17 changes: 14 additions & 3 deletions Dockerfile
Expand Up @@ -14,11 +14,22 @@ RUN git clone https://github.com/gardenlinux/resizefat32
RUN make -C resizefat32 install

FROM debian:testing AS syft
ARG SYFT_RELEASE="1.44.0"
ARG SYFT_RELEASE="1.45.1"
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ca-certificates wget jq
RUN wget --quiet https://github.com/anchore/syft/releases/download/v${SYFT_RELEASE}/syft_${SYFT_RELEASE}_checksums.txt
# getting checksums and signatures and unpack
COPY syft_${SYFT_RELEASE}_checksums.txt /syft_${SYFT_RELEASE}_checksums.txt
COPY syft_${SYFT_RELEASE}_checksums.txt.sig /syft_${SYFT_RELEASE}_checksums.txt.sig
COPY syft_${SYFT_RELEASE}_checksums.txt.pem /syft_${SYFT_RELEASE}_checksums.txt.pem
# unpack
RUN base64 -d /syft_${SYFT_RELEASE}_checksums.txt.sig > /syft_${SYFT_RELEASE}_checksums.txt.sig.unpacked
RUN base64 -d syft_${SYFT_RELEASE}_checksums.txt.pem | openssl x509 -pubkey > /syft_${SYFT_RELEASE}_checksums.txt.pem.unpacked
# verify
RUN openssl dgst -verify /syft_${SYFT_RELEASE}_checksums.txt.pem.unpacked -signature /syft_${SYFT_RELEASE}_checksums.txt.sig.unpacked syft_${SYFT_RELEASE}_checksums.txt
# get syft
RUN wget --quiet https://github.com/anchore/syft/releases/download/v${SYFT_RELEASE}/syft_${SYFT_RELEASE}_linux_$(dpkg --print-architecture).deb
RUN sha256sum --ignore-missing --check syft_${SYFT_RELEASE}_checksums.txt
# verify checksum
RUN sha256sum --ignore-missing --check /syft_${SYFT_RELEASE}_checksums.txt
# install
RUN DEBIAN_FRONTEND=noninteractive apt-get install --yes --no-install-recommends ./syft_${SYFT_RELEASE}_linux_$(dpkg --print-architecture).deb

FROM debian:testing
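Review bot: The `openssl dgst -verify` step only proves that the checksums file matches a signature made with the key inside the committed `.pem`; nothing checks who that certificate was issued to or whether it chains to a trusted root, so anyone able to edit this repository can regenerate all three vendored files with a throwaway key and the build still passes, which is no stronger than trusting the checksums file itself. The `.sig`/`.pem` pair looks like cosign keyless (Sigstore/Fulcio) output from the Syft release workflow, in which case the check that actually binds the file to that identity is `cosign verify-blob --certificate /syft_${SYFT_RELEASE}_checksums.txt.pem --signature /syft_${SYFT_RELEASE}_checksums.txt.sig --certificate-identity-regexp 'https://github.com/anchore/syft/' --certificate-oidc-issuer https://token.actions.githubusercontent.com /syft_${SYFT_RELEASE}_checksums.txt`, which also consults the transparency log so the short-lived Fulcio certificate is accepted past its expiry. If adding cosign to the stage is not acceptable, at least decode the certificate and assert its identity before the verify step, e.g. `RUN base64 -d /syft_${SYFT_RELEASE}_checksums.txt.pem | openssl x509 -noout -ext subjectAltName | grep -q 'github.com/anchore/syft/'`, and put a comment above the verify line stating that chain validation against the Fulcio root is deliberately not performed and why. The "# verify" comment should then say what is and is not verified, since a reader will otherwise assume this is a full provenance check.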
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -73,6 +73,10 @@ cd gardenlinux
./build --container-image localhost/builder aws-gardener_prod
```

## SBOM Generation

After image build time a Software Bill of Materials (SBOM) is created in CycloneDX JSON-format. To produce the SBOM a tool called `syft` is downloaded during build container time. To verify the integrity the offloaded checksums file is included in the builder's directory. To update to a newer syft-release update the container ARG in the `Dockerfile` and update the checksums-file for this release as well.

## Licensing

Copyright 2025 SAP SE or an SAP affiliate company and GardenLinux contributors. Please see our [LICENSE](LICENSE) for
28 changes: 28 additions & 0 deletions syft_1.45.1_checksums.txt
@@ -0,0 +1,28 @@
4ea6177d63c44bd6e17e8c1fdf9850e91193f01e553af58a8da8018bb967240c syft_1.45.1_darwin_amd64.sbom
abe6e73b819f433b69ece755dc180a19c7694896062bf806f89d0e3ca5db710a syft_1.45.1_darwin_amd64.tar.gz
546f6923369b6b83273c57df14026a71eb291d2cf709908b1bd34fc4e0d3e34d syft_1.45.1_darwin_arm64.sbom
2f79ccbba6236636125d1ece60a6dc71d4e4f91b9f580cc2afbbafc763ff353d syft_1.45.1_darwin_arm64.tar.gz
a4e518a12a3f81cf94919e3fe93d6749d29763547decda2244420aa56830200d syft_1.45.1_linux_amd64.deb
8f7d1ac6ca562b0ea9bd2719d3f2b76835a69c4b36a04cd4147ffe9f77af6b5e syft_1.45.1_linux_amd64.rpm
14afde8577155267618f8a13dc5ec680c1a66a5577b185c727f68d2cee7c1a14 syft_1.45.1_linux_amd64.sbom
20c84195e24927f50a3b2269946be51f4c4abc9d2f145fee7388b4199149f716 syft_1.45.1_linux_amd64.tar.gz
7db925f42c406edeb51a7f5ab3cd337e273bed16d632787921a10e1bc0b74214 syft_1.45.1_linux_arm64.deb
9d5f85820e53f0c111134dc8b841dac60ab206a2e02c1a09c0019013623dfec0 syft_1.45.1_linux_arm64.rpm
ea420dbee05812935946c1065e6e402bad6dfbeccad355a56cea11e881059961 syft_1.45.1_linux_arm64.sbom
7df9f45cba1f6358ecfc7fac349d43b4605137001f9646b41267abe15a7c6cd7 syft_1.45.1_linux_arm64.tar.gz
77d989363d4f49cdfddf98a7d16ed68087692d7c299ffe08f2d9e79eea097228 syft_1.45.1_linux_ppc64le.deb
857d79c315a1b749d4ea8a26a56696753d062104d7b89fe74ac175dd4625eed8 syft_1.45.1_linux_ppc64le.rpm
9c98d7f302c8725efbd21b018bfac41f7025329a9e898314a981d33f98bbd747 syft_1.45.1_linux_ppc64le.sbom
5712ac2c2b732d3d777e1734617a5887414493941f34d92efa1cf102c0aa50f4 syft_1.45.1_linux_ppc64le.tar.gz
5727f3052dc7828512485e61a798194bbf1d0b2148eaf5bf8dca9e71c5e5f2d5 syft_1.45.1_linux_riscv64.deb
232e59c04813a7390172d6ea33f80a43cbfe252d6852cd5649a5ecb4462e41d7 syft_1.45.1_linux_riscv64.rpm
2981697f6489f9c48f3b12d9ed653e0f1ad8a753d16fa2f44102973c94181d0e syft_1.45.1_linux_riscv64.sbom
504e0c8f7bae364d1056b0976ffdbda4998eb38364cdd643c8221b4cedcd4083 syft_1.45.1_linux_riscv64.tar.gz
cdb6fc765d44e20b628abc6711f9c4a1bd8164ea9bb99c674600ce1ae76f732f syft_1.45.1_linux_s390x.deb
9ed1a909785302ccb46aa3663c27188960a8deb337a305b7b683e2db16654113 syft_1.45.1_linux_s390x.rpm
6161fd742ba20efab281ed1c990d6d72f10146d83d7ec21e31c8490c96c926b0 syft_1.45.1_linux_s390x.sbom
08f053fc6da6e382a555da2d5c049e998c8bbe6d6b5476a57af0b97fffd5215d syft_1.45.1_linux_s390x.tar.gz
d36b782081c21c07c73412323e6090427baf7ec4ef5dfdbb77e521bd86b979fd syft_1.45.1_windows_amd64.sbom
a9d12c26521e09213745884b8b7dc361dff83188c3a1ada0da1af71012dbcd52 syft_1.45.1_windows_amd64.zip
2fcb08c05e79da47a3567c1ae79b016db3851f836404f169e963abdb4ffb94b2 syft_1.45.1_windows_arm64.sbom
a95befd77b590a8c4a83adc7edac538a8fab5d23793bf678f4bc7f603e6a4cad syft_1.45.1_windows_arm64.zip
1 change: 1 addition & 0 deletions syft_1.45.1_checksums.txt.pem
@@ -0,0 +1 @@
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
1 change: 1 addition & 0 deletions syft_1.45.1_checksums.txt.sig
@@ -0,0 +1 @@
MEUCIFHNp2Fo+5kNxxERsd8rIbGS7WYzpO9icNwB47OSKc+UAiEA06TTss1jf6i2djPuX/JlSuPq8Kgv0M0fVeYFLLVBZ1o=