Document manifest for PowerShell packages

[TravisEz13]

Summary of the new document or enhancement

• List of articles that need to be updated:

• New articles that need to be created:

• Link(s) to related code PR(s) in the PowerShell/PowerShell repo:
  Add Software Bill of Materials to the main packages PowerShell/PowerShell#16202

• Link(s) to related issue(s) in the PowerShell/PowerShell repo:

Description of what changed

All 7.2 packages should have a _manifest\spdx_2.2\manifest.spdx.json in them which has a sha1 and sha256 hash of all files. This can be used to verify the integrity of a package.

the spec for the format is here:
https://spdx.github.io/spdx-spec/introduction/

[sdwheeler]

• What does the end user need to know about this manifest?
• How do they use it?
• Why do they care?
• Does it get installed on the system? If so, where?

[TravisEz13]

• What does the end user need to know about this manifest?
  • It's available
  • It's in this format: https://spdx.github.io/spdx-spec/introduction/
  • Work to sign the JSON is pending
• How do they use it?
  • No solution to use it is currently provided
• Why do they care?
  • See: https://www.linuxfoundation.org/blog/spdx-its-already-in-use-for-global-software-bill-of-materials-sbom-and-supply-chain-security/
  • TL;DR: It provides the ability to verify the integrity
• Does it get installed on the system? If so, where?
  • In container packages such as zip and tar.gz packages it is in _manifest\spdx_2.2\manifest.spdx.json
  • In MSI, MSIX and other installers we will follow system standards as those become available. Until then, we will install in the same location as container packages.

[sdwheeler]

Public blog post - https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/