Openembedded Core Discussions
* [OE-core][PATCH 0/2] spdx: SHA 512 support
@ 2026-05-13 15:00 Joshua Watt
  2026-05-13 15:00 ` [OE-core][PATCH 1/2] spdx: Use checksum list from bitbake Joshua Watt
  2026-05-13 15:00 ` [OE-core][PATCH 2/2] spdx: Add SHA 512 support Joshua Watt
  0 siblings, 2 replies; 3+ messages in thread
From: Joshua Watt @ 2026-05-13 15:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

Add SHA 512 support for compliance with BSI TR-03183

Joshua Watt (2):
  spdx: Use checksum list from bitbake
  spdx: Add SHA 512 support

 meta/lib/oe/sbom30.py       |  7 +++++++
 meta/lib/oe/spdx30_tasks.py | 10 ++++++++--
 2 files changed, 15 insertions(+), 2 deletions(-)

-- 
2.54.0




* [OE-core][PATCH 1/2] spdx: Use checksum list from bitbake
  2026-05-13 15:00 [OE-core][PATCH 0/2] spdx: SHA 512 support Joshua Watt
@ 2026-05-13 15:00 ` Joshua Watt
  2026-05-13 15:00 ` [OE-core][PATCH 2/2] spdx: Add SHA 512 support Joshua Watt
  1 sibling, 0 replies; 3+ messages in thread
From: Joshua Watt @ 2026-05-13 15:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

Instead of manually curating a hardcoded list of checksums, use the same
list that bitbake uses.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/spdx30_tasks.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 1821dd7de4..0a30be5767 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -547,8 +547,10 @@ def add_download_files(d, objset):
             _enrich_source_package(d, dl, fd, file_name, primary_purpose)
 
             if fd.method.supports_checksum(fd):
-                # TODO Need something better than hard coding this
-                for checksum_id in ["sha256", "sha1"]:
+                for checksum_id in bb.fetch2.CHECKSUM_LIST:
+                    if checksum_id not in oe.spdx30.HashAlgorithm.NAMED_INDIVIDUALS:
+                        continue
+
                     expected_checksum = getattr(fd, "%s_expected" % checksum_id, None)
                     if expected_checksum is None:
                         continue
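Review bot: the `continue` at the top of the new loop silently drops every entry of `bb.fetch2.CHECKSUM_LIST` whose name is not in `oe.spdx30.HashAlgorithm.NAMED_INDIVIDUALS`, so a naming mismatch (bitbake spelling versus SPDX spelling, or NAMED_INDIVIDUALS keyed by full IRI rather than bare name) would make every download lose all of its checksums with no diagnostic. Suggest a `bb.debug(1, ...)` naming the skipped checksum_id before the `continue`, plus a one-line comment stating that the bare bitbake names ("sha256", "sha512") are expected to match the SPDX individual names, so the assumption is visible to the next reader. The removed TODO is otherwise fully addressed.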
-- 
2.54.0




* [OE-core][PATCH 2/2] spdx: Add SHA 512 support
  2026-05-13 15:00 [OE-core][PATCH 0/2] spdx: SHA 512 support Joshua Watt
  2026-05-13 15:00 ` [OE-core][PATCH 1/2] spdx: Use checksum list from bitbake Joshua Watt
@ 2026-05-13 15:00 ` Joshua Watt
  1 sibling, 0 replies; 3+ messages in thread
From: Joshua Watt @ 2026-05-13 15:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Joshua Watt

Adds support for adding SHA-512 hashes (where possible). This is to
improve compliance with SBoM standards, in particular BSI TR-03183 [1].

SHA 256 hashes are still included for each file, and still used to index
files in the database. Also, while SHA 512 is supported as a hash for
downloads, most recipes are still using SHA 256 and would need to be
upgraded for full compliance with BSI TR-03183.

[1]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/sbom30.py       | 7 +++++++
 meta/lib/oe/spdx30_tasks.py | 4 ++++
 2 files changed, 11 insertions(+)

diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index 0f1f9281ad..b379ff947c 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -638,6 +638,7 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
     def new_file(self, _id, name, path, *, purposes=[], hashfile=True):
         if hashfile:
             sha256_hash = bb.utils.sha256_file(path)
+            sha512_hash = bb.utils.sha512_file(path)
 
             for f in self.by_sha256_hash.get(sha256_hash, []):
                 if not isinstance(f, oe.spdx30.software_File):
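Review bot: `bb.utils.sha512_file(path)` on the line after `bb.utils.sha256_file(path)` reads every packaged file a second time end to end, doubling the I/O of this task across the whole rootfs. A single-pass helper that feeds one read loop into both hashlib objects returns the same two digests at the old cost, and the same helper could serve the image hashing in spdx30_tasks.py. Also, the `by_sha256_hash` lookup on the following line still keys on `sha256_hash` alone, as the commit message says; a one-line comment at that point would stop a later reader from assuming `sha512_hash` takes part in deduplication.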
@@ -684,6 +685,12 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
                     hashValue=sha256_hash,
                 )
             )
+            spdx_file.verifiedUsing.append(
+                oe.spdx30.Hash(
+                    algorithm=oe.spdx30.HashAlgorithm.sha512,
+                    hashValue=sha512_hash,
+                )
+            )
 
         return self.add(spdx_file)
 
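Review bot: the second `spdx_file.verifiedUsing.append(...)` duplicates the sha256 block directly above it; a single `verifiedUsing.extend([...])`, or a small helper returning the pair of `oe.spdx30.Hash` objects, would keep the two algorithms together and make adding or dropping one a single-place change. The new append sits under the same `if hashfile:` branch in which `sha512_hash` is assigned, so there is no path on which the name is undefined.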
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 0a30be5767..7cc46d579b 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -1478,6 +1478,10 @@ def create_image_spdx(d):
                             oe.spdx30.Hash(
                                 algorithm=oe.spdx30.HashAlgorithm.sha256,
                                 hashValue=bb.utils.sha256_file(image_path),
+                            ),
+                            oe.spdx30.Hash(
+                                algorithm=oe.spdx30.HashAlgorithm.sha512,
+                                hashValue=bb.utils.sha512_file(image_path),
                             )
                         ],
                     )
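Review bot: `bb.utils.sha512_file(image_path)` directly after `bb.utils.sha256_file(image_path)` hashes the entire image twice; images are the largest artifacts this task touches, so this is where a single-read helper producing both digests pays off most. Style: the sha256 `Hash(...)` element now ends with a trailing comma while the new sha512 element does not; add the trailing comma on the new element so the next addition is a clean one-line diff.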
-- 
2.54.0
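An added example, not oe-core code and not part of this thread, showing the check a consumer of these SBOMs would run against the state the message describes: walk the software_File elements of an SPDX 3.0 JSON-LD document, flag any file that carries no SHA-512 entry (a file or download recorded before this change), and verify every recorded digest against the file on disk while reading the file only once. The JSON-LD layout used here (`@graph`, `type`, `verifiedUsing`, `algorithm`, `hashValue`) and the three sample files are constructed for the example and may differ from what meta/lib/oe/sbom30.py actually writes; `hash_file_once`, `hash_bytes_once`, `audit_sbom`, `build_sample` and `run_demo` are names of this example, not of oe-core.

```python
"""Audit an SPDX 3.0 JSON-LD SBOM for per-file SHA-512 coverage and verify
the recorded digests against the files on disk in a single read pass.

Added example, not oe-core code.  The JSON-LD shape below is constructed
for the example (assumption); the real sbom30.py output may differ."""
import hashlib
import io
import json
import os
import tempfile

REQUIRED_ALGORITHMS = ("sha256", "sha512")


def hash_stream_once(stream, algorithms=REQUIRED_ALGORITHMS, chunk_size=1 << 20):
    """Feed one read loop into several hashlib objects; {name: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file_once(path, algorithms=REQUIRED_ALGORITHMS):
    with open(path, "rb") as f:
        return hash_stream_once(f, algorithms)


def hash_bytes_once(data, algorithms=REQUIRED_ALGORITHMS):
    return hash_stream_once(io.BytesIO(data), algorithms)


def audit_sbom(doc, root):
    """Return a list of (file name, problem) tuples; empty means every
    software_File carries every required algorithm and every recorded
    digest matches the file found under root."""
    problems = []
    for element in doc.get("@graph", []):
        if element.get("type") != "software_File":
            continue
        name = element["name"]
        recorded = {h["algorithm"]: h["hashValue"].lower()
                    for h in element.get("verifiedUsing", [])
                    if h.get("type") == "Hash"}
        for alg in REQUIRED_ALGORITHMS:
            if alg not in recorded:
                problems.append((name, f"missing {alg}"))
        path = os.path.join(root, name.lstrip("/"))
        if not os.path.isfile(path):
            problems.append((name, "file not found"))
            continue
        # Only recompute algorithms hashlib knows; unknown names are skipped.
        known = tuple(a for a in recorded if a in hashlib.algorithms_available)
        actual = hash_file_once(path, known)
        for alg in known:
            if actual[alg] != recorded[alg]:
                problems.append((name, f"{alg} mismatch"))
    return problems


def build_sample(root):
    """Constructed sample: three files under root and an SBOM describing them.
    good: both digests, correct.  old: sha256 only (pre-change record).
    bad: sha512 present but wrong."""
    files = {"usr/bin/good": b"#!/bin/sh\necho good\n",
             "usr/bin/old": b"#!/bin/sh\necho old\n",
             "usr/bin/bad": b"#!/bin/sh\necho bad\n"}
    digests = {}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        digests[rel] = hash_bytes_once(data)

    def hashes(rel, algs):
        return [{"type": "Hash", "algorithm": a, "hashValue": digests[rel][a]}
                for a in algs]

    return {
        "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
        "@graph": [
            {"type": "software_File", "name": "/usr/bin/good",
             "verifiedUsing": hashes("usr/bin/good", REQUIRED_ALGORITHMS)},
            {"type": "software_File", "name": "/usr/bin/old",
             "verifiedUsing": hashes("usr/bin/old", ("sha256",))},
            {"type": "software_File", "name": "/usr/bin/bad",
             "verifiedUsing": hashes("usr/bin/bad", ("sha256",)) + [
                 {"type": "Hash", "algorithm": "sha512", "hashValue": "0" * 128}]},
        ],
    }


def run_demo():
    """Round-trip the constructed SBOM through JSON and audit it."""
    with tempfile.TemporaryDirectory() as root:
        doc = json.loads(json.dumps(build_sample(root)))
        return audit_sbom(doc, root)


if __name__ == "__main__":
    for name, problem in run_demo():
        print(f"{name}: {problem}")
```

The audit reports "/usr/bin/old: missing sha512" and "/usr/bin/bad: sha512 mismatch" and nothing for the file that carries both correct digests. Against a real document the same loop body, pointed at the rootfs the image was built from, is the practical test of whether every file now carries the SHA-512 entry this series adds.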



