Trust · Operations

Receipts signing ceremony

This is the one-page runbook to turn the Company, Governance, AIMS, and Safety IR pages from “statements” into signed receipts that auditors can verify offline. Missing or placeholder signatures must yield HOLD (fail-closed), never a silent PASS.

Scope

Publish detached signatures for the public-safe receipts below, then commit their sha256 into the append-only transparency leaf that backs the Ticket Pack chain.
Private keys must remain offline. Do not paste secrets into CI logs or tickets.

Publish (required)
  • /.well-known/mvg-company.json + /.well-known/mvg-company.json.asc
  • /.well-known/mvg-governance.json + /.well-known/mvg-governance.json.asc
  • /.well-known/mvg-aims.json + /.well-known/mvg-aims.json.asc
  • /.well-known/mvg-safety-ir.json + /.well-known/mvg-safety-ir.json.asc
Signature files must not be READY_TO_SIGN placeholders.

Placement (max impact)
  • /trust-center/ “Copy for auditors” includes these receipts
  • /trust/site-release/ Auditor quickstart line (single URL)
  • /company/, /governance/, /aims/, /safety/incident-response/: top “Verified receipt” card (✅/HOLD)

Procedure

1) Preflight

Confirm the published public key fingerprint matches security.txt, and confirm placeholders are not being published.

# Fingerprint (public): the key fingerprint in security.txt must match the --local-user used in step 2
curl -fsS https://meridianverity.com/.well-known/security.txt | sed -n '1,140p'

# Check placeholders are NOT present (must be absent after signing).
# Each .asc must start with "-----BEGIN PGP SIGNATURE-----"; a READY_TO_SIGN line means the placeholder was never replaced.
head -n 2 .well-known/mvg-company.json.asc
head -n 2 .well-known/mvg-governance.json.asc
head -n 2 .well-known/mvg-aims.json.asc
head -n 2 .well-known/mvg-safety-ir.json.asc

2) Sign offline (detached, ASCII armored)

Run on an offline/signing machine. Use your existing MVG signing key.

# Company descriptor
gpg --armor --detach-sign \
  --local-user 58335BA12693400891BF13285A9E187C3BB18C94 \
  --output .well-known/mvg-company.json.asc \
  .well-known/mvg-company.json

# Governance descriptor
gpg --armor --detach-sign \
  --local-user 58335BA12693400891BF13285A9E187C3BB18C94 \
  --output .well-known/mvg-governance.json.asc \
  .well-known/mvg-governance.json

# AIMS descriptor
gpg --armor --detach-sign \
  --local-user 58335BA12693400891BF13285A9E187C3BB18C94 \
  --output .well-known/mvg-aims.json.asc \
  .well-known/mvg-aims.json

# Safety IR descriptor
gpg --armor --detach-sign \
  --local-user 58335BA12693400891BF13285A9E187C3BB18C94 \
  --output .well-known/mvg-safety-ir.json.asc \
  .well-known/mvg-safety-ir.json

3) Verify offline (expected)

# Import the published public key (if needed)
gpg --import pgp.asc

gpg --verify .well-known/mvg-company.json.asc .well-known/mvg-company.json
gpg --verify .well-known/mvg-governance.json.asc .well-known/mvg-governance.json
gpg --verify .well-known/mvg-aims.json.asc .well-known/mvg-aims.json
gpg --verify .well-known/mvg-safety-ir.json.asc .well-known/mvg-safety-ir.json

Expected: "Good signature" from the MVG key whose fingerprint was confirmed in preflight. A bad or mismatched signature is FAIL; a missing or placeholder .asc is HOLD.

4) Cut a release (append transparency + refresh roots/proofs)

Run from repo root. This refreshes deterministic outputs: Packet regen, transparency append, roots/proofs regeneration, and well-known mirroring.

python3 downloads2b/release_cut_v59.py \
  --site-root . \
  --bump-to v63 \
  --mode both \
  --require-company-sig \
  --require-governance-sig \
  --require-aims-sig \
  --require-safety-ir-sig

Expected outputs: Company/Governance/AIMS/Safety-IR signatures GO, and transparency log updated. Phase2 witness/anchors may remain HOLD until published — that is normal.
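The HOLD/FAIL/GO rules of steps 1 to 3, as an added POSIX shell gate that is not the release_cut script's own check. It assumes the expected key fingerprint is passed as the first argument and that each receipt's signature sits beside it as <receipt>.asc; it reads gpg's --status-fd VALIDSIG line instead of trusting the exit code alone, so a good signature from some other key in the keyring cannot pass.

```shell
#!/bin/sh
# Fail-closed receipt gate (added example; not the release_cut script's own check).
# Usage: sh receipt_gate.sh <expected-key-fingerprint> <receipt.json>...
# Exit status is 0 only when every receipt is GO.

# receipt_status FPR RECEIPT SIGFILE -> prints GO | FAIL | HOLD
receipt_status() {
  fpr=$1; json=$2; asc=$3
  # HOLD: receipt or signature file absent, or still a READY_TO_SIGN placeholder
  if [ ! -f "$json" ] || [ ! -f "$asc" ]; then echo HOLD; return 0; fi
  if grep -q 'READY_TO_SIGN' "$asc"; then echo HOLD; return 0; fi
  # FAIL unless gpg reports VALIDSIG from exactly the expected fingerprint.
  # The exit code alone is not enough: a good signature from *any* key in the
  # keyring also exits 0, and gpg being absent must not turn into a PASS.
  status=$(gpg --batch --status-fd 1 --verify "$asc" "$json" 2>/dev/null) \
    || { echo FAIL; return 0; }
  case "$status" in
    *"[GNUPG:] VALIDSIG $fpr "*) echo GO ;;
    *) echo FAIL ;;
  esac
}

# gate FPR RECEIPT... -> one "STATUS path" line per receipt; returns 0 only if all GO
gate() {
  fpr=$1; shift
  rc=0
  for json in "$@"; do
    st=$(receipt_status "$fpr" "$json" "$json.asc")
    printf '%s %s\n' "$st" "$json"
    [ "$st" = GO ] || rc=1
  done
  return "$rc"
}

# Stand-alone use from repo root before step 4 (fingerprint from security.txt):
#   sh receipt_gate.sh 58335BA12693400891BF13285A9E187C3BB18C94 .well-known/mvg-company.json .well-known/mvg-governance.json .well-known/mvg-aims.json .well-known/mvg-safety-ir.json
if [ "$#" -ge 2 ]; then
  gate "$@"
fi
```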

Audit ticket text (copy/paste)

Minimal, procurement-friendly. Replace <...> with your release ID if needed.

Receipts (authoritative; detached signatures):
- Company (KYB): /.well-known/mvg-company.json  (+ /.well-known/mvg-company.json.asc)
- Governance: /.well-known/mvg-governance.json  (+ /.well-known/mvg-governance.json.asc)
- AIMS: /.well-known/mvg-aims.json  (+ /.well-known/mvg-aims.json.asc)
- Safety IR: /.well-known/mvg-safety-ir.json  (+ /.well-known/mvg-safety-ir.json.asc)

Verify (offline):
- gpg --verify .well-known/mvg-company.json.asc .well-known/mvg-company.json
- gpg --verify .well-known/mvg-governance.json.asc .well-known/mvg-governance.json
- gpg --verify .well-known/mvg-aims.json.asc .well-known/mvg-aims.json
- gpg --verify .well-known/mvg-safety-ir.json.asc .well-known/mvg-safety-ir.json

Ticket Pack (1 URL):
- DSSE: /.well-known/mvg-procurement-ticket-pack.dsse.json
- Viewer: /trust/dsse-viewer/?dsse=/.well-known/mvg-procurement-ticket-pack.dsse.json

Auditors start here:
- Trust Center: /trust-center/

Expected outputs:
- Missing/placeholder signatures MUST yield HOLD (fail-closed)
- Invalid signature MUST yield FAIL
- When signatures publish: receipts are GO-verifiable offline

References

Canonical hub: /trust-center/