SBOMs report all-zero SHA1 hash for release binaries

[hidde-jan]

Description

When inspecting the SBOMs attached to the latest release of rekor, the reported SHA1 hashes are all-zero. For example:

{
  //...
    "files": [
        {
            "fileName": "/rekor-cli-linux-amd64",
            "SPDXID": "SPDXRef-File-rekor-cli-linux-amd64-364aab0fbaf403d4",
            "checksums": [
                {
                    "algorithm": "SHA1",
                    "checksumValue": "0000000000000000000000000000000000000000"
                }
            ],
            "licenseConcluded": "NOASSERTION",
            "copyrightText": ""
        }
    ],
  //...
}

A quick inspection seems to indicate these SBOMs are generated by goreleaser.

Ideally, the sbom would include a proper hash of the binary.

Version

Not applicable

[haydentherapper]

@cpanato any idea why? At a glance at documentation, I don’t see anything about configuring checksums

[cpanato]

I've reproduced the issue, and it is not in the goreleaser, it is in the syft tool that is used to generate the sbom

and seems there is an issue already for this anchore/syft#2307