From: Joshua Watt <jpewhacker@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Joshua Watt <JPEWhacker@gmail.com>
Subject: [OE-core][PATCH 2/2] spdx: Add SHA 512 support
Date: Wed, 13 May 2026 09:00:58 -0600
Message-ID: <20260513150334.925178-3-JPEWhacker@gmail.com>
In-Reply-To: <20260513150334.925178-1-JPEWhacker@gmail.com>

Adds support for adding SHA-512 hashes (where possible). This is to
improve compliance with SBoM standards, in particular BSI TR-03183 [1].

SHA-256 hashes are still included for each file, and still used to index
files in the database. Also, while SHA-512 is supported as a hash for
downloads, most recipes are still using SHA-256 and would need to be
upgraded for full compliance with BSI TR-03183.

[1]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/sbom30.py       | 7 +++++++
 meta/lib/oe/spdx30_tasks.py | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 0f1f9281ad..b379ff947c 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -638,6 +638,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
     def new_file(self, _id, name, path, *, purposes=[], hashfile=True):
         if hashfile:
             sha256_hash = bb.utils.sha256_file(path)
+            sha512_hash = bb.utils.sha512_file(path)
 
             for f in self.by_sha256_hash.get(sha256_hash, []):
                 if not isinstance(f, oe.spdx30.software_File):
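Review bot: `bb.utils.sha512_file(path)` on the new line reads the whole file a second time right after `bb.utils.sha256_file(path)` did, so every hashed file now costs two full passes; since `hashfile=True` is the default for `new_file`, that applies to every file in a package. A small single-pass helper that feeds each chunk to both digests (or a bitbake utility that returns several digests from one read) would keep the I/O cost where it was. Separately, the lookup two lines below still keys on `self.by_sha256_hash` only, which matches what the commit message says about SHA-256 remaining the index; worth stating in a comment here so nobody later "fixes" it by switching the index to the stronger digest without updating the database schema.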
@@ -684,6 +685,12 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
                     hashValue=sha256_hash,
                 )
             )
+            spdx_file.verifiedUsing.append(
+                oe.spdx30.Hash(
+                    algorithm=oe.spdx30.HashAlgorithm.sha512,
+                    hashValue=sha512_hash,
+                )
+            )
 
         return self.add(spdx_file)
 
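Review bot: the new `spdx_file.verifiedUsing.append(...)` block duplicates the `oe.spdx30.Hash(...)` construction of the sha256 entry just above it; building both entries in one `verifiedUsing.extend([...])` call with the algorithm/value pairs in a list would mirror the list form used for the image hashes in `spdx30_tasks.py` in this same patch and make adding a further algorithm a one-line change. Also note the sha512 entry is appended unconditionally whenever `hashfile` is set, so consumers that previously saw exactly one `verifiedUsing` entry per file will now see two; that is the intent, but a sentence in the commit message about ordering (sha256 first, sha512 second) would help anyone diffing SBOMs across releases.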
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 0a30be5767..7cc46d579b 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -1478,6 +1478,10 @@ def create_image_spdx(d):
                             oe.spdx30.Hash(
                                 algorithm=oe.spdx30.HashAlgorithm.sha256,
                                 hashValue=bb.utils.sha256_file(image_path),
+                            ),
+                            oe.spdx30.Hash(
+                                algorithm=oe.spdx30.HashAlgorithm.sha512,
+                                hashValue=bb.utils.sha512_file(image_path),
                             )
                         ],
                     )
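Review bot: the last `oe.spdx30.Hash(...)` in the list still closes with `)` and no trailing comma, so the next algorithm added here will again have to touch the previous entry's line, as this hunk does with the `+                            ),` line; ending the sha512 entry with `),` now keeps future diffs to pure additions. The same double read flagged for `new_file` applies here with more weight, since `image_path` is a full image and `bb.utils.sha256_file` and `bb.utils.sha512_file` each stream it from disk separately.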
-- 
2.54.0
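As an added example that is not part of this patch or of OE-core: the helper below computes the SHA-256 and SHA-512 digests the patch records in `verifiedUsing` in a single read of the file, and the matching consumer-side check verifies a file against every hash entry an SBOM lists for it, treating an algorithm the verifier does not know as a failure rather than skipping it. It uses only `hashlib` and plain dicts in place of `oe.spdx30.Hash`; `write_sample_file`, `digest_file`, `verify_file` and the sample contents are constructed for this example and are not bitbake or OE-core APIs.

```python
import hashlib
import os
import tempfile

# Algorithm names as they appear in an SPDX 3.0 Hash object's "algorithm"
# field (the patch uses oe.spdx30.HashAlgorithm.sha256 / .sha512).
ALGORITHMS = ("sha256", "sha512")


def digest_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for ``path`` using one read pass.

    Every chunk is fed to all requested digests, so adding an algorithm
    costs CPU but not a second trip through the file.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verified_using(digests):
    """Build SPDX-style hash entries (plain dicts standing in for
    oe.spdx30.Hash; constructed for this example)."""
    return [{"algorithm": name, "hashValue": value}
            for name, value in digests.items()]


def verify_file(path, entries):
    """Check ``path`` against every hash entry an SBOM lists for it.

    Returns (ok, mismatches). An entry whose algorithm hashlib cannot
    compute is reported as a mismatch instead of being skipped, so an
    unknown algorithm can never make verification pass vacuously.
    """
    wanted = [e["algorithm"] for e in entries]
    known = [a for a in wanted if a in hashlib.algorithms_available]
    actual = digest_file(path, known) if known else {}
    mismatches = [e["algorithm"] for e in entries
                  if actual.get(e["algorithm"]) != e["hashValue"]]
    return (not mismatches, mismatches)


def write_sample_file(data):
    """Write constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="sbom-hash-example-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed input: the FIPS 180 "abc" test vector.
    sample = write_sample_file(b"abc")
    entries = verified_using(digest_file(sample))
    for e in entries:
        print(e["algorithm"], e["hashValue"])
    print("verified:", verify_file(sample, entries))
    os.unlink(sample)
```

The producer side (`digest_file` plus `verified_using`) is what a single-pass replacement for the back-to-back `sha256_file`/`sha512_file` calls would look like; the consumer side (`verify_file`) is the check an SBOM reader should run, and it fails closed on any algorithm it cannot evaluate.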



Thread overview: 3+ messages
2026-05-13 15:00 [OE-core][PATCH 0/2] spdx: SHA 512 support Joshua Watt
2026-05-13 15:00 ` [OE-core][PATCH 1/2] spdx: Use checksum list from bitbake Joshua Watt
2026-05-13 15:00 ` [OE-core][PATCH 2/2] spdx: Add SHA 512 support Joshua Watt [this message]