
adilblh / ocm


This project forked from open-component-model/ocm


Open Component Model (Software Bill of Delivery Toolset)

Home Page: https://ocm.software

License: Apache License 2.0

Shell 0.12% Go 98.97% Nix 0.09% Makefile 0.65% Smarty 0.08% Dockerfile 0.08%

ocm's Introduction

Open Component Model


The Open Component Model (OCM) is an open standard to describe software bills of delivery (SBOD). OCM is a technology-agnostic and machine-readable format focused on the software artifacts that must be delivered for software products.

Check out the main OCM project web page to find out what OCM offers you for implementing a secure software supply chain. It is your central entry point to all kinds of OCM-related docs and guides, the OCM specification, and all project GitHub repositories. It also offers a Getting Started guide to quickly get your hands dirty with OCM, its toolset and concepts 😃

OCM Specifications

OCM describes delivery artifacts that can be accessed from many types of component repositories. It defines a set of semantic, formatting, and other types of specifications that can be found in the ocm-spec repository. Start learning about the core concepts of OCM elements here.

OCM Library

This project provides a Go library containing an API for interacting with the Open Component Model (OCM) elements and mechanisms.

The library currently supports the following repository mappings:

  • OCI: Use the repository prefix path of an OCI repository to implement an OCM repository.
  • CTF (Common Transport Format): Use a file-based binding to represent any set of component versions as filesystem content (directory, tar, tgz).
  • Component Archive: Compose the content of a component version on the filesystem.

For how to use the library to access OCM repositories and to handle configuration and credentials, see the examples section.

Additionally, OCM provides a generic solution for how to:

  • Sign component versions in any supported OCM repository implementation.
  • Verify signatures based on public keys or verified certificates.
  • Transport component versions, per reference or as values to any of the repository implementations.

OCM CLI

The ocm CLI may also be used to interact with OCM mechanisms. It makes it easy to create component versions and embed them in build processes.

The ocm CLI documentation can be found here.

The code for the CLI can be found in package cmds/ocm.

The OCI and OCM support can be found in packages pkg/contexts/oci and pkg/contexts/ocm.

Installation

Install the latest release via Homebrew, Nix, Docker/Podman or directly from GitHub Releases.

Bash

To install with bash for macOS or Linux execute the following command:

curl -s https://ocm.software/install.sh | sudo bash
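The one-liner above runs whatever the server returns as root, unseen. The following added example (not part of the OCM project) downloads the script to a file, checks it against a SHA-256 digest the operator recorded after reviewing a copy, and only then runs it with privilege. The function names are hypothetical and this page publishes no digest, so the value in the usage comment is a placeholder.

```shell
#!/usr/bin/env bash
# Added example: fetch, verify, then run an installer instead of piping it to a root shell.

# Print the SHA-256 of a file, using whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_installer FILE EXPECTED_SHA256
# Returns 0 on an exact match, 1 on mismatch, 2 on unusable input.
verify_installer() {
  file=$1 expected=$2
  [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
  case "$expected" in
    ""|*[!0-9a-f]*) echo "digest must be lowercase hex" >&2; return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "digest must be 64 characters" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch: got $actual" >&2
    return 1
  fi
  return 0
}

# fetch_installer URL DEST
# HTTPS only, TLS 1.2 or newer, fail on HTTP errors, write to a file.
fetch_installer() {
  curl --proto '=https' --tlsv1.2 -fsSL -o "$2" "$1"
}

# install_pinned URL EXPECTED_SHA256
# The script reaches sudo only after the digest check has passed.
install_pinned() {
  tmp=$(mktemp) || return 2
  fetch_installer "$1" "$tmp" && verify_installer "$tmp" "$2" && sudo bash "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage (placeholder digest, record your own after reviewing the script):
#   install_pinned https://ocm.software/install.sh <sha256-of-reviewed-script>
```
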

Install using Homebrew

# Homebrew (macOS and Linux)
brew install open-component-model/tap/ocm

Install using Nix (with Flakes)

# Nix (macOS, Linux, and Windows)
# ad hoc cmd execution
nix run github:open-component-model/ocm -- --help
nix run github:open-component-model/ocm#helminstaller -- --help

# install development version
nix profile install github:open-component-model/ocm
# or release <version>
nix profile install github:open-component-model/ocm/<version>

# check installation
nix profile list | grep ocm

# optionally, open a new shell and verify that cmd completion works
ocm --help

Usage via Docker / Podman

podman run -t ghcr.io/open-component-model/ocm:latest --help

Build and run it yourself

podman build -t ocm .
podman run --rm -t ocm --loglevel debug --help

or interactively:

podman run --rm -it ocm /bin/sh

You can pass in the following arguments to override the predefined defaults:

  • GO_VERSION: The golang version to be used for compiling.
  • ALPINE_VERSION: The alpine version to be used as the base image.
  • GO_PROXY: Your go proxy to be used for fetching dependencies.

Please check hub.docker.com for possible version combinations.

podman build -t ocm --build-arg GO_VERSION=1.22 --build-arg ALPINE_VERSION=3.19 --build-arg GO_PROXY=https://proxy.golang.org .

Examples

An example of how to use the ocm CLI in a Makefile can be found in examples/make.

More comprehensive examples can be taken from the components contained in this repository. Here a complete component build, including a multi-arch image, is done and finally packaged into a CTF archive, which can be transported into an OCI repository. See the readme files for details.

Contributing

Code contributions, feature requests, bug reports, and help requests are very welcome. Please refer to the Contributing Guide in the Community repository for more information on how to contribute to OCM.

OCM follows the CNCF Code of Conduct.

Licensing

Copyright 2024 SAP SE or an SAP affiliate company and Open Component Model contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.
