Skip to main content

Signed, Verifiable SBOM Reports

Download an SBOM from Vibgrate Cloud wrapped in a signed attestation, so a consumer can prove it came from Vibgrate and has not been altered — and see its verified status in the dashboard.

Vibgrate Docs

Vibgrate Help

An unsigned SBOM is just a file. It lists your components, but it proves nothing about who produced it or whether it was changed on the way to you. Vibgrate Cloud can sign the SBOM you export so a downstream consumer — a customer, an auditor, a regulator — can confirm it genuinely came from Vibgrate and has not been tampered with. This guide explains what the signed bundle contains, how to download it, and how verification works. It is for security engineers, release owners, and compliance teams.

What "signed" means here

Vibgrate does not embed a signature inside the SBOM. Instead it wraps the SBOM in a signed attestation — the standard, tool-interoperable pattern for this. The attestation is an in-toto Statement inside a DSSE envelope:

  • The subject is the SBOM's cryptographic digest, so the attestation is bound to that exact document.
  • The predicate is the SBOM itself, so the bundle is self-contained.
  • The whole statement is signed, so any change to it is detectable.

This is the same shape used across the software supply-chain ecosystem, so the bundle verifies with the tools your team already uses for attestations.

Download a signed bundle

In Vibgrate Cloud, open the SBOM Hub and go to the Reports tab. Each report row has a download control:

  1. Click the caret next to Download to open the format menu.
  2. Choose Download signed bundle.

You get the signed attestation as an .intoto.jsonl bundle alongside the report. When the signature checks out, the row shows a Verified badge; if signing is not configured for your deployment, the report stays plainly marked as unsigned rather than pretending otherwise.

How verification works

Vibgrate Cloud verifies a bundle before it shows the Verified badge. Two things must hold:

  1. The signature verifies against Vibgrate's signing key.
  2. The SBOM's digest matches the subject the attestation commits to.

If either check fails, the report is not shown as verified. Because the bundle is a standard in-toto attestation in a DSSE envelope, you can also verify it yourself, offline, with the same supply-chain tooling you already run — the dashboard's badge is a convenience, not the only route.

Why it matters

Most supply-chain risk lives in the path between "we produced this" and "you received this." A signed SBOM closes that gap: instead of trusting that a file came from Vibgrate, a consumer can check it. That is what auditors and enterprise buyers increasingly ask for, and it turns your SBOM from a claim into evidence.

Related

  • "vg sbom — Export, Compare & Attest SBOMs" covers producing the SBOM you sign.
  • "SBOM for Compliance and Audit Evidence" explains retention and audit use.
  • See the glossary for attestation, provenance, and DSSE.

Related Commands