In an era where supply chain attacks are becoming increasingly sophisticated, ensuring the integrity and authenticity of your software components is paramount. CycloneDX introduces new signature capabilities that enable developers and DevOps engineers to sign Software Bill of Materials (SBOM) files, adding an essential layer of security to the software development lifecycle.
In this blog post, we will explore the importance of signing SBOMs, how to leverage CycloneDX to sign these files, and best practices for managing your signing keys.
Currently, only XML SBOM files are supported by the CycloneDX-CLI tool, so a JSON SBOM would first have to be converted to XML, which is error-prone. Stay tuned for our follow-up blog post on how to sign JSON SBOMs.
A Software Bill of Materials (SBOM) is a comprehensive list of components, libraries, and modules that make up a software application. It is an essential tool for managing dependencies, understanding potential vulnerabilities, and ensuring compliance with security policies. However, an SBOM is only as reliable as the environment in which it was generated and the security measures in place to protect it.
By signing an SBOM, you can:
CycloneDX makes the process of signing an SBOM straightforward. Here are the steps you need to follow:
Before you can sign an SBOM, you need to generate a pair of cryptographic keys: a private key for signing and a public key for verification. CycloneDX provides a simple command-line interface (CLI) to accomplish this:
./cyclonedx-cli keygen
Generating new public/private key pair...
Saving public key to public.key
Saving private key to private.key
This command generates a new key pair and saves the public key to public.key and the private key to private.key.
Once you have your keys, you can sign your SBOM using the cyclonedx-cli tool. Assuming you have an SBOM file named bom.xml, you can sign it with the following command:
./cyclonedx-cli sign bom bom.xml --key-file=private.key
Loading private key...
Loading XML BOM...
Generating signature...
Saving signature...
This command loads your private key, reads the SBOM file, generates a signature, and appends a <Signature> tag to the end of the SBOM file.
To ensure the integrity and authenticity of a signed SBOM, the signature can be verified using the corresponding public key:
./cyclonedx-cli verify all bom.xml --key-file=public.key
Loading public key...
Loading XML BOM...
Reading signatures...
Found 1 signatures...
Verifying signature 1... verified
All signatures verified
If the SBOM has not been tampered with, the verification process will confirm that the signature is valid.
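To make the keygen, sign and verify steps above concrete, here is an added, self-contained Go example (not code from CycloneDX or its CLI). It generates an RSA key pair, signs a small constructed CycloneDX XML document with RSA-PSS over its SHA-256 digest, exports the public key as PEM for distribution, and shows verification failing when a single component version is edited or when the wrong public key is used. The simplification to keep in mind: the CLI embeds an XML Signature element inside the document, which requires XML canonicalization; this example signs the raw file bytes and keeps the signature detached, so it is not byte-compatible with what cyclonedx-cli produces. The BOM content, key size and function names are all assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// SampleBOM is a constructed, minimal CycloneDX XML document used as the input to sign.
const SampleBOM = `<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1">
  <components>
    <component type="library">
      <name>example-lib</name>
      <version>1.2.3</version>
    </component>
  </components>
</bom>
`

// GenerateKeyPair is the equivalent of the "keygen" step: a fresh RSA key pair.
// (2048 bits is an assumption for the example; pick per your policy.)
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignBOM hashes the BOM bytes with SHA-256 and signs the digest with RSA-PSS.
// Unlike the CLI, the signature is detached rather than embedded in the XML.
func SignBOM(bom []byte, priv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(bom)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyBOM returns nil only if sig is a valid signature over bom under pub.
// Any change to the bytes, or a different signing key, makes it return an error.
func VerifyBOM(bom, sig []byte, pub *rsa.PublicKey) error {
	digest := sha256.Sum256(bom)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

// ExportPublicKeyPEM serialises the public key in the form you would distribute to consumers.
func ExportPublicKeyPEM(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ImportPublicKeyPEM parses a distributed PEM public key on the consumer side.
func ImportPublicKeyPEM(data []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY block found")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := key.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return pub, nil
}

// TamperedBOM returns the BOM with one component version silently changed,
// the kind of edit a signature is meant to catch.
func TamperedBOM(bom string) string {
	return strings.Replace(bom, "<version>1.2.3</version>", "<version>1.2.4</version>", 1)
}

func main() {
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	sig, err := SignBOM([]byte(SampleBOM), priv)
	if err != nil {
		panic(err)
	}
	fmt.Println("signature (base64):", base64.StdEncoding.EncodeToString(sig)[:32], "...")
	fmt.Println("original verifies:", VerifyBOM([]byte(SampleBOM), sig, &priv.PublicKey) == nil)
	fmt.Println("tampered verifies:", VerifyBOM([]byte(TamperedBOM(SampleBOM)), sig, &priv.PublicKey) == nil)
}
```

Running it prints a truncated signature, then "original verifies: true" and "tampered verifies: false". Because the signature covers the raw bytes, even a whitespace-only reformat of the XML would also fail verification; that is precisely the problem XML canonicalization solves in the CLI's embedded signatures, and why a detached signature over bytes should only be used when the file is distributed verbatim.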
Signing keys are a critical part of your security infrastructure. Here are some best practices for managing them:
Private keys should be stored securely in a trusted environment. Use hardware security modules (HSMs) or secure key management services provided by cloud providers to store private keys.
Access to the private key should be restricted to the environments where SBOMs are generated. Avoid sharing the private key with third parties and ensure that only authorized personnel have access.
Periodically rotate your key pairs to minimize the risk of key compromise. Establish a key rotation policy that aligns with your organization's security requirements.
Distribute your public key to all stakeholders who need to verify the integrity of your SBOMs. Ensure that the public key is accessible and verifiable by those who depend on your software.
The new signature capabilities of CycloneDX provide a robust mechanism for ensuring the integrity and authenticity of SBOMs. By signing SBOMs, developers and DevOps engineers can enhance their supply chain security, prevent tampering, and build trust with their software consumers. Implementing a secure process for generating, signing, and verifying SBOMs, along with proper key management practices, is essential for maintaining the integrity of your software supply chain.
As supply chain attacks continue to evolve, tools like CycloneDX and its new signature capabilities will play a crucial role in defending against these threats. Embrace these new features and fortify your software development practices to safeguard your applications and users.