Bundle Format

OXP bundles are OCI artifacts signed with Sigstore (or Ed25519 for offline use). Both standards are adopted verbatim — OXP adds only the manifest schema and artifact media types.

The .oxp File

A .oxp file is a POSIX tar archive compressed with zstd level 19.

Key properties:

• **oxp.json is always the first tar entry** — enables streaming validation
• Entries are in lexicographic order — deterministic builds
• **All mtimes are 1980-01-01T00:00:00Z** — identical inputs produce identical hashes
• **Modes: 0644 for files, 0755 for directories** — reproducible

Bundle Digest

The digest is the SHA-256 of the uncompressed tar stream (not the compressed file). This is stable across recompression and matches how OCI content-addresses layers.

Per-File Integrity

oxp publish generates .oxp/integrity.json:

{
  "specVersion": "1",
  "algorithm": "sha-256",
  "files": {
    "oxp.json": "e3b0c44...",
    "ui/index.html": "a4d2...",
    "wasm/core.wasm": "9b1c..."
  }
}

Hosts verify per-file digests on extract. Mismatches are hard errors.

Signing

Ed25519 (default, offline-capable)

Every oxp pack signs the bundle digest with an Ed25519 key stored at ~/.oxp/keys/. The signature is written to .oxp/SIGNATURE:

{
  "alg": "ed25519",
  "keyId": "ed25519:0x...",
  "signature": "base64...",
  "payload": { "digest": "sha256:...", "signedAt": "rfc3339" }
}

Sigstore (keyless, transparency-logged)

For maximum trust, OXP supports Sigstore keyless signing. The signature includes a Fulcio certificate, OIDC identity proof, and Rekor inclusion proof.

OCI Representation

OXP bundles are stored in any OCI-compliant registry. Media types:

This means Docker Hub, GHCR, ECR, GAR, Harbor, and any OCI registry can host OXP bundles. Mirroring is a single command:

oras copy oci.oxp.sh/acme/postgres:1.4.2 internal.corp/oxp/acme/postgres:1.4.2

Size Limits