Explain new Supply Chain characteristics in the docs (#665)

Signed-off-by: Juan Cruz Viotti <[email protected]>

Author: jviotti

docs/commercial.md

@@ -24,11 +24,56 @@ Sourcemeta One is available in two editions:
   hosting solution that competes with Sourcemeta. After four years from each
   release, the code transitions to AGPL-3.0.
 
-- **Enterprise**: Includes additional features not available in the Community
-  edition. Requires a [commercial
+- **Enterprise**: Includes additional features and supply chain security
+  capabilities not available in the Community edition. Requires a [commercial
   license](https://github.com/sourcemeta/one/blob/main/LICENSE-COMMERCIAL)
   from Sourcemeta.
 
+## Supply Chain Security
+
+Starting with v4.2.2, the Enterprise container image ships with built-in
+supply chain security and regulatory compliance capabilities:
+
+- **Signed Container Images.** Every Enterprise image is cryptographically
+  signed using [Cosign](https://github.com/sigstore/cosign) and the
+  [Sigstore](https://www.sigstore.dev/) transparency log, allowing you to
+  verify image authenticity and integrity before deployment.
+
+- **Software Bill of Materials (SBOM).** Each release includes an SPDX SBOM
+  attached as a signed attestation to the container image, providing full
+  visibility into all vendored, npm, and system-level dependencies for
+  vulnerability management and audit purposes.
+
+- **FIPS-Ready Cryptography.** The Enterprise image is built with the OpenSSL
+  FIPS provider (`openssl-provider-fips`) for all cryptographic operations,
+  supporting organizations that require FIPS 140 compliance.
+
+### Verifying Image Signatures
+
+You can verify that an Enterprise container image was built and signed by
+Sourcemeta's official GitHub Actions pipeline using
+[Cosign](https://github.com/sigstore/cosign). For example:
+
+```sh
+cosign verify \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  --certificate-identity-regexp "^https://github.com/sourcemeta/one/" \
+  ghcr.io/sourcemeta/one-enterprise:v4.2.2
+```
+
+### Retrieving the SBOM
+
+The SPDX SBOM is attached as a signed in-toto attestation. You can verify and
+extract it using Cosign. For example:
+
+```sh
+cosign verify-attestation --type spdx \
+  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+  --certificate-identity-regexp "^https://github.com/sourcemeta/one/" \
+  ghcr.io/sourcemeta/one-enterprise:v4.2.2 \
+  | jq -r '.payload' | base64 -d | jq '.predicate'
+```
+
 ## Our Commitment to Excellence
 
 Sourcemeta is led by a member of the JSON Schema Technical Steering Committee,

docs/index.md

@@ -103,6 +103,10 @@ concerns and ensuring no vendor lock-in. If Sourcemeta would ever cease
 operations, you retain full access to continue running and maintaining your
 instances.
 
+**Supply chain security**: The Enterprise container image is cryptographically
+signed with Cosign/Sigstore, includes a signed SPDX Software Bill of Materials
+(SBOM), and ships with the OpenSSL FIPS provider for FIPS-ready cryptography.
+
 **Expert commercial support & training**: [Commercial
 Licenses](./commercial.md) give you access to world-class JSON Schema expertise
 whenever you need it. Upon request, we provide managed hosting, and we also

enterprise/scripts/cosign.sh

@@ -43,7 +43,7 @@ cosign verify \
 echo "Cosign: Signature verified successfully" 1>&2
 
 echo "Cosign: Verifying SBOM attestation for ${IMAGE}@${DIGEST}" 1>&2
-cosign verify-attestation --type spdxjson \
+cosign verify-attestation --type spdx \
   --certificate-oidc-issuer "$CERTIFICATE_OIDC_ISSUER" \
   --certificate-identity "$CERTIFICATE_IDENTITY" \
   "${IMAGE}@${DIGEST}"