Sign sbom-tool releases
Would be nice to be able to verify that releases of sbom-tool are built by CI, by using e.g. sigstore to sign the binaries.
Issue Analytics
- State: (not recorded)
- Created: a year ago
- Reactions: 1
- Comments: 10 (1 by maintainers)
Apologies for a little miscommunication. Right now only the Windows binary is signed, and we're working on providing integrity validation for the rest of the binaries and the SBOM files. Release assets are going to be produced in the private pipeline from now on and will be signed by Microsoft certificates.

I'll keep this open until we figure out the signing process for the Unix binaries.

@cmaclaughlin to clarify: releases of this tool should be signed.