diff --git a/roles/fedora-web/build/tasks/main.yml b/roles/fedora-web/build/tasks/main.yml index 4fc92e6f92..9f4bb4b616 100644 --- a/roles/fedora-web/build/tasks/main.yml +++ b/roles/fedora-web/build/tasks/main.yml @@ -46,6 +46,11 @@ tags: - fedora-web +- name: make registry-signatures dir + file: state=directory path=/srv/web/registry-signatures owner=apache group=sysadmin-releng mode=2775 setype=httpd_sys_content_t seuser=system_u + tags: + - fedora-web + - name: Copy syncStatic script (stg) when: env == "staging" copy: > diff --git a/roles/fedora-web/registry/tasks/main.yml b/roles/fedora-web/registry/tasks/main.yml index 003ba9740a..3b92726ddc 100644 --- a/roles/fedora-web/registry/tasks/main.yml +++ b/roles/fedora-web/registry/tasks/main.yml @@ -7,6 +7,12 @@ - fedora-web - fedora-web/registry +- name: Copy in the sync-registry-signatures cronjob + copy: src=cron-sync-registry-signatures dest=/etc/cron.d/sync-registry-signatures + tags: + - fedora-web + - fedora-web/registry + - name: Copy over the registry passwd copy: src=passwd dest=/etc/httpd/conf.d/registry.fedoraproject.org/passwd owner=root group=root mode=0644 diff --git a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf b/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf index d501ea8af7..51e2265013 100644 --- a/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf +++ b/roles/httpd/reverseproxy/templates/reversepassproxy.registry.conf @@ -3,6 +3,8 @@ RequestHeader set X-Scheme https early RequestHeader set X-Forwarded-Proto https early ProxyPreserveHost On +Alias /signatures /srv/web/registry-signatures + RewriteEngine on {% if env == "production" %} RewriteCond %{HTTP:VIA} !cdn77 @@ -20,6 +22,10 @@ SSLVerifyDepth 1 SSLCACertificateFile /etc/pki/httpd/fedora-server-ca.cert SSLOptions +FakeBasicAuth + + Require all granted + + Order deny,allow 
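Review bot: The new `file` task in roles/fedora-web/build/tasks/main.yml makes `apache` the owner of `/srv/web/registry-signatures` with mode 2775, so the account httpd normally runs as could create, replace or delete the signature files it serves. Serving needs only read access, which the world bits already give. `owner=root group=sysadmin-releng mode=2775` would keep the setgid group write for releng and leave the web server read-only. If the sync job writes as apache (its definition is not in this diff), a dedicated sync account would be a better owner than the httpd user.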
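Review bot: The cron drop-in in roles/fedora-web/registry/tasks/main.yml is copied to `/etc/cron.d/sync-registry-signatures` without `owner`, `group` or `mode`, unlike the passwd task directly below it. Its ownership and permissions are therefore not pinned by the playbook. Anyone who can write to a file in /etc/cron.d can run commands as whichever user its entries name, and cron daemons commonly refuse files that are group- or world-writable, so `owner=root group=root mode=0644` should be explicit here. The content of `cron-sync-registry-signatures` is not part of this diff, so the command and the account it runs as cannot be reviewed from this page.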
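Review bot: In the second hunk of reversepassproxy.registry.conf, `Require all granted` is added right next to the client-certificate settings (`SSLVerifyDepth 1`, `SSLOptions +FakeBasicAuth`), and the container directives that scope it are not visible in this rendering. It is worth confirming the grant sits in a block limited to `/signatures` (or a `<Directory /srv/web/registry-signatures>`), so that it cannot relax access to the authenticated registry paths. The context still uses the 2.2-style `Order deny,allow`, and mixing it with `Require` in one scope makes the effective policy hard to reason about. For the `Alias /signatures` in the first hunk, nothing shown sets `Options -Indexes` or `AllowOverride None` for a directory that is group-writable; both belong in that same block.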
diff --git a/roles/rsyncd/files/rsyncd.conf.sundries b/roles/rsyncd/files/rsyncd.conf.sundries
index 36f9378b47..032ef2db36 100644
--- a/roles/rsyncd/files/rsyncd.conf.sundries
+++ b/roles/rsyncd/files/rsyncd.conf.sundries
@@ -181,3 +181,11 @@ uid = root
 gid = root
 read only = yes
 hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0
+
+[registry-signatures]
+comment = registry-signatures
+path = /srv/web/registry-signatures
+uid = root
+gid = root
+read only = yes
+hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0
diff --git a/roles/rsyncd/files/rsyncd.conf.sundries-stg b/roles/rsyncd/files/rsyncd.conf.sundries-stg
index 36f9378b47..032ef2db36 100644
--- a/roles/rsyncd/files/rsyncd.conf.sundries-stg
+++ b/roles/rsyncd/files/rsyncd.conf.sundries-stg
@@ -181,3 +181,11 @@ uid = root
 gid = root
 read only = yes
 hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0
+
+[registry-signatures]
+comment = registry-signatures
+path = /srv/web/registry-signatures
+uid = root
+gid = root
+read only = yes
+hosts allow = 10.5.126.0/255.255.255.0 192.168.0.0/255.255.0.0
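Review bot: The new `[registry-signatures]` module in rsyncd.conf.sundries runs transfers with `uid = root` and `gid = root`, although it only hands out signature files that the same commit publishes over HTTP. An unprivileged identity such as `uid = nobody` and `gid = nobody` would be enough, provided the files are world-readable on this host (their modes are not visible here). `hosts allow` also admits all of 192.168.0.0/16; if only the web proxies pull this module, listing those hosts would narrow who can reach it. Both settings copy the existing module shown in the context lines, and the identical hunk in rsyncd.conf.sundries-stg has the same points.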