oras

General info

oras is a client which allows for the pushing/pulling of arbitrary artifacts to/from a registry.

Media type: (any)

Client homepage: https://github.com/deislabs/oras

Usage

Authentication

First, set the BB_USER environment variable to your Bundle Bar username:

BB_USER="<insert_username_here>"

Next, create a token in the Bundle Bar UI and copy it into your clipboard. Set it in the BB_TOKEN environment variable using one of the following commands:

 BB_TOKEN="<insert_token_here>"  # manual copy-paste
 BB_TOKEN="$(pbpaste)"           # with pbpaste
 BB_TOKEN="$(xclip -o)"          # with xclip

Note: the BB_TOKEN commands above are intentionally prefixed with a space so that they are not saved to your shell history. In bash, this behaviour is enabled with export HISTCONTROL=ignoreboth; in zsh, the equivalent is setopt HIST_IGNORE_SPACE.

Finally, run the following command to log in to Bundle Bar using oras:

echo "$BB_TOKEN" | oras login bundle.bar -u "$BB_USER" --password-stdin

Pushing

# 1. Create any artifact to push
echo "Welcome to Bundle Bar" > welcome.txt

# 2. Push the artifact
oras push bundle.bar/u/$BB_USER/oras/welcome:v1 welcome.txt:text/plain

Changing the media type of the artifact

# 1. Create any artifact to push
echo "Greetings, friend" > greetings.txt

# 2. Create a bare manifest config
echo "{}" > config.json

# 3. Push the artifact, with any media type you like
oras push --manifest-config config.json:application/arbitrary.artifact.media.type \
         bundle.bar/u/$BB_USER/oras/greetings:v1 greetings.txt

Pulling

# 1. Pull the artifact
oras pull bundle.bar/u/$BB_USER/oras/welcome:v1

# 2. Check it out
cat welcome.txt

Installation

Official docs

Please see https://github.com/deislabs/oras#cli-installation.

Bundle Bar CDN

Bundle Bar provides a secure mirror of the latest version of oras on the following platforms:

  • Mac x86-64
  • Linux x86-64

Release artifacts were downloaded from here and should have identical checksums.

Mac x86-64

Latest version

Version: 0.8.1
Filename: oras_0.8.1_darwin_amd64.tar.gz
SHA-256 checksum: 22bb05b5d73ba5d8746dc6e52805cc212b9dafd84ebd8c14a88343701a4d645b

Install instructions

ORAS_VERSION="0.8.1"
ORAS_FILENAME="oras_0.8.1_darwin_amd64.tar.gz"
ORAS_CHECKSUM="22bb05b5d73ba5d8746dc6e52805cc212b9dafd84ebd8c14a88343701a4d645b"

# 1. Download the release artifact
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}"

# 2. Verify the checksum (prints the matching line; no output means a mismatch)
shasum -a 256 "${ORAS_FILENAME}" | grep "^${ORAS_CHECKSUM} "

# 3. Extract the tarball
tar -xvf "${ORAS_FILENAME}"

# 4. Move binary into PATH
mv oras /usr/local/bin

# 5. Verify install
oras version

Optional: Validate signatures

For additional security, the release artifact has been signed using Bundle Bar's GPG key. Prior to extracting the tarball (step 3 above), run the following commands to import our public key and validate the signature:

# 1. Import our public key (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D)
curl -sL "https://cdn.bundle.bar/keys/bundlebar-2020-08-18.pub" | gpg --import

# 2. Download the signature file
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}.asc"

# 3. Validate the signature
[[ $(gpg --verify --status-fd=1 "${ORAS_FILENAME}.asc" | \
    grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') -ge 2 ]] || \
    (echo "ERROR: Failed to verify signature" && exit 1)

Linux x86-64

Version: 0.8.1
Filename: oras_0.8.1_linux_amd64.tar.gz
SHA-256 checksum: da3eced65688163acc1a45c034a96a02fb54bc5eaee9d614340d0d7551a28ec7

Install instructions

ORAS_VERSION="0.8.1"
ORAS_FILENAME="oras_0.8.1_linux_amd64.tar.gz"
ORAS_CHECKSUM="da3eced65688163acc1a45c034a96a02fb54bc5eaee9d614340d0d7551a28ec7"

# 1. Download the release artifact
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}"

# 2. Verify the checksum (prints the matching line; no output means a mismatch)
shasum -a 256 "${ORAS_FILENAME}" | grep "^${ORAS_CHECKSUM} "

# 3. Extract the tarball
tar -xvf "${ORAS_FILENAME}"

# 4. Move binary into PATH
mv oras /usr/local/bin

# 5. Verify install
oras version

Optional: Validate signatures

For additional security, the release artifact has been signed using Bundle Bar's GPG key. Prior to extracting the tarball (step 3 above), run the following commands to import our public key and validate the signature:

# 1. Import our public key (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D)
curl -sL "https://cdn.bundle.bar/keys/bundlebar-2020-08-18.pub" | gpg --import

# 2. Download the signature file
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}.asc"

# 3. Validate the signature
[[ $(gpg --verify --status-fd=1 "${ORAS_FILENAME}.asc" | \
    grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') -ge 2 ]] || \
    (echo "ERROR: Failed to verify signature" && exit 1)
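
The signature check in step 3 counts GOODSIG and VALIDSIG status lines, which gpg emits for a good signature from any key already in the keyring. The following added example (not Bundle Bar's or the oras project's code) additionally requires the VALIDSIG fingerprint to match the fingerprint published above. The function names and the sample status lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pin the signer fingerprint when checking gpg status output.
# Fingerprint as published on this page.
BB_FPR="0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D"

# check_gpg_status FPR  (hypothetical helper)
# Reads `gpg --verify --status-fd=1` output on stdin. Succeeds only when:
#   - a GOODSIG line is present,
#   - a VALIDSIG line names FPR as the signing key (field 3) or as the
#     primary key (last field, set when a subkey made the signature),
#   - no BADSIG/ERRSIG/EXPSIG/EXPKEYSIG/REVKEYSIG line is present.
check_gpg_status() {
    awk -v want="$1" '
        BEGIN { want = toupper(want) }
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# verify_release FILE.asc  (hypothetical wrapper around the page's gpg call)
verify_release() {
    gpg --verify --status-fd=1 "$1" 2>/dev/null | check_gpg_status "$BB_FPR"
}

# Constructed status output, not captured from a real gpg run.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 65639A2346DC9F5D Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D 2020-08-18 1597708800 0 4 0 1 8 00 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D'
# Constructed: a good signature from a different key in the keyring.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Other Key <other@example.invalid>
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2020-08-18 1597708800 0 4 0 1 8 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

printf '%s\n' "$SAMPLE_PINNED" | check_gpg_status "$BB_FPR" && echo "pinned key: accepted"
printf '%s\n' "$SAMPLE_OTHER"  | check_gpg_status "$BB_FPR" || echo "other key: rejected"
```

In the install flow, run verify_release "${ORAS_FILENAME}.asc" before step 3 and stop if it returns non-zero.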