oras
General info
oras is a client which allows for the pushing/pulling of arbitrary artifacts to/from a registry.
Media type: (any)
Client homepage: https://github.com/deislabs/oras
Usage
Authentication
First, set the BB_USER environment variable to your Bundle Bar username:
BB_USER="<insert_username_here>"
Next, create a token in the Bundle Bar UI and copy it into your clipboard. Set it in the BB_TOKEN environment variable using one of the following commands:
BB_TOKEN="<insert_token_here>" # manual copy-paste
BB_TOKEN="$(pbpaste)" # with pbpaste
BB_TOKEN="$(xclip -o)" # with xclip
Note: the previous commands are intentionally prefixed with a space to prevent them from appearing in your history. This can be enabled in your shell with export HISTCONTROL=ignoreboth.
Finally, run the following command to log in to Bundle Bar using oras:
echo "$BB_TOKEN" | oras login bundle.bar -u $BB_USER --password-stdin
Pushing
# 1. Create any artifact to push
echo "Welcome to Bundle Bar" > welcome.txt
# 2. Push the artifact
oras push bundle.bar/u/$BB_USER/oras/welcome:v1 welcome.txt:text/plain
Changing the media type of the artifact
# 1. Create any artifact to push
echo "Greetings, friend" > greetings.txt
# 2. Create a bare manifest config
echo "{}" > config.json
# 3. Push the artifact, with any media type you like
oras push --manifest-config config.json:application/arbitrary.artifact.media.type \
bundle.bar/u/$BB_USER/oras/greetings:v1 greetings.txt
Pulling
# 1. Pull the artifact
oras pull bundle.bar/u/$BB_USER/oras/welcome:v1
# 2. Check it out
cat welcome.txt
Installation
Official docs
Please see https://github.com/deislabs/oras#cli-installation.
Bundle Bar CDN
Bundle Bar provides a secure mirror of the latest version of oras on the following platforms:
- Mac x86-64
- Linux x86-64
Release artifacts were downloaded from here and should have identical checksums.
Mac x86-64
Latest version
| Version | Filename | SHA-256 checksum |
|---|---|---|
| 0.8.1 | oras_0.8.1_darwin_amd64.tar.gz | 22bb05b5d73ba5d8746dc6e52805cc212b9dafd84ebd8c14a88343701a4d645b |
Install instructions
ORAS_VERSION="0.8.1"
ORAS_FILENAME="oras_0.8.1_darwin_amd64.tar.gz"
ORAS_CHECKSUM="22bb05b5d73ba5d8746dc6e52805cc212b9dafd84ebd8c14a88343701a4d645b"
# 1. Download the release artifact
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}"
# 2. Verify the checksum
shasum -a 256 "${ORAS_FILENAME}" | grep "^${ORAS_CHECKSUM} "
# 3. Extract the tarball
tar -xvf "${ORAS_FILENAME}"
# 4. Move binary into PATH
mv oras /usr/local/bin
# 5. Verify install
oras version
Optional: Validate signatures
For additional security, the release artifact has been signed using Bundle Bar's GPG key. Prior to extracting the tarball (step 3 above), run the following commands to import our public key and validate the signature:
# 1. Import our public key (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D)
curl -sL "https://cdn.bundle.bar/keys/bundlebar-2020-08-18.pub" | gpg --import
# 2. Download the signature file
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}.asc"
# 3. Validate the signature
[[ $(gpg --verify --status-fd=1 "${ORAS_FILENAME}.asc" | \
grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') -ge 2 ]] || \
(echo "ERROR: Failed to verify signature" && exit 1)
Linux x86-64
| Version | Filename | SHA-256 checksum |
|---|---|---|
0.8.1 | oras_0.8.1_linux_amd64.tar.gz | da3eced65688163acc1a45c034a96a02fb54bc5eaee9d614340d0d7551a28ec7 |
Install instructions
ORAS_VERSION="0.8.1"
ORAS_FILENAME="oras_0.8.1_linux_amd64.tar.gz"
ORAS_CHECKSUM="da3eced65688163acc1a45c034a96a02fb54bc5eaee9d614340d0d7551a28ec7"
# 1. Download the release artifact
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}"
# 2. Verify the checksum
shasum -a 256 "${ORAS_FILENAME}" | grep "^${ORAS_CHECKSUM} "
# 3. Extract the tarball
tar -xvf "${ORAS_FILENAME}"
# 4. Move binary into PATH
mv oras /usr/local/bin
# 5. Verify install
oras version
Optional: Validate signatures
For additional security, the release artifact has been signed using Bundle Bar's GPG key. Prior to extracting the tarball (step 3 above), run the following commands to import our public key and validate the signature:
# 1. Import our public key (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D)
curl -sL "https://cdn.bundle.bar/keys/bundlebar-2020-08-18.pub" | gpg --import
# 2. Download the signature file
curl -LO "https://cdn.bundle.bar/clients/oras/${ORAS_VERSION}/${ORAS_FILENAME}.asc"
# 3. Validate the signature
[[ $(gpg --verify --status-fd=1 "${ORAS_FILENAME}.asc" | \
grep -c -E '^\[GNUPG:\] (GOODSIG|VALIDSIG)') -ge 2 ]] || \
(echo "ERROR: Failed to verify signature" && exit 1)