QSBOM

Quantum-Safe Build Attestation

What is QSBOM?

QSBOM creates quantum-safe build attestations for your software supply chain. It hashes your SBOM and build artifacts with SHA3-256, computes a Merkle Root, and stamps it on QAN Blockchain.

You get a tamper-proof, verifiable record that your build is exactly what you shipped. Useful for NIS2 compliance, supply chain security, and audit trails.

Privacy by Design — No data is stored on our servers. Only the Merkle Root hash goes on-chain. Your project name, files, and metadata never leave your CI/CD pipeline.

How it works

Your CI/CD ──► sbom.qverax.eu/attest ──► QSTAMP ──► QAN Blockchain
                        │                                 │
                        ├── SHA3-256 hashes all artifacts  └── SHA3 + Dilithium (PQC)
                        ├── Merkle Root over SBOM + hashes
                        └── Returns build_hash
  1. You send your SBOM + build artifacts (or pre-computed hashes) to sbom.qverax.eu
  2. QSBOM hashes everything with SHA3-256, computes a Merkle Root
  3. The Merkle Root is stamped on QAN Blockchain
  4. You get back a build_hash for verification
  5. To verify: re-submit the same data — same inputs produce the same hash

You never interact with the blockchain. Our relayer handles all on-chain transactions. No account, no wallet, no API key needed.

Quick Start — curl

# Attest with SBOM + artifacts
curl -X POST https://sbom.qverax.eu/attest/upload \
  -F "project=acme/payment-service" \
  -F "version=v2.4.1" \
  -F "git_commit=a3f7b2c" \
  -F "sbom=@sbom.cdx.json" \
  -F "artifacts=@dist/app.tar.gz" \
  -F "memo=Release v2.4.1"

# Attest with pre-computed hashes (no file upload)
curl -X POST https://sbom.qverax.eu/attest \
  -H "Content-Type: application/json" \
  -d '{
    "project": "acme/payment-service",
    "version": "v2.4.1",
    "git_commit": "a3f7b2c9",
    "artifact_hashes": {
      "app-linux-amd64": "<sha3-256>",
      "app-darwin-arm64": "<sha3-256>"
    }
  }'

GitHub Actions

Full workflow — generates SBOM, attests build, shows result in job summary:

# .github/workflows/qsbom.yml
name: QSBOM Build Attestation
on:
  push:
    branches: [main]

jobs:
  attest:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4

      - name: Generate SBOM (optional)
        uses: anchore/sbom-action@v0
        with:
          format: cyclonedx-json
          output-file: sbom.json

      - name: Attest Build
        run: |
          HTTP_CODE=$(curl -s -w "%{http_code}" \
            -o /tmp/qsbom.json \
            -X POST https://sbom.qverax.eu/attest/upload \
            -F "project=${{ github.repository }}" \
            -F "version=${{ github.ref_name }}" \
            -F "git_commit=${{ github.sha }}" \
            -F "memo=Release ${{ github.ref_name }}" \
            -F "sbom=@sbom.json")

          python3 -m json.tool /tmp/qsbom.json

          if [ "$HTTP_CODE" = "200" ] || \
             [ "$HTTP_CODE" = "201" ]; then
            BUILD_HASH=$(python3 -c "import json; \
              print(json.load(open('/tmp/qsbom.json'))\
              .get('build_hash',''))")
            echo "BUILD_HASH=$BUILD_HASH" >> "$GITHUB_ENV"
            {
              echo "## QSBOM Attestation"
              echo "- **Hash:** \`$BUILD_HASH\`"
              echo "- **Verify:** https://sbom.qverax.eu/verify/$BUILD_HASH"
            } >> "$GITHUB_STEP_SUMMARY"
          else
            echo "::warning::QSBOM: HTTP $HTTP_CODE"
          fi

      # Optional: annotate commit with build hash
      - name: Git Notes
        if: env.BUILD_HASH != ''
        run: |
          git config user.name "github-actions[bot]"
          git config user.email \
            "github-actions[bot]@users.noreply.github.com"
          git fetch origin "refs/notes/*:refs/notes/*" \
            || true
          git notes add -m "qsbom: $BUILD_HASH" \
            ${{ github.sha }} || \
            git notes append -m "qsbom: $BUILD_HASH" \
            ${{ github.sha }}
          git push origin refs/notes/commits || true

Verify

# Check if hash exists on-chain
curl https://sbom.qverax.eu/verify/<build_hash>

# Or re-submit the same data to re-compute and verify
curl -X POST https://sbom.qverax.eu/verify \
  -H "Content-Type: application/json" \
  -d '{"project":"acme/my-app","version":"v2.4.1",
       "artifact_hashes":{"app":"..."}}'
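The pre-computed-hash flow from Quick Start and both verification paths above, as an added example that is not QSBOM's own code: it streams each artifact through SHA3-256, builds the JSON body for POST /attest with the field names shown on this page, and reuses the identical body for POST /verify (same inputs produce the same hash) or a saved build_hash for GET /verify/{hash}. The Merkle construction in merkle_root is an assumption for illustration only; the page does not specify the service's tree layout, so that root will not equal a real build_hash. The sample artifacts are constructed in a temporary directory.

```python
"""Added example (not QSBOM's own code): SHA3-256 artifact hashing, the
pre-computed-hash payload for POST /attest, and re-verification against
POST /verify and GET /verify/{hash}. Endpoint paths and JSON field names are
taken from the page; merkle_root is an ASSUMED construction for illustration
and does not reproduce the service's build_hash."""
import hashlib
import json
import tempfile
import urllib.request
from pathlib import Path

BASE_URL = "https://sbom.qverax.eu"  # service URL from the page


def sha3_256_bytes(data: bytes) -> str:
    """Hex SHA3-256 (FIPS 202) of an in-memory byte string."""
    return hashlib.sha3_256(data).hexdigest()


def sha3_256_file(path) -> str:
    """Stream a file through SHA3-256 so large artifacts never sit in RAM."""
    h = hashlib.sha3_256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_artifacts(paths) -> dict:
    """Map artifact file name -> hex SHA3-256, inserted in sorted-name order so
    the JSON payload is byte-for-byte reproducible (same inputs, same hash)."""
    return {Path(p).name: sha3_256_file(p)
            for p in sorted(paths, key=lambda p: Path(p).name)}


def build_payload(project, version, git_commit, artifact_hashes) -> dict:
    """Body for POST /attest and POST /verify (field names from the page)."""
    return {"project": project, "version": version,
            "git_commit": git_commit, "artifact_hashes": artifact_hashes}


def merkle_root(leaf_hex) -> str:
    """ASSUMED construction for illustration: binary SHA3-256 Merkle tree over
    sorted leaf digests, duplicating the last node on odd levels."""
    level = [bytes.fromhex(h) for h in sorted(leaf_hex)]
    if not level:
        return sha3_256_bytes(b"")
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha3_256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


def _post_json(path, payload, timeout=30):
    """POST a JSON body to BASE_URL + path and decode the JSON response."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def attest(payload):
    """POST /attest with pre-computed hashes; returns the decoded response."""
    return _post_json("/attest", payload)


def verify_by_resubmit(payload):
    """POST /verify with the identical payload: same inputs, same hash."""
    return _post_json("/verify", payload)


def verify_by_hash(build_hash, timeout=30):
    """GET /verify/{hash}: checks whether a saved build_hash exists on-chain."""
    url = f"{BASE_URL}/verify/{build_hash}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def demo():
    """Constructed sample artifacts in a temp dir; returns the payload plus the
    illustrative root before and after a one-byte change to one artifact."""
    with tempfile.TemporaryDirectory() as d:
        linux = Path(d, "app-linux-amd64")
        darwin = Path(d, "app-darwin-arm64")
        linux.write_bytes(b"constructed linux binary")
        darwin.write_bytes(b"constructed darwin binary")
        hashes = hash_artifacts([str(linux), str(darwin)])
        payload = build_payload("acme/payment-service", "v2.4.1",
                                "a3f7b2c9", hashes)
        root = merkle_root(hashes.values())
        darwin.write_bytes(b"constructed darwin binary!")  # one extra byte
        tampered = merkle_root(
            hash_artifacts([str(linux), str(darwin)]).values())
    return payload, root, tampered


if __name__ == "__main__":
    payload, root, tampered = demo()
    print(json.dumps(payload, indent=2))  # usable as the curl -d body
    print("illustrative root:", root)
    print("after tamper:     ", tampered)  # any changed byte changes the root
```

Hashing locally and sending only digests keeps the artifacts inside your pipeline, which is the privacy property the page describes; the sorted insertion order in hash_artifacts is what makes a later re-submission produce an identical body without relying on a saved copy of the original request.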

Example Response

{
  "status": "attested",
  "build_hash": "428cc8382ee36dc1...a5db2bb",
  "tx_hash": "0x8929de53f4654895...18f63b",
  "block_number": 597943,
  "stamped_at": "2026-03-12T22:03:38+00:00",
  "verify_url": "https://sbom.qverax.eu/verify/428cc83...",
  "sbom": { "format": "CycloneDX", "components": 142 },
  "artifact_count": 3
}

Save your build hash

No data is stored on our servers. Save the build_hash for instant future verification:

  • Git Notes — git notes add -m "qsbom: $HASH" — visible via git log --show-notes
  • Release Notes — include hash + verify URL in your GitHub Release

Even without the hash, you can always re-verify by re-submitting the same data.

Memo

Optional plaintext stored in the blockchain transaction (visible on the block explorer). Use for labels like "Release v2.4.1". Do not include confidential information.

Supported SBOM Formats

Format      Versions
CycloneDX   1.4, 1.5, 1.6
SPDX        2.2, 2.3

API Reference

Endpoint         Method   Description
/attest          POST     JSON attestation (pre-computed hashes)
/attest/upload   POST     File upload (SBOM + artifacts)
/verify/{hash}   GET      Check hash on-chain
/verify          POST     Re-submit data to verify
/health          GET      Service health
/docs            GET      OpenAPI docs

NIS2 Compliance

NIS2 Article    Requirement                   QSBOM Coverage
Art. 21(2)(d)   Supply chain security         SBOM integrity attestation
Art. 21(2)(e)   Security in IT acquisition    Build artifact integrity
Art. 21(2)(h)   Cryptography                  SHA3-256 + Dilithium

Post-Quantum — SHA3-256 (NIST FIPS 202) + CRYSTALS-Dilithium block signing (NIST FIPS 204) on QAN Blockchain. Secured at consensus level.

Verification Result

On-chain verification — checks if the hash exists on the QAN Blockchain. To prove a specific build produced this hash, re-submit the same data via the API.