diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
index 06bdaf8170..3f20bfd137 100644
--- a/.github/workflows/make-release.yml
+++ b/.github/workflows/make-release.yml
@@ -18,6 +18,12 @@ jobs:
   release:
     runs-on: "releaser"
     steps:
+      - name: "Install syft"
+        run: |
+          export SYFT_VERSION=1.37.0
+          export SYFT_PACKAGE=syft_$SYFT_VERSION_linux_amd64.deb
+          sudo curl -L --output=./$SYFT_PACKAGE https://github.com/anchore/syft/releases/download/v$SYFT_VERSION/$SYFT_PACKAGE
+          sudo apt-get install -y ./$SYFT_PACKAGE
       - name: "Checkout"
         uses: "actions/checkout@v5"
         with:
@@ -38,6 +44,24 @@ jobs:
           openssl sha1 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha1"
           openssl sha256 -r "$GITHUB_REF_NAME.tar.gz" > "$GITHUB_REF_NAME.tar.gz.sha256"
           gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.tar.gz.asc" -sba "$GITHUB_REF_NAME.tar.gz"
+      - name: "Build SBOM"
+        run: |
+          VERSION="$(echo "$GITHUB_REF_NAME" | cut -d '-' -f 2-)"
+          cd "$GITHUB_REF_NAME"
+          # extract the generated tarball
+          mkdir sbom
+          cd sbom
+          tar xvf ../assets/$GITHUB_REF_NAME.tar.gz
+          cd ../assets
+          # build our sbom based on the tarball contents
+          export SYFT_FILE_METADATA_SELECTION=all
+          export SYFT_LICENSE_CONTENT=all
+          syft scan --select-catalogers +sbom-cataloger,+file-contents-cataloger --source-name OpenSSL --source-version $VERSION --source-supplier OpenSSL --base-path ../sbom/$GITHUB_REF_NAME/ --output spdx-json=./$GITHUB_REF_NAME.sbom --from dir ../sbom/$GITHUB_REF_NAME/
+
+          # fixup license info
+          sed -i -e "s/\"licenseDeclared\":\"NOASSERTION\"/\"licenseDeclared\":\"Apache-2.0\"/g" ./$GITHUB_REF_NAME-sbom.json
+          sed -i -e "s/\"licenseConcluded\":\"NOASSERTION\"/\"licenseConcluded\":\"Apache-2.0\"/g" ./$GITHUB_REF_NAME-sbom.json
+          gpg -u "$SIGNING_KEY_UID" -o "$GITHUB_REF_NAME.sbom.asc" -sba "$GITHUB_REF_NAME.sbom"
       - name: "Create release"
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
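Review bot: `export SYFT_PACKAGE=syft_$SYFT_VERSION_linux_amd64.deb` in the new "Install syft" step expands the unset variable `SYFT_VERSION_linux_amd64` (underscore is an identifier character), so SYFT_PACKAGE becomes `syft_.deb` and the release download URL is wrong; it needs braces, `export SYFT_PACKAGE="syft_${SYFT_VERSION}_linux_amd64.deb"`. The .deb is then installed with sudo on the release runner without any integrity check, which makes the tool that produces the signed SBOM an unverified network download; pin its digest and verify it before apt-get, e.g. `echo "<pinned sha256>  ./$SYFT_PACKAGE" | sha256sum -c -`, and drop `sudo` from the curl line since downloading needs no root. Adding `-f` to curl (and using the portable `-o "./$SYFT_PACKAGE"` rather than `--output=`, which is worth checking against the runner's curl) makes a 404 from a bad URL fail the step instead of handing an error page to apt-get.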
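Review bot: The two `sed -i` fixups in the new "Build SBOM" step edit `./$GITHUB_REF_NAME-sbom.json`, but syft was told to write `--output spdx-json=./$GITHUB_REF_NAME.sbom` and that is also the file gpg signs, so sed either fails the step on a missing file or leaves the signed SBOM with its `NOASSERTION` entries intact; both lines should target the same name, `sed -i -e '…' "./$GITHUB_REF_NAME.sbom"`. The rewrite also flips every `licenseDeclared`/`licenseConcluded` that syft could not determine to Apache-2.0 for all cataloged entries, not just the top-level OpenSSL package, so it is only accurate as long as nothing in the tarball carries another license; a comment such as `# every NOASSERTION is rewritten: the release tarball is assumed to be Apache-2.0 throughout` would make that assumption reviewable. Whether the pattern with no space after the colon matches the JSON spacing syft actually emits should be confirmed on a real run, because a non-matching pattern silently leaves NOASSERTION in the signed artifact.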
diff --git a/doc/sbom.cdx.json b/doc/sbom.cdx.json
deleted file mode 100644
index f34094243e..0000000000
--- a/doc/sbom.cdx.json
+++ /dev/null
@@ -1,48 +0,0 @@
-{
-  "bomFormat": "CycloneDX",
-  "specVersion": "1.6",
-  "version": 1,
-  "metadata": {
-    "authors": [
-      {
-        "name": "@VCS_SBOM_AUTHORS@"
-      }
-    ]
-  },
-  "components": [
-    {
-      "type": "library",
-      "bom-ref": "pkg:github/openssl/openssl@@VCS_TAG@",
-      "cpe": "cpe:2.3:a:openssl:openssl:@VCS_TAG@:*:*:*:*:*:*:*",
-      "name": "OpenSSL",
-      "version": "@VCS_VERSION@",
-      "description": "TLS/SSL and crypto library",
-      "authors": [
-        {
-          "name": "@VCS_AUTHORS@",
-          "url": "https://raw.githubusercontent.com/openssl/openssl/refs/heads/master/AUTHORS.md"
-        }
-      ],
-      "supplier": {
-        "name": "The OpenSSL Project"
-      },
-      "licenses": [
-        {
-          "license": {
-            "id": "Apache-2.0"
-          }
-        }
-      ],
-      "externalReferences": [
-        {
-          "type": "website",
-          "url": "https://www.openssl.org/"
-        },
-        {
-          "type": "vcs",
-          "url": "https://github.com/openssl/openssl"
-        }
-      ]
-    }
-  ]
-}