
Wire sigstore handler and OIDC credential plugin into the OCM CLI #998

@morri-son

Description

Wire the bindings/go/sigstore handler and an OIDC credential plugin into the CLI.

Scope:

  • Register ComponentSignatureHandler in the CLI's signing handler registry
  • Implement SigstoreOIDC/v1alpha1 credential plugin in cli/internal/plugin/builtin/sigstore/:
    • Checks SIGSTORE_ID_TOKEN env var first (CI/automation path)
    • Falls back to interactive browser-based OIDC flow
    • Default issuer: https://oauth2.sigstore.dev/auth, client ID: sigstore
  • Wire plugin into CredentialPluginProvider in cli/cmd/setup/
  • Add bindings/go/sigstore to cli/go.mod

Done Criteria

  • ocm sign componentversion --signer sigstore works for keyless and key-based credentials
  • ocm verify componentversion --verifier sigstore works with and without explicit trusted root
  • OIDC credential plugin resolves token from env var and interactive browser flow
  • Unit tests cover plugin resolution and handler registration
  • Code reviewed by other team members
  • End-user documentation updated (if applicable)
  • Successful demonstration in Review
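
The token resolution order from the scope list (SIGSTORE_ID_TOKEN first, interactive flow as fallback), sketched as an added example that is not part of the issue or of the OCM code base. `ResolveToken`, `checkToken` and `InteractiveFlow` are hypothetical names, and rejecting a set but malformed or expired env token instead of falling back is an assumed policy, chosen so a CI job fails fast rather than waiting on a browser prompt.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
	"time"
)

// Env var and defaults as given in the issue; InteractiveFlow is a
// hypothetical stand-in for the browser-based OIDC flow.
const TokenEnvVar, DefaultIssuer, DefaultClientID = "SIGSTORE_ID_TOKEN", "https://oauth2.sigstore.dev/auth", "sigstore"
type InteractiveFlow func(issuer, clientID string) (string, error)

// checkToken is a pre-flight check only: it does NOT verify the JWT signature.
func checkToken(token string, now time.Time) error {
	var c struct{ Exp float64 `json:"exp"` }
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("not a three-part JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || c.Exp == 0 {
		return fmt.Errorf("payload has no readable exp claim")
	}
	if !now.Before(time.Unix(int64(c.Exp), 0)) {
		return fmt.Errorf("token expired")
	}
	return nil
}

// ResolveToken: env var first; a set but bad token is an error, never a silent fallback (assumed policy).
func ResolveToken(now time.Time, interactive InteractiveFlow) (string, string, error) {
	tok := strings.TrimSpace(os.Getenv(TokenEnvVar))
	if tok == "" { // nothing set: interactive path with the issue's defaults
		t, err := interactive(DefaultIssuer, DefaultClientID)
		return t, "interactive", err
	}
	if err := checkToken(tok, now); err != nil {
		return "", "", fmt.Errorf("%s: %w", TokenEnvVar, err) // error text never includes the token
	}
	return tok, "env", nil
}

func main() {
	_, src, err := ResolveToken(time.Now(), func(_, _ string) (string, error) { return "", nil })
	fmt.Println("source:", src, "error:", err)
}
```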

Metadata

Assignees: No one assigned

Labels: area/ipcei (Important Project of Common European Interest), kind/task (small task, normally part of feature or epic)

Status: 🔍 Review

Milestone: No milestone