
Support signSBOM with gpg public and private key file #3452

Open
sophia-guo opened this issue Aug 8, 2023 · 7 comments
Labels
arm Issues that affect or relate to the ARM OS

Comments

@sophia-guo
Contributor

Current signSBOM is asking for PEM format for the key pair, see https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/sign_src/TemurinSignSBOM.java#L118.

For gpg signing, with gpg --armor --export the private and public key files can be exported in gpg armor/text format, which is similar to PEM but is NOT PEM.

To signSBOM with gpg we need either

  • extra tools to convert the gpg armor format to PEM files (gpgsm and openssl together?)
  • a Security utility to generate the keypair in gpg armor format?

Feels like the first option is easy if gpgsm is installed. @andrew-m-leonard, any suggestion?

@github-actions github-actions bot added the arm Issues that affect or relate to the ARM OS label Aug 8, 2023
@sophia-guo sophia-guo self-assigned this Aug 8, 2023
@sophia-guo
Contributor Author

Locally, working through the following steps, the SBOM can be signed with GPG with some manual steps:

  1. clone keys from the gpg keystore to the gpgsm keystore
  2. gpgsm export to a pkcs12 file
  3. openssl split and transform the p12 file to pem files with the -nodes flag
  4. sign the sbom and verify successfully.

@andrew-m-leonard
Contributor

@sophia-guo agree, using gpgsm & openssl seems an easy option. Both gpgsm and openssl are already on our "gpgsign"(C3jenkins) node.

@sophia-guo sophia-guo removed the arm Issues that affect or relate to the ARM OS label Aug 9, 2023
@github-actions github-actions bot added the arm Issues that affect or relate to the ARM OS label Aug 9, 2023
@sophia-guo
Contributor Author

More details about using gpg to sign the sbom in my local environment. The main part is converting the gpg files to pem files. Also a note for myself.

  1. clone keys from gpg keystore to the gpgsm keystore
  • $ gpg --list-secret-keys --with-keygrip
  • $ gpgsm --gen-key -o temporary.cert -> interactive steps, could create script with one command
  • $ gpgsm --import temporary.cert
  • $ gpgsm --list-keys
weguo@weguo-mac ~ % gpg --list-secret-keys --with-keygrip
/Users/weguo/.gnupg/pubring.kbx
-------------------------------
sec   rsa2048 2023-08-03 [SC] [expires: 2024-08-02]
      1EE70CFB4CFAAF1B5B38187EF684D5966CC2B37F
      Keygrip = 211E8665FE5F9D4069D14D80DDFAC72128164322
uid           [ultimate] Sophia Guo (testing) <[email protected]>
ssb   rsa2048 2023-08-03 [E] [expires: 2024-08-02]
      Keygrip = 552A554FB0DD297979994DC94F4E89C71DADBE2E

weguo@weguo-mac ~ % gpgsm --gen-key -o temporary.cert

gpgsm (GnuPG) 2.4.0; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 2
Enter the keygrip: 211E8665FE5F9D4069D14D80DDFAC72128164322
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 3
Enter the X.509 subject name: /CN=example.com
Invalid subject name '/CN=example.com'
                      ^
Enter the X.509 subject name: CN=example.com
Enter email addresses (end with an empty line):
> [email protected]
> 
Enter DNS names (optional; end with an empty line):
> 
Enter URIs (optional; end with an empty line):
> 
Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: 211E8665FE5F9D4069D14D80DDFAC72128164322
    Key-Usage: encrypt
    Serial: random
    Name-DN: CN=example.com
    Name-Email: [email protected]

Proceed with creation? (y/N) n
weguo@weguo-mac ~ % gpgsm --gen-key -o temporary.cert
gpgsm (GnuPG) 2.4.0; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA
   (2) Existing key
   (3) Existing key from card
Your selection? 2
Enter the keygrip: 211E8665FE5F9D4069D14D80DDFAC72128164322
Possible actions for a RSA key:
   (1) sign, encrypt
   (2) sign
   (3) encrypt
Your selection? 3
Enter the X.509 subject name: CN=example.com
Enter email addresses (end with an empty line):
> [email protected]
> 
Enter DNS names (optional; end with an empty line):
> 
Enter URIs (optional; end with an empty line):
> 
Create self-signed certificate? (y/N) y
These parameters are used:
    Key-Type: RSA
    Key-Length: 1024
    Key-Grip: 211E8665FE5F9D4069D14D80DDFAC72128164322
    Key-Usage: encrypt
    Serial: random
    Name-DN: CN=example.com
    Name-Email: [email protected]

Proceed with creation? (y/N) y
Now creating self-signed certificate.  This may take a while ...
gpgsm: about to sign the certificate for key: &211E8665FE5F9D4069D14D80DDFAC72128164322
gpgsm: certificate created
Ready.
weguo@weguo-mac ~ % gpgsm --import temporary.cert
gpgsm: total number processed: 1
gpgsm:               imported: 1
weguo@weguo-mac ~ % gpgsm --list-keys
/Users/weguo/.gnupg/pubring.kbx
-------------------------------
           ID: 0x3F73CC5E
          S/N: 435B8C9E72EBFC7F
        (dec): 4853627635582631039
       Issuer: /CN=example.com
      Subject: /CN=example.com
          aka: [email protected]
     validity: 2023-08-09 02:54:13 through 2063-04-05 17:00:00
     key type: rsa2048
    key usage: digitalSignature nonRepudiation keyEncipherment dataEncipherment
 chain length: unlimited
     sha1 fpr: EF:97:32:BC:B5:FB:DF:32:65:FF:D0:25:5F:23:14:9D:3F:73:CC:5E
     sha2 fpr: 21:D2:18:65:BC:AF:46:12:1A:53:91:2C:42:8A:A1:53:88:C1:72:50:59:05:8D:8E:12:E6:2C:31:0B:E0:91:71

           ID: 0x0F91D53A
          S/N: 5FE0078AECE6B0A8
        (dec): 6908530121647763624
       Issuer: /CN=example.com
      Subject: /CN=example.com
          aka: [email protected]
     validity: 2023-10-04 18:58:49 through 2063-04-05 17:00:00
     key type: rsa2048
    key usage: keyEncipherment dataEncipherment
 chain length: unlimited
     sha1 fpr: 0F:4B:FF:EE:4E:47:34:FC:8C:56:A4:DF:59:55:99:F3:0F:91:D5:3A
     sha2 fpr: D1:8E:C0:F8:80:1E:D1:6E:A4:87:CF:95:6E:3F:D2:0E:41:76:B0:2E:AB:D1:04:1D:72:85:2E:5D:21:09:73:10
  2. gpgsm export to a pkcs12 file
weguo@weguo-mac ~ % gpgsm -o gpgcer.p12 --export-secret-key-p12 0x0F91D53A
  3. openssl split and transform the p12 file to pem files with the -nodes flag
certificate: openssl pkcs12 -in "gpgcer.p12" -clcerts -nokeys -passin pass:123456 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > gpgcersimple.pem
publickey: openssl x509 -pubkey -noout -in gpgcersimple.pem > pubkeyCert.pem
privatekey:  openssl pkcs12 -in "gpgcer.p12" -nocerts -nodes -passin pass:123456  | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > privateKeyCer.pem
  4. tested locally, sign and verify succeed.
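Scripted form of the four steps above (and of the earlier summary list), added here as an example; it is not part of this issue or of temurin-build. It replaces the interactive gpgsm --gen-key prompts with a batch parameter file whose field names are the ones gpgsm prints under "These parameters are used:" (the --batch parameter-file call and the &keygrip key specifier are assumed from the GnuPG manual), runs the same openssl split, and then checks that the produced files are real PEM and that the public and private halves belong together. It assumes gpg, gpgsm and openssl are installed and the PKCS#12 password is exported in P12_PASS; Key-Usage is set to sign, not the encrypt choice taken in the session, because the key is meant to sign the SBOM.

```shell
#!/bin/sh
# Added example, not from the issue: non-interactive gpg -> PEM conversion.
# Assumes gpg, gpgsm and openssl are installed and the PKCS#12 password is
# exported in P12_PASS (openssl reads it via -passin env:, so it never shows
# up in the process list). The keygrip comes from
# `gpg --list-secret-keys --with-keygrip`.
set -eu

# Unattended gpgsm parameter file; the field names are the ones gpgsm prints
# under "These parameters are used:". Key-Usage is "sign" because the key
# will sign the SBOM (the interactive session above chose "encrypt").
gpgsm_params() {  # $1=keygrip $2=subject DN $3=email
  printf '%s\n' 'Key-Type: RSA' 'Key-Length: 2048' "Key-Grip: $1" \
    'Key-Usage: sign' 'Serial: random' "Name-DN: $2" "Name-Email: $3"
}

# True when the file carries a complete "-----BEGIN X----- ... -----END X-----"
# block. gpg --armor output ("PGP PUBLIC KEY BLOCK") fails this check, which is
# the "looks like PEM but is not PEM" case from the first comment.
pem_has_block() {  # $1=file $2=block name, e.g. "PRIVATE KEY"
  grep -q -- "-----BEGIN $2-----" "$1" && grep -q -- "-----END $2-----" "$1"
}

gpg_to_pem() {  # $1=keygrip $2=subject DN $3=email $4=output dir
  out=$4; mkdir -p "$out"
  gpgsm_params "$1" "$2" "$3" > "$out/params.txt"
  # step 1: clone the OpenPGP key into the gpgsm store as a self-signed cert
  # (batch mode and the "&keygrip" specifier are assumed from the GnuPG manual)
  gpgsm --batch --gen-key -o "$out/temporary.cert" "$out/params.txt"
  gpgsm --import "$out/temporary.cert"
  # step 2: export key + certificate as PKCS#12; gpgsm prompts for the p12
  # passphrase, enter the same value that is in P12_PASS
  gpgsm -o "$out/gpgcer.p12" --export-secret-key-p12 "&$1"
  # step 3: split the PKCS#12 into PEM files (same openssl pipeline as above)
  openssl pkcs12 -in "$out/gpgcer.p12" -clcerts -nokeys -passin env:P12_PASS \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out/cert.pem"
  openssl x509 -pubkey -noout -in "$out/cert.pem" > "$out/pubkey.pem"
  openssl pkcs12 -in "$out/gpgcer.p12" -nocerts -nodes -passin env:P12_PASS \
    | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > "$out/privkey.pem"
  # step 4: both files must be real PEM and share one RSA modulus, otherwise
  # signSBOM would sign with one key and verification would use another
  pem_has_block "$out/pubkey.pem" "PUBLIC KEY"
  pem_has_block "$out/privkey.pem" "PRIVATE KEY"
  [ "$(openssl rsa -in "$out/privkey.pem" -noout -modulus)" = \
    "$(openssl rsa -pubin -in "$out/pubkey.pem" -noout -modulus)" ]
}

# usage: P12_PASS=... sh gpg2pem.sh <keygrip> 'CN=example.com' user@example.com ./out
if [ $# -eq 4 ]; then gpg_to_pem "$@"; fi
```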

@sophia-guo
Contributor Author

Feels like it is quite a tedious process to convert gpg to pem. Could we just convert the gpg to pem and store it on the specific agent, as the temurin gpg is created and stored in https://ci.adoptium.net/label/gpgsign/ ? Or maybe we need to double check whether cyclonedx supports signing with gpg directly? I did an investigation and found the answer is "no". But maybe I'm wrong.

@smlambert
Contributor

As discussed, let's look at generating the pem file once and store it as an artifact that can be used for the purpose of signing the SBOM.

@andrew-m-leonard
Contributor

Created EF issue: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/3835

Projects
Status: Todo