From b3fc643a44e4c5896d5ae9ff69a0363464c07109 Mon Sep 17 00:00:00 2001
From: Patrick <patrick.labbett@calltheory.com>
Date: Wed, 29 Apr 2026 20:56:05 +0000
Subject: [PATCH] Add README.md

---
 README.md | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..f7809f3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,33 @@
+# Public Keys
+
+Call Theory public keys for verification of signed containers from our container registery. 
+
+## Verifying Calltheory container images
+
+All images published to `cr.calltheory.com/orbital/*` are signed with Cosign.
+
+## Install cosign
+
+```bash
+curl -sSL -o /usr/local/bin/cosign \
+    https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
+chmod +x /usr/local/bin/cosign
+```
+
+## Get the public key
+
+```bash
+curl -O https://git.calltheory.com/calltheory/public-keys/raw/branch/main/keys/cosign.pub
+```
+
+## Verify an image
+
+```bash
+cosign verify --key cosign.pub cr.calltheory.com/orbital/smoketest@sha256:abc123...
+```
+
+## Verify in Kubernetes
+
+For automated verification, install *Sigstore Policy Controller* or
+similar admission controller and configure it to trust this key for
+images matching `cr.calltheory.com/orbital/*`.
\ No newline at end of file