Migrate enveloped signature support from JSF to JSS

[stevespringett]

Migrate enveloped signature support from JSF to JSS (ITU-T X.590)

Summary

• Replaced legacy JSON Signature Format (JSF) with JSON Signature Scheme (JSS) per ITU-T X.590 (10/2023). Added CycloneDX 2.0 model schema that implements JSS
• Updated all schema files referencing signatures to use the new signatures array (JSS) instead of singular signature object (JSF)
• Removed old JSF test (valid-signatures-2.0.json) and added 18 targeted JSS test cases (8 valid, 10 invalid)

This PR closes #851

All tests are structural validations only. Keys, certificates, thumbprints, and signature values are illustrative and may not be cryptographically valid. No content validation is performed.

[j28smith]

I took a quick look at this @stevespringett and it looks good at a high level. I noted a number of places where the descriptions still reference JSF instead of the updated JSS.

For the core change/update, is this the main file to look more closely at to ensure it references the JSS spec correctly?

schema/2.0/model/cyclonedx-jss_X590_2023_10-2.0.schema.json

[j28smith]

@jordan2175 if possible, would you be able to take a look at this PR? Or perhaps you can suggest someone else who worked closely on the JSS technical standardization process that could lend assistance with a review of Steve's PR here?

Note the key thing to look at is the schema definition for JSS in this file:

schema/2.0/model/cyclonedx-jss_X590_2023_10-2.0.schema.json

Thanks.

[j28smith]

@jordan2175, here is the PR that I mentioned on our call today. Would appreciate your review if you could also take a look.

Thanks!

[jkowalleck]

RFC notice sent on May 04, 2026

• https://groups.io/g/CycloneDX/topic/119149389
• https://cyclonedx.slack.com/archives/CVA0G10FN/p1777922813922089

Public RFC period ends June 01, 2026