The integrity and source of a SARIF artifact need to be ensured when used in a supply chain context.
Microsoft recently open sourced a tool (CoseSignTool) for signing JSON files. This may be of interest as outside entities look to what the OASIS SARIF group recommends in the area of tooling.
https://github.com/microsoft/CoseSignTool
The TC will discuss and decide, but I cannot imagine that a sole signing tool or method will be recommended by the TC in the end (speculating here).
On this example: The tool
- appears to be a bit more than one year old
- is only based on dot net
- has only 450 or so commits
- most of the commits are with invalid or unverified signatures
Also, CBOR and COSE may or may not be helpful.
I think a good question to explore before considering tools and techniques for signing would be to find if it is really adding value to not simply sign the JSON text as text per long existing and widely deployed methods like mining, gpg/pgp or similar.
For text files (like JSON) it is generally a problem to maintain the relationship between a detached signature and the original object as the line end character transforms may break the link (the hash).
This is not to block or hinder anyone considering the aforementioned tool, just my feedback as a start for discussing.
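The line-ending problem raised above (a detached signature over the raw bytes of a JSON file no longer verifies once a checkout or transfer rewrites LF to CRLF) can be reproduced in a few lines, and so can the usual remedy of signing a canonical serialization of the JSON instead of its bytes. The following is an added example and is not code from this thread, from CoseSignTool or from the SARIF TC. It uses an HMAC as a stand-in for whatever signature primitive (gpg/pgp, COSE or other) a real deployment would use, the key `SIGNING_KEY` and the sample SARIF-shaped document are constructed for the demo, and `canonicalize` follows the idea of RFC 8785 (JSON Canonicalization Scheme) without being a full implementation of it.

```python
import hashlib
import hmac
import json

# Constructed sample: a minimal SARIF-shaped document, not a real scan result.
# Written with LF line endings, as a tool on Linux/macOS would typically emit it.
SARIF_TEXT = (
    '{\n'
    '  "version": "2.1.0",\n'
    '  "runs": [\n'
    '    {"tool": {"driver": {"name": "example-analyzer"}}, "results": []}\n'
    '  ]\n'
    '}\n'
)

# Hypothetical symmetric key standing in for a real signing key (gpg, minisign, COSE...).
SIGNING_KEY = b"demo-key-not-for-production"


def sign_raw(text: str, key: bytes = SIGNING_KEY) -> str:
    """Detached signature over the exact file bytes, as a plain 'sign the text' flow sees them."""
    return hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_raw(text: str, sig: str, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign_raw(text, key), sig)


def canonicalize(text: str) -> bytes:
    """Parse the JSON and re-serialize it deterministically.

    Whitespace, indentation and line endings between tokens are discarded, key order is
    fixed and non-ASCII is escaped, so any two textual renderings of the same JSON value
    map to the same bytes. (RFC 8785 additionally pins number formatting; omitted here.)
    """
    obj = json.loads(text)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode("utf-8")


def sign_canonical(text: str, key: bytes = SIGNING_KEY) -> str:
    """Detached signature over the canonical form rather than the raw bytes."""
    return hmac.new(key, canonicalize(text), hashlib.sha256).hexdigest()


def verify_canonical(text: str, sig: str, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign_canonical(text, key), sig)


def to_crlf(text: str) -> str:
    """Simulate a checkout or transfer that rewrites LF line endings to CRLF."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n")


def demo() -> dict:
    """Sign once, then verify against the original, a CRLF copy, a re-indented copy and a tampered copy."""
    raw_sig = sign_raw(SARIF_TEXT)
    canon_sig = sign_canonical(SARIF_TEXT)

    crlf_copy = to_crlf(SARIF_TEXT)
    reindented_copy = json.dumps(json.loads(SARIF_TEXT), indent=4)
    tampered_copy = SARIF_TEXT.replace('"results": []', '"results": [{"ruleId": "INJECTED"}]')

    return {
        "raw_ok_original": verify_raw(SARIF_TEXT, raw_sig),          # True
        "raw_ok_after_crlf": verify_raw(crlf_copy, raw_sig),         # False: the hash changed
        "canon_ok_after_crlf": verify_canonical(crlf_copy, canon_sig),          # True
        "canon_ok_after_reindent": verify_canonical(reindented_copy, canon_sig),  # True
        "canon_ok_tampered": verify_canonical(tampered_copy, canon_sig),        # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The trade-off the example makes visible: signing the raw bytes is simple and works with any existing tool, but the signature binds a particular byte layout, so line-ending or whitespace rewrites break it; signing a canonical form survives those rewrites while still rejecting a changed `results` array, but the verifier then needs the same canonicalization code as the signer. A CBOR/COSE wrapper sidesteps the issue differently, by carrying the payload bytes inside the signed envelope so nothing downstream can rewrite them without invalidating the signature.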