Convergence in SBOM Signing
2026-03-16
Jason Smith

“Don’t roll your own crypto.” It’s the first rule of security engineering, and it turns out it’s also the best way to build a global standard.
The last few weeks of work on SBOM Signing Best Practices have been a masterclass in the power of open-source community collaboration. What started as a technical draft has evolved into real-time alignment between CycloneDX and SPDX.
Here are the major updates and lessons learned:
1. From JSF to JSS (The CycloneDX Evolution)
While CycloneDX currently uses JSF (JSON Signature Format), a conversation with Steve Springett led me to the authors of the specs, Anders Rundgren and Bret Jordan, MS, CISSP.
I learned that JSF evolved into JSS (JSON Signature Scheme), which was formally standardized by the ITU as X.590. With CycloneDX moving toward JSON-only in v2 later this year, it was the perfect time to suggest a move to this formal standard. Steve agreed, and a PoC is already in the works to make JSS the signature standard for the next generation of CycloneDX.
Track the Issue Here: https://github.com/CycloneDX/specification/issues/851
2. Bringing Consistency to SPDX
Following a presentation to the OpenSSF SBOM Everywhere SIG, Kate Stewart invited me to share these findings with the SPDX Tech Call. The feedback was fantastic and has led to new initiatives within the SPDX model:
SPDX is considering using JCS for underlying data consistency.
Track the Issue Here: https://github.com/spdx/spdx-spec/issues/1362
SPDX is exploring JSS (X.590) as an option for introducing cryptographic signatures to the SPDX 3.0 model.
Track the Issue Here: https://github.com/spdx/spdx-3-model/issues/1065
3. The Road to Formal Standardization (ITU)
A common concern with new specs is “Who owns this?” I’m excited to share that Bret Jordan is also leading an initiative to formally standardize JCS within the ITU.
Moving JCS to a formal ITU standard provides the regulatory-grade foundation that global enterprises and governments require for long-term supply chain trust.
Why This Matters: A Unified Path
The technical stars are aligning. By leveraging JSS and JCS, we are building a unified path for the industry.
Core Support: JCS is heavily used across many industries. It was recently added as a core function in Go, with existing libraries available in many other languages, enabling dependency-light implementations.
Interoperability: This drives consistency between SPDX and CycloneDX, offering a standardized approach that works across the entire software supply chain.
No Custom Logic: This approach leverages existing, supported international standards rather than “rolling our own”.
A huge thank you to the open source community for the collaboration and the sanity checks on this journey.
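As an added illustration of the “No Custom Logic” point (example code written for this post, not code from the post itself or from the CycloneDX or SPDX projects): a simplified JCS (RFC 8785) canonicalizer in Python, showing why a signature or digest over an SBOM must cover the canonical bytes rather than the bytes as received. The two BOM fragments are constructed samples, and the number formatting implements only a subset of the RFC’s rules.

```python
import hashlib
import json
# Escapes RFC 8785 permits in canonical output; other control characters
# are written as lowercase \u00xx and everything else stays raw UTF-8.
_ESC = {'"': '\\"', '\\': '\\\\', '\b': '\\b', '\f': '\\f',
        '\n': '\\n', '\r': '\\r', '\t': '\\t'}

def _canon_string(s: str) -> str:
    out = [_ESC.get(ch) or ('\\u%04x' % ord(ch) if ord(ch) < 0x20 else ch)
           for ch in s]
    return '"' + ''.join(out) + '"'

def _canon_number(n) -> str:
    # Simplified ES6 Number.toString: whole values print as integers; the RFC's exponent rules are omitted.
    return repr(n) if isinstance(n, float) and not n.is_integer() else str(int(n))

def canonicalize(value) -> str:
    # Serialize a parsed JSON value in (simplified) RFC 8785 canonical form.
    if value is None: return 'null'
    if value is True: return 'true'
    if value is False: return 'false'
    if isinstance(value, (int, float)): return _canon_number(value)
    if isinstance(value, str): return _canon_string(value)
    if isinstance(value, list):
        return '[' + ','.join(canonicalize(v) for v in value) + ']'
    if isinstance(value, dict):
        # Keys sort by UTF-16 code units, not code points: comparing UTF-16BE
        # bytes lexicographically yields exactly that order.
        items = sorted(value.items(), key=lambda kv: kv[0].encode('utf-16-be'))
        return '{' + ','.join(_canon_string(k) + ':' + canonicalize(v)
                              for k, v in items) + '}'
    raise TypeError('unsupported JSON type: ' + type(value).__name__)

def sbom_digest(doc) -> str:
    # SHA-256 over the canonical bytes: the value a detached signature covers.
    return hashlib.sha256(canonicalize(doc).encode('utf-8')).hexdigest()

# Constructed sample: one minimal CycloneDX-style BOM serialized two ways.
BOM_A = ('{"bomFormat":"CycloneDX","specVersion":"1.6",'
         '"components":[{"name":"lib","version":"1.2.3"}]}')
BOM_B = ('{\n  "components": [ {"version": "1.2.3", "name": "lib"} ],\n'
         '  "specVersion": "1.6",\n  "bomFormat": "CycloneDX"\n}')

def raw_digests_match(a: str, b: str) -> bool:
    # Hashing the bytes as received: formatting differences break the match.
    return hashlib.sha256(a.encode()).digest() == hashlib.sha256(b.encode()).digest()

def canonical_digests_match(a: str, b: str) -> bool:
    # Hashing after canonicalization: only the JSON data model matters.
    return sbom_digest(json.loads(a)) == sbom_digest(json.loads(b))
```

The same data model, serialized with different key order and whitespace, hashes differently as raw bytes but identically after canonicalization, which is exactly the property a JSS signature over a CycloneDX or SPDX document relies on.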
The benchmark for SBOM integrity is being built right now. Are you ready for a standardized future?
#SBOM #SupplyChainSecurity #Cryptography #JCS #JSS