Add sbom and bundle signing
Bundle/Delivered SBOM Signing
- Add option to bundle command `--sign`
- When specified with `--attest`, leverage functionary key for signing bundle and SBOM
- When specified with
- Required inputs would be private key and password - can re-use how `--attest` includes password
- Should support same client provided keys as the in-toto signing to limit scope
- Should be able to leverage cryptography library
Bundle
- Output should include signature file with bundle name and `.sig` extension in same directory

Delivered SBOM
- Output should include signature file with SBOM name and `.sig` extension in same directory
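As an added worked example (not the project's code), the flow described above using the Python cryptography library: a password-protected PEM private key is loaded, a detached signature is written to `<name>.sig` beside the bundle and the SBOM, and verification fails once the SBOM is edited. The function names, file names, password and key are constructed assumptions, not anything the issue specifies.

```python
import tempfile
from pathlib import Path
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa

def load_private_key(pem_path: Path, password: bytes):
    """Decrypt and load a password-protected PEM private key (RSA or EC), as --attest already does."""
    return serialization.load_pem_private_key(pem_path.read_bytes(), password=password)

def _sig_args(key) -> tuple:
    """Algorithm arguments for key.sign()/verify(): RSA-PSS or ECDSA, both over SHA-256."""
    if isinstance(key, (rsa.RSAPrivateKey, rsa.RSAPublicKey)):
        return (padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                            salt_length=padding.PSS.MAX_LENGTH), hashes.SHA256())
    if isinstance(key, (ec.EllipticCurvePrivateKey, ec.EllipticCurvePublicKey)):
        return (ec.ECDSA(hashes.SHA256()),)
    raise TypeError(f"unsupported key type: {type(key).__name__}")

def sign_artifact(artifact: Path, key) -> Path:
    """Write a detached signature to <name>.sig in the artifact's directory and return that path."""
    sig_path = artifact.with_name(artifact.name + ".sig")
    sig_path.write_bytes(key.sign(artifact.read_bytes(), *_sig_args(key)))
    return sig_path

def verify_artifact(artifact: Path, public_key) -> bool:
    """True only if <name>.sig exists and matches the artifact bytes under public_key."""
    sig_path = artifact.with_name(artifact.name + ".sig")
    if not sig_path.exists():
        return False
    try:
        public_key.verify(sig_path.read_bytes(), artifact.read_bytes(), *_sig_args(public_key))
        return True
    except InvalidSignature:
        return False

def run_demo() -> dict:
    """Constructed key, bundle and SBOM: sign both, verify, then show that an edit is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        pem, bundle, sbom = [Path(tmp, n) for n in ("key.pem", "bundle.tar.gz", "bundle.cdx.json")]
        pem.write_bytes(ec.generate_private_key(ec.SECP256R1()).private_bytes(  # constructed key
            serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
            serialization.BestAvailableEncryption(b"constructed-password")))
        key = load_private_key(pem, b"constructed-password")
        bundle.write_bytes(b"constructed bundle bytes")
        sbom.write_text('{"bomFormat": "CycloneDX", "components": []}')
        sigs = [sign_artifact(p, key) for p in (bundle, sbom)]
        valid = [verify_artifact(p, key.public_key()) for p in (bundle, sbom)]
        sbom.write_text('{"bomFormat": "CycloneDX", "components": [{"name": "x"}]}')  # tamper
        return {"sig_names": [s.name for s in sigs], "same_dir": all(s.parent == Path(tmp) for s in sigs),
                "valid_before_edit": valid, "sbom_valid_after_edit": verify_artifact(sbom, key.public_key())}
```

Signing the raw artifact bytes means any consumer can verify with only the public key and the `.sig` file, without the tool that produced the bundle.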
Edited by Patrick Kwiatkowski