Transfer Components across an Air Gap
Goal
Transfer a signed component version from a source registry into an air-gapped target registry using a CTF archive as the transport medium. An air-gapped environment is a network that is physically isolated from untrusted networks such as the public internet.
You’ll end up with
- A verified, signed component version available in your air-gapped registry
- All resource artifacts (container images, Helm charts) copied into the target registry
Estimated time: ~10 minutes
Prerequisites
- OCM CLI installed
- A signed component version in a source registry or CTF archive
- The public key used to sign the component version, configured in .ocmconfig (see Signing and Verification for setup)
- Write access to the target registry in the air-gapped environment
Steps
Verify the source component
Confirm integrity and provenance before transferring. The OCM CLI resolves verification credentials from your .ocmconfig automatically. For background on how signing works, see Signing and Verification.

    ocm verify cv <source-repository>//<component-name>:<version>

To verify a specific signature by name:

    ocm verify cv --signature <signature-name> <source-repository>//<component-name>:<version>

You should see: SIGNATURE VERIFICATION SUCCESSFUL and exit code 0. For detailed verification options, see Signing and Verification.
Tip: CTF as source
If your source is a CTF archive rather than a registry, use the archive path:

    ocm verify cv ctf::<path/to/source.ctf>//<component-name>:<version>

Transfer to a CTF archive
Create a self-contained CTF archive that bundles all resource artifacts and transitively referenced component versions. See Transfer and Transport for details on the --copy-resources flag.

    ocm transfer cv \
      --copy-resources \
      --recursive \
      <source-repository>//<component-name>:<version> \
      ctf::<path/to/airgap-transport.ctf>

You should see:
- A progress bar while artifacts are downloaded
- Exit code 0 and the CTF archive created at the specified path
Tip: Working with the archive directly
The CTF archive is a fully functional OCM repository. You can inspect component versions or download resources directly from it without importing into a registry first:

    ocm get cv ctf::<path/to/airgap-transport.ctf>
    ocm download resource ctf::<path/to/airgap-transport.ctf>//<component-name>:<version> \
      --identity name=<resource-name> --output <output-path>

Move the archive across the air gap
Move the CTF archive to the air-gapped environment using whatever mechanism is available. This step does not involve the OCM CLI.

    # Examples - use whatever method your environment allows:
    scp -r airgap-transport.ctf user@jumphost:/transfer/
    # or copy to USB media
    cp -r airgap-transport.ctf /media/usb-drive/
    # or create a compressed archive first
    tar czf airgap-transport.ctf.tar.gz airgap-transport.ctf

Import into the target registry
On the air-gapped side, transfer the CTF archive into the target registry. The target registry must have credentials configured in your .ocmconfig.

    ocm transfer cv \
      --copy-resources \
      --recursive \
      ctf::<path/to/airgap-transport.ctf>//<component-name>:<version> \
      <target-registry>

You should see:
- A progress bar while artifacts are uploaded
- Exit code 0 and the component available in the target registry
Verify in the target registry
Confirm the component version is available in the target registry:

    ocm get cv <target-registry>//<component-name>:<version>

Expected output:

    COMPONENT         VERSION    PROVIDER
    <component-name>  <version>  <provider>

Then verify the signature to confirm it survived the transfer intact:

    ocm verify cv <target-registry>//<component-name>:<version>

You should see: SIGNATURE VERIFICATION SUCCESSFUL.
Troubleshooting
If you encounter authentication or credential errors during transfer or verification, see Credentials in .ocmconfig and Configuring Credentials for Controllers.
If signature verification fails after transfer, ensure the public key in your .ocmconfig matches the key used to sign the component. See Signing and Verification.
Cleanup
Remove the temporary CTF archive after successful transfer and verification:

    rm -rf airgap-transport.ctf

Caution
Only delete the archive after you have verified the component in the target registry. The archive is your only copy of the artifacts until the import is confirmed.
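The source-side and air-gapped-side steps above, wrapped as two fail-closed shell functions so that the archive is exported only after source verification and deleted only after the copy in the target registry verifies. This is an added example, not part of the OCM documentation or project: the function names, argument order and exit codes are assumptions, the ocm invocations are those shown in the steps, and the pre-import check of the archive reuses the ctf:: form of ocm verify cv from the tip above.

```shell
#!/bin/sh
# Added example, not part of the OCM project. Function names, argument
# order and exit codes are assumptions; the ocm commands are the ones
# shown in the steps of this guide.

# Source side: verify the signature first, export only if it holds.
# usage: airgap_export <source-repository> <component-name> <version> <archive-path>
airgap_export() {
    src=$1 comp=$2 ver=$3 ctf=$4
    if ! ocm verify cv "$src//$comp:$ver"; then
        echo "source verification failed, nothing exported" >&2
        return 1
    fi
    ocm transfer cv --copy-resources --recursive \
        "$src//$comp:$ver" "ctf::$ctf" || return 2
}

# Air-gapped side: verify the archive before it reaches the registry,
# import it, verify again in the target, and only then delete the archive.
# usage: airgap_import <archive-path> <component-name> <version> <target-registry>
airgap_import() {
    ctf=$1 comp=$2 ver=$3 dst=$4
    if ! ocm verify cv "ctf::$ctf//$comp:$ver"; then
        echo "archive failed verification, not importing" >&2
        return 1
    fi
    ocm transfer cv --copy-resources --recursive \
        "ctf::$ctf//$comp:$ver" "$dst" || return 2
    if ! ocm get cv "$dst//$comp:$ver" ||
       ! ocm verify cv "$dst//$comp:$ver"; then
        echo "target verification failed, keeping $ctf" >&2
        return 3
    fi
    rm -rf -- "$ctf"   # cleanup step, reached only after verification
}
```

Source the file on each side and call the matching function; a non-zero return tells you which stage stopped the transfer, and the archive is left in place for another attempt.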
Next steps
- Transfer and Transport – Understand the transfer model, resource handling, and signature preservation
- Signing and Verification – Learn how to sign and verify component versions
- Deploy a Helm Chart (Bootstrap) – Deploy component resources into a Kubernetes cluster