mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 16:33:21 +01:00
* feat: expose rpm signature information

  This helps with more confident identification of an rpm. In theory, two rpms can be built that have the same purl string, and otherwise look identical in syft's output, but the PGP information would distinguish them as signed either by different keys, or signed at different times. In practice, this usually makes no difference since rpms tend to have unique name/version/release strings. This just gives increased confidence about the identity of the rpm found in the db.

  Signed-off-by: Ralph Bean <rbean@redhat.com>

* chore: generate json schema

  Signed-off-by: Ralph Bean <rbean@redhat.com>

* re-generate json schema

  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* rename to a more generic signature field

  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* rename rpm.pgp to rpm.signatures

  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* split out signature fields

  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* bump json schema

  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* include RPM archives

  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update json schema

  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* don't fail on unknown signature type

  Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Ralph Bean <rbean@redhat.com>
Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>
Co-authored-by: Alex Goodman <wagoodman@users.noreply.github.com>
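The identity argument in the first commit, worked through as an added Go example that is not syft's own code: two rpm records with the same name/version/release/arch collapse to one purl, but once the signature's issuer key id and creation time are folded into the identity they are told apart. The `RpmRecord` and `RpmSignature` types, the `IdentityKey` function and the key ids and timestamps are all constructed for this illustration, not syft's schema or real signatures.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// RpmRecord is a constructed, simplified stand-in for an rpm entry in an SBOM;
// it is not syft's own type. Only the fields the example needs are kept.
type RpmRecord struct {
	Name       string
	Version    string
	Release    string
	Arch       string
	Signatures []RpmSignature
}

// RpmSignature holds the two attributes the commit message calls out as
// distinguishing: who signed (the issuer key id) and when (creation time).
type RpmSignature struct {
	IssuerKeyID string
	Created     string
}

// Purl builds the package URL from name/version/release/arch. Two rpms with
// identical NVRA produce identical purls regardless of how they were signed.
func Purl(r RpmRecord) string {
	return fmt.Sprintf("pkg:rpm/%s@%s-%s?arch=%s", r.Name, r.Version, r.Release, r.Arch)
}

// IdentityKey (hypothetical helper) extends the purl with the sorted set of
// (key id, created) pairs, so identically named packages signed by different
// keys, or at different times, no longer collapse into one identity.
func IdentityKey(r RpmRecord) string {
	sigs := make([]string, 0, len(r.Signatures))
	for _, s := range r.Signatures {
		sigs = append(sigs, s.IssuerKeyID+"@"+s.Created)
	}
	sort.Strings(sigs) // order-independent: the same set always yields the same key
	return Purl(r) + "#" + strings.Join(sigs, ",")
}

// SameArtifact reports whether two records are indistinguishable once
// signature information is taken into account.
func SameArtifact(a, b RpmRecord) bool {
	return IdentityKey(a) == IdentityKey(b)
}

// Two constructed records with placeholder key ids and timestamps: same NVRA,
// hence the same purl, but signed by different keys at different times.
var (
	Official = RpmRecord{"bash", "5.2.15", "3.el9", "x86_64",
		[]RpmSignature{{"PLACEHOLDER-KEY-A", "2024-01-01T00:00:00Z"}}}
	Rebuilt = RpmRecord{"bash", "5.2.15", "3.el9", "x86_64",
		[]RpmSignature{{"PLACEHOLDER-KEY-B", "2024-06-01T00:00:00Z"}}}
)

func main() {
	fmt.Println("purl:           ", Purl(Official))
	fmt.Println("purl equal:     ", Purl(Official) == Purl(Rebuilt))
	fmt.Println("identity equal: ", SameArtifact(Official, Rebuilt))
}
```

Matching on purl alone reports the two records as the same package; matching on the signature-extended key reports them as different artifacts, which is the extra confidence the commit describes. A record with no signatures simply keeps its bare purl as its identity, so the check degrades to today's behaviour rather than failing.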