Title here
Summary here
Sign and Verify
Guides for cryptographically signing and verifying OCM component versions.
Protect the integrity and authenticity of your component versions through cryptographic signing and verification.
These guides walk you through the complete signing workflow — covering both keyed (RSA) and keyless (Sigstore) algorithms, from generating keys or trusting identities to verifying signatures in production.
Guides in This Section
- Generate Signing Keys — Create RSA key pairs for signing and verification
- Configure Signing Credentials — Set up OCM to use your keys
- Sign Component Versions — Attach cryptographic signatures to component versions, using either RSA or Sigstore (keyless)
- Verify Component Versions — Validate signatures to ensure authenticity and integrity, for either RSA or Sigstore (keyless)
Generate Signing Keys
Create an RSA or GPG key pair for signing and verifying OCM component versions.
Configure Credentials for Signing
Configure OCM signing and verification keys using .ocmconfig or signer specification files.
Sign Component Versions
Cryptographically sign a component version using key-based or keyless signing algorithms.
Verify Component Versions
Validate component version signatures using key-based or keyless verification methods.