Mirrored CentOS Stream content has signed repository metadata, but CentOS Stream composes do not. Having CentOS Stream composes with signed repository metadata enables secure mirroring by being able to verify the integrity of the metadata, as well as enabling the openSUSE Build Service to consume composes directly.

Please sign repository metadata alongside packages for composes (c9s and c10s).