Verify Component Versions

You’ll end up with

  • Confidence that a component version is authentic and hasn’t been tampered with

Estimated time: ~3 minutes

Prerequisites

Steps

  1. Verify the component version

    Run the verify command against your signed component:

    ocm verify cv <repository>//<component>:<version>

    Local CTF Archive:

    ocm verify cv ./transport-archive//github.com/acme.org/helloworld:1.0.0

    Remote OCI Registry:

    ocm verify cv ghcr.io/myorg/components//github.com/acme.org/helloworld:1.0.0

    Expected output:

    time=2025-11-19T15:58:22.431+01:00 level=INFO msg="verifying signature" name=default
    time=2025-11-19T15:58:22.435+01:00 level=INFO msg="signature verification completed" name=default duration=4.287541ms
    time=2025-11-19T15:58:22.435+01:00 level=INFO msg="SIGNATURE VERIFICATION SUCCESSFUL"

    The command exits with status code 0 on success. Any non-zero status means verification did not pass, so a pipeline step should treat anything other than 0 as a failure rather than inspecting the log text.

  2. Verify a specific signature (optional)

    If the component has multiple signatures, specify which one to verify:

    ocm verify cv --signature prod ghcr.io/myorg/components//github.com/acme.org/helloworld:1.0.0

    👉 Without the --signature flag, OCM uses the configuration named default.

  3. List available signatures (optional)

    View all signatures in a component version:

    ocm get cv ./transport-archive//github.com/acme.org/helloworld:1.0.0 -o yaml | grep -A 10 signatures:
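
The three steps above as a fail-closed gate a CI job can run: it pre-checks the public key file for the PEM header this guide expects, then requires every listed signature name to verify and only trusts the exit status of ocm verify cv. This is an added example written for this guide, not code from the OCM project; it assumes the ocm CLI from the steps above is on PATH and that .ocmconfig already holds the public keys for the signature names you require. The component reference and the signature names in the usage line are made up.

```shell
#!/bin/sh
# verify-components.sh: fail-closed wrapper around `ocm verify cv`.
# Added example for this guide, not code from the OCM project.
# Assumes the `ocm` CLI is on PATH and .ocmconfig holds the public keys for
# the signature names you require. Component references and signature names
# used in the usage line are made up.

# Pre-flight for the "invalid key format" case: the first line must be the
# PEM public-key header this guide expects. Returns 0 if it is, 1 otherwise.
check_public_key() {
  local file=$1
  if [ ! -r "$file" ]; then
    echo "key file not readable: $file" >&2
    return 1
  fi
  head -n 1 "$file" | grep -q '^-----BEGIN PUBLIC KEY-----$'
}

# Verify one named signature on one component version. Only the exit status
# of `ocm verify cv` is trusted; the OK/FAIL lines are for the pipeline log.
verify_signature() {
  local ref=$1 sig=$2
  if ocm verify cv --signature "$sig" "$ref"; then
    echo "OK   $ref signature=$sig"
  else
    echo "FAIL $ref signature=$sig" >&2
    return 1
  fi
}

# Require every signature name in SIGS (space separated) to verify. Reports
# every failure instead of stopping at the first, and fails closed: returns
# non-zero if any required signature did not verify.
verify_required() {
  local ref=$1 sigs=$2 failed=0 sig
  for sig in $sigs; do
    verify_signature "$ref" "$sig" || failed=$((failed + 1))
  done
  [ "$failed" -eq 0 ]
}

# Usage: ./verify-components.sh <component-ref> <signature> [<signature> ...]
#   ./verify-components.sh \
#     ghcr.io/myorg/components//github.com/acme.org/helloworld:1.0.0 default prod
if [ "$#" -ge 2 ]; then
  ref=$1
  shift
  verify_required "$ref" "$*" || exit 1
fi
```

Require the signature names your policy actually depends on (for example both default and prod) rather than whichever one verifies; a component version that carries a valid signature under one name and a broken one under another should still be rejected.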

Troubleshooting

Symptom: “signature verification failed”

Cause: The public key in your verification configuration doesn’t match the private key that produced the signature, or the component was modified after it was signed.

Fix: Each signature name maps to a consumer entry in .ocmconfig that carries the public key, so make sure you are verifying against the name whose key you actually hold:

# Check which signature names exist
ocm get cv ./transport-archive//github.com/acme.org/helloworld:1.0.0 -o yaml | grep -A 3 "signatures:"

# Verify with the correct signature name
ocm verify cv --signature <name> ./transport-archive//github.com/acme.org/helloworld:1.0.0

If the key is the right one and verification still fails, treat the component version as tampered with and do not consume it.

Symptom: “no public key found”

Cause: OCM cannot find a matching verification configuration in .ocmconfig.

Fix: Ensure your .ocmconfig has a consumer entry with the matching signature name and public_key_pem_file path.

See Configure Signing Credentials.

Symptom: “invalid key format”

Cause: The public key file is not in PEM format.

Fix: Verify the key starts with -----BEGIN PUBLIC KEY-----:

head -n 1 /tmp/keys/public-key.pem

CLI Reference

  Command                         Description
  ocm verify componentversions    Verify a component version signature (cv is the short form used in the steps above)
  ocm get componentversions       View a component version, including its signatures

Next Steps