The OCM library supports a set of attributes, which can be used to influence the behaviour of various functions. The CLI also supports setting of those attributes using the config file (see ocm configfile) or by command line options of the main command (see ocm).

The following options are available in the currently used version of the OCM library:

  • logconfig Logging config structure used for config forwarding

    This attribute is used to specify a logging configuration intended to be forwarded to other tools. (For example: TOI passes this config to the executor)

  • [cache]: string

    Filesystem folder to use for caching OCI blobs

  • [compat]: bool

    Compatibility mode: Avoid generic local access methods and prefer type specific ones.

  • JSON

    Preferred hash algorithm to calculate resource digests. The following digesters are supported:

    • SHA-256 (default)
    • SHA-512
  • [keeplocalblob]: bool

    Keep local blobs when importing OCI artifacts to OCI registries from localBlob access methods. By default, they will be expanded to OCI artifacts with the access method ociRegistry. If this option is set to true, they will be stored as local blobs, also. The access method will still be localBlob but with a nested ociRegistry access method for describing the global access.

  • [mapocirepo]: bool|YAML

    When uploading an OCI artifact blob to an OCI based OCM repository and the artifact is uploaded as OCI artifact, the repository path part is shortened, either by hashing all but the last repository name part or by executing some prefix based name mappings.

    If a boolean is given the short hash or none mode is enabled. The YAML flavor uses the following fields:

    • mode string: hash, shortHash, prefixMapping or none. If unset, no mapping is done.
    • prefixMappings: map[string]string repository path prefix mapping.
    • prefix: string repository prefix to use (replaces potential sub path of OCM repo). or none.
    • prefixMapping: map[string]string repository path prefix mapping.


    • The mapping only occurs in transfer commands and only when transferring to OCI registries (e.g. when transferring to a CTF archive this option will be ignored).
    • The mapping only happens for local resources. When external image references are transferred (with option –copy-resources) the mapping will be ignored.
    • The mapping in mode prefixMapping requires a full prefix of the composed final name. Partial matches are not supported. The host name of the target will be skipped.
    • The artifact name of the component-descriptor is not mapped.
    • If the mapping is provided on the command line it must be JSON format and needs to be properly escaped (see example below).


    Assume a component named and a chart name echo in the Charts.yaml of the chart archive. The following input to a resource.yaml creates a component version:

    name: mychart
    type: helmChart
      type: helm
      path: charts/mychart.tgz
    name: myimage
    type: ociImage
    version: 0.1.0
      type: ociImage
      repository: ocm/

    The following command:

    ocm "-X mapocirepo={\"mode\":\"mapping\",\"prefixMappings\":{\"acme/\":\"acme/cli\", \"acme/\":\"acme/mychart\"}}" transfer ctf -f --copy-resources ./ctf

    will result in the following artifacts in


    Note that the host name part of the transfer target is excluded from the prefix but the path acme is considered.

    The same using a config file .ocmconfig:

    - type:
    	  mode: mapping
    	    acme/\_org/myexamplewithalongname/ocm/ acme/cli
    		acme/\_org/myexamplewithalongnameabc123: acme/mychart
    ocm transfer ca -f --copy-resources ./ca
  • [ociuploadrepo]: oci base repository ref

    Upload local OCI artifact blobs to a dedicated repository.

  • [plugindir]: plugin directory

    Directory to look for OCM plugin executables.

  • JSON

    General root certificate settings given as JSON document with the following format:

      "rootCertificates"": [
           "data": ""<base64>"
           "path": ""<file path>"

    One of following data fields are possible:

    • data: base64 encoded binary data
    • stringdata: plain text data
    • path: a file path to read the data from
  • JSON

    Public and private Key settings given as JSON document with the following format:

      "publicKeys"": [
         "<provider>": {
           "data": ""<base64>"
      "privateKeys"": [
         "<provider>": {
           "path": ""<file path>"

    One of following data fields are possible:

    • data: base64 encoded binary data
    • stringdata: plain text data
    • path: a file path to read the data from
  • [blobcache]: string Foldername for temporary blob cache

    The temporary blob cache is used to accessing large blobs from remote sytems. The are temporarily stored in the filesystem, instead of the memory, to avoid blowing up the memory consumption.

  • [compositionmode]: bool (default: false

    Composition mode decouples a component version provided by a repository implemention from the backened persistence. Added local blobs will and other changes witll not be forwarded to the backend repository until an AddVersion is called on the component. If composition mode is disabled blobs will directly be forwarded to the backend and descriptor updated will be persisted on AddVersion or closing a provided existing component version.

  • [sigstore]: sigstore config Configuration to use for sigstore based signing.

    The following fields are used.

    • fulcioURL string default is
    • rekorURL string default is
    • OIDCIssuer string default is
    • OIDCClientID string default is sigstore

See Also