Built for modern registry workflows
Blobber makes OCI registries behave like a file store while keeping the full benefits of existing auth, caching, and immutability.
Stream Without Downloading
List and read individual files from OCI images without downloading the entire layer. Powered by eStargz.
Standard OCI
Works with any OCI-compliant registry (GHCR, Docker Hub, ECR, GCR). No special server-side software required.
Go Library & CLI
Use it as a standalone CLI tool for scripts or embed it directly into your Go applications as a library.
Supply Chain Security
Sign artifacts with Sigstore for provenance. Verify signatures before pulling to ensure integrity.
List, inspect, and stream with eStargz
eStargz keeps a table of contents inside the image so Blobber can list files instantly and stream a single path on demand.
- Inspect large images without pulling layers.
- Stream a single file for config or secrets.
- Pin by digest for immutable, reproducible builds.
- Sign with Sigstore for supply chain security.
Works with the registries you already use
Blobber relies on standard OCI APIs, so there is no server-side setup or special infrastructure to deploy.
Simple and powerful
Use Blobber as a CLI for scripts or as a Go library in your services. The API is tiny, the behavior is predictable, and it works anywhere an OCI registry does.
- CLI
- Go Library
# Push a directory to a registry
blobber push ./config ghcr.io/myorg/config:v1
# Push with Sigstore signing
blobber push --sign ./config ghcr.io/myorg/config:v1
# Pull with signature verification
blobber pull --verify --verify-issuer https://accounts.google.com \
--verify-subject dev@company.com ghcr.io/myorg/config:v1 ./out
# Stream a single file to stdout
blobber cat ghcr.io/myorg/config:v1 app.yaml
package main
import (
"context"
"os"
"github.com/meigma/blobber"
"github.com/meigma/blobber/sigstore"
)
func main() {
ctx := context.Background()
// Create client with Sigstore signing
signer, _ := sigstore.NewSigner(sigstore.WithEphemeralKey())
client, _ := blobber.NewClient(blobber.WithSigner(signer))
// Push signs automatically
client.Push(ctx, "ghcr.io/myorg/config:v1", os.DirFS("./config"))
// Verify signatures on pull
verifier, _ := sigstore.NewVerifier(
sigstore.WithIdentity("https://accounts.google.com", "dev@company.com"),
)
verified, _ := blobber.NewClient(blobber.WithVerifier(verifier))
verified.Pull(ctx, "ghcr.io/myorg/config:v1", "./out")
}
Ship files like images.
Start with the CLI or embed the Go client. Blobber stays small and predictable while giving you registry-native storage.