# Experimental APK Repository — Verity

> Status: **experimental pending availability**. The Verity APK repository is experimental. Do not rely on it for production until the publish workflow has produced signed APKINDEX files and the repository verification task confirms availability.

The Verity APK repository is the planned package-level companion to the container-image catalog. It will expose Verity-built APK packages for Wolfi/Alpine-compatible consumers once the publish workflow and repository verification tasks are complete.

## Repository Entry Points

| APK arch | Platform | Repository URL | Static metadata |
|----------|----------|----------------|-----------------|
| `x86_64` | `linux/amd64` | `https://verity.supply/apk/x86_64` | `https://verity.supply/apk/x86_64/APKINDEX.tar.gz` |
| `aarch64` | `linux/arm64` | `https://verity.supply/apk/aarch64` | `https://verity.supply/apk/aarch64/APKINDEX.tar.gz` |

**Signing key**: `https://verity.supply/apk/verity-apk-rsa.pub`

**Fingerprint**: `pending publication`

Until the fingerprint is published and verified, treat these URLs as documentation for the intended layout rather than a production package source.

## Install Instructions

Do not enable this repository on production systems yet. For disposable test containers after repository verification:

```sh
set -eu

# Use the architecture apk reports so only the matching repository URL is added.
apk_arch="$(apk --print-arch)"
repo_url="https://verity.supply/apk/${apk_arch}"

# Install the repository signing key where apk looks for trusted keys.
wget -O "/etc/apk/keys/verity-apk-rsa.pub" "https://verity.supply/apk/verity-apk-rsa.pub"

# Append the repository (one URL per line) and refresh the signed index.
printf '%s\n' "$repo_url" >> /etc/apk/repositories
apk update

# Example, once packages are published:
# apk add <verity-package>
```

If your image lacks `wget`, copy the key into `/etc/apk/keys/verity-apk-rsa.pub` during image build and append only the matching architecture URL to `/etc/apk/repositories`.

## Trust Model

- APK metadata is expected to be published as signed `APKINDEX.tar.gz` files per architecture.
- APK clients trust packages through the public key installed in `/etc/apk/keys/`.
- Verify the key fingerprint from this page before installing any package.
- Keep Verity container-image signatures and attestations separate from APK repository trust; cosign/SLSA cover OCI images, while APK installation relies on APKINDEX/package signatures.
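The install procedure above appends the repository URL unconditionally, and the trust model asks that the key fingerprint be checked before any package is installed. The following script is an added example, not part of the Verity project or this page: it stages the downloaded key, compares its fingerprint to an expected value, installs it only on a match, and appends the repository line only if it is not already present. It assumes the published fingerprint is the SHA-256 of the key file as served (adjust `key_fingerprint` if Verity publishes another format), that `sha256sum` is available (busybox or coreutils), and uses `EXPECTED_FINGERPRINT_PLACEHOLDER` as a stand-in for the value that is still pending publication.

```shell
#!/bin/sh
# Added example (not Verity project code). Assumptions: the fingerprint is the
# SHA-256 hex digest of the key file as served; sha256sum is on PATH.
set -eu

# Print the SHA-256 hex digest of a file (assumed fingerprint format).
key_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 when the key file's fingerprint equals the expected value, 1 otherwise.
verify_key() {
    key_file="$1"
    expected="$2"
    actual="$(key_fingerprint "$key_file")"
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "fingerprint mismatch for $key_file: got $actual, expected $expected" >&2
    return 1
}

# Append a repository URL unless that exact line is already in the file,
# so re-running the enrollment never duplicates entries.
add_repo_line() {
    repo_file="$1"
    url="$2"
    if [ -f "$repo_file" ] && grep -Fxq "$url" "$repo_file"; then
        return 0
    fi
    printf '%s\n' "$url" >> "$repo_file"
}

# Download the key to a staging path, verify it, and only then install it and
# enroll the matching-architecture repository. Needs network access and root.
# EXPECTED_FINGERPRINT_PLACEHOLDER stands in for the not-yet-published value.
enroll_verity_repo() {
    expected="${1:-EXPECTED_FINGERPRINT_PLACEHOLDER}"
    apk_arch="$(apk --print-arch)"
    staged="$(mktemp)"
    wget -O "$staged" "https://verity.supply/apk/verity-apk-rsa.pub"
    verify_key "$staged" "$expected"
    cp "$staged" /etc/apk/keys/verity-apk-rsa.pub
    chmod 0644 /etc/apk/keys/verity-apk-rsa.pub
    rm -f "$staged"
    add_repo_line /etc/apk/repositories "https://verity.supply/apk/${apk_arch}"
    apk update
}

# Usage in a disposable test container (not run here):
# enroll_verity_repo "<fingerprint from this page>"
```

Because the key is verified in a staging location, a mismatch leaves `/etc/apk/keys/` untouched and `apk update` is never reached with an unverified key in place; the failure message on stderr is what to look for in build logs.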

## Key Rotation

1. Verity will publish a new key and fingerprint before rotating signing keys.
2. Install both old and new keys during the overlap window.
3. Run `apk update` and verify the signed index refreshes cleanly.
4. Remove the retired key only after the repository announces completion of the rotation.

## Experimental Caveats

- Package names, versions, repository paths, and signing keys may change before general availability.
- The repository may be empty or return 404 until the publish workflow lands and runs successfully.
- Use only in ephemeral tests until final availability is verified.
- Prefer the published container images for production workloads today.

---

[Browse Catalog](https://verity.supply/) · [Complete LLM Reference](https://verity.supply/llms-full.txt) · [GitHub](https://github.com/verity-org/verity)
