open-component-model
diff --git a/‎bindings/go/plugin/Taskfile.yml‎
Lines changed: 2 additions & 1 deletion b/‎bindings/go/plugin/Taskfile.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎bindings/go/plugin/go.mod‎
Lines changed: 7 additions & 5 deletions b/‎bindings/go/plugin/go.mod‎
Lines changed: 7 additions & 5 deletions
diff --git a/‎bindings/go/plugin/go.sum‎
Lines changed: 34 additions & 14 deletions b/‎bindings/go/plugin/go.sum‎
Lines changed: 34 additions & 14 deletions
diff --git a/‎bindings/go/plugin/internal/testplugin-signinghandler/main.go‎
Lines changed: 99 additions & 0 deletions b/‎bindings/go/plugin/internal/testplugin-signinghandler/main.go‎
Lines changed: 99 additions & 0 deletions
diff --git a/‎bindings/go/plugin/manager/contracts/signing/v1/contracts.go‎
Lines changed: 25 additions & 0 deletions b/‎bindings/go/plugin/manager/contracts/signing/v1/contracts.go‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎bindings/go/plugin/manager/contracts/signing/v1/doc.go‎
Lines changed: 12 additions & 0 deletions b/‎bindings/go/plugin/manager/contracts/signing/v1/doc.go‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎bindings/go/plugin/manager/contracts/signing/v1/types.go‎
Lines changed: 35 additions & 0 deletions b/‎bindings/go/plugin/manager/contracts/signing/v1/types.go‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎bindings/go/plugin/manager/manager.go‎
Lines changed: 9 additions & 0 deletions b/‎bindings/go/plugin/manager/manager.go‎
Lines changed: 9 additions & 0 deletions
@@ -13,9 +13,10 @@ tasks:
       - go build -o tmp/testdata/test-plugin-input internal/testplugin-input/main.go
       - go build -o tmp/testdata/test-plugin-digester internal/testplugin-digester/main.go
       - go build -o tmp/testdata/test-plugin-blobtransformer internal/testplugin-blobtransformer/main.go
+      - go build -o tmp/testdata/test-plugin-signinghandler internal/testplugin-signinghandler/main.go
   test:
     cmds:
       - go test -v -coverprofile=tmp/coverage.out ./...
     deps:
       - tmp
-      - build
+      - build
@@ -9,12 +9,13 @@ require (
 	golang.org/x/sync v0.17.0
 	ocm.software/open-component-model/bindings/go/blob v0.0.9
 	ocm.software/open-component-model/bindings/go/configuration v0.0.8
-	ocm.software/open-component-model/bindings/go/constructor v0.0.0-20250909064434-e1a06fe74668
-	ocm.software/open-component-model/bindings/go/credentials v0.0.1
-	ocm.software/open-component-model/bindings/go/descriptor/runtime v0.0.0-20250909064434-e1a06fe74668
+	ocm.software/open-component-model/bindings/go/constructor v0.0.0-20250915165427-710b0c881b3c
+	ocm.software/open-component-model/bindings/go/credentials v0.0.2
+	ocm.software/open-component-model/bindings/go/descriptor/runtime v0.0.0-20250915165427-710b0c881b3c
 	ocm.software/open-component-model/bindings/go/descriptor/v2 v2.0.1-alpha3
-	ocm.software/open-component-model/bindings/go/repository v0.0.0-20250909064434-e1a06fe74668
+	ocm.software/open-component-model/bindings/go/repository v0.0.0-20250915165427-710b0c881b3c
 	ocm.software/open-component-model/bindings/go/runtime v0.0.2
+	ocm.software/open-component-model/bindings/go/signing v0.0.0-20250915165427-710b0c881b3c
 )
 
 require (
@@ -26,9 +27,10 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/text v0.29.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	ocm.software/open-component-model/bindings/go/dag v0.0.4 // indirect
+	ocm.software/open-component-model/bindings/go/descriptor/normalisation v0.0.0-20250912092813-396078c6d574 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
@@ -1,3 +1,5 @@
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
 github.com/bahlo/generic-list-go v0.2.0 h1:5sz/EEAK+ls5wF+NeqDpk5+iNdMDXrh3z3nPnH1Wvgk=
 github.com/bahlo/generic-list-go v0.2.0/go.mod h1:2KvAjgMlE5NNynlg/5iLrrCCZ2+5xWbdbCW3pNTGyYg=
 github.com/buger/jsonparser v1.1.1 h1:2PnMjfWD7wBILjqQbt530v576A/cAbQvEW9gGIpYMUs=
@@ -6,8 +8,10 @@ github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467 h
 github.com/cyberphone/json-canonicalization v0.0.0-20241213102144-19d51d7fe467/go.mod h1:uzvlm1mxhHkdfqitSA92i7Se+S9ksOn3a3qmv/kyOCw=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI=
-github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
+github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/invopop/jsonschema v0.13.0 h1:KvpoAJWEjR3uD9Kbm2HWJmqsEaHt8lBUpd0qHcIi21E=
@@ -18,8 +22,12 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
 github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
+github.com/nlepage/go-tarfs v1.2.1 h1:o37+JPA+ajllGKSPfy5+YpsNHDjZnAoyfvf5GsUa+Ks=
+github.com/nlepage/go-tarfs v1.2.1/go.mod h1:rno18mpMy9aEH1IiJVftFsqPyIpwqSUiAOpJYjlV2NA=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
@@ -30,16 +38,18 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/veqryn/slog-context v0.8.0 h1:lDhwAgjwx52K5StqqQzi5d0Y/F4SNyGZbsXGd8MtucM=
+github.com/veqryn/slog-context v0.8.0/go.mod h1:8rsT72p0kzzN9lmkwtabIhxg7ZkpnKblt9x3Eix8Tc0=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
 golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
 golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -51,19 +61,29 @@ ocm.software/open-component-model/bindings/go/blob v0.0.9 h1:XNK04PnqvsE6KHx/04m
 ocm.software/open-component-model/bindings/go/blob v0.0.9/go.mod h1:BjErnbAzzY4mJ6cO/hIFj8Gf/v9zerkIQ1Y1XQEOB5M=
 ocm.software/open-component-model/bindings/go/configuration v0.0.8 h1:IH5ARqAwUJIV8U3l7Mv/txmjh7HbSwYMGSk9V8QlTVo=
 ocm.software/open-component-model/bindings/go/configuration v0.0.8/go.mod h1:VZ8jQ3a6oTWyOpY09C7V3L0CfzKe9i1/Z4uJjLAVjN4=
-ocm.software/open-component-model/bindings/go/constructor v0.0.0-20250909064434-e1a06fe74668 h1:ePvbeL8lISx4sqo0kEZbSq3id2dm+2BWVViGILLb+9Q=
-ocm.software/open-component-model/bindings/go/constructor v0.0.0-20250909064434-e1a06fe74668/go.mod h1:fLBedpjfl42v2XO4gHeTKii77xH+zU0d/yCKtCneuLg=
-ocm.software/open-component-model/bindings/go/credentials v0.0.1 h1:iT2RlZthTfy8mMP6s7BF/gr8EV/HWvTcFijvRc4YUFw=
-ocm.software/open-component-model/bindings/go/credentials v0.0.1/go.mod h1:eLLVJAztmxMPJMd15XcJXJ8u3cKNNmGvVexTKn0WCIk=
+ocm.software/open-component-model/bindings/go/constructor v0.0.0-20250915165427-710b0c881b3c h1:kSORPW3ZNipMowEoy+AthuFc8YnldVJfnLDCEnaksnE=
+ocm.software/open-component-model/bindings/go/constructor v0.0.0-20250915165427-710b0c881b3c/go.mod h1:YHHse9b0cE/rD/3tnIBGQcfppbjafhoeJC1IljgywoQ=
+ocm.software/open-component-model/bindings/go/credentials v0.0.2 h1:PYCu8QYgY7+KcOVLCc0TYJ5PLhXgU7+lbfcrgA0zjyE=
+ocm.software/open-component-model/bindings/go/credentials v0.0.2/go.mod h1:B1RJDS5dV59Z+PBw2bddP8Ks63dr43QrNB7SkNEr6cg=
+ocm.software/open-component-model/bindings/go/ctf v0.2.0 h1:BGZ+irknUVjZkOjL5j5bK5shmGWbOjpszfuETkPndVw=
+ocm.software/open-component-model/bindings/go/ctf v0.2.0/go.mod h1:L9JjTdoWDybr2YY9zXCsCAtNLracxW3aMK2f2TrqYZo=
 ocm.software/open-component-model/bindings/go/dag v0.0.4 h1:V77o/AUjkmEDQPktKPpKTkrFIFHIPJG32TKmtJXh8t8=
 ocm.software/open-component-model/bindings/go/dag v0.0.4/go.mod h1:Qr/gPg19CLloGSVqVyxyKiPUPctFMkwNa5qpnvvBbZc=
-ocm.software/open-component-model/bindings/go/descriptor/runtime v0.0.0-20250909064434-e1a06fe74668 h1:5cepIdT9AQKObFaxRw9m+qbtZp/j3dtPf5JsXlwl84c=
-ocm.software/open-component-model/bindings/go/descriptor/runtime v0.0.0-20250909064434-e1a06fe74668/go.mod h1:mQepbkWCdzm8W8/In1Q5QqQDibvimAt5eKtH0wvS72E=
+ocm.software/open-component-model/bindings/go/descriptor/normalisation v0.0.0-20250912092813-396078c6d574 h1:XzI9l5+9NNp2XRsICQRnRT6cpjs5+FYKGu9HDydvwD0=
+ocm.software/open-component-model/bindings/go/descriptor/normalisation v0.0.0-20250912092813-396078c6d574/go.mod h1:qBvCDn909Pkwr3EDAnzvnJOV0jSsl2+Ab3Rs22quMv4=
+ocm.software/open-component-model/bindings/go/descriptor/runtime v0.0.0-20250915165427-710b0c881b3c h1:Zge0CA+uRIg4yKHNa1H6Vs4Wq4NdSnJu3ByJ88JgtKo=
+ocm.software/open-component-model/bindings/go/descriptor/runtime v0.0.0-20250915165427-710b0c881b3c/go.mod h1:mQepbkWCdzm8W8/In1Q5QqQDibvimAt5eKtH0wvS72E=
 ocm.software/open-component-model/bindings/go/descriptor/v2 v2.0.1-alpha3 h1:daGC2XnJEJkukGdhvKxobUH+vF5TKYPlVQ6nl5ASdFM=
 ocm.software/open-component-model/bindings/go/descriptor/v2 v2.0.1-alpha3/go.mod h1:nnLzPfpD2zy9YUgIuQxA3vCmUUKFQqSCl6jFAQXVE8M=
-ocm.software/open-component-model/bindings/go/repository v0.0.0-20250909064434-e1a06fe74668 h1:W+W0JCbfK9VHuAPFYPMztitiKgDhZqgLk1fEBTqla24=
-ocm.software/open-component-model/bindings/go/repository v0.0.0-20250909064434-e1a06fe74668/go.mod h1:SBR5IbnJ+r7ggJ0X6LIXsi3l6cGe/FT+j2KZLJ/xsds=
+ocm.software/open-component-model/bindings/go/oci v0.0.7 h1:ognKj/Y7q1fDijU65pvBjP0p6OIuZS5uk/ySRZyzqgw=
+ocm.software/open-component-model/bindings/go/oci v0.0.7/go.mod h1:Q/y/aIlp9PV/fxRuCeqyoPczgSudw7/9D17s4CYaPlI=
+ocm.software/open-component-model/bindings/go/repository v0.0.0-20250915165427-710b0c881b3c h1:xkJZe9AD2uawXJF2F764MM0kRnX1dqHZx3K2c7EVFkY=
+ocm.software/open-component-model/bindings/go/repository v0.0.0-20250915165427-710b0c881b3c/go.mod h1:VvTUl90bjymXixw9YqYhHWC/rjY+3wOj1MtldgUWa7Y=
 ocm.software/open-component-model/bindings/go/runtime v0.0.2 h1:YA20enOxMsk4gDWF+Anltwkc616dXebfgPz/0Bl0EKE=
 ocm.software/open-component-model/bindings/go/runtime v0.0.2/go.mod h1:9qeyWvvxkua6NyDVGxeQV6B022WqoAfdU/JnuImm1ws=
+ocm.software/open-component-model/bindings/go/signing v0.0.0-20250915165427-710b0c881b3c h1:293h1NwrjXXg2+zNDUCVhd+Gn7tNGx7wt8qCKJmw9wM=
+ocm.software/open-component-model/bindings/go/signing v0.0.0-20250915165427-710b0c881b3c/go.mod h1:RwFu7vYYDxh0N8WIJLwxi0xdAZS3Y5ZagaJUIgZNNWU=
+oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
+oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
@@ -0,0 +1,99 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"flag"
+	"fmt"
+	"log/slog"
+	"os"
+
+	v2 "ocm.software/open-component-model/bindings/go/descriptor/v2"
+	plugin "ocm.software/open-component-model/bindings/go/plugin/client/sdk"
+	"ocm.software/open-component-model/bindings/go/plugin/internal/dummytype"
+	dummyv1 "ocm.software/open-component-model/bindings/go/plugin/internal/dummytype/v1"
+	v1 "ocm.software/open-component-model/bindings/go/plugin/manager/contracts/signing/v1"
+	"ocm.software/open-component-model/bindings/go/plugin/manager/endpoints"
+	"ocm.software/open-component-model/bindings/go/plugin/manager/registries/signinghandler"
+	"ocm.software/open-component-model/bindings/go/plugin/manager/types"
+	"ocm.software/open-component-model/bindings/go/runtime"
+)
+
+type TestSigningPlugin struct{}
+
+func (m *TestSigningPlugin) GetSignerIdentity(ctx context.Context, req *v1.GetSignerIdentityRequest[*dummyv1.Repository]) (*v1.IdentityResponse, error) {
+	return &v1.IdentityResponse{Identity: map[string]string{"id": "signer"}}, nil
+}
+
+func (m *TestSigningPlugin) Sign(ctx context.Context, request *v1.SignRequest[*dummyv1.Repository], credentials map[string]string) (*v1.SignResponse, error) {
+	return &v1.SignResponse{Signature: &v2.SignatureInfo{Algorithm: "rsa", Value: "sig", MediaType: "text/plain"}}, nil
+}
+
+func (m *TestSigningPlugin) GetVerifierIdentity(ctx context.Context, req *v1.GetVerifierIdentityRequest[*dummyv1.Repository]) (*v1.IdentityResponse, error) {
+	return &v1.IdentityResponse{Identity: map[string]string{"id": "verifier"}}, nil
+}
+
+func (m *TestSigningPlugin) Verify(ctx context.Context, request *v1.VerifyRequest[*dummyv1.Repository], credentials map[string]string) (*v1.VerifyResponse, error) {
+	return &v1.VerifyResponse{}, nil
+}
+
+func (m *TestSigningPlugin) Ping(_ context.Context) error { return nil }
+
+var _ v1.SignatureHandlerContract[*dummyv1.Repository] = &TestSigningPlugin{}
+
+func main() {
+	args := os.Args[1:]
+	// log messages are shared over stderr by convention established by the plugin manager.
+	logger := slog.New(slog.NewJSONHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug}))
+
+	scheme := runtime.NewScheme()
+	dummytype.MustAddToScheme(scheme)
+	capabilities := endpoints.NewEndpoints(scheme)
+
+	if err := signinghandler.RegisterPlugin(&dummyv1.Repository{}, &TestSigningPlugin{}, capabilities); err != nil {
+		logger.Error("failed to register test signing plugin", "error", err.Error())
+		os.Exit(1)
+	}
+
+	if len(args) > 0 && args[0] == "capabilities" {
+		content, err := json.Marshal(capabilities)
+		if err != nil {
+			logger.Error("failed to marshal capabilities", "error", err)
+			os.Exit(1)
+		}
+		if _, err := fmt.Fprintln(os.Stdout, string(content)); err != nil {
+			logger.Error("failed print capabilities", "error", err)
+			os.Exit(1)
+		}
+		os.Exit(0)
+	}
+
+	// Parse command-line arguments
+	configData := flag.String("config", "", "Plugin config.")
+	flag.Parse()
+	if configData == nil || *configData == "" {
+		logger.Error("missing required flag --config")
+		os.Exit(1)
+	}
+
+	conf := types.Config{}
+	if err := json.Unmarshal([]byte(*configData), &conf); err != nil {
+		logger.Error("failed to unmarshal config", "error", err)
+		os.Exit(1)
+	}
+	if conf.ID == "" {
+		logger.Error("plugin config has no ID")
+		os.Exit(1)
+	}
+
+	separateContext := context.Background()
+	ocmPlugin := plugin.NewPlugin(separateContext, logger, conf, os.Stdout)
+	if err := ocmPlugin.RegisterHandlers(capabilities.GetHandlers()...); err != nil {
+		logger.Error("failed to register handlers", "error", err)
+		os.Exit(1)
+	}
+	if err := ocmPlugin.Start(context.Background()); err != nil {
+		logger.Error("failed to start plugin", "error", err)
+		os.Exit(1)
+	}
+}
@@ -0,0 +1,25 @@
+package v1
+
+import (
+	"context"
+
+	"ocm.software/open-component-model/bindings/go/plugin/manager/contracts"
+	"ocm.software/open-component-model/bindings/go/runtime"
+)
+
+type SignerPluginContract[T runtime.Typed] interface {
+	contracts.PluginBase
+	GetSignerIdentity(ctx context.Context, typ *GetSignerIdentityRequest[T]) (*IdentityResponse, error)
+	Sign(ctx context.Context, request *SignRequest[T], credentials map[string]string) (*SignResponse, error)
+}
+
+type VerifierPluginContract[T runtime.Typed] interface {
+	contracts.PluginBase
+	GetVerifierIdentity(ctx context.Context, typ *GetVerifierIdentityRequest[T]) (*IdentityResponse, error)
+	Verify(ctx context.Context, request *VerifyRequest[T], credentials map[string]string) (*VerifyResponse, error)
+}
+
+type SignatureHandlerContract[T runtime.Typed] interface {
+	SignerPluginContract[T]
+	VerifierPluginContract[T]
+}
@@ -0,0 +1,12 @@
+// Package v1 contains the contracts and types for OCM plugins.
+//
+// It defines interfaces for interacting with OCM repositories and resources,
+// enabling plugins to read from and write to them.
+//
+// The contracts are categorized based on their functionality:
+//
+//   - SignerPluginContract: Defines methods for signing digests
+//   - VerifierPluginContract: Defines methods for verifying signatures
+//
+// The types define the request and response structures used by these contracts.
+package v1
@@ -0,0 +1,35 @@
+package v1
+
+import (
+	v2 "ocm.software/open-component-model/bindings/go/descriptor/v2"
+	"ocm.software/open-component-model/bindings/go/runtime"
+)
+
+type SignRequest[T runtime.Typed] struct {
+	// Digest that should be signed.
+	Digest *v2.Digest `json:"digest"`
+	Config T          `json:"config"`
+}
+type SignResponse struct {
+	Signature *v2.SignatureInfo `json:"signature"`
+}
+
+type VerifyRequest[T runtime.Typed] struct {
+	Signature *v2.Signature `json:"signature"`
+	Config    T             `json:"config"`
+}
+
+type VerifyResponse struct{}
+
+type GetSignerIdentityRequest[T runtime.Typed] struct {
+	SignRequest[T] `json:",inline"`
+	Name           string `json:"name"`
+}
+
+type GetVerifierIdentityRequest[T runtime.Typed] struct {
+	VerifyRequest[T] `json:",inline"`
+}
+
+type IdentityResponse struct {
+	Identity map[string]string `json:"identity"`
+}
@@ -22,6 +22,7 @@ import (
 	"ocm.software/open-component-model/bindings/go/plugin/manager/registries/digestprocessor"
 	"ocm.software/open-component-model/bindings/go/plugin/manager/registries/input"
 	"ocm.software/open-component-model/bindings/go/plugin/manager/registries/resource"
+	"ocm.software/open-component-model/bindings/go/plugin/manager/registries/signinghandler"
 	mtypes "ocm.software/open-component-model/bindings/go/plugin/manager/types"
 )
 
@@ -38,6 +39,7 @@ type PluginManager struct {
 	DigestProcessorRegistry            *digestprocessor.RepositoryRegistry
 	ResourcePluginRegistry             *resource.ResourceRegistry
 	BlobTransformerRegistry            *blobtransformer.Registry
+	SigningRegistry                    *signinghandler.SigningRegistry
 
 	mu sync.Mutex
 
@@ -58,6 +60,7 @@ func NewPluginManager(ctx context.Context) *PluginManager {
 		DigestProcessorRegistry:            digestprocessor.NewDigestProcessorRegistry(ctx),
 		ResourcePluginRegistry:             resource.NewResourceRegistry(ctx),
 		BlobTransformerRegistry:            blobtransformer.NewBlobTransformerRegistry(ctx),
+		SigningRegistry:                    signinghandler.NewSigningRegistry(ctx),
 		baseCtx:                            ctx,
 	}
 }
@@ -156,6 +159,7 @@ func (pm *PluginManager) Shutdown(ctx context.Context) error {
 		pm.DigestProcessorRegistry.Shutdown(ctx),
 		pm.ResourcePluginRegistry.Shutdown(ctx),
 		pm.BlobTransformerRegistry.Shutdown(ctx),
+		pm.SigningRegistry.Shutdown(ctx),
 	)
 
 	return errs
@@ -278,6 +282,11 @@ func (pm *PluginManager) addPlugin(ctx context.Context, ocmConfig *genericv1.Con
 			if err := pm.BlobTransformerRegistry.AddPlugin(plugin, typs[0].Type); err != nil {
 				return fmt.Errorf("failed to register plugin %s: %w", plugin.ID, err)
 			}
+		case mtypes.SigningHandlerPluginType:
+			slog.DebugContext(ctx, "adding signing plugin", "id", plugin.ID)
+			if err := pm.SigningRegistry.AddPlugin(plugin, typs[0].Type); err != nil {
+				return fmt.Errorf("failed to register plugin %s: %w", plugin.ID, err)
+			}
 		}
 	}
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@ import (`
`22`	`22`	`"ocm.software/open-component-model/bindings/go/plugin/manager/registries/digestprocessor"`
`23`	`23`	`"ocm.software/open-component-model/bindings/go/plugin/manager/registries/input"`
`24`	`24`	`"ocm.software/open-component-model/bindings/go/plugin/manager/registries/resource"`
	`25`	`+ "ocm.software/open-component-model/bindings/go/plugin/manager/registries/signinghandler"`
`25`	`26`	`mtypes "ocm.software/open-component-model/bindings/go/plugin/manager/types"`
`26`	`27`	`)`
`27`	`28`
`@@ -38,6 +39,7 @@ type PluginManager struct {`
`38`	`39`	`DigestProcessorRegistry *digestprocessor.RepositoryRegistry`
`39`	`40`	`ResourcePluginRegistry *resource.ResourceRegistry`
`40`	`41`	`BlobTransformerRegistry *blobtransformer.Registry`
	`42`	`+ SigningRegistry *signinghandler.SigningRegistry`
`41`	`43`
`42`	`44`	`mu sync.Mutex`
`43`	`45`
`@@ -58,6 +60,7 @@ func NewPluginManager(ctx context.Context) *PluginManager {`
`58`	`60`	`DigestProcessorRegistry: digestprocessor.NewDigestProcessorRegistry(ctx),`
`59`	`61`	`ResourcePluginRegistry: resource.NewResourceRegistry(ctx),`
`60`	`62`	`BlobTransformerRegistry: blobtransformer.NewBlobTransformerRegistry(ctx),`
	`63`	`+ SigningRegistry: signinghandler.NewSigningRegistry(ctx),`
`61`	`64`	`baseCtx: ctx,`
`62`	`65`	`}`
`63`	`66`	`}`
`@@ -156,6 +159,7 @@ func (pm *PluginManager) Shutdown(ctx context.Context) error {`
`156`	`159`	`pm.DigestProcessorRegistry.Shutdown(ctx),`
`157`	`160`	`pm.ResourcePluginRegistry.Shutdown(ctx),`
`158`	`161`	`pm.BlobTransformerRegistry.Shutdown(ctx),`
	`162`	`+ pm.SigningRegistry.Shutdown(ctx),`
`159`	`163`	`)`
`160`	`164`
`161`	`165`	`return errs`
`@@ -278,6 +282,11 @@ func (pm PluginManager) addPlugin(ctx context.Context, ocmConfig genericv1.Con`
`278`	`282`	`if err := pm.BlobTransformerRegistry.AddPlugin(plugin, typs[0].Type); err != nil {`
`279`	`283`	`return fmt.Errorf("failed to register plugin %s: %w", plugin.ID, err)`
`280`	`284`	`}`
	`285`	`+ case mtypes.SigningHandlerPluginType:`
	`286`	`+ slog.DebugContext(ctx, "adding signing plugin", "id", plugin.ID)`
	`287`	`+ if err := pm.SigningRegistry.AddPlugin(plugin, typs[0].Type); err != nil {`
	`288`	`+ return fmt.Errorf("failed to register plugin %s: %w", plugin.ID, err)`
	`289`	`+ }`
`281`	`290`	`}`
`282`	`291`	`}`
`283`	`292`