CycloneDX
diff --git a/‎.github/workflows/dotnetcore.yml
+8-19 b/‎.github/workflows/dotnetcore.yml
+8-19
diff --git a/‎README.md
+96-7 b/‎README.md
+96-7
diff --git a/‎cyclonedx.tests/Resources/bom-1.3.xml.invalid.sig
256 Bytes b/‎cyclonedx.tests/Resources/bom-1.3.xml.invalid.sig
256 Bytes
diff --git a/‎cyclonedx.tests/Resources/bom-1.3.xml.valid.sig
256 Bytes b/‎cyclonedx.tests/Resources/bom-1.3.xml.valid.sig
256 Bytes
diff --git a/‎cyclonedx.tests/Resources/private.key
+27 b/‎cyclonedx.tests/Resources/private.key
+27
diff --git a/‎cyclonedx.tests/Resources/public.key
+27 b/‎cyclonedx.tests/Resources/public.key
+27
diff --git a/‎cyclonedx.tests/Resources/signed-bom-modified.xml
+23 b/‎cyclonedx.tests/Resources/signed-bom-modified.xml
+23
diff --git a/‎cyclonedx.tests/Resources/signed-bom.xml
+23 b/‎cyclonedx.tests/Resources/signed-bom.xml
+23
diff --git a/‎cyclonedx.tests/SignBomTests.cs
+51 b/‎cyclonedx.tests/SignBomTests.cs
+51
diff --git a/‎cyclonedx.tests/SignFileTests.cs
+56 b/‎cyclonedx.tests/SignFileTests.cs
+56
@@ -6,23 +6,18 @@ on: [pull_request, workflow_dispatch]
 jobs:
   # Fail if there are build warnings
   #
-  # As a general code quality check we use FxCop analyzers.
-  #
   # To check for build warnings locally you may need to run a clean build.
   #
   # This can be done by running `dotnet clean` before running `dotnet build`
-  # build-warnings:
-  #   name: Build warnings check
-  #   runs-on: ubuntu-20.04
-  #   timeout-minutes: 30
-  #   steps:
-  #     - uses: actions/[email protected]
-  #     - uses: actions/[email protected]
-  #       with:
-  #         dotnet-version: '5.0.100-rc.2.20479.15'
+  build-warnings:
+    name: Build warnings check
+    runs-on: ubuntu-20.04
+    timeout-minutes: 30
+    steps:
+      - uses: actions/[email protected]
 
-  #     - name: Build
-  #       run: dotnet build /WarnAsError
+      - name: Build
+        run: dotnet build /WarnAsError
 
   # We end up targeting a range of runtimes, make sure they all build
   build:
@@ -34,9 +29,6 @@ jobs:
     timeout-minutes: 30
     steps:
       - uses: actions/[email protected]
-      - uses: actions/[email protected]
-        with:
-          dotnet-version: '5.0.100-rc.2.20479.15'
 
       - name: Build
         run: dotnet build cyclonedx/cyclonedx.csproj -r ${{ matrix.runtime }}
@@ -56,9 +48,6 @@ jobs:
 
     steps:
     - uses: actions/[email protected]
-    - uses: actions/[email protected]
-      with:
-        dotnet-version: '5.0.100-rc.2.20479.15'
 
     - name: Tests
       run: |
 
@@ -21,15 +21,18 @@ Options:
   -?, -h, --help    Show help and usage information
 
 Commands:
-  add                           Add information to a BOM (currently supports files)
-  analyze                       Analyze a BOM file
-  convert                       Convert between different BOM formats
-  diff <from-file> <to-file>    Generate a BOM diff
-  merge                         Merge two or more BOMs
-  validate                      Validate a BOM
+  add                         Add information to a BOM (currently supports files)
+  analyze                     Analyze a BOM file
+  convert                     Convert between different BOM formats
+  diff <from-file> <to-file>  Generate a BOM diff
+  keygen                      Generates an RSA public/private key pair for BOM signing
+  merge                       Merge two or more BOMs
+  sign                        Sign a BOM or file
+  validate                    Validate a BOM
+  verify                      Verify signatures in a BOM
 ```
 
-The CycloneDX CLI tool currently supports BOM analysis, diffing, merging and format conversions.
+The CycloneDX CLI tool currently supports BOM analysis, modification, diffing, merging, format conversion, signing and verification.
 
 Conversion from all CycloneDX BOM versions and CSV is supported.
 
@@ -157,6 +160,19 @@ Options:
 Reporting on components with version changes:  
 `cyclonedx-cli diff sbom-from.xml sbom-to.xml --component-versions`
 
+## Keygen Command
+
+```
+keygen
+  Generates an RSA public/private key pair for BOM signing
+
+Usage:
+  cyclonedx [options] keygen
+
+Options:
+  --private-key-file <private-key-file>  Filename for generated private key file (defaults to "private.key")
+  --public-key-file <public-key-file>    Filename for generated public key file (defaults to "public.key")
+```
 
 ## Merge Command
 
@@ -189,6 +205,42 @@ Merge two XML formatted BOMs:
 Merging two BOMs and piping output to additional tools:  
 `cyclonedx-cli merge --input-files sbom1.xml sbom2.xml --output-format json | grep "something"`
 
+## Sign Command
+
+Sign a BOM or file
+
+### Sign Bom Subcommand
+
+```
+bom
+  Sign the entire BOM document
+
+Usage:
+  cyclonedx [options] sign bom <bom-file>
+
+Arguments:
+  <bom-file>  BOM filename
+
+Options:
+  --key-file <key-file>  Signing key filename (RSA private key in PEM format, defaults to "private.key")
+```
+
+### Sign File Subcommand
+
+```
+file
+  Sign arbitrary files and generate a PKCS1 RSA SHA256 signature file
+
+Usage:
+  cyclonedx [options] sign file <file>
+
+Arguments:
+  <file>  Filename of the file the signature will be created for
+
+Options:
+  --key-file <key-file>              Signing key filename (RSA private key in PEM format, defaults to "private.key")
+  --signature-file <signature-file>  Filename of the generated signature file (defaults to the filename with ".sig" appended)
+```
 
 ## Validate Command
 
@@ -210,6 +262,43 @@ Options:
 Validate BOM and return non-zero exit code (handy for automatically "breaking" a build, etc)  
 `cyclonedx-cli validate --input-file sbom.xml --fail-on-errors`
 
+## Verify Command
+
+Verify signatures for BOMs and files
+
+### Verify All Subcommand
+
+```
+all
+  Verify all signatures in a BOM
+
+Usage:
+  cyclonedx [options] verify all <bom-file>
+
+Arguments:
+  <bom-file>  BOM filename
+
+Options:
+  --key-file <key-file>  Public key filename (RSA public key in PEM format, defaults to "public.key")
+```
+
+### Verify File Subcommand
+
+```
+file
+  Verifies a PKCS1 RSA SHA256 signature file for an abritrary file
+
+Usage:
+  cyclonedx [options] verify file <file>
+
+Arguments:
+  <file>  File the signature file is for
+
+Options:
+  --key-file <key-file>              Public key filename (RSA public key in PEM format, defaults to "public.key")
+  --signature-file <signature-file>  Signature file to be verified (defaults to the filename with ".sig" appended)
+```
+
 # Docker Image
 
 The CycloneDX CLI tool can also be run using docker `docker run cyclonedx/cyclonedx-cli`.
 
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArEVXY6FwqCMWq7HID0rLGs8gym5prQLzlQIdJSBIJjN5X/Uw
+UTwy30vEKc2ENgmHrek1rOtiNLxXzmPC2KWyDSUKt4BUdjVWm/PlAduBZP2ZLKlX
+WORVu6g3+S0/uCXP66c7u1jGdHaLdGAoMGWLFcQi+lmPIEFLXOAkxSX58tVrDYgt
+u6RaOQGeeuV8cYmy3Db6flMbT6/bI7tsXwMoYQ7vjTN2U+MxrSlflfqri2q+R616
+oxgvIRbAz4BYJgxK3xw7IZFBC/hr6fwKJ/frvUD7tLzYR4Ap91pjB0x8FPR3tUEN
+dR8EyMU48vUr3xNWROpIsrCOdmiRVm0Xkdc+3wIDAQABAoIBAGG3O2iiDDrzHErr
+nuU9sZNVZe4tTvf6MpyVBF8ovoQcsn5Bn9SUZu7OFUj48EOOiE2XeQDKy3vKUawa
+Xk1xP1vBZSDNRBuBCc2QPJgfIHheeOIidA9SBWdaddV7WydjG1s6EuGj633oOBYc
+7O72yjvgc066Ojs7jjnyUikZ73tTsIo110wKGR/LhvIhwW4FERfTzlaHYP/iiMbO
+oFxLqS6gb3Rv4QoPa5gQTmLBeusFKSoy9hzSVAy5u7wq/9EA/yTpFTzGupJVvt+q
+CW4uFUNvF/KpX2WgeJu38KS6x1qUvvk+3j3xGNBFyB/SkBIg8h5psn6JQD4BAqz7
+JN3lJQECgYEA4LaGYRiG40sUsV4V1OdqhtXpje6IcXUwcS76834GmH2irRuTv2jB
+T0SzTuDUe77Ga9x5F+lU3e0ohkO9UOeMv0RAM912fePShHIJkZs0KiDWwg7RPl5v
+q6fqWSzmt8+6Y8kbAWMSVZyxctCVUU0fpHhx4PTt718UhLesjsGIix8CgYEAxEGd
+Zagh9dlUjLeaEQPmWbQnVyRrNKLRAECXKKFv/2uyPWyoCX0Kg452NrM/2SLDqw2I
+e1p2zUNtQShezUJuhVM13nwluu1OrYsHxTILefsIkItJssqc8xO6RdgPYaVZMbo4
+63bN2Kk3GWGkpqeYoBPC0JuXTL9BM/vN3iiClEECgYArgSrjAWyb9J08+Yogfe0R
+zbg50kR4Msf+IapUGcINI8Wq3fvswssqHZLZYo3Ap16i4zxOdM4JaTC/Tb4JO8rz
+/LKxV97o4IKRQcK4fePLhDAPwe6gtIfKI+gq+5ZvX7gmOXkQ+61BBeUU5W0DIHtP
+zEG/26t0/GNsjmLKAI3+4QKBgQCuzx8quFsfiCi2eqfBti6NAln0Vd0j8k6loeLC
+byG6aixGaC043mbqDZAgYwNhHoUZLKG/9jFR3lhHrHTc8epN2XNnLD/TQ6NME0Wl
+kVEFouPbFCZeGfk4zv6hTbVNraFIGO6wVY8/CGKquf2V8DyTgWaKt7xJwSWL7yNN
+WdoNwQKBgQDWkg2qvuRUbXtc696FkCdhfNqmSLD+py+ZihsrHcp0HyETMWg+sNwu
++Nz6Bgcihm8GOwP5jOroD3oEkit/bvcG6FWpmxBajxsWfFU5Cpgp0DVxY/RzES+F
+wqIB7SN/nfcjeTCYM3Z0m3KvyflBgP6UO0dFJjJYGm16bd95VSOXrQ==
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEArEVXY6FwqCMWq7HID0rLGs8gym5prQLzlQIdJSBIJjN5X/Uw
+UTwy30vEKc2ENgmHrek1rOtiNLxXzmPC2KWyDSUKt4BUdjVWm/PlAduBZP2ZLKlX
+WORVu6g3+S0/uCXP66c7u1jGdHaLdGAoMGWLFcQi+lmPIEFLXOAkxSX58tVrDYgt
+u6RaOQGeeuV8cYmy3Db6flMbT6/bI7tsXwMoYQ7vjTN2U+MxrSlflfqri2q+R616
+oxgvIRbAz4BYJgxK3xw7IZFBC/hr6fwKJ/frvUD7tLzYR4Ap91pjB0x8FPR3tUEN
+dR8EyMU48vUr3xNWROpIsrCOdmiRVm0Xkdc+3wIDAQABAoIBAGG3O2iiDDrzHErr
+nuU9sZNVZe4tTvf6MpyVBF8ovoQcsn5Bn9SUZu7OFUj48EOOiE2XeQDKy3vKUawa
+Xk1xP1vBZSDNRBuBCc2QPJgfIHheeOIidA9SBWdaddV7WydjG1s6EuGj633oOBYc
+7O72yjvgc066Ojs7jjnyUikZ73tTsIo110wKGR/LhvIhwW4FERfTzlaHYP/iiMbO
+oFxLqS6gb3Rv4QoPa5gQTmLBeusFKSoy9hzSVAy5u7wq/9EA/yTpFTzGupJVvt+q
+CW4uFUNvF/KpX2WgeJu38KS6x1qUvvk+3j3xGNBFyB/SkBIg8h5psn6JQD4BAqz7
+JN3lJQECgYEA4LaGYRiG40sUsV4V1OdqhtXpje6IcXUwcS76834GmH2irRuTv2jB
+T0SzTuDUe77Ga9x5F+lU3e0ohkO9UOeMv0RAM912fePShHIJkZs0KiDWwg7RPl5v
+q6fqWSzmt8+6Y8kbAWMSVZyxctCVUU0fpHhx4PTt718UhLesjsGIix8CgYEAxEGd
+Zagh9dlUjLeaEQPmWbQnVyRrNKLRAECXKKFv/2uyPWyoCX0Kg452NrM/2SLDqw2I
+e1p2zUNtQShezUJuhVM13nwluu1OrYsHxTILefsIkItJssqc8xO6RdgPYaVZMbo4
+63bN2Kk3GWGkpqeYoBPC0JuXTL9BM/vN3iiClEECgYArgSrjAWyb9J08+Yogfe0R
+zbg50kR4Msf+IapUGcINI8Wq3fvswssqHZLZYo3Ap16i4zxOdM4JaTC/Tb4JO8rz
+/LKxV97o4IKRQcK4fePLhDAPwe6gtIfKI+gq+5ZvX7gmOXkQ+61BBeUU5W0DIHtP
+zEG/26t0/GNsjmLKAI3+4QKBgQCuzx8quFsfiCi2eqfBti6NAln0Vd0j8k6loeLC
+byG6aixGaC043mbqDZAgYwNhHoUZLKG/9jFR3lhHrHTc8epN2XNnLD/TQ6NME0Wl
+kVEFouPbFCZeGfk4zv6hTbVNraFIGO6wVY8/CGKquf2V8DyTgWaKt7xJwSWL7yNN
+WdoNwQKBgQDWkg2qvuRUbXtc696FkCdhfNqmSLD+py+ZihsrHcp0HyETMWg+sNwu
++Nz6Bgcihm8GOwP5jOroD3oEkit/bvcG6FWpmxBajxsWfFU5Cpgp0DVxY/RzES+F
+wqIB7SN/nfcjeTCYM3Z0m3KvyflBgP6UO0dFJjJYGm16bd95VSOXrQ==
+-----END RSA PRIVATE KEY-----
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
+    <components>
+        <component type="library">
+            <publisher>Not-Apache</publisher>
+            <group>org.apache.tomcat</group>
+            <name>tomcat-catalina</name>
+            <version>9.0.14</version>
+            <hashes>
+                <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
+                <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
+                <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
+                <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
+            </hashes>
+            <licenses>
+                <license>
+                    <id>Apache-2.0</id>
+                </license>
+            </licenses>
+            <purl>pkg:maven/org.apache.tomcat/[email protected]</purl>
+        </component>
+    </components>
+<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>/dv/4234OrWJ3z0ytdv86AGtDFjiPYNSamZRRWrOFSQ=</DigestValue></Reference></SignedInfo><SignatureValue>lpUmguCCoJVe+AXaHarzR8l2Uvk7spE0L0yV/d54IGU7vn1dh2IFLrZvhxK2lVLlLV2qQtaFs89UWmXPKyRlzU0N/AEZTWHaxJh/5DTy3w7iyOcqKf1U4j9nSRkCtwiBF3rc8u/Oi4XdvmnzNDaIfIdu/vZlkWRvsh1HZZtKtb1ZFnRrmKr+HHzGqtA4nAI5yqzq0g28M9Q2x2Rqd5K0wFGAusWMNcLR6lAcglEg5I8CW9ILzhqXsu91+YMax41wyZ1FZEQwX+Jj4xsgf8xRMr1nGkO0+FV0km6zc0EWl7uJGFCVFXTChQJUZ53hWZVzsGs66UL4jxEF4DfnWIxMzA==</SignatureValue></Signature></bom>
@@ -0,0 +1,23 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
+    <components>
+        <component type="library">
+            <publisher>Apache</publisher>
+            <group>org.apache.tomcat</group>
+            <name>tomcat-catalina</name>
+            <version>9.0.14</version>
+            <hashes>
+                <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
+                <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
+                <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
+                <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
+            </hashes>
+            <licenses>
+                <license>
+                    <id>Apache-2.0</id>
+                </license>
+            </licenses>
+            <purl>pkg:maven/org.apache.tomcat/[email protected]</purl>
+        </component>
+    </components>
+<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI=""><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>/dv/4234OrWJ3z0ytdv86AGtDFjiPYNSamZRRWrOFSQ=</DigestValue></Reference></SignedInfo><SignatureValue>lpUmguCCoJVe+AXaHarzR8l2Uvk7spE0L0yV/d54IGU7vn1dh2IFLrZvhxK2lVLlLV2qQtaFs89UWmXPKyRlzU0N/AEZTWHaxJh/5DTy3w7iyOcqKf1U4j9nSRkCtwiBF3rc8u/Oi4XdvmnzNDaIfIdu/vZlkWRvsh1HZZtKtb1ZFnRrmKr+HHzGqtA4nAI5yqzq0g28M9Q2x2Rqd5K0wFGAusWMNcLR6lAcglEg5I8CW9ILzhqXsu91+YMax41wyZ1FZEQwX+Jj4xsgf8xRMr1nGkO0+FV0km6zc0EWl7uJGFCVFXTChQJUZ53hWZVzsGs66UL4jxEF4DfnWIxMzA==</SignatureValue></Signature></bom>
@@ -0,0 +1,51 @@
+// This file is part of CycloneDX CLI Tool
+//
+// Licensed under the Apache License, Version 2.0 (the “License”);
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an “AS IS” BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
+using System;
+using System.IO;
+using System.Threading.Tasks;
+using Xunit;
+using Snapshooter;
+using Snapshooter.Xunit;
+using CycloneDX.Cli.Commands.Sign;
+
+namespace CycloneDX.Cli.Tests
+{
+    public class SignBomTests
+    {
+        [Fact]
+        public async Task SignXmlBom()
+        {
+            using (var tempDirectory = new TempDirectory())
+            {
+                var testFilename = Path.Combine(tempDirectory.DirectoryPath, "bom.xml");
+                File.Copy(Path.Combine("Resources", "bom-1.3.xml"), testFilename);
+
+                var exitCode = await SignBomCommand.SignBom(new SignBomCommandOptions
+                {
+                    BomFile = testFilename,
+                    KeyFile = Path.Combine("Resources", "private.key"),
+                }).ConfigureAwait(false);
+                
+                Assert.Equal(ExitCode.Ok, (ExitCode)exitCode);
+
+                var bom = File.ReadAllText(testFilename);
+                Snapshot.Match(bom);
+            }
+        }
+    }
+}
@@ -0,0 +1,56 @@
+// This file is part of CycloneDX CLI Tool
+//
+// Licensed under the Apache License, Version 2.0 (the “License”);
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an “AS IS” BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
+using System;
+using System.IO;
+using System.Threading.Tasks;
+using Xunit;
+using Snapshooter;
+using Snapshooter.Xunit;
+using CycloneDX.Cli.Commands.Sign;
+
+namespace CycloneDX.Cli.Tests
+{
+    public class SignFileTests
+    {
+        [Fact]
+        public async Task SignFile()
+        {
+            using (var tempDirectory = new TempDirectory())
+            {
+                var testFilename = Path.Combine(tempDirectory.DirectoryPath, "bom.xml");
+                var fileContents = await File.ReadAllTextAsync(Path.Combine("Resources", "bom-1.3.xml")).ConfigureAwait(false);
+                if (Environment.OSVersion.Platform == PlatformID.Win32NT)
+                {
+                    fileContents = fileContents.Replace("\r\n", "\n");
+                }
+                await File.WriteAllTextAsync(testFilename, fileContents).ConfigureAwait(false);
+
+                var exitCode = await SignFileCommand.SignFile(new SignFileCommandOptions
+                {
+                    File = testFilename,
+                    KeyFile = Path.Combine("Resources", "private.key"),
+                }).ConfigureAwait(false);
+                
+                Assert.Equal(ExitCode.Ok, (ExitCode)exitCode);
+
+                var signature = File.ReadAllText(testFilename + ".sig");
+                Snapshot.Match(signature);
+            }
+        }
+    }
+}