FAQ resource for How do I prove an SBOM from Vibgrate is authentic?.
Answer
In Vibgrate Cloud, the SBOM Hub can export your SBOM wrapped in a signed attestation — an in-toto Statement in a DSSE envelope whose subject is the SBOM's cryptographic digest — so a consumer can confirm it came from Vibgrate and has not been altered. Download it from the SBOM Hub Reports tab with "Download signed bundle". The dashboard shows a Verified badge once the signature and the SBOM's digest both check out, and leaves the report plainly marked as unsigned when they do not. Because it is a standard in-toto and DSSE attestation, you can also verify it offline with the supply-chain tooling you already use.