Generate Signing Keys

Goal

Generate a key pair that can be used to sign and verify OCM component versions. Pick the tab that matches the algorithm you want to use.

You’ll end up with

  • A private key file for signing component versions
  • A public key file for sharing with consumers who need to verify signatures

Estimated time: ~2 minutes

Prerequisites

  • OpenSSL installed on your system (typically pre-installed on Linux/macOS)

Generate an RSA key pair

To be able to use the keys across all How-to guides, we’ll create them in /tmp/keys. You can choose a different location if you prefer, just make sure to update the file paths in your .ocmconfig accordingly.

  1. Generate the private key

    Create a folder /tmp/keys and create a 4096-bit RSA private key in it:

    mkdir /tmp/keys && cd /tmp/keys
    openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:4096

    Verify the private key file was created:

    ls -la /tmp/keys

    ⚠️ Keep your private key secure! ⚠️
    Anyone with access to this file can sign components as you. Store it in a secure location and never commit it to version control.

  2. Extract the public key

    Derive the public key from your private key:

    openssl rsa -in private-key.pem -pubout -out public-key.pem

    This creates public-key.pem which you can safely share with others.

  3. Verify the keys were created

    ls -la *.pem

    You should see both files:

    -rw-------  1 user  group  3272 Jan 15 10:00 private-key.pem
    -rw-r--r--  1 user  group   800 Jan 15 10:00 public-key.pem

Prerequisites

  • GnuPG installed (gpg binary available in $PATH)

Generate a GPG key pair

If you already use a GPG key for signing Git tags or release artifacts, that key works as-is for OCM — skip ahead and just export it (Step 2). Otherwise, generate a new one in /tmp/keys so the file paths line up with the rest of the how-tos.

  1. Generate the key pair

    Create a folder /tmp/keys and generate an RSA 4096 GPG key non-interactively (no expiry, no passphrase — fine for tutorials; for production, drop %no-protection to be prompted for one):

    mkdir -p /tmp/keys && cd /tmp/keys
    
    gpg --batch --gen-key << 'EOF'
    %no-protection
    Key-Type: RSA
    Key-Length: 4096
    Subkey-Type: RSA
    Subkey-Length: 4096
    Name-Real: OCM Signing Key
    Name-Email: ocm-signer@example.com
    Expire-Date: 0
    %commit
    EOF

    List the key and note its fingerprint (the 40-character hex string under sec):

    gpg --list-secret-keys --keyid-format=long
    Expected output
    sec   rsa4096/167C7102F8AC81E4 2026-06-15 [SCEAR]
          B118BE3A32BE4AF28E37E881167C7102F8AC81E4
    uid           [ ultimate ] OCM Signing Key <ocm-signer@example.com>
    ssb   rsa4096/23F18B76957B0A91 2026-06-15 [SEA]
          26C11231549F81AF2AAC4F7723F18B76957B0A91

    ⚠️ Keep your private key secure! ⚠️
    Never commit it to version control or share it. For production use, prefer a hardware token (YubiKey, OpenPGP card) or a passphrase-protected key.

  2. Export the keys to ASCII-armored files

    OCM loads GPG keys from ASCII-armored files (.asc). Export both — replace <key fingerprint> with the value from the previous step:

    gpg --export-secret-keys --armor <key fingerprint> > /tmp/keys/signing-key.asc
    gpg --export --armor <key fingerprint> > /tmp/keys/verify-key.asc
    
    chmod 600 /tmp/keys/signing-key.asc
  3. Verify the keys were created

    ls -la /tmp/keys/*.asc

    You should see both files:

    -rw-------  1 user  group  7487 Jun 15 12:00 signing-key.asc
    -rw-r--r--  1 user  group  3988 Jun 15 12:00 verify-key.asc

Key management tips

KeyWho has itPurpose
Private keyOnly you (the signer)Sign component versions
Public keyAnyone who needs to verifyVerify signatures
  • Use different key pairs for different environments (dev, staging, production)
  • Document which public key corresponds to which signing identity
  • Consider key rotation policies for long-lived projects

Troubleshooting

Symptom: “command not found: openssl”

Fix: Install OpenSSL:

  • macOS: brew install openssl
  • Ubuntu/Debian: sudo apt-get install openssl
  • RHEL/CentOS: sudo dnf install openssl

Symptom: “command not found: gpg”

Fix: Install GnuPG:

  • macOS: brew install gnupg
  • Ubuntu/Debian: sudo apt-get install gnupg
  • RHEL/CentOS: sudo dnf install gnupg2

Symptom: Permission denied when creating files

Fix: Ensure you have write permissions in the current directory, or specify a full path where you have access.

Next Steps