I'm not sure it's required for UEFI firmware generally, as if you have malicious data in your SPI chip then you have bigger problems than your SBOM being wrong. It's also way underspecified in my opinion too. I'd say let's get the basics working too, then have a way to verify it as a nice-to-have.
CoSWID defines a method of validating that a CoSWID tag is actually created by the party owning the software and not changed along the way. I think that would be a great thing to add to uswid and goswid.
https://tools.ietf.org/id/draft-ietf-sacm-coswid-21.html#name-signed-coswid-tags
There is only one problem, which the specification doesn't cover:
"To support signature validation, there is the need to associate the right key with the software provider or party originating the signature in a secure way. This operation is application specific and needs to be addressed by the application or a user of the application; a specific approach for which is out-of-scope for this document."