{
  "$comment": "fremforge SLSA L2 trust root. Customers use this to verify signed in-toto provenance attestations produced by the fremforge hosted runner. See docs.frem.sh/security#slsa-provenance for the verification recipe. EU-sovereign: no Sigstore Fulcio / Rekor / TUF-CDN dependency — the fremforge api signs attestations server-side using the private half of the key below, the public half is published here.",
  "trusted_keys": [
    {
      "kid": "fremforge-slsa-builder-v1",
      "alg": "ed25519",
      "pem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAnihnX8VnnjzDB0VSgXkjB51ygrG3NH94VcWw7tMNZ10=\n-----END PUBLIC KEY-----\n",
      "valid_from": "2026-05-17T00:00:00Z",
      "builder_id": "https://frem.sh/runner-controller/v1"
    }
  ]
}