# Public Keys

Public keys you may need when working with Call Theory.

## Call Theory SSH Public Key

Add to your `authorized_keys` file for the SSH user Call Theory uses to access your server(s).

- [calltheory.pub](calltheory.pub)

---

## Call Theory Container Registry
Call Theory public keys for verification of signed containers from our container registry. All images published to `cr.calltheory.com/orbital/*` are signed with [cosign](https://github.com/sigstore/cosign).

### Install cosign

> You will need to install `cosign` first to validate our signed containers. More information can be found [here](https://github.com/sigstore/cosign).

### Log in to the Call Theory container registry
Run `podman login cr.calltheory.com` (or `docker login cr.calltheory.com`) before trying to verify the signature on our containers.

We will create and share a *"robot"* account with you for access:

- Container registry username: `calltheory$orbital+yourcompany`
- Container registry password: `<redacted>`

Once you have logged in, you can verify signatures using [cosign.pub](cosign.pub), our public key.

### Get the public key
```bash
curl -O https://git.calltheory.com/calltheory/public-keys/raw/branch/main/keys/cosign.pub
```

### Verify an image
```bash
cosign verify --key cosign.pub cr.calltheory.com/orbital/smoketest@sha256:abc123...
```

### Verify in Kubernetes
For automated verification, install *Sigstore Policy Controller* or a similar admission controller and configure it to trust this key for images matching `cr.calltheory.com/orbital/*`.
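
An added example, not from the Call Theory repository: a `ClusterImagePolicy` for Sigstore Policy Controller that trusts this key for the image pattern above. The policy name, authority name and namespace name are assumptions, and the key body is a placeholder for the contents of `cosign.pub`.

```yaml
# Added example; resource names below are hypothetical.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: calltheory-orbital            # hypothetical policy name
spec:
  images:
    # Image pattern taken from this page
    - glob: "cr.calltheory.com/orbital/*"
  authorities:
    - name: calltheory-cosign-key     # hypothetical authority name
      key:
        # Placeholder: paste the PEM contents of cosign.pub here
        data: |
          -----BEGIN PUBLIC KEY-----
          <contents of cosign.pub>
          -----END PUBLIC KEY-----
---
# Policy Controller only enforces policies in namespaces that opt in
# with this label.
apiVersion: v1
kind: Namespace
metadata:
  name: orbital-apps                  # hypothetical namespace name
  labels:
    policy.sigstore.dev/include: "true"
```

Because the registry requires a login, workloads in the labelled namespace also need pull credentials for `cr.calltheory.com` so the signatures can be fetched.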