openshift
diff --git a/‎config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml
+10 b/‎config/v1/0000_00_cluster-version-operator_01_clusterversion.crd.yaml
+10
diff --git a/‎config/v1/stable.clusterversion.testsuite.yaml
+54 b/‎config/v1/stable.clusterversion.testsuite.yaml
+54
diff --git a/‎config/v1/types_cluster_version.go
+16 b/‎config/v1/types_cluster_version.go
+16
diff --git a/‎config/v1/zz_generated.deepcopy.go
+5 b/‎config/v1/zz_generated.deepcopy.go
+5
diff --git a/‎config/v1/zz_generated.swagger_doc_generated.go
+8-7 b/‎config/v1/zz_generated.swagger_doc_generated.go
+8-7
diff --git a/‎openapi/generated_openapi/zz_generated.openapi.go
+20 b/‎openapi/generated_openapi/zz_generated.openapi.go
+20
diff --git a/‎openapi/openapi.json
+9 b/‎openapi/openapi.json
+9
@@ -146,6 +146,16 @@ spec:
                       unmanaged:
                         description: 'unmanaged controls if cluster version operator should stop managing the resources in this cluster. Default: false'
                         type: boolean
+                signatureStores:
+                  description: "signatureStores contains the upstream URIs to verify release signatures. By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually. \n Items in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738. A maximum of 32 signature stores may be configured."
+                  type: array
+                  maxItems: 32
+                  items:
+                    type: string
+                  x-kubernetes-list-type: set
+                  x-kubernetes-validations:
+                    - rule: self.all(x, isURL(x))
+                      message: signatureStores must contain only valid absolute URLs per the Go net/url standard
                 upstream:
                   description: upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.
                   type: string
 
@@ -162,6 +162,60 @@ tests:
           additionalEnabledCapabilities:
           - marketplace
     expectedError: the `marketplace` capability requires the `OperatorLifecycleManager` capability, which is neither explicitly or implicitly enabled in this cluster, please enable the `OperatorLifecycleManager` capability
+  - name: Should be able to set a custom signature store
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: ClusterVersion
+      spec:
+        clusterID: foo
+        signatureStores: 
+          - "https://osus.ocp.com"
+    expected: |
+      apiVersion: config.openshift.io/v1
+      kind: ClusterVersion
+      spec:
+        clusterID: foo
+        signatureStores: 
+          - "https://osus.ocp.com"
+  - name: Should be able to set multiple custom signature store
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: ClusterVersion
+      spec:
+        clusterID: foo
+        signatureStores: 
+          - "https://osus1.ocp.com"
+          - "https://osus2.ocp.com"
+    expected: |
+      apiVersion: config.openshift.io/v1
+      kind: ClusterVersion
+      spec:
+        clusterID: foo
+        signatureStores: 
+          - "https://osus1.ocp.com"
+          - "https://osus2.ocp.com"
+  - name: Invalid custom signature store should throw error
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: ClusterVersion
+      spec:
+        clusterID: foo
+        signatureStores: 
+          - "osus1.ocp.com"
+    expectedError: "signatureStores must contain only valid absolute URLs per the Go net/url standard"
+  - name: Should be able to unset the signature stores
+    initial: |
+      apiVersion: config.openshift.io/v1
+      kind: ClusterVersion
+      spec:
+        clusterID: foo
+        signatureStores: []
+    expected: |
+      apiVersion: config.openshift.io/v1
+      kind: ClusterVersion
+      spec:
+        clusterID: foo
+        signatureStores: []
   onUpdate:
   - name: Should not allow image to be set if architecture set
     initial: |
 
@@ -88,6 +88,22 @@ type ClusterVersionSpec struct {
 	// +optional
 	Capabilities *ClusterVersionCapabilitiesSpec `json:"capabilities,omitempty"`
 
+	// signatureStores contains the upstream URIs to verify release signatures.
+	// By default, CVO will use existing signature stores if this property is empty.
+	// The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature
+	// in these stores in parallel only when local ConfigMaps did not include a valid signature.
+	// Validation will fail if none of the signature stores reply with valid signature before timeout.
+	// Setting signatureStores will replace the default signature stores with custom signature stores.
+	// Default stores can be used with custom signature stores by adding them manually.
+	//
+	// Items in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738.
+	// A maximum of 32 signature stores may be configured.
+	// +kubebuilder:validation:XValidation:rule="self.all(x, isURL(x))",message="signatureStores must contain only valid absolute URLs per the Go net/url standard"
+	// +kubebuilder:validation:MaxItems=32
+	// +listType=set
+	// +optional
+	SignatureStores []string `json:"signatureStores"`
+
 	// overrides is list of overides for components that are managed by
 	// cluster version operator. Marking a component unmanaged will prevent
 	// the operator from creating or updating the object.
 
@@ -5276,6 +5276,15 @@
             "$ref": "#/definitions/com.github.openshift.api.config.v1.ComponentOverride"
           }
         },
+        "signatureStores": {
+          "description": "signatureStores contains the upstream URIs to verify release signatures. By default, CVO will use existing signature stores if this property is empty. The CVO will check the release signatures in the local ConfigMaps first. It will search for a valid signature in these stores in parallel only when local ConfigMaps did not include a valid signature. Validation will fail if none of the signature stores reply with valid signature before timeout. Setting signatureStores will replace the default signature stores with custom signature stores. Default stores can be used with custom signature stores by adding them manually.\n\nItems in this list should be a valid absolute http/https URI of an upstream signature store as per rfc1738. A maximum of 32 signature stores may be configured.",
+          "type": "array",
+          "items": {
+            "type": "string",
+            "default": ""
+          },
+          "x-kubernetes-list-type": "set"
+        },
         "upstream": {
           "description": "upstream may be used to specify the preferred update server. By default it will use the appropriate update server for the cluster and region.",
           "type": "string"