From 4219b5fa7f91aa11c7eb5bfcf57dc9e844c471d9 Mon Sep 17 00:00:00 2001 From: "Jorge O. Castro" Date: Tue, 27 Dec 2022 19:12:53 -0500 Subject: [PATCH] Add initial instructions for signing --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8504dd2..cdea469 100644 --- a/README.md +++ b/README.md @@ -37,4 +37,6 @@ The `latest` tag will automatically point to the latest build. These images are signed with sisgstore's [cosign](https://docs.sigstore.dev/cosign/overview/). You can verify the signature by downloading the `cosign.pub` key from this repo and running the following command: - cosign verify --key cosign.pub ghcr.io/ublue-os/base \ No newline at end of file + cosign verify --key cosign.pub ghcr.io/ublue-os/base + +If you're forking this repo you should [read the docs](https://docs.github.com/en/actions/security-guides/encrypted-secrets) on keeping secrets in github. You need to [generate a new keypair](https://docs.sigstore.dev/cosign/overview/) with cosign. The public key can be in your public repo (your users need it to check the signatures), and you can paste the private key in Settings -> Secrets -> Actions.
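Review bot: the added fork paragraph at the end of the README hunk tells forkers to paste the private key into Settings -> Secrets -> Actions but does not name the secret to create, and it does not say that the fork's own `cosign.pub` has to replace the one in this repo. A fork that follows it as written could keep publishing the upstream public key next to images signed with a different key, so `cosign verify --key cosign.pub` would fail for its users. Suggest naming the secret the workflow expects, adding a sentence that the repo's `cosign.pub` must be overwritten with the newly generated public key, and noting that the verify command needs the fork's image reference instead of `ghcr.io/ublue-os/base`. The "generate a new keypair" link also points at the same overview URL as the cosign link in the context line above it; a link to the key-generation documentation would serve forkers better. Minor: the unchanged context line spells the project "sisgstore", and "github" in the new paragraph should be "GitHub".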