# Public Keys

 Public keys you may need when working with Call Theory.

## Call Theory SSH Public Key

Add to your `authorized_keys` file for the SSH user Call Theory uses to access your server(s).

- [calltheory.pub](calltheory.pub)

---

## Call Theory Container Registry

Call Theory public keys for verification of signed containers from our container registery. All images published to `cr.calltheory.com/orbital/*` are signed with [cosign](https://github.com/sigstore/cosign).

### Install cosign

> You will need to install `cosign` first to validate our signed containers. More information can be found [here](https://github.com/sigstore/cosign).

### Login to the Call Theory container registery

Run `podman login cr.calltheory.com` (or `docker login cr.calltheory.com`) before trying to verify the signature on our containers.

We will create and share a *"robot"* account with you for access:

- Container registery username: `calltheory$orbital+yourcompany`
- Container registery password: `<redacted>`

Once you have logged in, you can verify signatures using [cosign.pub](cosign.pub), our public key.

### Get the public key

```bash
curl -O https://git.calltheory.com/calltheory/public-keys/raw/branch/main/keys/cosign.pub
```

### Verify an image

```bash
cosign verify --key cosign.pub cr.calltheory.com/orbital/smoketest@sha256:abc123...
```

### Verify in Kubernetes

For automated verification, install *Sigstore Policy Controller* or
similar admission controller and configure it to trust this key for
images matching `cr.calltheory.com/orbital/*`.