Software Bill of Materials — SPDX + CycloneDX
Killinchu ships a machine-readable SBOM in both SPDX and CycloneDX JSON, generated by Syft on every push and tag, then cosign-signed. This is the supply-chain transparency primitive required for UDS Core / Big Bang onboarding and aligned to NIST SP 800-218 (SSDF).
How the SBOM is produced (committed CI)
The pipeline .github/workflows/sbom.yml runs Syft to emit both formats,
runs a Trivy vulnerability scan, uploads both SBOMs as build artifacts, and attaches them to
every tagged release. Cosign signs the CycloneDX SBOM when the signing key is present —
no Fulcio/Rekor egress required for the blob signature (air-gap friendly).
syft scan dir:. -o cyclonedx-json=sbom.cyclonedx.json syft scan dir:. -o spdx-json=sbom.spdx.json trivy fs --format table . cosign sign-blob --key cosign.pub sbom.cyclonedx.json > sbom.cyclonedx.json.sig
Verify the SBOM (judge-reproducible)
cosign verify-blob \ --key szlholdings-cosign.pub \ --signature sbom.cyclonedx.json.sig \ sbom.cyclonedx.json # -> Verified OK
Public signing key fingerprint a4d73120c312d94bdd6cbdfa6f3d629cfff4b85e7addde5f9c3fd4c02341eb30 (keyid szlholdings-cosign,
ECDSA-P256-SHA256). The same key signs the air-gap bundle (see
/uds/sigstore) and every flagship /khipu/pubkey surface.
Live SBOM-diff endpoint
The Space exposes a deterministic package-level SBOM diff between release tags:
/api/killinchu/uds/v1/sbom/diff/v10/v11 (public, HTTP 200).
Verifiable evidence
- SBOM CI pipeline (concept): uds-bundles/.github/workflows/sbom.yml
- Public signing key: cosign.pub · checksum manifest bundle.tar.zst.sha256
- Release proof (all values executed, not asserted): releases/szl-warhacker-uds-v1.0.0/PROOF.md
- Live diff endpoint: /api/killinchu/uds/v1/sbom/diff/v10/v11
- Standard: NIST SP 800-218 Secure Software Development Framework