diff --git a/README.md b/README.md index 47ab878..38167f0 100644 --- a/README.md +++ b/README.md @@ -141,3 +141,34 @@ machinectl login ``` Another alternative can be to open an `ssh` session. + + +## Advanced topics + +### Changing the resource settings trusted key + +The top-level settings for the applications are set from files in `/var/cic-staff-client`. These files are signed with PGP, and the trusted key(s) for signing are in `/keys`. + +In order to define alternate settings, a different key must be imported and trusted, and this key must sign the new settings files. + +The code below assumes the key with fingerprint `F3FAF668E82EF5124D5187BAEF26F4682343F692`: + +``` +echo "F3FAF668E82EF5124D5187BAEF26F4682343F692:6:" >> /keys/trust +gpg -a F3FAF668E82EF5124D5187BAEF26F4682343F692 --export > /keys/F3FAF668E82EF5124D5187BAEF26F4682343F692.asc +``` + +Now the private key holder can ceate the same contents as in `/var`, e.g. to set `CIC_REGISTRY_ADDRESS` in `/var/alt`: + +``` +mkdir -vp var/alt/cic-staff-client +d=`mktemp -d` +echo -n 0xcf60ebc445b636a5ab787f9e8bc465a2a3ef8299 > $d/CIC_REGISTRY_ADDRESS +gpg -a -s -u F3FAF668E82EF5124D5187BAEF26F4682343F692 -o var/alt/cic-staff-client/CIC_REGISTRY_ADDRESS $d/CIC_REGISTRY_ADDRESS +``` + +Running the process again you would replace this: + +``` +export CIC_ROOT_URL=file://`pwd`/var/alt +```
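Review bot: In the key-export command of the new "Changing the resource settings trusted key" section, the fingerprint is placed before the `--export` command (`gpg -a F3FAF668E82EF5124D5187BAEF26F4682343F692 --export > ...`). gpg expects options and the command first and the key argument last, so this should read `gpg -a --export F3FAF668E82EF5124D5187BAEF26F4682343F692 > /keys/F3FAF668E82EF5124D5187BAEF26F4682343F692.asc`. The line appended to `/keys/trust` ends in `:6:` with no explanation. Since that entry is what makes the new key trusted for signing settings, the README should say what trust level the value grants and that the file is appended to, not replaced. The prose says the alternate settings go in `/var/alt`, but the commands create a relative `var/alt/cic-staff-client` and `CIC_ROOT_URL` is built from `pwd`; use one form consistently or state the working directory the commands assume. "Running the process again you would replace this:" does not name the earlier setting being replaced, so a reader cannot tell which value the `export CIC_ROOT_URL=...` line supersedes. Smaller points: "ceate" should be "create", `$d` should be quoted in the `echo` and `gpg` lines, and the temporary directory from `mktemp -d` is never removed.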