Make our sbom generation useful

We currently have an SBOM file, but its not at all useful, in that its
just a template that downstream consumers might use to build their own
sboms, but thats not really what an SBOM is for.

SBOMs provide a level of assurance that the release production process
was done securely.  OpenSSL produces source releases, for which we
leverage git archive when done on a github CI runner, which we don't
have direct control over (at least not the contents of the runner
image), so what we really should be doing, is generating an SBOM on the
fly, for which we validate the computed SHA256 sum of each file in the
tarball against the SHA256 sum of the corresponding file from the source
git tree (to ensure that tooling local to the system didn't modify the
files during archive construction.

Replace the static sbom file with some additional ci work to do that,
and make the sbom part of the release process so that downstream users
can properly consume it.

Author: nhorman

.github/workflows/make-release.yml

@@ -18,6 +18,9 @@ jobs:
   release:
     runs-on: "releaser"
     steps:
+    - name: "Install syft"
+      run: |
+        sudo curl -sSfL https://get.anchore.io/syft | sudo sh -s -- -b /usr/local/bin
     - name: "Checkout"
       uses: "actions/checkout@v5"
       with:
@@ -38,6 +41,35 @@ jobs:
         openssl sha1 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha1"
         openssl sha256 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha256"
         gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.tar.gz.asc" -sba "$GITHUB_REF_NAME.tar.gz"
+    - name: "Build and validate SBOM against git tree"
+      run: |
+        cd "$GITHUB_REF_NAME"
+        # extract the generated tarball
+        mkdir sbom
+        cd sbom
+        tar xvf ../assets/$GITHUB_REF_NAME.tar.gz
+        cd ../assets
+        # build our sbom based on the tarball contents
+        export SYFT_FILE_METADATA_SELECTION=all
+        export SYFT_LICENSE_CONTENT=all
+        syft scan --select-catalogers +sbom-cataloger,+nix-cataloger --source-name OpenSSL --source-version $GITHUB_REF_NAME --source-supplier OpenSSL --base-path ../sbom/$GITHUB_REF_NAME/ --output spdx-json=./$GITHUB_REF_NAME-sbom.json --from dir ../sbom/$GITHUB_REF_NAME/
+
+        # Validate each file listed in the sbom against the corresponding git tree
+        for sbomfile in $(jq -r '.files[] | select(has("fileName")) | .fileName' ./$GITHUB_REF_NAME-sbom.json); do
+          if [ -d ../$sbomfile ]; then
+            continue
+          fi
+          GITSHA256=$(sha256sum i../$sbomfile | awk '{print $1}')
+          SBOM256=$(jq -r --arg sbfile "$sbomfile" '.files[] | select(has("fileName")) | select(.fileName==$sbfile) | .checksums[1].checksumValue' ./$GITHUB_REF_NAME-sbom.json)
+          if [ "$GITSHA256" != "$SBOM256" ]; then
+            echo "$sbomfile sha256sums don't match between git and release tarball!"
+            exit 1
+          fi
+        done
+        # fixup license info
+        sed -i -e "s/\"licenseDeclared\":\"NOASSERTION\"/\"licenseDeclared\":\"Apache-2.0\"/g" ./$GITHUB_REF_NAME-sbom.json
+        sed -i -e "s/\"licenseConcluded\":\"NOASSERTION\"/\"licenseConcluded\":\"Apache-2.0\"/g" ./$GITHUB_REF_NAME-sbom.json
+        gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME-sbom.json.asc" -sba "$GITHUB_REF_NAME-sbom.json"
     - name: "Create release"
       env:
         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}