* [OE-core][PATCH 0/2] spdx: SHA 512 support
@ 2026-05-13 15:00 Joshua Watt
  2026-05-13 15:00 ` [OE-core][PATCH 1/2] spdx: Use checksum list from bitbake Joshua Watt
  2026-05-13 15:00 ` [OE-core][PATCH 2/2] spdx: Add SHA 512 support Joshua Watt
  0 siblings, 2 replies; 3+ messages in thread
From: Joshua Watt @ 2026-05-13 15:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

Add SHA 512 support for compliance with BSI TR-03183

Joshua Watt (2):
  spdx: Use checksum list from bitbake
  spdx: Add SHA 512 support

 meta/lib/oe/sbom30.py       |  7 +++++++
 meta/lib/oe/spdx30_tasks.py | 10 ++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

-- 
2.54.0




* [OE-core][PATCH 1/2] spdx: Use checksum list from bitbake
  2026-05-13 15:00 [OE-core][PATCH 0/2] spdx: SHA 512 support Joshua Watt
@ 2026-05-13 15:00 ` Joshua Watt
  2026-05-13 15:00 ` [OE-core][PATCH 2/2] spdx: Add SHA 512 support Joshua Watt
  1 sibling, 0 replies; 3+ messages in thread
From: Joshua Watt @ 2026-05-13 15:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

Instead of manually curating a hardcoded list of checksums, use the same
list that bitbake uses.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/spdx30_tasks.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 1821dd7de4..0a30be5767 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -547,8 +547,10 @@ def add_download_files(d, objset):
             _enrich_source_package(d, dl, fd, file_name, primary_purpose)
 
             if fd.method.supports_checksum(fd):
-                # TODO Need something better than hard coding this
-                for checksum_id in ["sha256", "sha1"]:
+                for checksum_id in bb.fetch2.CHECKSUM_LIST:
+                    if checksum_id not in oe.spdx30.HashAlgorithm.NAMED_INDIVIDUALS:
+                        continue
+
                     expected_checksum = getattr(fd, "%s_expected" % checksum_id, None)
                     if expected_checksum is None:
                         continue
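Review bot: the `continue` silently drops every entry of bb.fetch2.CHECKSUM_LIST that has no oe.spdx30.HashAlgorithm individual of the same name, and the loop now emits every checksum bitbake supports that does match, which can be more than the old `["sha256", "sha1"]` list (md5, if it is in both sets, would now appear in the SBOM). The commit message should state that widening, and a `bb.debug()` in the skip branch would make dropped algorithms visible. A short comment that the membership test depends on bitbake's checksum ids using the same spelling as the SPDX HashAlgorithm names would also help the next reader.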
-- 
2.54.0




* [OE-core][PATCH 2/2] spdx: Add SHA 512 support
  2026-05-13 15:00 [OE-core][PATCH 0/2] spdx: SHA 512 support Joshua Watt
  2026-05-13 15:00 ` [OE-core][PATCH 1/2] spdx: Use checksum list from bitbake Joshua Watt
@ 2026-05-13 15:00 ` Joshua Watt
  1 sibling, 0 replies; 3+ messages in thread
From: Joshua Watt @ 2026-05-13 15:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

Adds support for adding SHA-512 hashes (where possible). This is to
improve compliance with SBoM standards, in particular BSI TR-03181 [1].

SHA 256 hashes are still included for each file, and still used to index
files in the database. Also, while SHA 512 is supported as a hash for
downloads, most recipes are still using SHA 256 and would need to be
upgraded for full compliance with BSI TR-03183.

[1]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/sbom30.py       | 7 +++++++
 meta/lib/oe/spdx30_tasks.py | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 0f1f9281ad..b379ff947c 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -638,6 +638,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
     def new_file(self, _id, name, path, *, purposes=[], hashfile=True):
         if hashfile:
             sha256_hash = bb.utils.sha256_file(path)
+            sha512_hash = bb.utils.sha512_file(path)
 
             for f in self.by_sha256_hash.get(sha256_hash, []):
                 if not isinstance(f, oe.spdx30.software_File):
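Review bot: `sha512_hash` is computed before the `by_sha256_hash` lookup that follows, so when an existing software_File matches, the file has already been read twice (once per `bb.utils.*_file` call) for a digest that is then discarded. Compute the SHA-512 after the dedup loop, next to where it is appended to `verifiedUsing`, or compute both digests in a single read of the file.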
@@ -684,6 +685,12 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
                     hashValue=sha256_hash,
                 )
             )
+            spdx_file.verifiedUsing.append(
+                oe.spdx30.Hash(
+                    algorithm=oe.spdx30.HashAlgorithm.sha512,
+                    hashValue=sha512_hash,
+                )
+            )
 
         return self.add(spdx_file)
 
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 0a30be5767..7cc46d579b 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -1478,6 +1478,10 @@ def create_image_spdx(d):
                             oe.spdx30.Hash(
                                 algorithm=oe.spdx30.HashAlgorithm.sha256,
                                 hashValue=bb.utils.sha256_file(image_path),
+                            ),
+                            oe.spdx30.Hash(
+                                algorithm=oe.spdx30.HashAlgorithm.sha512,
+                                hashValue=bb.utils.sha512_file(image_path),
                             )
                         ],
                     )
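Review bot: the two `bb.utils.*_file` calls read `image_path` in full twice; image files are large, so a single-pass helper that feeds one read into both digest objects would halve the I/O here and in `new_file` above.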
-- 
2.54.0
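The patch hashes each file twice, once with bb.utils.sha256_file() and once with bb.utils.sha512_file(). As an added example that is not part of the patch or of the OE-core code base, the helper below (hypothetical name multi_digest_file) computes both digests from a single read and shapes them into the algorithm/hashValue pairs that the patch's verifiedUsing list carries; the dict form stands in for oe.spdx30.Hash objects, and the "abc" sample input is constructed for the demo.

```python
import hashlib
import os
import tempfile


# Hypothetical helper (added example, not from the patch): update several
# hashlib objects from one read of the file instead of re-reading it once
# per algorithm, as calling sha256_file() and then sha512_file() does.
def multi_digest_file(path, algorithms=("sha256", "sha512"), chunk_size=1 << 20):
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def spdx_hash_entries(digests):
    """Shape the digests like the patch's verifiedUsing entries.

    Plain dicts stand in for oe.spdx30.Hash(algorithm=..., hashValue=...).
    Sorted so the output order is stable regardless of dict insertion order.
    """
    return [
        {"algorithm": name, "hashValue": value}
        for name, value in sorted(digests.items())
    ]


def digests_of_bytes(data, algorithms=("sha256", "sha512")):
    """Write constructed sample bytes to a temporary file and hash that file.

    Exists so the single-pass reader can be exercised on an in-memory sample
    without needing a real build tree.
    """
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        return multi_digest_file(path, algorithms)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed sample: the three bytes "abc".
    for entry in spdx_hash_entries(digests_of_bytes(b"abc")):
        print(entry["algorithm"], entry["hashValue"])
```

Each digest object consumes the same chunk, so the file is read once however many algorithms are requested; adding a further algorithm (for example one of the others bitbake's checksum list names) costs CPU only, not a further pass over the file.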



