oasis-tcs / sarif-spec

OASIS SARIF TC: Repository for development of the draft standard, where requests for modification should be made via Github Issues
https://github.com/oasis-tcs/sarif-spec

SARIF artifact signing #607

Open Motional-Charles-Wilson opened 8 months ago

Motional-Charles-Wilson commented 8 months ago

The integrity and source of a SARIF artifact need to be ensured when used in a supply chain context.

Microsoft recently open-sourced a tool (CoseSignTool) for signing JSON files. This may be of interest as outside entities look to what the OASIS SARIF group recommends in the area of tooling.

https://github.com/microsoft/CoseSignTool

sthagen commented 8 months ago

The TC will discuss and decide, but I cannot imagine that a sole signing tool or method will be recommended by the TC in the end (speculating here).

On this example: The tool

Also, CBOR and COSE may or may not be helpful.

I think a good question to explore before considering tools and techniques for signing would be to find out whether it really adds value over simply signing the JSON text as text, per long-existing and widely deployed methods like mining, gpg/pgp or similar.

For text files (like JSON) it is generally a problem to maintain the relationship between a detached signature and the original object, as line-ending character transforms may break the link (the hash).

This is not to block or hinder anyone considering the aforementioned tool, just my feedback as a start for discussing.
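The line-ending problem raised above, shown concretely. This is an added example and not code from the issue thread, the SARIF TC or CoseSignTool: it hashes a small constructed SARIF log (not taken from the spec repository), rewrites its line endings from LF to CRLF as a checkout or transfer might, and checks whether a digest over the raw bytes (what a detached signature would cover) still matches, versus a digest over a canonicalized form. The canonicalization here is a simplified stand-in (sorted keys, no insignificant whitespace) rather than a full scheme such as RFC 8785, and the function names are this example's own.

```python
import hashlib
import json

# Constructed sample: a minimal SARIF 2.1.0 log with LF line endings.
# Not taken from the sarif-spec repository; content is illustrative only.
SARIF_LF = (
    '{\n'
    '  "version": "2.1.0",\n'
    '  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",\n'
    '  "runs": [\n'
    '    {\n'
    '      "tool": {"driver": {"name": "ExampleAnalyzer", "version": "1.0"}},\n'
    '      "results": [\n'
    '        {"ruleId": "EX001", "level": "warning", "message": {"text": "example finding"}}\n'
    '      ]\n'
    '    }\n'
    '  ]\n'
    '}\n'
).encode("utf-8")


def raw_digest(data: bytes) -> str:
    """Digest over the exact bytes, i.e. what a detached signature over the file covers."""
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(data: bytes) -> bytes:
    """Simplified canonical JSON: parse, then re-serialize with sorted keys and no whitespace.

    Stand-in for a real canonicalization scheme (e.g. RFC 8785 JCS); it does not
    normalize number formatting or string escapes, so treat it as an illustration.
    """
    obj = json.loads(data.decode("utf-8"))
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def canonical_digest(data: bytes) -> str:
    """Digest over the canonical form rather than the on-disk bytes."""
    return raw_digest(canonical_bytes(data))


def to_crlf(data: bytes) -> bytes:
    """Simulate a checkout or transfer that rewrites LF line endings to CRLF."""
    return data.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def verify(expected_digest: str, data: bytes, canonical: bool) -> bool:
    """Recompute the chosen digest over `data` and compare it to the signed value."""
    actual = canonical_digest(data) if canonical else raw_digest(data)
    return actual == expected_digest


def demo() -> dict:
    """Outcome of verifying each kind of digest after the file's line endings change."""
    crlf = to_crlf(SARIF_LF)
    raw_sig = raw_digest(SARIF_LF)          # "signed" over the original LF bytes
    canon_sig = canonical_digest(SARIF_LF)  # "signed" over the canonical form
    tampered = crlf.replace(b'"warning"', b'"note"')  # downgrade the finding's severity
    return {
        "raw_survives_crlf": verify(raw_sig, crlf, canonical=False),
        "canonical_survives_crlf": verify(canon_sig, crlf, canonical=True),
        "canonical_rejects_tamper": not verify(canon_sig, tampered, canonical=True),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The raw-bytes digest fails as soon as the line endings change even though no SARIF content did, while the canonical-form digest survives the rewrite and still catches a real change to a result. The trade-off a signing scheme has to make explicit is that canonicalization moves the verifier from "these bytes" to "this parsed object", so the canonicalization rules themselves become part of what both sides must agree on.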