| stagex | add signatures for 2026060 | |
| .domains | Add custom domain for use with codeberg pages | |
| README.md | Updates README with new information on signature verification, add maintainers keyring | |
| stagex-keyring.pgp | Updates README with new information on signature verification, add maintainers keyring | |
[StageX] Image Signatures
This repository holds signatures related to containers built and reproduced by the [StageX] maintainers.
These signatures are stored in a format compatible with containers-registries.d
lookaside.
We provide a keyring, or you can pull our keys via WKD or Hagrid. As of now any project using image/v5.37.0 or higher should work
| Program | Tested | Works |
|---|---|---|
| skopeo | yes | no |
| podman | yes | yes |
| kubernetes | no | ? |
Signatures up to version sx2025.05.2 signed the index file instead of the OCI compliant manifest
for a given architecture. Signatures can be verified using pgp tooling but not lookaside.
Signatures from sx2025.05.2 to sx2025.11.0 only have a critical.identity.docker-reference of stagex/<package-name> meaning a policy signedIdentity only has the option of matchRepo for Dockerhub Images
Getting Started
1.Configure the lookaside server for both quay.io and docker hub for the stagex organization
~/.config/containers/registries.d/default.yaml
docker:docker.io/stagex:lookaside:https://sigs.stagex.toolsquay.io/stagex:lookaside:https://sigs.stagex.tools- Create a PGP Keyring for a policy
3.Add a policy
~/.config/containers/policy.json
{
"default": [
{"type": "reject"}
],
"transports": {
"docker": {
"stagex": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/path/to/stagex-keyring.pgp",
"signedIdentity": {
"type": "matchRepoDigestOrExact"
}
}
],
"quay.io/stagex": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/path/to/stagex-keyring.pgp",
"signedIdentity": {
"type": "remapIdentity",
"prefix": "quay.io/stagex",
"signedPrefix": "docker.io/stagex"
}
}
],
}
}
}