Document Staging instance usage with Keyless

Signed-off-by: Kenny Leung <kleung@chainguard.dev>

KEYLESS.md

@@ -116,6 +116,31 @@ Signature timestamps are checked in the [rekor](https://github.com/sigstore/reko
 * Probably a lot more: This is very experimental.
 * More OIDC providers: Obvious.
 
+## Public Staging Environment
+
+There is a public staging environment that is running Fulcio, Rekor and OIDC issuer endpoints at the below address:
+
+* https://fulcio.sigstage.dev
+* https://rekor.sigstage.dev
+* https://oauth2.sigstage.dev/auth
+
+These instances are operated and maintained in the same manner as the public production environment for Sigstore.
+
+### Usage
+
+To use this instance, follow the steps below:
+
+1. `rm -r ~/.sigstore`
+1. `gsutil cp -r gs://tuf-root-staging .`
+1. `cd tuf-root-staging`
+1. `cosign initialize --mirror=tuf-root-staging --root=root.json`
+1. `COSIGN_EXPERIMENTAL=1 cosign sign --oidc-issuer "https://oauth2.sigstage.dev/auth" --fulcio-url "https://fulcio.sigstage.dev" --rekor-url "https://rekor.sigstage.dev" ${IMAGE}`
+1. `COSIGN_EXPERIMENTAL=1 cosign verify --rekor-url "https://rekor.sigstage.dev" ${IMAGE}`
+
+* Steps 1-4 configures your local environment to use the staging keys and certificates.
+* Step 5 specify the staging environment with flags needed for signing.
+* Step 6 specify the staging environment with flags needed for verifying.
+
 ## Custom Infrastructure
 
 If you're running your own sigstore services flags are available to set your own endpoint's, e.g