# SBOM & Supply Chain Security
HDDS ships a signed Software Bill of Materials (SBOM) in CycloneDX format, covering all 501 dependencies with full license and provenance information. Both GPG and Sigstore/cosign signatures are provided for independent verification.
## Available Formats

| File | Format | Description |
|---|---|---|
| `sbom/hdds-1.0.8.cdx.json` | CycloneDX JSON | Machine-readable, integrates with dependency-track, Grype, etc. |
| `sbom/hdds-1.0.8.cdx.xml` | CycloneDX XML | Alternative format for XML-based toolchains |
## Signature Verification
All signing is performed manually by the maintainer (human-only, no automation).
### 1. Pre-sign Checksum Verification

```bash
cd sbom/
sha256sum -c SHA256SUMS
# Expected: hdds-1.0.8.cdx.json: OK
# Expected: hdds-1.0.8.cdx.xml: OK
```
### 2. GPG Verification

```bash
# Verify detached GPG signatures
gpg --verify hdds-1.0.8.cdx.json.asc hdds-1.0.8.cdx.json
gpg --verify hdds-1.0.8.cdx.xml.asc hdds-1.0.8.cdx.xml
# Expected output:
# gpg: Good signature from "..."
```
### 3. Sigstore/cosign Verification

```bash
cosign verify-blob \
  --signature hdds-1.0.8.cdx.json.sig \
  --certificate hdds-1.0.8.cdx.json.cert \
  --certificate-identity "olivier@naskel.com" \
  --certificate-oidc-issuer "https://accounts.google.com" \
  hdds-1.0.8.cdx.json
# Expected: Verified OK
```
Repeat for the XML file:

```bash
cosign verify-blob \
  --signature hdds-1.0.8.cdx.xml.sig \
  --certificate hdds-1.0.8.cdx.xml.cert \
  --certificate-identity "olivier@naskel.com" \
  --certificate-oidc-issuer "https://accounts.google.com" \
  hdds-1.0.8.cdx.xml
```
### 4. SHA256 Verification

After signing, the full SHA256SUMS file covers all 8 artifacts (2 SBOMs + 2 .asc + 2 .sig + 2 .cert):

```bash
sha256sum -c SHA256SUMS
# All 8 files should report: OK
```
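The four steps above as a single fail-closed script, added here as an example and not part of the HDDS project's own tooling. The artifact names, the signer identity and the OIDC issuer are the ones given above; that everything lives in one directory (`sbom/` by default), that `gpg` and `cosign` are on `PATH`, and that the maintainer's public key has already been imported are assumptions. The script stops at the first failing step, and it also refuses a `SHA256SUMS` that lists fewer than the 8 expected artifacts or carries an entry for a file that is not part of the release.

```python
"""Fail-closed verifier for the HDDS SBOM release artifacts (added example)."""
import hashlib
import subprocess
import sys
from pathlib import Path

RELEASE = "hdds-1.0.8"
SBOMS = [f"{RELEASE}.cdx.json", f"{RELEASE}.cdx.xml"]
# Post-signing SHA256SUMS must cover all 8 artifacts: 2 SBOMs + .asc + .sig + .cert.
ARTIFACTS = [f"{s}{ext}" for s in SBOMS for ext in ("", ".asc", ".sig", ".cert")]
SIGNER_IDENTITY = "olivier@naskel.com"           # from the page
OIDC_ISSUER = "https://accounts.google.com"      # from the page


def parse_sha256sums(text):
    """Parse `sha256sum` output lines ("<hex>  <name>") into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # binary-mode marker, safe to drop
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed SHA256SUMS line: {line!r}")
        sums[name] = digest.lower()
    return sums


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(directory, expected_files):
    """Return (ok, problems). A file that is missing from SHA256SUMS, missing
    on disk, or has a digest mismatch is a failure; so is an entry in the
    manifest for a file that is not an expected release artifact."""
    directory = Path(directory)
    sums = parse_sha256sums((directory / "SHA256SUMS").read_text())
    problems = []
    for name in expected_files:
        if name not in sums:
            problems.append(f"{name}: not listed in SHA256SUMS")
        elif not (directory / name).is_file():
            problems.append(f"{name}: listed but missing on disk")
        elif sha256_file(directory / name) != sums[name]:
            problems.append(f"{name}: digest mismatch")
    for name in sorted(sums.keys() - set(expected_files)):
        problems.append(f"{name}: unexpected entry in SHA256SUMS")
    return (not problems, problems)


def gpg_verify_cmd(sbom):
    return ["gpg", "--verify", f"{sbom}.asc", sbom]


def cosign_verify_cmd(sbom):
    # Pinning both identity and issuer is what ties the signature to this
    # maintainer's Sigstore certificate rather than to any valid certificate.
    return ["cosign", "verify-blob",
            "--signature", f"{sbom}.sig",
            "--certificate", f"{sbom}.cert",
            "--certificate-identity", SIGNER_IDENTITY,
            "--certificate-oidc-issuer", OIDC_ISSUER,
            sbom]


def run(cmd, cwd):
    """Run one verifier tool; any non-zero exit aborts the whole check."""
    result = subprocess.run(cmd, cwd=cwd, capture_output=True, text=True)
    if result.returncode != 0:
        raise SystemExit(f"FAIL: {' '.join(cmd)}\n{result.stderr}")
    print(f"ok: {cmd[0]} {cmd[-1]}")


def verify_release(directory="sbom"):
    ok, problems = verify_checksums(directory, ARTIFACTS)      # steps 1 and 4
    if not ok:
        raise SystemExit("FAIL: checksums\n  " + "\n  ".join(problems))
    print(f"ok: SHA256SUMS covers all {len(ARTIFACTS)} artifacts")
    for sbom in SBOMS:
        run(gpg_verify_cmd(sbom), cwd=directory)                # step 2
        run(cosign_verify_cmd(sbom), cwd=directory)             # step 3
    print("all checks passed")


if __name__ == "__main__":
    verify_release(sys.argv[1] if len(sys.argv) > 1 else "sbom")
```

Run it as `python verify_hdds_sbom.py sbom/`. One check the script cannot make for you: `gpg --verify` exits 0 for a "Good signature" even when the signing key is not trusted in your keyring, so compare the key fingerprint it reports against one obtained out-of-band before treating step 2 as passed.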
## Contents
The SBOM includes:
- 501 dependencies with full metadata (name, version, license, purl)
- All direct and transitive Cargo dependencies
- License breakdown across the dependency tree
- Package URLs (purl) for automated vulnerability scanning
## Verification Checklist
- Download SBOM files and signatures from the release
- Verify SHA256 checksums match
- Verify GPG signature (requires maintainer public key)
- Verify cosign signature (keyless, uses Sigstore transparency log)
- Import SBOM into your dependency-track or vulnerability scanner
- Cross-reference with `cargo audit` output for known CVEs
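A small inspection script for the last two checklist items, added as an example and not part of HDDS: it parses a CycloneDX JSON SBOM into (name, version, purl, license) rows, reports the license breakdown and any component without a purl (which a scanner cannot match against advisories), and joins `cargo audit --json` findings to SBOM components by name and version. The SBOM and the audit report embedded below are constructed stand-ins with placeholder crate names and a placeholder advisory id, not real HDDS dependencies or real advisories; the `vulnerabilities.list[].advisory.id` / `package.{name,version}` shape of the audit report is assumed from the rustsec report format.

```python
"""Inspect a CycloneDX JSON SBOM and cross-reference it with cargo audit (added example)."""
import json
from collections import Counter

# Constructed CycloneDX 1.5 document with a few Cargo components (placeholders).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-a", "version": "1.2.3",
         "purl": "pkg:cargo/example-a@1.2.3",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-b", "version": "0.9.0",
         "purl": "pkg:cargo/example-b@0.9.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        # No purl: a vulnerability scanner has nothing to match this one on.
        {"type": "library", "name": "example-c", "version": "2.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
    ],
})

# Constructed `cargo audit --json` report; the advisory id is a placeholder.
# Shape (vulnerabilities.list[].advisory.id, .package.name/.version) is assumed.
SAMPLE_AUDIT = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [
            {"advisory": {"id": "RUSTSEC-0000-0000", "title": "placeholder advisory"},
             "package": {"name": "example-b", "version": "0.9.0"}},
        ],
    },
})


def license_of(component):
    """CycloneDX allows an SPDX id or name, or a full SPDX expression."""
    for entry in component.get("licenses", []):
        if "expression" in entry:
            return entry["expression"]
        lic = entry.get("license", {})
        if "id" in lic:
            return lic["id"]
        if "name" in lic:
            return lic["name"]
    return "UNKNOWN"


def load_components(sbom_text):
    """Return one row per component: name, version, purl (None if absent), license."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return [{"name": c["name"], "version": c.get("version"),
             "purl": c.get("purl"), "license": license_of(c)}
            for c in bom.get("components", [])]


def license_breakdown(components):
    return Counter(c["license"] for c in components)


def missing_purl(components):
    """Components a purl-driven scanner (Grype, dependency-track) will silently skip."""
    return [c["name"] for c in components if not c["purl"]]


def cross_reference(components, audit_text):
    """Join cargo audit findings to SBOM components on (name, version)."""
    report = json.loads(audit_text)
    in_sbom = {(c["name"], c["version"]) for c in components}
    hits = []
    for vuln in report.get("vulnerabilities", {}).get("list", []):
        key = (vuln["package"]["name"], vuln["package"]["version"])
        hits.append({"advisory": vuln["advisory"]["id"],
                     "package": key, "in_sbom": key in in_sbom})
    return hits


if __name__ == "__main__":
    comps = load_components(SAMPLE_SBOM)
    print(f"{len(comps)} components")
    for lic, n in sorted(license_breakdown(comps).items()):
        print(f"  {lic}: {n}")
    print("components without purl:", missing_purl(comps))
    for hit in cross_reference(comps, SAMPLE_AUDIT):
        print(hit)
```

Against the real release, replace `SAMPLE_SBOM` with the contents of `sbom/hdds-1.0.8.cdx.json` (after the signature checks above have passed) and `SAMPLE_AUDIT` with the output of `cargo audit --json` from the same checkout; a finding whose `in_sbom` is false points at a disagreement between the lockfile the audit saw and the SBOM that was signed, which is itself worth investigating.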
## Related
- Feature Flags -- build-time feature configuration
- Environment Variables -- runtime configuration