OCM supports four signing approaches. Pick the tutorial that matches the trust model you want to use.

| Tutorial | Algorithm | Trust anchor | When to choose it |
|---|---|---|---|
| Plain Signatures | RSA key pair | Public key the verifier holds | Small teams, self-signed workflows, no PKI |
| Certificate Chains (PEM) | RSA + X.509 chain | Root CA the verifier holds | Existing PKI, organizational delegation, key rotation without verifier reconfiguration |
| GPG Signatures | GPG key pair | Public key the verifier holds | Existing GPG-based signing workflows, small teams, no PKI |
| Sigstore (Keyless) | Sigstore (ECDSA, ephemeral) | OIDC identity the verifier trusts | Skip key management entirely; built-in audit trail via the Rekor transparency log |

For the conceptual background and a side-by-side comparison of the three trust models, see Concept: Signing and Verification — Trust Models.