fix(bomsh): snapshot traced library before make sbom's libtool relink

bomsh_sbom.py hashes -f at call time, so without the pre-install
snapshot it hashes the post-relink bytes and the SPDX externalRef
gitoid stops matching the manifest, failing verifier check (C).

Signed-off-by: Sameeh Jubran <sameeh@wolfssl.com>

Author: sameehj

.github/workflows/sbom.yml

@@ -1077,9 +1077,14 @@ jobs:
       - name: Upload bomsh trace diagnostics
         # Diagnostic-only, short retention.  Kept separate so the
         # provenance bundle above stays slim for downstream consumers
-        # who don't need to debug ptrace gaps.  `_bomsh.artefact` is
-        # included here (not in the provenance bundle) because it is
-        # a CI-internal pointer file, not part of the SBOM contract.
+        # who don't need to debug ptrace gaps.  `_bomsh.artefact` and
+        # `_bomsh.snapshot` are included here (not in the provenance
+        # bundle) because they are CI-internal: the manifest is a
+        # pointer file, and the snapshot is the byte-identical copy
+        # of the bomtrace3-traced library taken before `make sbom`'s
+        # libtool relink.  Bundling the snapshot lets a reviewer
+        # reproduce check (C) by hand (`sha1("blob "+len+"\\0"+bytes)`)
+        # to confirm the SPDX externalRef gitoid is honest.
         if: always()
         uses: actions/upload-artifact@v4
         with:
@@ -1088,6 +1093,7 @@ jobs:
             bomsh_raw_logfile.sha1
             _bomsh.conf
             _bomsh.artefact
+            _bomsh.snapshot
           if-no-files-found: warn
           retention-days: 14
 
@@ -1104,3 +1110,5 @@ jobs:
           test ! -d omnibor || (echo "omnibor/ not cleaned"; exit 1)
           test ! -f _bomsh.artefact \
             || (echo "_bomsh.artefact not cleaned"; exit 1)
+          test ! -f _bomsh.snapshot \
+            || (echo "_bomsh.snapshot not cleaned"; exit 1)

Makefile.am

@@ -486,6 +486,13 @@ BOMSH_SPDX_OUT         = omnibor.wolfssl-$(PACKAGE_VERSION).spdx.json
 # the on-disk gitoid disagrees, so the install-time relink remains
 # visible.
 BOMSH_ARTEFACT_MANIFEST = $(abs_builddir)/_bomsh.artefact
+# Byte-identical copy of the traced library, captured BEFORE `make sbom`
+# runs `make install` (during which libtool relinks src/.libs/lib*.so*
+# in place to fix RPATH).  bomsh_sbom.py hashes the file at -f at call
+# time rather than reading the ADG, so pointing -f at this snapshot keeps
+# the SPDX externalRef pinned to the bomsh-traced gitoid -- otherwise it
+# would hash the post-relink bytes and disagree with the manifest.
+BOMSH_ARTEFACT_SNAPSHOT = $(abs_builddir)/_bomsh.snapshot
 bomshdir          = $(datadir)/doc/$(PACKAGE)
 
 .PHONY: bomsh install-bomsh uninstall-bomsh
@@ -514,15 +521,10 @@ bomsh:
 	@printf 'raw_logfile=%s\n' '$(BOMSH_RAWLOG_BASE)' > '$(BOMSH_CONF)'
 	$(BOMTRACE3) -c '$(BOMSH_CONF)' $(MAKE)
 	$(BOMSH_CREATE_BOM) -r '$(BOMSH_RAWLOG)' -b '$(BOMSH_OMNIBORDIR)'
-	@# Capture the gitoid of the bomtrace3-traced library BEFORE the
-	@# `make sbom` below, which calls `make install DESTDIR=...` --
-	@# libtool's --mode=install relinks src/.libs/lib*.so* in place
-	@# to fix RPATH, mutating the bytes that bomsh recorded in the
-	@# ADG via bomsh_create_bom above.  Capturing here pins the
-	@# verifier's check (C) to the bomsh-traced gitoid (so SPDX <->
-	@# manifest agree even though the on-disk bytes diverge after
-	@# install).  The on-disk divergence is surfaced as a verifier
-	@# warning, not a failure.
+	@# Snapshot the traced library before `make sbom`'s install-time
+	@# libtool relink rewrites it (RPATH fix).  -f points at the snapshot
+	@# so bomsh_sbom.py emits the bomsh-traced gitoid; the manifest's path
+	@# field stays on the live library so the verifier's NOTE keeps firing.
 	@bomsh_artifact=""; \
 	for lib in \
 	    $(addprefix "$(abs_builddir)/src/.libs"/,$(WOLFSSL_LIB_DSO_BASENAMES)) \
@@ -531,7 +533,8 @@ bomsh:
 	    if test -f "$$lib"; then bomsh_artifact="$$lib"; break; fi; \
 	done; \
 	if test -n "$$bomsh_artifact"; then \
-	    bomsh_artifact_gid=`$(PYTHON3) -c 'import hashlib,sys;d=open(sys.argv[1],"rb").read();h=hashlib.sha1();h.update(("blob %d\0"%len(d)).encode());h.update(d);print(h.hexdigest())' "$$bomsh_artifact"`; \
+	    cp "$$bomsh_artifact" '$(BOMSH_ARTEFACT_SNAPSHOT)'; \
+	    bomsh_artifact_gid=`$(PYTHON3) -c 'import hashlib,sys;d=open(sys.argv[1],"rb").read();h=hashlib.sha1();h.update(("blob %d\0"%len(d)).encode());h.update(d);print(h.hexdigest())' '$(BOMSH_ARTEFACT_SNAPSHOT)'`; \
 	    printf '%s\t%s\n' "$$bomsh_artifact" "$$bomsh_artifact_gid" \
 	        > '$(BOMSH_ARTEFACT_MANIFEST)'; \
 	fi
@@ -541,17 +544,18 @@ bomsh:
 	    echo "      The OmniBOR graph in $(BOMSH_OMNIBORDIR) is still produced."; \
 	    exit 0; \
 	fi; \
-	if test ! -f '$(BOMSH_ARTEFACT_MANIFEST)'; then \
+	if test ! -f '$(BOMSH_ARTEFACT_MANIFEST)' \
+	    || test ! -f '$(BOMSH_ARTEFACT_SNAPSHOT)'; then \
 	    echo "NOTE: no built libwolfssl artifact found in $(abs_builddir)/src/.libs/"; \
 	    echo "      OmniBOR graph produced; SPDX enrichment skipped."; \
 	    exit 0; \
 	fi; \
 	bomsh_artifact=`awk 'NR==1 {print $$1}' '$(BOMSH_ARTEFACT_MANIFEST)'`; \
-	echo "Enriching SPDX with OmniBOR ExternalRefs (artifact: $$bomsh_artifact)..."; \
+	echo "Enriching SPDX with OmniBOR ExternalRefs (artifact: $$bomsh_artifact, snapshot: $(BOMSH_ARTEFACT_SNAPSHOT))..."; \
 	$(BOMSH_SBOM) \
 	    -b '$(BOMSH_OMNIBORDIR)' \
 	    -i '$(abs_builddir)/$(SBOM_SPDX)' \
-	    -f "$$bomsh_artifact" \
+	    -f '$(BOMSH_ARTEFACT_SNAPSHOT)' \
 	    -s spdx-json \
 	    -O '$(abs_builddir)'
 
@@ -568,7 +572,7 @@ uninstall-bomsh:
 	-rm -rf '$(DESTDIR)$(bomshdir)/omnibor'
 	-rm -f '$(DESTDIR)$(bomshdir)/$(BOMSH_SPDX_OUT)'
 
-CLEANFILES += $(BOMSH_RAWLOG) $(BOMSH_RAWLOG_BASE).sha256 $(BOMSH_CONF) $(BOMSH_SPDX_OUT) $(BOMSH_ARTEFACT_MANIFEST)
+CLEANFILES += $(BOMSH_RAWLOG) $(BOMSH_RAWLOG_BASE).sha256 $(BOMSH_CONF) $(BOMSH_SPDX_OUT) $(BOMSH_ARTEFACT_MANIFEST) $(BOMSH_ARTEFACT_SNAPSHOT)
 
 # Hook SBOM/Bomsh cleanup into `make uninstall` so packagers don't leave
 # stale artefacts behind after install-sbom/install-bomsh.  uninstall-sbom