ocm-cli logo

ocm-cli SAP SE

ocm open-component-model
Use this command to install ocm-cli:
winget install --id=Open-Component-Model.ocm-cli -e

Open Component Model Command Line Interface (ocm-cli)

The Open Component Model Command Line Interface (ocm-cli) is a tool designed to interact with the Open Component Model (OCM), an open standard for describing Software Bills of Delivery (SBOD). This toolset enables developers and organizations to manage, create, and transport component versions across various repository types.

Key Features:

  • Component Versioning: Create and manage software component versions in adherence to OCM specifications.
  • Repository Support: Interact with multiple repository types, including OCI registries and file-based bindings (CTF).
  • Signing & Verification: Sign components using GPG keys and verify their authenticity, ensuring secure supply chains.
  • Integration Capabilities: Embed component versioning into build processes through CLI commands or scripting.
  • Extensibility: Leverage the OCM library for custom integrations with diverse repository implementations.

Audience & Benefit: Ideal for software developers, DevOps engineers, and security professionals seeking to implement secure software supply chains. ocm-cli simplifies component versioning, streamlines delivery processes, enhances transparency through SBODs, and supports DevSecOps practices. It also facilitates the creation of reproducible builds, ensuring consistency across environments.

The tool is available for installation via winget, making it accessible to integrate into existing workflows without additional setup complexity.

README

Open Component Model

OpenSSF Best Practices REUSE status OCM Integration Tests Go Report Card

The Open Component Model (OCM) is an open standard to describe software bills of delivery (SBOD). OCM is a technology-agnostic and machine-readable format focused on the software artifacts that must be delivered for software products.

Check out the the main OCM project web page to find out what OCM offers you for implementing a secure software supply chain. It is your central entry point to all kind of OCM related docs and guides, the OCM specification and all project github repositories. It also offers a Getting Started to quickly make your hands dirty with OCM, its toolset and concepts :smiley:

OCM Specifications

OCM describes delivery artifacts that can be accessed from many types of component repositories. It defines a set of semantic, formatting, and other types of specifications that can be found in the ocm-spec repository. Start learning about the core concepts of OCM elements here.

OCM Library

This project provides a Go library containing an API for interacting with the Open Component Model (OCM) elements and mechanisms.

The library currently supports the following repository mappings:

  • OCI: Use the repository prefix path of an OCI repository to implement an OCM repository.
  • CTF (Common Transport Format): Use a file-based binding to represent any set of component versions as filesystem content (directory, tar, tgz).
  • Component Archive: Compose the content of a component version on the filesystem.

For the usage of the library to access OCM repositories, handle configuration and credentials see the examples section.

Additionally, OCM provides a generic solution for how to:

  • Sign component versions in any supported OCM repository implementation.
  • Verify signatures based on public keys or verified certificates.
  • Transport component versions, per reference or as values to any of the repository implementations.

OCM CLI

The ocm CLI may also be used to interact with OCM mechanisms. It makes it easy to create component versions and embed them in build processes.

The code for the CLI can be found in package cmds/ocm.

The OCI and OCM support can be found in packages api/oci and api/ocm.

Installation

Install the latest release with

Bash

To install with bash for macOS or Linux execute the following command:

curl -s https://ocm.software/install.sh | sudo bash

Homebrew

Install using Homebrew

# Homebrew (macOS and Linux)
brew install open-component-model/tap/ocm

NixOS

Install using Nix (with Flakes)

# Nix (macOS, Linux, and Windows)
# ad-hoc cmd execution
nix run github:open-component-model/ocm -- --help
nix run github:open-component-model/ocm#helminstaller -- --help

# install development version
nix profile install github:open-component-model/ocm
# or release 
nix profile install github:open-component-model/ocm/

#check installation
nix profile list | grep ocm

# optionally, open a new shell and verify that cmd completion works
ocm --help

AUR

Install from AUR (Arch Linux User Repository)

package-url: aur.archlinux.org/packages/ocm-cli

# if not using a helper util
git clone https://aur.archlinux.org/ocm-cli.git
cd ocm-cli
makepkg -i

AUR Documentation

Container

Usage via Docker / Podman

docker run -t ghcr.io/open-component-model/ocm:latest --help

podman run -t ghcr.io/open-component-model/ocm:latest --help

Build and run it yourself

podman build -t ocm .
podman run --rm -t ocm --loglevel debug --help

or interactively:

podman run --rm -it ocm /bin/sh

You can pass in the following arguments to override the predefined defaults:

  • GO_VERSION: The golang version to be used for compiling.
  • ALPINE_VERSION: The alpine version to be used as the base image.
  • GO_PROXY: Your go proxy to be used for fetching dependencies.

Please check hub.docker.com for possible version combinations.

podman build -t ocm --build-arg GO_VERSION=1.24 --build-arg ALPINE_VERSION=3.21 --build-arg GO_PROXY=https://proxy.golang.org .

Chocolatey

choco install ocm-cli

see: chocolatey community package: ocm-cli

Examples

An example of how to use the ocm CLI in a Makefile can be found in examples/make.

More comprehensive examples can be taken from the components contained in this repository. Here a complete component build including a multi-arch image is done and finally packaged into a CTF archive which can be transported into an OCI repository. See the readme files for details.

GPG Public Key

The authenticity of released packages that have been uploaded to public repositories can be verified using our GPG public key. You can find the current key in the file OCM-RELEASES-PUBLIC-CURRENT.gpg on our website. You can find the old keys in the website github repository here.

Contributing

Code contributions, feature requests, bug reports, and help requests are very welcome. Please refer to the Contributing Guide in the Community repository for more information on how to contribute to OCM.

OCM follows the CNCF Code of Conduct.

Release Process

The release process is automated through a github action workflow. Please refer to the Release Process Documentation for more information.

Licensing

Copyright 2025 SAP SE or an SAP affiliate company and Open Component Model contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.

Versions
0.24.0
0.23.0
0.22.1
0.21.0
0.20.1
0.20.0
0.19.1
0.19.0
0.18.0
0.17.0
show 1 more
Website
github.com
License