
--hash-algorithm string | Hash algorithm for the signature (default "SHA256"). NotaSHA3 digest signing is not currently supported for RSA keys. | |
--signed-file string | File name of the signed SBOM (default "signed_"+InputFileName) | |
-h | --help | Help for signing SPDX JSON SBOMs. |
Example
Description: Sign SPDX JSON SBOM.
Command:
smctl sign in-toto spdx <sbom file path> <keypair ID or alias>
Command sample:
smctl sign in-toto spdx C:\Workspace\sbom-signing\golang.spdx.json 30dbb169-b120-4df6-b8fc-16e995909107
Verify JSON SBOMs command
Nota
SHA3 digest verification is not currently supported for RSA keys.
Verify JSON SBOMs commands begins with:
smctl sign in-toto verify
Subcommands
The verify JSON SBOM signature command supports these subcommands:
Shortcut | Flag | Description |
---|---|---|
keypair-id | Verify a signed JSON SBOM using the hash algorithm and keypair ID. | |
public-key | Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file. | |
-h | --help | Help for verifying JSON SBOMs. |
Example
Description: Verify a signed JSON SBOM using the hash algorithm and keypair ID.
Command:
smctl sign in-toto verify keypair-id <signed file> <hash algorithm> <keypair ID or alias>
Command sample:
smctl sign in-toto verify keypair-id C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 fcfecdeb-4412-4796-962a-1c135948a15f
Example
Description: Verify a signed JSON SBOM using the hash algorithm and public key present in a PEM or DER file.
Command:
smctl sign in-toto verify public-key <path to public key> <hash algorithm> <keypair ID or alias>
Command sample:
smctl sign in-toto verify public-key C:\Workspace\sbom-signing\signed_golang.cyclonedx.json SHA256 new-keypair.pem