A software bill of materials (SBOM) is a list of components that make up a software product. Almost all software products use a combination of open-source and commercial software components from third-party vendors. Because each element has potential security implications, awareness of these sometimes hidden components is critical to understanding any software's current and future cybersecurity vulnerabilities.
Replicated has been delivering SBOMs alongside every KOTS, kURL, and Troubleshoot release for some time now. We have recently updated our documentation and processes to make it easier to validate SBOMs on releases.
Regardless of whether you're using KOTS, kURL, or Troubleshoot, we have grouped the detailed SBOM validation directions into a single source in the documentation.
Generally speaking, you can download the SBOM, the public key, and the signature from the respective release for all three products. Once you have the files locally, a cosign verify-blob command will allow you to verify the signature.
For example, when verifying the KOTS release, your command will look like the following:
```
cosign verify-blob --key sbom/key.pub --signature sbom/kots-sbom.tgz.sig sbom/kots-sbom.tgz
```
You may have noticed that we are using the Cosign command from the Sigstore project. This is because we are big proponents of Sigstore and employ tools that help to create greater trust in the software supply chain.
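As an added example (not taken from Replicated's documentation), here is the same check wrapped in a fail-closed shell function that unpacks the SBOM archive only after `cosign verify-blob` succeeds. The function names and the optional key fingerprint pin are assumptions introduced here; the file names follow the KOTS command above.

```bash
#!/usr/bin/env bash
# Added example: fail-closed wrapper around the cosign verify-blob call above.
# File names match the KOTS example. The key pin is a hypothetical value that
# you record yourself when you first obtain key.pub through a channel you trust.

# sha256_of FILE -> prints the hex SHA-256 digest of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sbom DIR NAME [EXPECTED_KEY_SHA256]
# Returns 0 only if every input exists, the key matches the pin (when given),
# and cosign accepts the signature. 1 = bad signature, 2 = missing file,
# 3 = key does not match the pin.
verify_sbom() {
  local dir="$1" name="$2" pin="${3:-}"
  local key="$dir/key.pub" blob="$dir/$name" sig="$dir/$name.sig"
  local f
  for f in "$key" "$sig" "$blob"; do
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 2; }
  done
  if [ -n "$pin" ] && [ "$(sha256_of "$key")" != "$pin" ]; then
    echo "key.pub does not match the pinned fingerprint" >&2
    return 3
  fi
  cosign verify-blob --key "$key" --signature "$sig" "$blob" || {
    echo "signature verification failed for $blob" >&2
    return 1
  }
}

# unpack_verified_sbom DIR NAME OUT [EXPECTED_KEY_SHA256]
# Extracts the SBOM archive into OUT only after verification succeeds.
unpack_verified_sbom() {
  local dir="$1" name="$2" out="$3" pin="${4:-}"
  verify_sbom "$dir" "$name" "$pin" || return $?
  mkdir -p "$out" && tar -xzf "$dir/$name" -C "$out"
}

# Usage: unpack_verified_sbom sbom kots-sbom.tgz sbom/unpacked "$EXPECTED_KEY_SHA256"
```

Pinning the key matters because a key downloaded from the same location as the SBOM and its signature only shows that the three files are consistent with each other.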