Troubleshooting Most Common SBOM Signing Errors
A Software Bill of Materials (SBOM) is quickly becoming a critical component of an organization's cybersecurity defense strategy. SBOM signing errors can arise while signing, verifying, or otherwise handling SBOMs.
Some Common SBOM Errors and Their Solutions:
SHA3 Algorithm not supported for RSA Keys
Error Message
SHA3 hash algorithm signing is not supported for RSA keys
Why does this error occur?
This error occurs when the in-toto sign command is run with a SHA3 hash algorithm and an RSA key. Currently, SHA3 SBOM signing is supported only for ECDSA key pairs.
Solution:
There are two ways to resolve this error:
- Use an ECDSA key pair: To sign with the SHA3 algorithm, specify an ECDSA key pair in your signing command.
- Choose an alternative algorithm: If you prefer to keep using your RSA key pair, select a different hash algorithm in your signing command.
Unsupported Hash Function
Error Message
crypto/rsa: unsupported hash function
Why does this error occur?
This error occurs when the in-toto sign verify command is run with a SHA3 hash algorithm and an RSA key. Currently, SHA3 SBOM signing is supported only for ECDSA key pairs.
Solution:
- Use an ECDSA key pair: To sign and verify an SBOM using the SHA3 algorithm, specify an ECDSA key pair in the verification command.
- Choose an alternative algorithm: To sign and verify an SBOM with an RSA key pair, select another hash algorithm for the verification process.
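The two remedies above, shown as an added example that is not code from this page, from DigiCert or from in-toto: a constructed SBOM is signed with an ECDSA P-256 key over a SHA3-256 digest (remedy 1) and with an RSA key over SHA-256 using RSA-PSS (remedy 2), and each signature is then checked against the original and against a copy altered after signing. The padding scheme, key sizes and sample document are assumptions, and crypto/sha3 requires Go 1.24 or later.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha3"
	"fmt"
	"log"
)

// Constructed minimal CycloneDX-style SBOM, and a copy whose component version was edited after signing.
const sbom = `{"bomFormat":"CycloneDX","components":[{"name":"libexample","version":"1.2.3"}]}`
const tamperedSBOM = `{"bomFormat":"CycloneDX","components":[{"name":"libexample","version":"1.2.4"}]}`

// Remedy 1 from the page: keep SHA3-256, but sign with an ECDSA (P-256) key instead of RSA.
func signECDSASHA3(k *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	d := sha3.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, k, d[:])
}
func verifyECDSASHA3(k *ecdsa.PublicKey, doc, sig []byte) bool {
	d := sha3.Sum256(doc)
	return ecdsa.VerifyASN1(k, d[:], sig)
}

// Remedy 2 from the page: keep the RSA key, but switch the hash to SHA-256 (RSA-PSS padding assumed here).
func signRSASHA256(k *rsa.PrivateKey, doc []byte) ([]byte, error) {
	d := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, k, crypto.SHA256, d[:], nil)
}
func verifyRSASHA256(k *rsa.PublicKey, doc, sig []byte) bool {
	d := sha256.Sum256(doc)
	return rsa.VerifyPSS(k, crypto.SHA256, d[:], sig, nil) == nil
}

func main() {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	sig, err := signECDSASHA3(ecKey, []byte(sbom))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("ECDSA/SHA3-256 verifies original SBOM:", verifyECDSASHA3(&ecKey.PublicKey, []byte(sbom), sig))
	fmt.Println("ECDSA/SHA3-256 verifies tampered SBOM:", verifyECDSASHA3(&ecKey.PublicKey, []byte(tamperedSBOM), sig))
}
```

Verification must be run with the same hash that was used for signing; a digest mismatch, like a tampered document, makes verification fail.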
Conclusion
By avoiding the most common SBOM mistakes and adopting best practices for SBOM management, organizations can enhance the security of their digital assets effectively.
DigiCert Software Trust Manager is an integrated platform that uses Software Bills of Materials to enhance software supply chain security by generating, signing, and verifying SBOMs, detecting vulnerabilities, and automating code signing processes to ensure software integrity, compliance, and transparency.