
Phase 3: Add supply chain security (SBOM + Sigstore) #187

@RAprogramm

Description


Objective

Implement enterprise-grade supply chain security with Software Bill of Materials (SBOM) generation and artifact signing using Sigstore for transparency and integrity.

Implementation

1. SBOM Generation

Use cargo-cyclonedx to generate a CycloneDX SBOM:

- name: Install cargo-cyclonedx
  uses: taiki-e/install-action@v2
  with:
    tool: cargo-cyclonedx

- name: Generate SBOM
  run: cargo cyclonedx --format json --output-file sbom.json

- name: Upload SBOM artifact
  uses: actions/upload-artifact@v4
  with:
    name: sbom-cyclonedx
    path: sbom.json
    retention-days: 90

SBOM Formats:

  • CycloneDX (JSON) - primary format
  • SPDX - optional for broader compatibility

2. Artifact Signing with Sigstore

Use cosign for keyless signing:

- name: Install cosign
  uses: sigstore/cosign-installer@v3

# Keyless signing needs the job to grant `permissions: id-token: write`
# so cosign can obtain the GitHub OIDC token; `--yes` skips the
# interactive confirmation prompt, which would otherwise hang in CI.
- name: Sign artifacts
  run: |
    cosign sign-blob --yes \
      --bundle sbom.cosign.bundle \
      sbom.json

- name: Upload signature bundle
  uses: actions/upload-artifact@v4
  with:
    name: signatures
    path: |
      sbom.cosign.bundle
    retention-days: 90

3. Attestation Generation

Create provenance attestations:

# Requires `permissions: id-token: write` and `attestations: write`
# on the job (plus `contents: read` to check out the sources).
- name: Generate attestation
  uses: actions/attest-build-provenance@v1
  with:
    subject-path: |
      sbom.json
      target/package/*.crate

4. SBOM Publishing

Options for SBOM distribution:

  • Upload to GitHub Release assets
  • Publish to package registry metadata
  • Host on dedicated SBOM repository
  • Include in crate documentation

Benefits

  • Transparency: Full visibility into dependencies and build process
  • Trust: Cryptographic proof of artifact authenticity
  • Compliance: Meet enterprise security requirements
  • Supply Chain Security: Detect and prevent tampering
  • Auditability: Verifiable build provenance

Security Features

  1. Keyless Signing: No secret management, uses OIDC tokens
  2. Transparency Log: All signatures recorded in public Rekor log
  3. Immutable Records: Tamper-proof audit trail
  4. Verification: Anyone can verify artifact signatures

Verification Examples

Users can verify artifacts:

# Verify SBOM signature. For keyless signatures cosign refuses to verify
# without pinning the expected signer identity and OIDC issuer; replace
# OWNER/REPO with this repository (placeholder, not a real value).
cosign verify-blob \
  --bundle sbom.cosign.bundle \
  --certificate-identity-regexp '^https://github\.com/OWNER/REPO/' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  sbom.json

# Check that the SBOM is well-formed CycloneDX
cyclonedx-cli validate --input-file sbom.json

Test Plan

  • cargo-cyclonedx generates valid SBOM
  • SBOM includes all dependencies (direct + transitive)
  • cosign signs artifacts successfully
  • Signatures verifiable with public key/certificate
  • Attestations generated correctly
  • SBOM uploaded to releases/artifacts
  • Documentation updated with verification instructions

Acceptance Criteria

  • SBOM generated for every release
  • CycloneDX format validated
  • Artifacts signed with Sigstore
  • Signature bundles uploaded alongside artifacts
  • Build provenance attestations created
  • Verification instructions in documentation
  • 90-day retention for security artifacts
  • No secrets required (keyless signing)

Documentation Requirements

Add to README:

  • SBOM availability and format
  • Signature verification instructions
  • Supply chain security practices
  • Links to Rekor transparency log

Parent: #175
