This repository was archived by the owner on Jun 26, 2024. It is now read-only.

Use SBOM for binary checksum when available #36

@wilsonehusin

(Credit to @puerco for this idea)

As part of lockfile creation, we currently assert the checksum of the archive being downloaded (e.g. a tarball) and, on success, calculate the checksum of the binary.

In the event that an SBOM is available, we should consider using the SBOM-declared checksum for the assertion of the binary.

```json
{
 "SPDXID": "SPDXRef-44d63059769f8e23",
 "licenseConcluded": "NOASSERTION",
 "checksums": [
  {
   "algorithm": "SHA256",
   "checksumValue": "490dc2bc75e4c67f3fb096d9a854e49439f6327c43602081aa55114650fceb10"
  }
 ],
 "fileName": "bindl",
 "fileTypes": [
  "APPLICATION",
  "BINARY"
 ]
}
```
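One way to implement the SBOM-backed assertion, as an added example that is not bindl's own code: it assumes an SPDX JSON SBOM whose file entries (shaped like the one above) sit in a top-level `files` array, looks up the SHA256 declared for the binary's `fileName`, and compares it with the digest of the extracted binary. The function names and the sample SBOM are constructed for this example; note that it fails closed when the SBOM has no SHA256 entry for the file, rather than silently falling back to "compute and record".

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal subset of an SPDX 2.x JSON document; encoding/json matches field names case-insensitively.
// Assumption, not from the issue: file entries sit in a top-level "files" array.
type spdxDoc struct {
	Files []struct {
		FileName  string
		Checksums []struct{ Algorithm, ChecksumValue string }
	}
}

// sbomSHA256 returns the SHA256 the SBOM declares for fileName. It fails closed: a file that is
// missing, or listed with only other algorithms, is an error rather than a skip.
func sbomSHA256(sbom []byte, fileName string) (string, error) {
	var doc spdxDoc
	if err := json.Unmarshal(sbom, &doc); err != nil {
		return "", fmt.Errorf("parse SBOM: %w", err)
	}
	for _, f := range doc.Files {
		for _, c := range f.Checksums {
			if f.FileName == fileName && strings.EqualFold(c.Algorithm, "SHA256") {
				return strings.ToLower(c.ChecksumValue), nil
			}
		}
	}
	return "", fmt.Errorf("no SHA256 declared for %q in SBOM", fileName)
}

// verifyBinary hashes the extracted binary and asserts it equals the SBOM-declared value.
func verifyBinary(sbom []byte, fileName string, binary []byte) error {
	want, err := sbomSHA256(sbom, fileName)
	if err != nil {
		return err
	}
	if got := fmt.Sprintf("%x", sha256.Sum256(binary)); got != want {
		return fmt.Errorf("%q: SBOM declares %s, computed %s", fileName, want, got)
	}
	return nil
}

func main() {
	// Constructed sample: an SBOM declaring SHA256("hello") for a file named bindl.
	sbom := []byte(`{"files":[{"fileName":"bindl","checksums":[{"algorithm":"SHA256","checksumValue":"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}]}]}`)
	fmt.Println("verify:", verifyBinary(sbom, "bindl", []byte("hello"))) // prints "verify: <nil>"
}
```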

Labels: enhancement (New feature or request), ux (Ensures a good time when using the product), workflow/verification (Binary / archive verification workflow)