Use SBOM for binary checksum when available #36
Labels
enhancement
New feature or request
ux
Ensures a good time when using the product
workflow/verification
Binary / archive verification workflow
Milestone
Comments
wilsonehusin
added
enhancement
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
(Credit to @puerco for this idea)
As part of lockfile creation, we currently assert checksum for archive being downloaded (e.g. tarball) and on success, calculate the checksum of binary.
In the event that SBOM is available, we should consider using SBOM-declared checksum for assertion of binary.
{ "SPDXID": "SPDXRef-44d63059769f8e23", "licenseConcluded": "NOASSERTION", "checksums": [ { "algorithm": "SHA256", "checksumValue": "490dc2bc75e4c67f3fb096d9a854e49439f6327c43602081aa55114650fceb10" } ], "fileName": "bindl", "fileTypes": [ "APPLICATION", "BINARY" ] }The text was updated successfully, but these errors were encountered: