This project provides a Node.js script to sign and verify CycloneDX Software Bill of Materials (SBOM) files using RSA keys and JSON Web Signatures (JWS), so that consumers of an SBOM can check that it is intact and was produced by the holder of the signing key. Most SBOM signing tools only handle the XML format; this tool is specifically meant for JSON SBOMs. The idea came up after looking at https://github.com/CycloneDX/cdxgen
- RSA Key Generation: Automatically generate RSA public and private keys.
- SBOM Signing: Sign an SBOM with a newly generated private key or an existing one, producing a signature that attests to its integrity and origin.
- SBOM Verification: Verify an SBOM's signature with the public key that matches the signing key, confirming that the file has not been modified since it was signed.
Before you begin, ensure you have the following installed:
- Node.js (version 14 or higher)
- npm (Node Package Manager)
To set up this project locally, follow these steps:
- Clone the repository to your local machine:
git clone git@github.com:yourusername/your-repo-name.git
- Navigate to the project directory:
cd your-repo-name
- Install the necessary Node.js packages:
npm install
- Generate and Sign an SBOM:
Use this command to generate new RSA keys and sign an SBOM file. It writes private.key and public.key to your specified output directory and uses the private key to sign the SBOM.
node sign-sbom.js --generate-and-sign --sbom path/to/your/sbom.json --output path/to/output/signed-sbom.json
- Sign an SBOM:
If you already have a private key and want to use it to sign an SBOM, specify the path to your private key with the --private-key option.
node sign-sbom.js --sign --sbom path/to/your/sbom.json --output path/to/output/signed-sbom.json --private-key path/to/your/private.key
- Verify an SBOM:
To verify the signature of an SBOM file, specify the path to the public key that corresponds to the private key used for signing. Obtain that public key through a channel you trust (for example from the producer's key distribution, not from the same download that delivered the SBOM): a signature only proves anything if the verifier's key did not arrive under the attacker's control.
node sign-sbom.js --verify --sbom path/to/signed-sbom.json --public-key path/to/public.key