Sign and Verify on Open Component Model

Generate Signing Keys

Mon, 01 Jan 0001 00:00:00 +0000

Goal

Generate an RSA key pair that can be used to sign and verify OCM component versions.

You’ll end up with

A private key file for signing component versions
A public key file for sharing with consumers who need to verify signatures

Estimated time: ~2 minutes

Configure Credentials for Signing

Mon, 01 Jan 0001 00:00:00 +0000

Set up credential configuration so OCM can find your signing keys when signing or verifying component versions.

You’ll end up with

A configured .ocmconfig file that OCM uses to locate your signing keys
Ability to sign and verify component versions without specifying key paths manually

Estimated time: ~3 minutes

Sign Component Versions

Mon, 01 Jan 0001 00:00:00 +0000

Goal

Sign a component version to certify its authenticity and enable downstream verification. OCM supports multiple signing algorithms. Pick the tab that matches the algorithm you want to use — each tab is a self-contained walkthrough.

Verify Component Versions

Mon, 01 Jan 0001 00:00:00 +0000

Goal

Validate a component version signature to ensure it is authentic and has not been tampered with. OCM supports multiple verification algorithms. Pick the tab that matches the algorithm the signature was made with — each tab is a self-contained walkthrough.