Skip to content
This repository was archived by the owner on Jun 26, 2024. It is now read-only.

Use SBOM for binary checksum when available #36

Open
wilsonehusin opened this issue Mar 22, 2022 · 0 comments
Open

Use SBOM for binary checksum when available #36

wilsonehusin opened this issue Mar 22, 2022 · 0 comments
Labels
enhancement New feature or request ux Ensures a good time when using the product workflow/verification Binary / archive verification workflow
Milestone
v0.1.0

Comments

@wilsonehusin
Copy link
Member

wilsonehusin commented Mar 22, 2022
edited
Loading

(Credit to @puerco for this idea)

As part of lockfile creation, we currently assert checksum for archive being downloaded (e.g. tarball) and on success, calculate the checksum of binary.

In the event that SBOM is available, we should consider using SBOM-declared checksum for assertion of binary.

{
 "SPDXID": "SPDXRef-44d63059769f8e23",
 "licenseConcluded": "NOASSERTION",
 "checksums": [
  {
   "algorithm": "SHA256",
   "checksumValue": "490dc2bc75e4c67f3fb096d9a854e49439f6327c43602081aa55114650fceb10"
  }
 ],
 "fileName": "bindl",
 "fileTypes": [
  "APPLICATION",
  "BINARY"
 ]
}
@wilsonehusin wilsonehusin added enhancement New feature or request ux Ensures a good time when using the product workflow/verification Binary / archive verification workflow labels Mar 22, 2022
@wilsonehusin wilsonehusin added this to the v0.1.0 milestone Mar 30, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
enhancement New feature or request ux Ensures a good time when using the product workflow/verification Binary / archive verification workflow
Projects
None yet
Milestone
v0.1.0
Development

No branches or pull requests
1 participant
@wilsonehusin