OpenChain-Project / Telco-WG

This is the OpenChain Telco Work Group

Questions About Generating Component Checksums for SPDX Compliance #118

Open agustingroh opened 2 weeks ago

agustingroh commented 2 weeks ago

Hello,

Our team is developing a tool to produce a valid SPDX output that complies with the OpenChain Telco Guide.

We have some questions about the checksums field:

  1. How can we obtain the checksum for each component?
  2. What should we do for components that are custom-created or not hosted on GitLab or GitHub? How can we generate their checksum?

Regards, Agustin

vargenau commented 2 days ago

Hi @agustingroh, you will find some information on how to compute the checksum in https://github.com/spdx/spdx-spec/blob/support/2.3.1/chapters/how-to-use.md#k3-verifying-spdx-packages. In any case, you will need some access to the package code to be able to compute the checksum.

I will include this topic in our next meeting of the OpenChain Telco work group in December. You are welcome to join.
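
As an added example (not part of the thread and not OpenChain or SPDX project code): one way to compute the values locally with the Python standard library, whether or not the component is hosted on GitHub or GitLab. It goes beyond the checksums field by also computing the SPDX 2.3 package verification code for a source tree that has no single archive to hash; the function names are hypothetical, and skipping symlinks is an assumption.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha256", chunk=1 << 20):
    """Stream a file through hashlib so large archives are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def package_checksum_lines(archive_path, algos=("sha1", "sha256")):
    """SPDX 2.3 tag-value PackageChecksum lines for the package archive as distributed."""
    return [f"PackageChecksum: {a.upper()}: {file_digest(archive_path, a)}" for a in algos]

def package_verification_code(root, excludes=()):
    """SPDX 2.3 package verification code for an unpacked source tree:
    SHA1 each file, sort the hex digests, concatenate them, SHA1 the result."""
    digests = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Assumption: symlinks are skipped; excludes holds paths relative to
            # root (for example an SPDX document stored inside the package).
            if rel in excludes or os.path.islink(path):
                continue
            digests.append(file_digest(path, "sha1"))
    return hashlib.sha1("".join(sorted(digests)).encode("ascii")).hexdigest()

if __name__ == "__main__":
    # Constructed sample: a one-file source tree and a stand-in archive.
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "src"))
        with open(os.path.join(d, "src", "main.c"), "wb") as f:
            f.write(b"int main(void) { return 0; }\n")
        archive = os.path.join(d, "component.tar.gz")
        with open(archive, "wb") as f:
            f.write(b"constructed archive bytes, not a real tarball")
        print("\n".join(package_checksum_lines(archive)))
        print("PackageVerificationCode:", package_verification_code(os.path.join(d, "src")))
```

The archive checksum is only reproducible if it is taken over the exact bytes that are shipped, so hash the delivered file rather than a re-packed copy.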