
#916 - Allow signing XML BOMs with RSA

Open Lachstec opened this issue 6 months ago • 0 comments

This PR addresses Issue #916 by allowing users to directly sign the generated BOM by using the new flag --signing-key <filepath> and providing an RSA private key. The signature was tested to verify without errors with the CycloneDX-CLI to ensure compatibility.

  • [x] Add new Flag --signing-key (short: -sk) to allow passing a private key
  • [x] XmlBomSinger.cs handles signing the BOM using System.Security.Cryptography.Xml
  • [x] Returns an Error if JSON Signing is used.

It would make sense to also allow signing JSON BOMs and allow the usage of X509 certificates. The CycloneDX-CLI does not seem to support that at this moment, so this PR only implements parity with it. Further work on this could be done in a follow up PR.

Lachstec, Oct 14 '25 17:10
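As an added illustration, not the code from this PR (the internals of its XmlBomSinger.cs are not shown on this page), the following shows how an enveloped XML-DSig signature over a CycloneDX XML BOM is produced with System.Security.Cryptography.Xml and an RSA private key read from a PEM file, and how a verifier checks it against a key it already trusts rather than any KeyInfo embedded in the file. The BOM and key file paths are placeholders, and on .NET 5+ the System.Security.Cryptography.Xml NuGet package must be referenced.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Enveloped XML-DSig over a CycloneDX XML BOM, signed with an RSA private key
// read from a PEM file (the mechanism a --signing-key style flag would expose).
public static class BomSigningExample
{
    // Signs the whole document (Reference URI "") with an enveloped signature,
    // so the <Signature> element itself is excluded from the digest it protects.
    public static XmlDocument SignBom(XmlDocument bom, RSA privateKey)
    {
        var signedXml = new SignedXml(bom) { SigningKey = privateKey };
        signedXml.SignedInfo.SignatureMethod = SignedXml.XmlDsigRSASHA256Url;
        var reference = new Reference { Uri = "" };
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        reference.DigestMethod = SignedXml.XmlDsigSHA256Url;
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        bom.DocumentElement.AppendChild(bom.ImportNode(signedXml.GetXml(), true));
        return bom;
    }

    // Verifies against the caller's expected public key, never a key taken from
    // the document: a BOM that carries its own KeyInfo would otherwise "verify" itself.
    public static bool VerifyBom(XmlDocument signedBom, RSA publicKey)
    {
        var signedXml = new SignedXml(signedBom);
        var nodes = signedBom.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (nodes.Count != 1) return false; // exactly one signature expected
        signedXml.LoadXml((XmlElement)nodes[0]);
        return signedXml.CheckSignature(publicKey);
    }

    public static void Main(string[] args)
    {
        // args[0]: path to bom.xml; args[1]: PEM-encoded RSA private key (placeholder paths)
        var bom = new XmlDocument { PreserveWhitespace = true }; // keep canonical form stable
        bom.Load(args[0]);
        using var rsa = RSA.Create();
        rsa.ImportFromPem(File.ReadAllText(args[1]));
        SignBom(bom, rsa);
        bom.Save(args[0] + ".signed.xml");
        Console.WriteLine("verified: " + VerifyBom(bom, rsa)); // public part of the same key
    }
}
```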