From 8dd138604921cd236aa542dbb90efe8876dad807 Mon Sep 17 00:00:00 2001
From: Bernd Ritter
Date: Fri, 26 Jun 2026 10:09:40 +0200
Subject: [PATCH] Checking syft checksums offline, Documentation

Signed-off-by: Bernd Ritter
On-behalf-of: SAP
---
 Dockerfile | 17 ++++++++++++++---
 README.md | 4 ++++
 syft_1.45.1_checksums.txt | 28 ++++++++++++++++++++++++++++
 syft_1.45.1_checksums.txt.pem | 1 +
 syft_1.45.1_checksums.txt.sig | 1 +
 5 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 syft_1.45.1_checksums.txt
 create mode 100644 syft_1.45.1_checksums.txt.pem
 create mode 100644 syft_1.45.1_checksums.txt.sig

diff --git a/Dockerfile b/Dockerfile
index bfd4a34..7007dc1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,11 +14,22 @@ RUN git clone https://github.com/gardenlinux/resizefat32
 RUN make -C resizefat32 install
 
 FROM debian:testing AS syft
-ARG SYFT_RELEASE="1.44.0"
+ARG SYFT_RELEASE="1.45.1"
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates wget jq
-RUN wget --quiet https://github.com/anchore/syft/releases/download/v${SYFT_RELEASE}/syft_${SYFT_RELEASE}_checksums.txt
+# getting checksums and signatures and unpack
+COPY syft_${SYFT_RELEASE}_checksums.txt /syft_${SYFT_RELEASE}_checksums.txt
+COPY syft_${SYFT_RELEASE}_checksums.txt.sig /syft_${SYFT_RELEASE}_checksums.txt.sig
+COPY syft_${SYFT_RELEASE}_checksums.txt.pem /syft_${SYFT_RELEASE}_checksums.txt.pem
+# unpack
+RUN base64 -d /syft_${SYFT_RELEASE}_checksums.txt.sig > /syft_${SYFT_RELEASE}_checksums.txt.sig.unpacked
+RUN base64 -d syft_${SYFT_RELEASE}_checksums.txt.pem | openssl x509 -pubkey > /syft_${SYFT_RELEASE}_checksums.txt.pem.unpacked
+# verify
+RUN openssl dgst -verify /syft_${SYFT_RELEASE}_checksums.txt.pem.unpacked -signature /syft_${SYFT_RELEASE}_checksums.txt.sig.unpacked syft_${SYFT_RELEASE}_checksums.txt
+# get syft
 RUN wget --quiet https://github.com/anchore/syft/releases/download/v${SYFT_RELEASE}/syft_${SYFT_RELEASE}_linux_$(dpkg --print-architecture).deb
-RUN sha256sum --ignore-missing --check syft_${SYFT_RELEASE}_checksums.txt
+# verify checksum
+RUN sha256sum --ignore-missing --check /syft_${SYFT_RELEASE}_checksums.txt
+# install
 RUN DEBIAN_FRONTEND=noninteractive apt-get install --yes --no-install-recommends ./syft_${SYFT_RELEASE}_linux_$(dpkg --print-architecture).deb
 
 FROM debian:testing
diff --git a/README.md b/README.md
index 5e20e20..b2ef956 100644
--- a/README.md
+++ b/README.md
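Review bot: The `openssl dgst -verify` line proves only that the committed checksums file matches the committed `.sig` under the key inside the committed `.pem`; nothing in the hunk checks who issued that certificate or which identity it names, so all three files share one trust source (this repository) and a consistent replacement of the trio would pass. If the `.pem` is the Sigstore certificate published with the syft release (the hunk does not say), the intended anchor is the Fulcio root plus the signer identity in the certificate's subjectAltName; since keyless certificates are short-lived, a plain `openssl verify -CAfile /sigstore-root-<PLACEHOLDER>.pem` would also need a timestamp check, so at minimum a comment above the COPY lines should state that `.pem` and `.sig` are trusted as reviewed-in-git and must be inspected with `openssl x509 -noout -issuer -ext subjectAltName` whenever SYFT_RELEASE is bumped. Separately, `base64 -d syft_${SYFT_RELEASE}_checksums.txt.pem` and the last argument of the verify line use relative paths while every COPY destination is absolute, so the stage only works while the working directory is still `/`; use `/syft_${SYFT_RELEASE}_checksums.txt.pem` and `/syft_${SYFT_RELEASE}_checksums.txt` there, and add `-noout` to `openssl x509 -pubkey` so the unpacked file holds only the public key. The `base64 -d … | openssl x509` pipe also hides a base64 failure under the default `/bin/sh` (hadolint DL4006); a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before these RUN lines, or decoding to a file first, avoids that.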
@@ -73,6 +73,10 @@ cd gardenlinux
 ./build --container-image localhost/builder aws-gardener_prod
 ```
 
+## SBOM Generation
+
+After image build time a Software Bill of Materials (SBOM) is created in CycloneDX JSON-format. To produce the SBOM a tool called `syft` is downloaded during build container time. To verify the integrity the offloaded checksums file is included in the builder's directory. To update to a newer syft-release update the container ARG in the `Dockerfile` and update the checksums-file for this release as well.
+
 ## Licensing
 
 Copyright 2025 SAP SE or an SAP affiliate company and GardenLinux contributors. Please see our [LICENSE](LICENSE) for
diff --git a/syft_1.45.1_checksums.txt b/syft_1.45.1_checksums.txt
new file mode 100644
index 0000000..a28a24b
--- /dev/null
+++ b/syft_1.45.1_checksums.txt
@@ -0,0 +1,28 @@
+4ea6177d63c44bd6e17e8c1fdf9850e91193f01e553af58a8da8018bb967240c syft_1.45.1_darwin_amd64.sbom
+abe6e73b819f433b69ece755dc180a19c7694896062bf806f89d0e3ca5db710a syft_1.45.1_darwin_amd64.tar.gz
+546f6923369b6b83273c57df14026a71eb291d2cf709908b1bd34fc4e0d3e34d syft_1.45.1_darwin_arm64.sbom
+2f79ccbba6236636125d1ece60a6dc71d4e4f91b9f580cc2afbbafc763ff353d syft_1.45.1_darwin_arm64.tar.gz
+a4e518a12a3f81cf94919e3fe93d6749d29763547decda2244420aa56830200d syft_1.45.1_linux_amd64.deb
+8f7d1ac6ca562b0ea9bd2719d3f2b76835a69c4b36a04cd4147ffe9f77af6b5e syft_1.45.1_linux_amd64.rpm
+14afde8577155267618f8a13dc5ec680c1a66a5577b185c727f68d2cee7c1a14 syft_1.45.1_linux_amd64.sbom
+20c84195e24927f50a3b2269946be51f4c4abc9d2f145fee7388b4199149f716 syft_1.45.1_linux_amd64.tar.gz
+7db925f42c406edeb51a7f5ab3cd337e273bed16d632787921a10e1bc0b74214 syft_1.45.1_linux_arm64.deb
+9d5f85820e53f0c111134dc8b841dac60ab206a2e02c1a09c0019013623dfec0 syft_1.45.1_linux_arm64.rpm
+ea420dbee05812935946c1065e6e402bad6dfbeccad355a56cea11e881059961 syft_1.45.1_linux_arm64.sbom
+7df9f45cba1f6358ecfc7fac349d43b4605137001f9646b41267abe15a7c6cd7 syft_1.45.1_linux_arm64.tar.gz
+77d989363d4f49cdfddf98a7d16ed68087692d7c299ffe08f2d9e79eea097228 syft_1.45.1_linux_ppc64le.deb
+857d79c315a1b749d4ea8a26a56696753d062104d7b89fe74ac175dd4625eed8 syft_1.45.1_linux_ppc64le.rpm
+9c98d7f302c8725efbd21b018bfac41f7025329a9e898314a981d33f98bbd747 syft_1.45.1_linux_ppc64le.sbom
+5712ac2c2b732d3d777e1734617a5887414493941f34d92efa1cf102c0aa50f4 syft_1.45.1_linux_ppc64le.tar.gz
+5727f3052dc7828512485e61a798194bbf1d0b2148eaf5bf8dca9e71c5e5f2d5 syft_1.45.1_linux_riscv64.deb
+232e59c04813a7390172d6ea33f80a43cbfe252d6852cd5649a5ecb4462e41d7 syft_1.45.1_linux_riscv64.rpm
+2981697f6489f9c48f3b12d9ed653e0f1ad8a753d16fa2f44102973c94181d0e syft_1.45.1_linux_riscv64.sbom
+504e0c8f7bae364d1056b0976ffdbda4998eb38364cdd643c8221b4cedcd4083 syft_1.45.1_linux_riscv64.tar.gz
+cdb6fc765d44e20b628abc6711f9c4a1bd8164ea9bb99c674600ce1ae76f732f syft_1.45.1_linux_s390x.deb
+9ed1a909785302ccb46aa3663c27188960a8deb337a305b7b683e2db16654113 syft_1.45.1_linux_s390x.rpm
+6161fd742ba20efab281ed1c990d6d72f10146d83d7ec21e31c8490c96c926b0 syft_1.45.1_linux_s390x.sbom
+08f053fc6da6e382a555da2d5c049e998c8bbe6d6b5476a57af0b97fffd5215d syft_1.45.1_linux_s390x.tar.gz
+d36b782081c21c07c73412323e6090427baf7ec4ef5dfdbb77e521bd86b979fd syft_1.45.1_windows_amd64.sbom
+a9d12c26521e09213745884b8b7dc361dff83188c3a1ada0da1af71012dbcd52 syft_1.45.1_windows_amd64.zip
+2fcb08c05e79da47a3567c1ae79b016db3851f836404f169e963abdb4ffb94b2 syft_1.45.1_windows_arm64.sbom
+a95befd77b590a8c4a83adc7edac538a8fab5d23793bf678f4bc7f603e6a4cad syft_1.45.1_windows_arm64.zip
diff --git a/syft_1.45.1_checksums.txt.pem b/syft_1.45.1_checksums.txt.pem
new file mode 100644
index 0000000..8378e76
--- /dev/null
+++ b/syft_1.45.1_checksums.txt.pem
@@ -0,0 +1 @@
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
\ No newline at end of file
diff --git a/syft_1.45.1_checksums.txt.sig b/syft_1.45.1_checksums.txt.sig
new file mode 100644
index 0000000..be99faa
--- /dev/null
+++ b/syft_1.45.1_checksums.txt.sig
@@ -0,0 +1 @@
+MEUCIFHNp2Fo+5kNxxERsd8rIbGS7WYzpO9icNwB47OSKc+UAiEA06TTss1jf6i2djPuX/JlSuPq8Kgv0M0fVeYFLLVBZ1o=
\ No newline at end of file