Generate Signing Keys
Goal
Generate a key pair that can be used to sign and verify OCM component versions. Pick the tab that matches the algorithm you want to use.
You’ll end up with
- A private key file for signing component versions
- A public key file for sharing with consumers who need to verify signatures
Estimated time: ~2 minutes
Prerequisites
- OpenSSL installed on your system (typically pre-installed on Linux/macOS)
Generate an RSA key pair
To be able to use the keys across all How-to guides, we’ll create them in /tmp/keys.
You can choose a different location if you prefer, just make sure to update the file paths in your .ocmconfig accordingly.
Generate the private key
Create a folder
/tmp/keysand create a 4096-bit RSA private key in it:mkdir /tmp/keys && cd /tmp/keys openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:4096Verify the private key file was created:
ls -la /tmp/keys⚠️ Keep your private key secure! ⚠️
Anyone with access to this file can sign components as you. Store it in a secure location and never commit it to version control.Extract the public key
Derive the public key from your private key:
openssl rsa -in private-key.pem -pubout -out public-key.pemThis creates
public-key.pemwhich you can safely share with others.Verify the keys were created
ls -la *.pemYou should see both files:
-rw------- 1 user group 3272 Jan 15 10:00 private-key.pem -rw-r--r-- 1 user group 800 Jan 15 10:00 public-key.pem
Prerequisites
- GnuPG installed (
gpgbinary available in$PATH)
Generate a GPG key pair
If you already use a GPG key for signing Git tags or release artifacts, that key works as-is for OCM — skip ahead and just export it (Step 2). Otherwise, generate a new one in /tmp/keys so the file paths line up with the rest of the how-tos.
Generate the key pair
Create a folder
/tmp/keysand generate an RSA 4096 GPG key non-interactively (no expiry, no passphrase — fine for tutorials; for production, drop%no-protectionto be prompted for one):mkdir -p /tmp/keys && cd /tmp/keys gpg --batch --gen-key << 'EOF' %no-protection Key-Type: RSA Key-Length: 4096 Subkey-Type: RSA Subkey-Length: 4096 Name-Real: OCM Signing Key Name-Email: ocm-signer@example.com Expire-Date: 0 %commit EOFList the key and note its fingerprint (the 40-character hex string under
sec):gpg --list-secret-keys --keyid-format=longExpected output
sec rsa4096/167C7102F8AC81E4 2026-06-15 [SCEAR] B118BE3A32BE4AF28E37E881167C7102F8AC81E4 uid [ ultimate ] OCM Signing Key <ocm-signer@example.com> ssb rsa4096/23F18B76957B0A91 2026-06-15 [SEA] 26C11231549F81AF2AAC4F7723F18B76957B0A91⚠️ Keep your private key secure! ⚠️
Never commit it to version control or share it. For production use, prefer a hardware token (YubiKey, OpenPGP card) or a passphrase-protected key.Export the keys to ASCII-armored files
OCM loads GPG keys from ASCII-armored files (
.asc). Export both — replace<key fingerprint>with the value from the previous step:gpg --export-secret-keys --armor <key fingerprint> > /tmp/keys/signing-key.asc gpg --export --armor <key fingerprint> > /tmp/keys/verify-key.asc chmod 600 /tmp/keys/signing-key.ascVerify the keys were created
ls -la /tmp/keys/*.ascYou should see both files:
-rw------- 1 user group 7487 Jun 15 12:00 signing-key.asc -rw-r--r-- 1 user group 3988 Jun 15 12:00 verify-key.asc
Key management tips
| Key | Who has it | Purpose |
|---|---|---|
| Private key | Only you (the signer) | Sign component versions |
| Public key | Anyone who needs to verify | Verify signatures |
- Use different key pairs for different environments (dev, staging, production)
- Document which public key corresponds to which signing identity
- Consider key rotation policies for long-lived projects
Troubleshooting
Symptom: “command not found: openssl”
Fix: Install OpenSSL:
- macOS:
brew install openssl - Ubuntu/Debian:
sudo apt-get install openssl - RHEL/CentOS:
sudo dnf install openssl
Symptom: “command not found: gpg”
Fix: Install GnuPG:
- macOS:
brew install gnupg - Ubuntu/Debian:
sudo apt-get install gnupg - RHEL/CentOS:
sudo dnf install gnupg2
Symptom: Permission denied when creating files
Fix: Ensure you have write permissions in the current directory, or specify a full path where you have access.
Next Steps
- How-to: Configure Signing Credentials - Set up OCM to use your keys for signing and verification
- How-to: Sign a Component Version - Use your private key to sign components
- How-to: Verify a Component Version - Share your public key and verify signatures
Related documentation
- Concept: Signing and Verification - Understand how OCM signing and verification works
- Tutorial: Sign Your First Component - A hands-on tutorial for signing components end-to-end
- Tutorial: GPG Signatures - End-to-end GPG signing tutorial