Trust Registry

Trusted Keys (Production Release Signing Policy v2)

The following keys are listed in the active signing policy. Use the fingerprint to verify artifact signatures.

Ed25519 Primary Signing Key (2026)
Ed25519 | Active | trust: high
SHA256:mV3rN8pQ2sK7wX1bF5tG9hC4eD6jA0nL
Public key (PEM)
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAmV3rN8pQ2sK7wX1bF5tG9hC4eD6jA0nLvR2oH7qMcPw4yS6
-----END PUBLIC KEY-----
How to verify
cosign verify-blob \
  --key pubkey.pem \
  --signature artifact.sig \
  artifact

Save the public key above to pubkey.pem, then run the command above. For container images, use cosign verify instead of cosign verify-blob.

Ed25519 Secondary Signing Key (2025)
Ed25519 | Active | trust: high
SHA256:rC9xG2oP6wA3sU7yM4bI5nF8jK1hE0tV
Public key (PEM)
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEArC9xG2oP6wA3sU7yM4bI5nF8jK1hE0tVzL2mJ7vXpQn4dY5
-----END PUBLIC KEY-----
How to verify
cosign verify-blob \
  --key pubkey.pem \
  --signature artifact.sig \
  artifact

Save the public key above to pubkey.pem, then run the command above. For container images, use cosign verify instead of cosign verify-blob.

AWS KMS Container Signing Key (2025)
Cloud-KMS-ECDSA-P256 | Active | trust: high
SHA256:pE3wJ6lN9xB2rT5vG8dO1mK4fH7aL0qI
How to verify
cosign verify \
  --key awskms:///arn:aws:kms:ca-central-1:123456789012:key/mrk-9f2a3c4d5e6b7081920a3b4c5d6e7f89 \
  <image>

Keyless OIDC — Gitea Actions
Keyless-OIDC | Active | trust: medium
Ephemeral — no persistent key material
OIDC issuer: https://git.home.jdoe.dev
How to verify
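# --certificate-identity-regexp takes a regular expression, not a glob:
# dots are escaped, each wildcard is one path segment, and both ends are anchored.
cosign verify \
  --certificate-identity-regexp='^https://git\.home\.jdoe\.dev/patterneddesigns/[^/]+/\.gitea/workflows/[^/]+\.yaml@refs/heads/main$' \
  --certificate-oidc-issuer="https://git.home.jdoe.dev" \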
  <image>

Ed25519 Emergency Replacement Key (Oct 2025)
Ed25519 | Active | trust: high
SHA256:nD2vH5kM8tY1cL4qW9eR3bO6fS7gJ0uA
Public key (PEM)
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAnD2vH5kM8tY1cL4qW9eR3bO6fS7gJ0uAzX3nK8pMvRq1wT7
-----END PUBLIC KEY-----
How to verify
cosign verify-blob \
  --key pubkey.pem \
  --signature artifact.sig \
  artifact

Save the public key above to pubkey.pem, then run the command above. For container images, use cosign verify instead of cosign verify-blob.

Revocation Checking

Before trusting a signature, verify the signing key is not revoked. The revocation list is available at:

https://trust.patterneddesigns.ca/api/v1/revocations/
