✅ 2-minute Verify (DEMO — one-shot GO)
- Download Evidence Bundle
- Unzip and run:
Expected: GO (fail-closed: any mismatch ⇒ HOLD).
Signed status artifact: MVG_SITE_RELEASE_STATUS_LATEST.json (signature)
Verify the signed status artifact (optional)
gpg --import trust/site-release/demo/pgp.asc gpg --verify trust/site-release/demo/releases/MVG_SITE_RELEASE_STATUS_LATEST.json.asc \ trust/site-release/demo/releases/MVG_SITE_RELEASE_STATUS_LATEST.json
Website release integrity (DEMO)
TRUST_MODE=DEMO
DEMO KEYS ONLY — Not production trust. Do not rely for operational decisions.
This page publishes canonical release pointers and trust anchors for verifying MVG verifier UI assets in an audit-ready way.
You do not need MVG private keys to verify; GO requires MVG-published signatures under the pinned fingerprint.
Unsigned/partial publication = HOLD.
Release Test Attestation (signed) is REQUIRED. If absent: HOLD.
Public verification (1 minute)
Download verifier kit: https://meridianverity.com/downloads2/MVG_Public_SiteRelease_Verifier_v50.4.zip
Then verify:
Outputs GO / HOLD and explains why. No private keys required.
Release authenticity could not be established (missing or placeholder signatures). Treat this publication as HOLD until the one-shot signing order completes under the pinned fingerprint.
Signing key fingerprint
Website release manifests are authenticated under the pinned fingerprint below. For trust, use the fingerprint pin and the published public key — do not rely on keyservers.
7E4D682DF2F98EDBB398705B537D0D9C7C61794C 7E4D 682D F2F9 8EDB B398 705B 537D 0D9C 7C61 794C
MVG-SITE-DEMO-20260218.1
Release manifest for critical assets (verifier UI, styles, and integrity bootstrap). This supports procurement review: “verify the verifier.”
Offline verification (example)
gpg --import trust/site-release/demo/pgp.asc gpg --verify MVG_SITE_RELEASE_MANIFEST_MVG-SITE-DEMO-20260218.1.json.asc MVG_SITE_RELEASE_MANIFEST_MVG-SITE-DEMO-20260218.1.json
If the fingerprint differs, treat the release as untrusted (HOLD) and use the air‑gapped verifier kit.
Canonical: https://status.meridianverity.com/.well-known/mvg-trust.json. Legacy alias: /trust.json (pointer-only).
MVG_SiteRelease_Evidence_Bundle_MVG-SITE-DEMO-20260218.1.zip (recommended) MVG_SITE_RELEASE_MANIFEST_MVG-SITE-DEMO-20260218.1.json (+ .asc) MVG_SITE_RELEASE_HEADCHAIN_MVG-SITE-DEMO-20260218.1.json (+ .asc) mvg-trust.json (+ .asc / .dsse.json) mvg-contact.json (+ .asc / .dsse.json)
Signing order (normative)
- Generate the Site Release Manifest (hashes + SRI) and the unsigned trust descriptors (
mvg-trustandmvg-contact); do not publish yet. - Sign the manifest (
.asc) under the pinned site-release signing key. - Append a new head to the headchain referencing the manifest digest (and
prev_head_sha256), then updatemvg-trustpointers to the new release. - Sign + publish (one-shot) the headchain,
mvg-trust, andmvg-contactartifacts (ASC + DSSE) together. If integrity cannot be established, verifiers MUST fail‑closed to HOLD.
This order is designed for one-shot publish; partial publication MUST be treated as HOLD.
Append-only release heads (optional)
Release heads support monitoring and “no silent rewrite” posture. Heads MUST NOT override receipt pins.
For large-scale monitoring, MVG MAY publish a head chain for site releases. Verification MUST use the signed manifest and pinned fingerprint.