# Public Keys

Call Theory public keys for verification of signed containers from our container registery. 

## Verifying Calltheory container images

All images published to `cr.calltheory.com/orbital/*` are signed with Cosign.

## Install cosign

```bash
curl -sSL -o /usr/local/bin/cosign \
    https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
chmod +x /usr/local/bin/cosign
```

## Get the public key

```bash
curl -O https://git.calltheory.com/calltheory/public-keys/raw/branch/main/keys/cosign.pub
```

## Verify an image

```bash
cosign verify --key cosign.pub cr.calltheory.com/orbital/smoketest@sha256:abc123...
```

## Verify in Kubernetes

For automated verification, install *Sigstore Policy Controller* or
similar admission controller and configure it to trust this key for
images matching `cr.calltheory.com/orbital/*`.