Skip to content

SBOMs report all-zero SHA1 hash for release binaries  #2175

Description

@hidde-jan

Description

When inspecting the SBOMs attached to the latest release of rekor, the reported SHA1 hashes are all-zero. For example:

{
  //...
    "files": [
        {
            "fileName": "/rekor-cli-linux-amd64",
            "SPDXID": "SPDXRef-File-rekor-cli-linux-amd64-364aab0fbaf403d4",
            "checksums": [
                {
                    "algorithm": "SHA1",
                    "checksumValue": "0000000000000000000000000000000000000000"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "copyrightText": ""
        }
    ],
  //...
}

A quick inspection seems to indicate these SBOMs are generated by goreleaser.

Ideally, the sbom would include a proper hash of the binary.

Version

Not applicable

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions