docs: security-assurance pages describe pre-monorepo container signing #186

Description

@jeremi

crates/registry-relay/docs/security-assurance.md and products/notary/docs/security-assurance.md still document the pre-monorepo image publication and signing policy: cosign verification against https://github.com/jeremi/registry-{relay,notary}/.github/workflows/container.yml@refs/tags/... identities.

Current reality (per release/VERIFY.md and .github/workflows/release.yml): release assets are signed keyless by https://github.com/registrystack/registry-stack/.github/workflows/release.yml@refs/tags/<tag>, images publish to ghcr.io/registrystack/*, and OCI image signatures are not yet published for the monorepo namespace.

Impact: anyone following these docs to verify an image gets instructions that cannot succeed against current releases, and the docs claim an image-signing guarantee the monorepo release does not currently provide.

These two pages were deliberately left out of the docs-site product-doc allowlist until corrected (the rest of the linked product docs are being published; see PR #181). Fixing them is a release-provenance content change, so it needs maintainer review.
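
As an added example (not part of the issue and not the project's own tooling), a docs check like the following flags keyless-signing identities and GHCR namespaces that differ from the ones the issue gives as current. The sample text, the `example-old` namespace, the `v1.2.3` tag and the function name `audit_doc` are constructed for illustration.

```python
import re

# Signer identity and image namespace the issue gives as current.
EXPECTED_SIGNER = ("registrystack", "registry-stack", "release.yml")
EXPECTED_GHCR_NS = "registrystack"

# Keyless-signing identity: a GitHub workflow file pinned to a tag ref.
IDENTITY_RE = re.compile(
    r"https://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.{},-]+)"
    r"/\.github/workflows/(?P<workflow>[\w.-]+)@refs/tags/"
)
GHCR_RE = re.compile(r"ghcr\.io/(?P<ns>[\w.-]+)/")

# Constructed excerpt of a stale verification page (not copied from the repo).
SAMPLE_DOC = """\
cosign verify ghcr.io/example-old/registry-relay:v1 \\
  --certificate-identity-regexp 'https://github.com/jeremi/registry-relay/.github/workflows/container.yml@refs/tags/.*'
Release assets: https://github.com/registrystack/registry-stack/.github/workflows/release.yml@refs/tags/v1.2.3
Images: ghcr.io/registrystack/registry-relay
"""


def audit_doc(text):
    """Return (line_no, kind, value) for every reference that does not match
    the current release signer or the current image namespace."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for m in IDENTITY_RE.finditer(line):
            signer = (m["owner"], m["repo"], m["workflow"])
            if signer != EXPECTED_SIGNER:
                findings.append((no, "stale-signer", m.group(0)))
        for m in GHCR_RE.finditer(line):
            if m["ns"] != EXPECTED_GHCR_NS:
                findings.append((no, "stale-namespace", m.group(0)))
    return findings


if __name__ == "__main__":
    for no, kind, value in audit_doc(SAMPLE_DOC):
        print(f"line {no}: {kind}: {value}")
```

Run against the two `security-assurance.md` pages in CI, a non-empty result would keep them off the docs-site allowlist until the verification instructions are corrected.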
