Website release integrity (PROD)
TRUST_MODE=PROD
Fail‑closed canonical rail. Public verifier results are PASS / HOLD / FAIL. The current machine-readable pointer phase is READY_TO_SIGN, so public status remains HOLD pending publication. No private keys required.
Current machine-readable production pointer phase: READY_TO_SIGN. Public reviewer status remains HOLD until detached signatures and publication proofs are complete.
Status artifact (receipt): MVG_SITE_RELEASE_STATUS_LATEST.json (.asc)
This page publishes canonical release pointers and trust anchors for verifying MVG verifier UI assets in an audit-ready way.
Single-source reviewer navigation. If any page text conflicts with a signed receipt, treat it as HOLD and follow the receipt.
/.well-known/mvg-prod.json (+ .asc) is the single signed production pointer.
Determine state from signature validity (fail‑closed):
missing ⇒ HOLD; invalid ⇒ FAIL; valid signature ⇒ proceed to verify referenced receipts offline.
site_release_verification_keyring_url = /trust/site-release/latest/pgp.asc
· security_contact_encryption_key_url = /pgp.asc
· security.txt
You do not need MVG private keys to verify; public PASS requires MVG-published signatures under the pinned fingerprint.
Unsigned/partial publication = HOLD.
Release Test Attestation (signed) is REQUIRED. If absent: HOLD.
Public verification (1 minute)
Download verifier kit: https://meridianverity.com/downloads2/MVG_Public_SiteRelease_Verifier_v50.4.zip
Then verify:
Output is deterministic: PASS only when all required signatures verify; otherwise HOLD (fail‑closed). No private keys required.
Release authenticity could not be established (missing or placeholder signatures). Treat this publication as HOLD until the one-shot signing order completes under the pinned fingerprint.
Signing key fingerprint
Website release manifests are authenticated under the pinned fingerprint below. For trust, use the fingerprint pin and the published public key — do not rely on keyservers.
70FE48225463D34063E024D9C9E4797A0678908BMVG-SITE-PROD-20260227.3
Release manifest for critical assets (verifier UI, styles, and integrity bootstrap). This supports procurement review: “verify the verifier.”
Offline verification (example)
gpg --import trust/site-release/latest/pgp.asc gpg --verify MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260227.3.json.asc MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260227.3.json
If the fingerprint differs, treat the release as untrusted (HOLD) and use the air‑gapped verifier kit.
Canonical: https://meridianverity.com/.well-known/mvg-trust.json. Legacy alias: /trust.json (pointer-only).
MVG_SiteRelease_Evidence_Bundle_MVG-SITE-PROD-20260227.3.zip (recommended) MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260227.3.json (+ .asc) MVG_SITE_RELEASE_HEADCHAIN_MVG-SITE-PROD-20260227.3.json (+ .asc) mvg-trust.json (+ .asc / .dsse.json) mvg-contact.json (+ .asc / .dsse.json)
Signing order (normative)
- Generate the Site Release Manifest (hashes + SRI) and the unsigned trust descriptors (
mvg-trustandmvg-contact); do not publish yet. - Sign the manifest (
.asc) under the pinned site-release signing key. - Append a new head to the headchain referencing the manifest digest (and
prev_head_sha256), then updatemvg-trustpointers to the new release. - Sign + publish (one-shot) the headchain,
mvg-trust, andmvg-contactartifacts (ASC + DSSE) together. If integrity cannot be established, verifiers MUST fail‑closed to HOLD.
This order is designed for one-shot publish; partial publication MUST be treated as HOLD.
Append-only release heads (optional)
Release heads support monitoring and “no silent rewrite” posture. Heads MUST NOT override receipt pins.
For large-scale monitoring, MVG MAY publish a head chain for site releases. Verification MUST use the signed manifest and pinned fingerprint.