Experimental experimental pending availability

APK Repository

The Verity APK repository is experimental. Do not rely on it for production until the publish workflow has produced signed APKINDEX files and the repository verification task confirms availability.

Repository metadata

APK arch Platform Repository URL Static metadata

x86_64 linux/amd64 /apk/x86_64

 /apk/x86_64/APKINDEX.tar.gz

aarch64 linux/arm64 /apk/aarch64

 /apk/aarch64/APKINDEX.tar.gz

Signing key

Install this key only after Verity publishes and confirms the fingerprint.

/apk/verity-apk-rsa.pub

Fingerprint: pending publication

Key rotation

Install old and new keys during the overlap window.
Run apk update and verify index refresh succeeds.
Remove the retired key after Verity announces rotation completion.

Install flow after verification

set -eu
apk_arch="$(apk --print-arch)"
repo_url="/apk/${apk_arch}"

wget -O "/etc/apk/keys/verity-apk-rsa.pub" "/apk/verity-apk-rsa.pub"
printf '%s
' "$repo_url" >> /etc/apk/repositories
apk update

# apk add <verity-package>

Experimental caveats

Package names, versions, repository paths, and signing keys may change.
The repository may be empty or return 404 until publish and verification complete.
Use only in ephemeral tests until general availability.
Use published OCI container images for production workloads today.