Verify Component Versions

Goal

Validate a component version signature to ensure it is authentic and has not been tampered with. OCM supports multiple verification algorithms. Pick the tab that matches the algorithm the signature was made with β€” each tab is a self-contained walkthrough.

Verify an RSA signature using the matching public key configured in .ocmconfig.

To run this you need the signer’s public key on disk and pointed at by .ocmconfig (see prerequisites). With Sigstore (other tab) you don’t install a public key at all β€” you just declare which identity you trust.

You’ll end up with

  • Confidence that a component version is authentic and hasn’t been tampered with

Estimated time: ~3 minutes

Prerequisites

Steps

  1. Verify the component version

    Run the verify command against your signed component:

    ocm verify cv <repository>//<component>:<version>

    Local CTF Archive:

    ocm verify cv /tmp/helloworld/transport-archive//github.com/acme.org/helloworld:1.0.0

    Remote OCI Registry:

    ocm verify cv ghcr.io/<your-namespace>//github.com/acme.org/helloworld:1.0.0
    Expected output
    time=2025-11-19T15:58:22.431+01:00 level=INFO msg="verifying signature" name=default
time=2025-11-19T15:58:22.435+01:00 level=INFO msg="signature verification completed" name=default duration=4.287541ms
time=2025-11-19T15:58:22.435+01:00 level=INFO msg="SIGNATURE VERIFICATION SUCCESSFUL"

    The command exits with status code 0 on success.

  2. Verify a specific signature (optional)

    If the component has multiple signatures, specify which one to verify:

    ocm verify cv --signature prod ghcr.io/<your-namespace>//github.com/acme.org/helloworld:1.0.0

    πŸ‘‰ Without the --signature flag, OCM uses the configuration named default.

  3. List available signatures (optional)

    View all signatures in a component version:

    ocm get cv ./tmp/helloworld/transport-archive//github.com/acme.org/helloworld:1.0.0 -o yaml | grep -A 10 signatures:

Troubleshooting (RSA)

Symptom: “signature verification failed”

Cause: Public key doesn’t match the signing private key, or the component was modified after signing.

Fix: Ensure you’re using the correct public key that corresponds to the private key used for signing:

# Check which signature names exist
ocm get cv /tmp/helloworld/transport-archive//github.com/acme.org/helloworld:1.0.0 -o yaml | grep -A 3 "signatures:"

# Verify with the correct signature name
ocm verify cv --signature <name> /tmp/helloworld/transport-archive//github.com/acme.org/helloworld:1.0.0

Symptom: “no public key found”

Cause: OCM cannot find a matching verification configuration in .ocmconfig.

Fix: Ensure your .ocmconfig has a consumer entry with the matching signature name and public_key_pem_file path.

See Configure Signing Credentials.

Symptom: “invalid key format”

Cause: The public key file is not in PEM format.

Fix: Verify the key starts with -----BEGIN PUBLIC KEY-----:

head -n 1 /tmp/keys/public-key.pem

Verify a Sigstore keyless signature. There’s no public key to install on this side either β€” you tell OCM which identity you trust, and it checks the signature was made by that identity.

If you’ve done classical key-based verification, here’s what changes:

AspectRSASigstore
Before you verifyObtain the signer’s public key, configure .ocmconfigNothing β€” declare expected identity in a verifier spec file
What proves trustSignature decrypts with the public key you haveSignature ties back to an OIDC identity you’ve decided to trust
Key rotation problemYou re-distribute the new public keyDoesn’t apply β€” there’s no long-lived key

Mental model: instead of asking “does this signature match the public key I was handed?” you ask “was this signed by jane.doe@example.com logging in via GitHub?” The verifier only needs to know who to trust.

You’ll end up with

  • Confidence that a component version was signed by an identity you trust

Estimated time: ~3 minutes

Prerequisites

Want the full picture of how Sigstore verification works behind the scenes (Fulcio certificate validation, Rekor inclusion proofs, TUF trust roots)? A dedicated Sigstore tutorial is in the works. For now, ADR 0017: Sigstore Integration covers the design.

Steps

  1. Declare which identity you trust

    In Sigstore, the verifier’s only job is to decide whose signatures to accept. You do that with a small spec file.

    Two values matter:

    • certificateIdentity β€” the email or workload identity of whoever signed (e.g. jane.doe@example.com)
    • certificateOIDCIssuer β€” which OIDC provider they logged in with (e.g. GitHub vs. Google β€” both could have a jane.doe@example.com)

    Create sigstore-verify.yaml:

    # sigstore-verify.yaml
type: SigstoreVerificationConfiguration/v1alpha1
certificateOIDCIssuer: https://github.com/login/oauth
certificateIdentity: jane.doe@example.com

    That’s the entire trust configuration. No public key to fetch, no certificate to install.

    Pick the right certificateOIDCIssuer value

    On public Sigstore (oauth2.sigstore.dev), the issuer recorded in the signing certificate is the upstream identity provider’s issuer URL β€” not the Sigstore Dex endpoint. Pick the one matching the provider the signer logged in with:

    Signer logged in viacertificateOIDCIssuer value
    Googlehttps://accounts.google.com
    GitHubhttps://github.com/login/oauth
    Microsofthttps://login.microsoftonline.com

    Both certificateOIDCIssuer and certificateIdentity are required. They’re what makes the signature meaningful β€” without them you’d be accepting any Sigstore signature from anyone.

  2. Verify the component version

    Run the verify command with the verifier spec:

    ocm verify cv \
  --verifier-spec ./sigstore-verify.yaml \
  /tmp/helloworld/transport-archive//github.com/acme.org/helloworld:1.0.0
    ocm verify cv \
  --verifier-spec ./sigstore-verify.yaml \
  ghcr.io/<my-namespace>//github.com/acme.org/helloworld:1.0.0
    Expected output
    time=2026-05-19T18:49:13.316+02:00 level=INFO msg="verifying signature" name=default
time=2026-05-19T18:49:13.856+02:00 level=INFO msg="signature verification completed" name=default duration=539.512209ms
time=2026-05-19T18:49:13.856+02:00 level=INFO msg="SIGNATURE VERIFICATION SUCCESSFUL"

  3. Verify a specific signature

    If the component carries multiple signatures (e.g. an RSA signature and a Sigstore signature), select one with --signature:

    ocm verify cv \
  --verifier-spec ./sigstore-verify.yaml \
  --signature sigstore \
  ghcr.io/<your namespace>//github.com/acme.org/helloworld:1.0.0

    The verifier spec’s type field decides which verifier handles the signature. The --signature flag picks which signature on the component to verify.

Inspect the recorded identity (optional)

If verification fails because of an identity mismatch, you can read the identity directly from the signature to see what to put in your spec:

ocm get cv /tmp/helloworld/transport-archive//github.com/acme.org/helloworld:1.0.0 -o yaml \
  | yq '.[0].signatures[] | select(.signature.algorithm == "sigstore")'

Look for the signer email and the OIDC issuer URL. Those are exactly what certificateIdentity and certificateOIDCIssuer are matched against.

Troubleshooting

Symptom: “no matching CertificateIdentity found”

Cause: The signature was made by a different identity than what your spec expects β€” or the same identity but via a different OIDC provider.

The full error names which side did not match. For an identity mismatch:

Error: SIGNATURE VERIFICATION FAILED: cosign verify-blob failed: exit status 1
stderr: Error: failed to verify certificate identity: no matching CertificateIdentity found, last error: expected SAN value "nobody@nowhere.invalid", got "john.doe@gmail.com"

For an issuer mismatch:

Error: SIGNATURE VERIFICATION FAILED: cosign verify-blob failed: exit status 1
stderr: Error: failed to verify certificate identity: no matching CertificateIdentity found, last error: expected issuer value "https://accounts.google.com", got "https://github.com/login/oauth"

Fix: Inspect the signature (see above) to read the actual identity, and update certificateIdentity / certificateOIDCIssuer to match. Watch for trailing slashes and capitalization.

Symptom: “keyless verification requires both an issuer constraint … and an identity constraint”

Cause: Your verifier spec is missing certificateIdentity, certificateOIDCIssuer, or both.

The full error:

Error: SIGNATURE VERIFICATION FAILED: invalid verification config: keyless verification requires both an issuer constraint (CertificateOIDCIssuer or CertificateOIDCIssuerRegexp) and an identity constraint (CertificateIdentity or CertificateIdentityRegexp)

Fix: Both are mandatory β€” they’re how Sigstore knows whose signatures to accept. See Step 1 above.

CLI Reference

CommandDescription
ocm verify component-versionVerify a component version signature
ocm get component-versionView component with signatures

Next Steps

Prev
Plugin System
Next
Download Resources from Component Versions