@@ -487,13 +487,6 @@ BOMSH_SPDX_OUT = omnibor.wolfssl-$(PACKAGE_VERSION).spdx.json
487487# the on-disk gitoid disagrees, so the install-time relink remains
488488# visible.
489489BOMSH_ARTEFACT_MANIFEST = $(abs_builddir ) /_bomsh.artefact
490- # Byte-identical copy of the traced library, captured BEFORE `make sbom`
491- # runs `make install` (during which libtool relinks src/.libs/lib*.so*
492- # in place to fix RPATH). bomsh_sbom.py hashes the file at -f at call
493- # time rather than reading the ADG, so pointing -f at this snapshot keeps
494- # the SPDX externalRef pinned to the bomsh-traced gitoid -- otherwise it
495- # would hash the post-relink bytes and disagree with the manifest.
496- BOMSH_ARTEFACT_SNAPSHOT = $(abs_builddir ) /_bomsh.snapshot
497490bomshdir = $(datadir ) /doc/$(PACKAGE )
498491
499492.PHONY : bomsh install-bomsh uninstall-bomsh
@@ -522,10 +515,15 @@ bomsh:
522515 @printf ' raw_logfile=%s\n' ' $(BOMSH_RAWLOG_BASE)' > ' $(BOMSH_CONF)'
523516 $(BOMTRACE3 ) -c ' $(BOMSH_CONF)' $(MAKE )
524517 $(BOMSH_CREATE_BOM ) -r ' $(BOMSH_RAWLOG)' -b ' $(BOMSH_OMNIBORDIR)'
525- @# Snapshot the traced library before `make sbom`'s install-time
526- @# libtool relink rewrites it (RPATH fix). -f points at the snapshot
527- @# so bomsh_sbom.py emits the bomsh-traced gitoid; the manifest's path
528- @# field stays on the live library so the verifier's NOTE keeps firing.
518+ @# Capture the ArtifactID (file gitoid) of the bomtrace3-traced
519+ @# library and record it in the manifest. Below we feed this gitoid
520+ @# to bomsh_sbom.py via -g (NOT -f): with -f, bomsh_sbom.py hashes
521+ @# the file then maps that hash through omnibor/metadata/bomsh/
522+ @# bomsh_omnibor_doc_mapping to a bom_id (the gitoid of the
523+ @# artefact's OmniBOR document) -- a different sha1 than the
524+ @# artefact's own content gitoid, which never matches what the
525+ @# verifier records. -g inserts our gitoid verbatim, so
526+ @# SPDX externalRef == manifest gitoid == artefact ArtifactID.
529527 @bomsh_artifact=" " ; \
530528 for lib in \
531529 $(addprefix "$(abs_builddir ) /src/.libs"/,$(WOLFSSL_LIB_DSO_BASENAMES ) ) \
@@ -534,8 +532,7 @@ bomsh:
534532 if test -f " $$ lib" ; then bomsh_artifact=" $$ lib" ; break ; fi ; \
535533 done ; \
536534 if test -n " $$ bomsh_artifact" ; then \
537- cp " $$ bomsh_artifact" ' $(BOMSH_ARTEFACT_SNAPSHOT)' ; \
538- bomsh_artifact_gid=` $( PYTHON3) -c ' import hashlib,sys;d=open(sys.argv[1],"rb").read();h=hashlib.sha1();h.update(("blob %d\0"%len(d)).encode());h.update(d);print(h.hexdigest())' ' $(BOMSH_ARTEFACT_SNAPSHOT)' ` ; \
535+ bomsh_artifact_gid=` $( PYTHON3) -c ' import hashlib,sys;d=open(sys.argv[1],"rb").read();h=hashlib.sha1();h.update(("blob %d\0"%len(d)).encode());h.update(d);print(h.hexdigest())' " $$ bomsh_artifact" ` ; \
539536 printf ' %s\t%s\n' " $$ bomsh_artifact" " $$ bomsh_artifact_gid" \
540537 > ' $(BOMSH_ARTEFACT_MANIFEST)' ; \
541538 fi
@@ -545,18 +542,22 @@ bomsh:
545542 echo " The OmniBOR graph in $( BOMSH_OMNIBORDIR) is still produced." ; \
546543 exit 0; \
547544 fi ; \
548- if test ! -f ' $(BOMSH_ARTEFACT_MANIFEST)' \
549- || test ! -f ' $(BOMSH_ARTEFACT_SNAPSHOT)' ; then \
545+ if test ! -f ' $(BOMSH_ARTEFACT_MANIFEST)' ; then \
550546 echo " NOTE: no built libwolfssl artifact found in $( abs_builddir) /src/.libs/" ; \
551547 echo " OmniBOR graph produced; SPDX enrichment skipped." ; \
552548 exit 0; \
553549 fi ; \
554550 bomsh_artifact=` awk ' NR==1 {print $$1}' ' $(BOMSH_ARTEFACT_MANIFEST)' ` ; \
555- echo " Enriching SPDX with OmniBOR ExternalRefs (artifact: $$ bomsh_artifact, snapshot: $( BOMSH_ARTEFACT_SNAPSHOT) )..." ; \
551+ bomsh_artifact_gid=` awk ' NR==1 {print $$2}' ' $(BOMSH_ARTEFACT_MANIFEST)' ` ; \
552+ if test -z " $$ bomsh_artifact_gid" ; then \
553+ echo " ERROR: $( BOMSH_ARTEFACT_MANIFEST) is missing the gitoid field" ; \
554+ exit 1; \
555+ fi ; \
556+ echo " Enriching SPDX with OmniBOR ExternalRefs (artifact: $$ bomsh_artifact, gitoid: $$ bomsh_artifact_gid)..." ; \
556557 $(BOMSH_SBOM ) \
557558 -b ' $(BOMSH_OMNIBORDIR)' \
558559 -i ' $(abs_builddir)/$(SBOM_SPDX)' \
559- -f ' $(BOMSH_ARTEFACT_SNAPSHOT) ' \
560+ -g " $$ bomsh_artifact_gid " \
560561 -s spdx-json \
561562 -O ' $(abs_builddir)'
562563
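Review bot: The new `awk 'NR==1 {print $$2}'` read of the gitoid field splits on any whitespace, so when `$(abs_builddir)` contains a space the second field is the remainder of the path rather than the gitoid, the `test -z` guard still passes, and that string goes verbatim into the SPDX externalRef via `-g`. The manifest is written tab-separated (`printf '%s\t%s\n'` in the hunk above), so reading it with `awk -F'\t'` on both the `$$1` and `$$2` lines matches the writer; and because `-g` is inserted without further checking, it is worth tightening the guard to require a 40-hex sha1, e.g. `if test -z "$$bomsh_artifact_gid" || ! printf '%s\n' "$$bomsh_artifact_gid" | grep -Eq '^[0-9a-f]{40}$$' ; then \`. An empty or missing `$(PYTHON3)` at manifest-writing time would likewise yield an empty gitoid field, which this stricter guard rejects with the existing ERROR message instead of emitting a malformed reference. The enclosing recipe starts outside the hunk.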
@@ -573,7 +574,7 @@ uninstall-bomsh:
573574 -rm -rf ' $(DESTDIR)$(bomshdir)/omnibor'
574575 -rm -f ' $(DESTDIR)$(bomshdir)/$(BOMSH_SPDX_OUT)'
575576
576- CLEANFILES += $(BOMSH_RAWLOG ) $(BOMSH_RAWLOG_BASE ) .sha256 $(BOMSH_CONF ) $(BOMSH_SPDX_OUT ) $(BOMSH_ARTEFACT_MANIFEST ) $( BOMSH_ARTEFACT_SNAPSHOT )
577+ CLEANFILES += $(BOMSH_RAWLOG ) $(BOMSH_RAWLOG_BASE ) .sha256 $(BOMSH_CONF ) $(BOMSH_SPDX_OUT ) $(BOMSH_ARTEFACT_MANIFEST )
577578
578579# Hook SBOM/Bomsh cleanup into `make uninstall` so packagers don't leave
579580# stale artefacts behind after install-sbom/install-bomsh. uninstall-sbom