`crates/registry-relay/docs/security-assurance.md` and `products/notary/docs/security-assurance.md` still document the pre-monorepo image publication and signing policy: cosign verification against `https://github.com/jeremi/registry-{relay,notary}/.github/workflows/container.yml@refs/tags/...` identities.
Current reality (per `release/VERIFY.md` and `.github/workflows/release.yml`): release assets are signed keyless by `https://github.com/registrystack/registry-stack/.github/workflows/release.yml@refs/tags/<tag>`, images publish to `ghcr.io/registrystack/*`, and OCI image signatures are not yet published for the monorepo namespace.
Impact: anyone following these docs to verify an image gets instructions that cannot succeed against current releases, and the docs claim an image-signing guarantee the monorepo release does not currently provide.
These two pages were deliberately left out of the docs-site product-doc allowlist until corrected (the rest of the linked product docs are being published; see PR #181). Fixing them is a release-provenance content change, so it needs maintainer review.
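One way to keep this kind of drift from recurring is a docs lint that flags signer identities and image namespaces that no longer match the release policy. The following is an added example, not code from this repository; the function name, the sample document, the `v1.2.3` tag and the `example-old-namespace` image path are constructed for illustration, and the expected values are taken from the issue text above.

```python
import re

# Assumption: current release policy as stated in the issue text above.
EXPECTED_REPO = "registrystack/registry-stack"
EXPECTED_WORKFLOW = ".github/workflows/release.yml"
EXPECTED_IMAGE_NS = "ghcr.io/registrystack/"

# Keyless signer identity: <repo>/.github/workflows/<file>@refs/tags/<tag>.
# Braces and commas are allowed so shorthand like registry-{relay,notary} matches.
IDENTITY_RE = re.compile(
    r"https://github\.com/(?P<repo>[\w.{},-]+/[\w.{},-]+)/"
    r"(?P<workflow>\.github/workflows/[\w.-]+\.ya?ml)@refs/tags/"
)
IMAGE_RE = re.compile(r"\bghcr\.io/[\w.-]+/")


def find_stale_references(text):
    """Return (line_number, kind, value) for each reference that
    does not match the current signer identity or image namespace."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IDENTITY_RE.finditer(line):
            if (m["repo"], m["workflow"]) != (EXPECTED_REPO, EXPECTED_WORKFLOW):
                findings.append(
                    (lineno, "identity", f"{m['repo']}/{m['workflow']}"))
        for m in IMAGE_RE.finditer(line):
            if m.group(0) != EXPECTED_IMAGE_NS:
                findings.append((lineno, "image", m.group(0)))
    return findings


# Constructed sample document (not the real security-assurance.md content).
SAMPLE_DOC = """\
cosign verify ghcr.io/example-old-namespace/registry-relay:v1.2.3 \\
  --certificate-identity https://github.com/jeremi/registry-relay/.github/workflows/container.yml@refs/tags/v1.2.3
Release assets are signed by https://github.com/registrystack/registry-stack/.github/workflows/release.yml@refs/tags/v1.2.3
Images publish to ghcr.io/registrystack/registry-relay
"""

if __name__ == "__main__":
    for lineno, kind, value in find_stale_references(SAMPLE_DOC):
        print(f"line {lineno}: stale {kind} reference: {value}")
```

Run against the product docs in CI, a non-empty result can fail the build before a page with an outdated verification identity is published.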