Technical Team/SDPX 2.0 Provenance - Revision history

MartinMichlmayr: Convert to MediaWiki syntax

2013-03-07T11:59:44Z

Convert to MediaWiki syntax

Eaw at 18:17, 28 February 2012

2012-02-28T18:17:39Z

Eaw at 18:15, 28 February 2012

2012-02-28T18:15:22Z

Eaw at 18:15, 28 February 2012

2012-02-28T18:15:07Z

Eaw at 18:14, 28 February 2012

2012-02-28T18:14:01Z

Eaw at 17:30, 28 February 2012

2012-02-28T17:30:52Z

Eaw at 17:17, 28 February 2012

2012-02-28T17:17:17Z

Eaw at 17:15, 28 February 2012

2012-02-28T17:15:23Z

New page

<h1>Provenance</h1><p> </p><p>It is desirable to be able to know the provenance of SPDX data.  This means being able to reliably know who declared what SPDX information when, and where applicable, for what reason.</p><p> </p><p>Components of SPDX Provenance include</p><ol><li>Signing of SPDX Data</li></ol><p> </p><p> </p><h1>SPDX Data Signing</h1><p>Since SPDX Data can be represented in both RDF and Tag, and since there is no standard mechanism for signing RDF or Tag data as such (as there is in DSig for XML), we are left to fall back to signing the octets of the file containing that SPDX data. This has a few implications:</p><ol><li>The signature must be a in a separate file from the SPDX file (Example: foo.spdx has foo.spdx.sig containing it's signature)</li><li>The SPDX file, once signed, must not be changed by downstream consumers of the file (because to change its octets would be to invalidate the signature).</li></ol><p> </p><h2>SPDX Signing Proposal</h2><p>SPDX files should optionally be signed using <a href="http://www.ietf.org/rfc/rfc2440.txt">RFC 2440</a> PGP ascii-armored detached signatures.</p><h3>GPG Example:</h3><h4>Sign a file with GPG</h4><pre>sjc-vpn2-814:~ hagbard$ gpg --armor --output example.txt.sig --detach-sig example.txt

You need a passphrase to unlock the secret key for
user: "Ed Warnicke "
1024-bit DSA key, ID 9AB88650, created 2001-09-09
</pre><h4>See signature file</h4><pre>sjc-vpn2-814:~ hagbard$ cat example.txt.sig
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEABECAAYFAk9NCpUACgkQpqzn7Jq4hlA3cACfUOxrlkISMjjLELGlLQuNn93h
X6wAniliWFVoi7qfRGI79hwdLhajKcdI
=0NsF
-----END PGP SIGNATURE-----
</pre><h4>Verify file with GPG</h4><pre>sjc-vpn2-814:~ hagbard$ gpg --verify example.txt.sig example.txt
gpg: Signature made Tue Feb 28 11:10:45 2012 CST using DSA key ID 9AB88650
gpg: Good signature from "Ed Warnicke "
gpg: aka "Ed Warnicke "
Primary key fingerprint: 0B87 BC4A F6BF F571 FF9B BF51 A6AC E7EC 9AB8 8650
</pre>

@@ Line 1: / Line 1: @@
-<h3>Provenance</h3><p>&nbsp;</p><p>It is desirable to be able to know the provenance of SPDX data. &nbsp;This means being able to reliably know who declared what SPDX information when, and where applicable, for what reason.</p><p>&nbsp;</p><p>Components of SPDX Provenance include</p><ol><li>Signing of SPDX Data</li></ol><p>&nbsp;</p><p>&nbsp;</p><h3>SPDX Data Signing</h3><p>Since SPDX Data can be represented in both RDF and Tag, and since there is no standard mechanism for signing RDF or Tag data as such (as there is in DSig for XML), we are left to fall back to signing the octets of the file containing that SPDX data. This has a few implications:</p><ol><li>The signature must be a in a separate file from the SPDX file (Example: foo.spdx has foo.spdx.sig containing it's signature)</li><li>The SPDX file, once signed, must not be changed by downstream consumers of the file (because to change its octets would be to invalidate the signature).</li></ol><p>&nbsp;</p><h3>SPDX Signing Proposal</h3><p>SPDX files should optionally be signed using <a href="http://www.ietf.org/rfc/rfc2440.txt">RFC 2440</a> PGP ascii-armored detached signatures.</p><h3>GPG Example:</h3><h3>Sign a file with GPG</h3><pre>sjc-vpn2-814:~ hagbard$ gpg --armor --output example.txt.sig --detach-sig example.txt
+<h2>Provenance</h2><p>&nbsp;</p><p>It is desirable to be able to know the provenance of SPDX data. &nbsp;This means being able to reliably know who declared what SPDX information when, and where applicable, for what reason.</p><p>&nbsp;</p><p>Components of SPDX Provenance include</p><ol><li>Signing of SPDX Data</li></ol><p>&nbsp;</p><p>&nbsp;</p><h2>SPDX Data Signing</h2><p>Since SPDX Data can be represented in both RDF and Tag, and since there is no standard mechanism for signing RDF or Tag data as such (as there is in DSig for XML), we are left to fall back to signing the octets of the file containing that SPDX data. This has a few implications:</p><ol><li>The signature must be a in a separate file from the SPDX file (Example: foo.spdx has foo.spdx.sig containing it's signature)</li><li>The SPDX file, once signed, must not be changed by downstream consumers of the file (because to change its octets would be to invalidate the signature).</li></ol><p>&nbsp;</p><h3>SPDX Signing Proposal</h3><p>SPDX files should optionally be signed using <a href="http://www.ietf.org/rfc/rfc2440.txt">RFC 2440</a> PGP ascii-armored detached signatures.</p><h2>GPG Example:</h2><h2>Sign a file with GPG</h2><pre>sjc-vpn2-814:~ hagbard$ gpg --armor --output example.txt.sig --detach-sig example.txt
 You need a passphrase to unlock the secret key for
 user: "Ed Warnicke "
 -bit DSA key, ID 9AB88650, created 2001-09-09
-</pre><h3>See signature file</h3><pre>sjc-vpn2-814:~ hagbard$ cat example.txt.sig
+</pre><h2>See signature file</h2><pre>sjc-vpn2-814:~ hagbard$ cat example.txt.sig
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
@@ Line 18: / Line 18: @@
 gpg:                 aka "Ed Warnicke "
 Primary key fingerprint: 0B87 BC4A F6BF F571 FF9B  BF51 A6AC E7EC 9AB8 8650
-</pre><h3>Implementation Notes:</h3><p>GPG is available for Linux, Mac, and Windows and provides PGP support. PGP support is available via the Legion of the Bouncy Castle in Java, and they provide an example <a href="http://www.jarvana.com/jarvana/view/org/bouncycastle/bcpg-jdk15/1.45/bcpg-jdk15-1.45-javadoc.jar!/org/bouncycastle/openpgp/examples/DetachedSignatureProcessor.html">DetachedSignatureProcessor</a> in their openpgp examples section.</p>
+</pre><h2>Implementation Notes:</h2><p>GPG is available for Linux, Mac, and Windows and provides PGP support. PGP support is available via the Legion of the Bouncy Castle in Java, and they provide an example <a href="http://www.jarvana.com/jarvana/view/org/bouncycastle/bcpg-jdk15/1.45/bcpg-jdk15-1.45-javadoc.jar!/org/bouncycastle/openpgp/examples/DetachedSignatureProcessor.html">DetachedSignatureProcessor</a> in their openpgp examples section.</p>

← Older revision		Revision as of 18:15, 28 February 2012
Line 1:		Line 1:
−	<h1>Provenance</h1><p> </p><p>It is desirable to be able to know the provenance of SPDX data.  This means being able to reliably know who declared what SPDX information when, and where applicable, for what reason.</p><p> </p><p>Components of SPDX Provenance include</p><ol><li>Signing of SPDX Data</li></ol><p> </p><p> </p><h3>SPDX Data Signing</h3><p>Since SPDX Data can be represented in both RDF and Tag, and since there is no standard mechanism for signing RDF or Tag data as such (as there is in DSig for XML), we are left to fall back to signing the octets of the file containing that SPDX data. This has a few implications:</p><ol><li>The signature must be a in a separate file from the SPDX file (Example: foo.spdx has foo.spdx.sig containing it's signature)</li><li>The SPDX file, once signed, must not be changed by downstream consumers of the file (because to change its octets would be to invalidate the signature).</li></ol><p> </p><h3>SPDX Signing Proposal</h3><p>SPDX files should optionally be signed using <a href="http://www.ietf.org/rfc/rfc2440.txt">RFC 2440</a> PGP ascii-armored detached signatures.</p><h3>GPG Example:</h3><h3>Sign a file with GPG</h3><pre>sjc-vpn2-814:~ hagbard$ gpg --armor --output example.txt.sig --detach-sig example.txt	+	<h3>Provenance</h3><p> </p><p>It is desirable to be able to know the provenance of SPDX data.  This means being able to reliably know who declared what SPDX information when, and where applicable, for what reason.</p><p> </p><p>Components of SPDX Provenance include</p><ol><li>Signing of SPDX Data</li></ol><p> </p><p> </p><h3>SPDX Data Signing</h3><p>Since SPDX Data can be represented in both RDF and Tag, and since there is no standard mechanism for signing RDF or Tag data as such (as there is in DSig for XML), we are left to fall back to signing the octets of the file containing that SPDX data. This has a few implications:</p><ol><li>The signature must be a in a separate file from the SPDX file (Example: foo.spdx has foo.spdx.sig containing it's signature)</li><li>The SPDX file, once signed, must not be changed by downstream consumers of the file (because to change its octets would be to invalidate the signature).</li></ol><p> </p><h3>SPDX Signing Proposal</h3><p>SPDX files should optionally be signed using <a href="http://www.ietf.org/rfc/rfc2440.txt">RFC 2440</a> PGP ascii-armored detached signatures.</p><h3>GPG Example:</h3><h3>Sign a file with GPG</h3><pre>sjc-vpn2-814:~ hagbard$ gpg --armor --output example.txt.sig --detach-sig example.txt

	You need a passphrase to unlock the secret key for		You need a passphrase to unlock the secret key for

← Older revision		Revision as of 18:15, 28 February 2012
Line 1:		Line 1:
−	<h3>Provenance</h3><p> </p><p>It is desirable to be able to know the provenance of SPDX data.  This means being able to reliably know who declared what SPDX information when, and where applicable, for what reason.</p><p> </p><p>Components of SPDX Provenance include</p><ol><li>Signing of SPDX Data</li></ol><p> </p><p> </p><h3>SPDX Data Signing</h3><p>Since SPDX Data can be represented in both RDF and Tag, and since there is no standard mechanism for signing RDF or Tag data as such (as there is in DSig for XML), we are left to fall back to signing the octets of the file containing that SPDX data. This has a few implications:</p><ol><li>The signature must be a in a separate file from the SPDX file (Example: foo.spdx has foo.spdx.sig containing it's signature)</li><li>The SPDX file, once signed, must not be changed by downstream consumers of the file (because to change its octets would be to invalidate the signature).</li></ol><p> </p><h3>SPDX Signing Proposal</h3><p>SPDX files should optionally be signed using <a href="http://www.ietf.org/rfc/rfc2440.txt">RFC 2440</a> PGP ascii-armored detached signatures.</p><h3>GPG Example:</h3><h3>Sign a file with GPG</h3><pre>sjc-vpn2-814:~ hagbard$ gpg --armor --output example.txt.sig --detach-sig example.txt	+	<h1>Provenance</h1><p> </p><p>It is desirable to be able to know the provenance of SPDX data.  This means being able to reliably know who declared what SPDX information when, and where applicable, for what reason.</p><p> </p><p>Components of SPDX Provenance include</p><ol><li>Signing of SPDX Data</li></ol><p> </p><p> </p><h3>SPDX Data Signing</h3><p>Since SPDX Data can be represented in both RDF and Tag, and since there is no standard mechanism for signing RDF or Tag data as such (as there is in DSig for XML), we are left to fall back to signing the octets of the file containing that SPDX data. This has a few implications:</p><ol><li>The signature must be a in a separate file from the SPDX file (Example: foo.spdx has foo.spdx.sig containing it's signature)</li><li>The SPDX file, once signed, must not be changed by downstream consumers of the file (because to change its octets would be to invalidate the signature).</li></ol><p> </p><h3>SPDX Signing Proposal</h3><p>SPDX files should optionally be signed using <a href="http://www.ietf.org/rfc/rfc2440.txt">RFC 2440</a> PGP ascii-armored detached signatures.</p><h3>GPG Example:</h3><h3>Sign a file with GPG</h3><pre>sjc-vpn2-814:~ hagbard$ gpg --armor --output example.txt.sig --detach-sig example.txt

	You need a passphrase to unlock the secret key for		You need a passphrase to unlock the secret key for

← Older revision		Revision as of 17:30, 28 February 2012
Line 19:		Line 19:
	Primary key fingerprint: 0B87 BC4A F6BF F571 FF9B BF51 A6AC E7EC 9AB8 8650		Primary key fingerprint: 0B87 BC4A F6BF F571 FF9B BF51 A6AC E7EC 9AB8 8650
	</pre>		</pre>
		+
		+	<h3>Implementation Notes:</h3>
		+	GPG is available for Linux, Mac, and Windows and provides PGP support.
		+	PGP support is available via the Legion of the Bouncy Castle in Java, and they provide an example <a href="http://www.jarvana.com/jarvana/view/org/bouncycastle/bcpg-jdk15/1.45/bcpg-jdk15-1.45-javadoc.jar!/org/bouncycastle/openpgp/examples/DetachedSignatureProcessor.html">DetachedSignatureProcessor</a> in their openpgp examples section.

← Older revision	Revision as of 17:17, 28 February 2012
(No difference)