The Open Component Model (OCM) is an open standard to describe software bills of delivery (SBOD). OCM is a technology-agnostic and machine-readable format focused on the software artifacts that must be delivered for software products.
Check out the the main OCM project web page to find out what OCM offers you for implementing a secure software supply chain. It is your central entry point to all kind of OCM related docs and guides, the OCM specification and all project github repositories. It also offers a Getting Started to quickly make your hands dirty with OCM, its toolset and concepts 😃
OCM describes delivery artifacts that can be accessed from many types of component repositories. It defines a set of semantic, formatting, and other types of specifications that can be found in the ocm-spec
repository. Start learning about the core concepts of OCM elements here.
This project provides a Go library containing an API for interacting with the Open Component Model (OCM) elements and mechanisms.
The library currently supports the following repository mappings:
- OCI: Use the repository prefix path of an OCI repository to implement an OCM repository.
- CTF (Common Transport Format): Use a file-based binding to represent any set of component versions as filesystem content (directory, tar, tgz).
- Component Archive: Compose the content of a component version on the filesystem.
For the usage of the library to access OCM repositories, handle configuration and credentials see the examples section.
Additionally, OCM provides a generic solution for how to:
- Sign component versions in any supported OCM repository implementation.
- Verify signatures based on public keys or verified certificates.
- Transport component versions, per reference or as values to any of the repository implementations.
The ocm
CLI may also be used to interact with OCM mechanisms. It makes it easy to create component versions and embed them in build processes.
The code for the CLI can be found in package cmds/ocm
.
The OCI and OCM support can be found in packages
api/oci
and api/ocm
.
Install the latest release with
To install with bash
for macOS or Linux execute the following command:
curl -s https://ocm.software/install.sh | sudo bash
Install using Homebrew
# Homebrew (macOS and Linux)
brew install open-component-model/tap/ocm
Install using Nix (with Flakes)
# Nix (macOS, Linux, and Windows)
# ad-hoc cmd execution
nix run github:open-component-model/ocm -- --help
nix run github:open-component-model/ocm#helminstaller -- --help
# install development version
nix profile install github:open-component-model/ocm
# or release <version>
nix profile install github:open-component-model/ocm/<version>
#check installation
nix profile list | grep ocm
# optionally, open a new shell and verify that cmd completion works
ocm --help
Install from AUR (Arch Linux User Repository)
package-url: aur.archlinux.org/packages/ocm-cli
# if not using a helper util
git clone https://aur.archlinux.org/ocm-cli.git
cd ocm-cli
makepkg -i
docker run -t ghcr.io/open-component-model/ocm:latest --help
podman run -t ghcr.io/open-component-model/ocm:latest --help
podman build -t ocm .
podman run --rm -t ocm --loglevel debug --help
or interactively:
podman run --rm -it ocm /bin/sh
You can pass in the following arguments to override the predefined defaults:
GO_VERSION
: The golang version to be used for compiling.ALPINE_VERSION
: The alpine version to be used as the base image.GO_PROXY
: Your go proxy to be used for fetching dependencies.
Please check hub.docker.com for possible version combinations.
podman build -t ocm --build-arg GO_VERSION=1.23 --build-arg ALPINE_VERSION=3.20 --build-arg GO_PROXY=https://proxy.golang.org .
choco install ocm-cli
see: chocolatey community package: ocm-cli
winget install ocm-cli
see: microsoft/winget-packages: Open-Component-Model
An example of how to use the ocm
CLI in a Makefile can be found in examples/make
.
More comprehensive examples can be taken from the components
contained in this repository. Here a complete component build including a multi-arch image is done and finally packaged into a CTF archive which can be transported into an OCI repository. See the readme files for details.
The authenticity of released packages that have been uploaded to public repositories can be verified using our GPG public key. You can find the current key in the file OCM-RELEASES-PUBLIC-CURRENT.gpg on our website. You can find the old keys in the website github repository here.
Code contributions, feature requests, bug reports, and help requests are very welcome. Please refer to the Contributing Guide in the Community repository for more information on how to contribute to OCM.
OCM follows the CNCF Code of Conduct.
The release process is automated through a github action workflow. Please refer to the Release Process Documentation for more information.
Copyright 2024 SAP SE or an SAP affiliate company and Open Component Model contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.