Codenotary Trustcenter Blog

Simplifying SBOM Signing with SBOM.sh for CycloneDX JSON SBOMs

Written by Dennis | Jul 8, 2024 7:33:36 AM

In our previous blog post, we discussed the importance of signing Software Bill of Materials (SBOMs) to enhance supply chain security and introduced CycloneDX's signature capabilities. While CycloneDX has made significant strides, the current process is limited to XML SBOM files, requiring error-prone conversion from JSON. This is where SBOM.sh comes in, providing a seamless solution for signing CycloneDX JSON SBOMs directly from a user-friendly dashboard.

This follow-up post will explore how SBOM.sh simplifies the signing process, ensuring your SBOMs are secure, verifiable, and easily shareable.

Introducing SBOM.sh: Streamlined Signing for JSON SBOMs

SBOM.sh offers a comprehensive platform that allows you to sign CycloneDX JSON SBOMs effortlessly. Here’s how it works:

Step 1: Generate or Upload your CycloneDX JSON SBOM

Start by generating a new SBOM or uploading an existing SBOM into the SBOM.sh dashboard. The intuitive interface is designed to simplify the process, even for those new to SBOM signing.

Step 2: Sign the SBOM

With just a few clicks, you can sign your JSON SBOM. SBOM.sh uses secure cryptographic keys stored in a managed environment to ensure the integrity and authenticity of your SBOM. The platform automatically generates the necessary keys if you don't have them already, streamlining the process even further.

Step 3: Download and Share

Once signed, your SBOM will be downloaded automatically from the dashboard. You can also share it with stakeholders or publish it as needed.

Step 4: Verify

SBOM.sh provides built-in verification tools, allowing anyone to verify the signature and ensure the SBOM's integrity. Simply upload the signed SBOM file to https://sbom.sh and you'll see a verification message.

The public key of SBOM.sh is stored Base64-encoded and tamper-proof on immudb Vault: https://vault.immudb.io/OOaFkw53
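To make concrete what the sign and verify steps do underneath the dashboard, here is an added example in Go. It is not SBOM.sh's code and the envelope format it uses is an assumption for illustration (the post does not specify SBOM.sh's actual signature format, and this is not CycloneDX's own signature schema either). It canonicalizes a constructed CycloneDX JSON SBOM, signs it with an Ed25519 key, bundles the Base64-encoded public key the way the post describes SBOM.sh publishing its key, and then verifies against a trusted key supplied separately, which is how a verifier should treat the key published on immudb Vault rather than whatever key travels inside the file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// sampleSBOM is a constructed, minimal CycloneDX 1.5 JSON document used as input.
const sampleSBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","version":1,` +
	`"components":[{"type":"library","name":"example-lib","version":"1.2.3"}]}`

// Signature is a hypothetical signature record (an assumption for this example,
// not the format SBOM.sh or CycloneDX actually emits).
type Signature struct {
	Algorithm string `json:"algorithm"`
	PublicKey string `json:"publicKey"` // Base64 Ed25519 public key
	Value     string `json:"value"`     // Base64 Ed25519 signature over canonical SBOM bytes
}

// SignedSBOM bundles the SBOM with its signature so it can be shared as one file.
type SignedSBOM struct {
	SBOM      json.RawMessage `json:"sbom"`
	Signature Signature       `json:"signature"`
}

// canonicalize re-encodes the JSON with sorted keys and no insignificant whitespace,
// so two files describing the same SBOM sign and verify identically however they
// were pretty-printed. encoding/json sorts map keys at every nesting level.
func canonicalize(raw []byte) ([]byte, error) {
	var v interface{}
	if err := json.Unmarshal(raw, &v); err != nil {
		return nil, fmt.Errorf("invalid JSON SBOM: %w", err)
	}
	return json.Marshal(v)
}

// SignSBOM signs the canonical form of raw with priv and returns the envelope.
func SignSBOM(raw []byte, priv ed25519.PrivateKey) (*SignedSBOM, error) {
	canon, err := canonicalize(raw)
	if err != nil {
		return nil, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return &SignedSBOM{
		SBOM: canon,
		Signature: Signature{
			Algorithm: "Ed25519",
			PublicKey: base64.StdEncoding.EncodeToString(pub),
			Value:     base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canon)),
		},
	}, nil
}

// VerifySBOM checks the envelope against trustedPubB64, a Base64 public key obtained
// out of band (for SBOM.sh, the vault entry the post links). The key embedded in the
// envelope is deliberately ignored: whoever can rewrite the SBOM can also rewrite an
// embedded key, so it proves nothing on its own.
func VerifySBOM(s *SignedSBOM, trustedPubB64 string) (bool, error) {
	pub, err := base64.StdEncoding.DecodeString(trustedPubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false, fmt.Errorf("trusted public key is not a valid Base64 Ed25519 key")
	}
	sig, err := base64.StdEncoding.DecodeString(s.Signature.Value)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, fmt.Errorf("signature is not a valid Base64 Ed25519 signature")
	}
	canon, err := canonicalize(s.SBOM)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(ed25519.PublicKey(pub), canon, sig), nil
}

func main() {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	signed, err := SignSBOM([]byte(sampleSBOM), priv)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(signed, "", "  ")
	fmt.Println(string(out))
	// In practice the trusted key comes from the published location, not from the
	// file under test; here both are the same freshly generated key.
	trusted := signed.Signature.PublicKey
	ok, _ := VerifySBOM(signed, trusted)
	fmt.Println("original verifies:", ok)
	// Bump a component version after signing: the signature must no longer match.
	tampered := &SignedSBOM{
		SBOM:      json.RawMessage(strings.Replace(string(signed.SBOM), "1.2.3", "9.9.9", 1)),
		Signature: signed.Signature,
	}
	ok, _ = VerifySBOM(tampered, trusted)
	fmt.Println("tampered verifies:", ok)
}
```

The canonicalization step is what lets a verifier accept a re-indented or key-reordered copy of the same SBOM while still rejecting any change to its content; the separate trusted-key parameter is the piece that gives the published public key its value.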

The Benefits of Using SBOM.sh

SBOM.sh simplifies the signing process, making it accessible and efficient. Here are some key benefits:

  • User-Friendly Interface: The dashboard is designed to be intuitive, minimizing the learning curve and making it easy for anyone to sign and manage SBOMs.
  • Direct JSON Support: Skip the error-prone conversion step—SBOM.sh supports CycloneDX JSON SBOMs natively.
  • Secure Key Management: SBOM.sh securely manages your cryptographic keys, ensuring they are stored and used in a safe environment.
  • Verification and Sharing: Signed SBOMs can be easily verified and shared, promoting transparency and trust within your software supply chain.

Ensuring Security with SBOM.sh

Security is a cornerstone of SBOM.sh. The platform follows best practices for managing cryptographic keys and securing SBOM data. Here are some measures in place:

  • Secure Storage: Private keys are stored in a secure environment, protecting them from unauthorized access.
  • Access Control: Only authorized users can sign SBOMs, and access to sensitive operations is tightly controlled.
  • Regular Audits: SBOM.sh undergoes regular security audits to ensure compliance with the latest security standards.

Conclusion

SBOM.sh revolutionizes the way you handle CycloneDX JSON SBOMs by providing a simple, secure, and efficient signing process directly from a user-friendly dashboard. By leveraging SBOM.sh, you can enhance your supply chain security, ensure the integrity and authenticity of your software components, and build trust with your stakeholders.

Embrace SBOM.sh and take control of your SBOM signing process today. With SBOM.sh, securing your software supply chain has never been easier. Visit SBOM.sh to learn more and get started.

By integrating SBOM.sh into your workflow, you can streamline the process of signing CycloneDX JSON SBOMs and ensure that your software components remain secure and verifiable. The platform's comprehensive features and user-friendly interface make it an invaluable tool for developers and DevOps engineers alike.