Website release integrity (READY_TO_SIGN)
TRUST_MODE=READY_TO_SIGN
READY_TO_SIGN (candidate) build. Current published candidate artifact set: MVG-SITE-PROD-20260218.1. Production signatures are intentionally NOT included. Expected verifier output: HOLD (exit 2) — by design.
Status artifact (candidate; intentionally incomplete): MVG_SITE_RELEASE_STATUS_LATEST.json
This page publishes canonical release pointers and trust anchors for verifying MVG verifier UI assets in an audit-ready way.
You do not need MVG private keys to verify; GO requires MVG-published signatures under the pinned fingerprint.
Unsigned/partial publication = HOLD.
Release Test Attestation (signed) is REQUIRED. If absent: HOLD.
Public verification (1 minute)
Download verifier kit: https://meridianverity.com/downloads2/MVG_Public_SiteRelease_Verifier_v50.4.zip
Then verify:
Expected in READY_TO_SIGN: HOLD (exit 2), by design. Expected in PROD (default rail): GO (exit 0). No private keys required.
Release authenticity could not be established (missing or placeholder signatures). Treat this publication as HOLD until the one-shot signing order completes under the pinned fingerprint.
Signing key fingerprint
Website release manifests are authenticated under the pinned fingerprint below. For trust, use the fingerprint pin and the published public key — do not rely on keyservers.
PROD: signatures published — expected GO. READY_TO_SIGN: intentional HOLD (candidate).
MVG-SITE-PROD-20260218.1
Release manifest for critical assets (verifier UI, styles, and integrity bootstrap). This supports procurement review: “verify the verifier.”
Offline verification (example)
gpg --import trust/site-release/latest/pgp.asc
gpg --verify MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260218.1.json.asc MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260218.1.json
If the fingerprint differs, treat the release as untrusted (HOLD) and use the air‑gapped verifier kit.
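One way to enforce the fingerprint pin mechanically instead of comparing it by eye, as an added example (not code from MVG's verifier kit): `gpg --verify` reports success for any key present in the keyring, so this reads gpg's `--status-fd` output and returns GO (0) only when the `VALIDSIG` line names the pinned primary-key fingerprint, and HOLD (2) in every other case. The helper names `mvg_decide` and `mvg_verify` and the sample fingerprint are constructed for illustration; a 40-hex-digit (v4) fingerprint is assumed.

```shell
#!/bin/sh
# Added example: map gpg's machine-readable status to the page's GO/HOLD codes.

# Constructed sample (made-up fingerprint, NOT MVG's key; use the pinned one).
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2026-02-18 1771372800 0 4 0 1 10 00 $SAMPLE_FPR"

# mvg_decide PINNED_FPR   (hypothetical helper; status lines on stdin)
# Returns 0 (GO) only if a VALIDSIG line carries the pinned primary-key
# fingerprint and no failure status is present; everything else is 2 (HOLD).
mvg_decide() {
    pin=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # Assumption: the pin is a full 40-hex-digit (v4) fingerprint.
    case "$pin" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#pin}" -eq 40 ] || return 2
    awk -v pin="$pin" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NODATA)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary-key fingerprint; field 3 the signing (sub)key.
            fpr = ($12 != "") ? $12 : $3
            if (toupper(fpr) == pin) good = 1; else bad = 1
        }
        END { if (good && !bad) exit 0; exit 2 }
    '
}

# mvg_verify PINNED_FPR SIGFILE DATAFILE   (hypothetical wrapper)
# gpg missing, key missing or no output all end in HOLD (fail-closed).
mvg_verify() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | mvg_decide "$1"
}
```

Call `mvg_verify` with the pinned fingerprint, the `.asc` file and the manifest after the `gpg --import` step; its exit status follows the page's convention of 0 for GO and 2 for HOLD.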
Canonical: /.well-known/mvg-trust.json. Legacy alias: /trust.json (pointer-only).
- MVG_SiteRelease_Evidence_Bundle_MVG-SITE-PROD-20260218.1.zip (recommended)
- MVG_SITE_RELEASE_MANIFEST_MVG-SITE-PROD-20260218.1.json (+ .asc)
- MVG_SITE_RELEASE_HEADCHAIN_MVG-SITE-PROD-20260218.1.json (+ .asc)
- mvg-trust.json (+ .asc / .dsse.json)
- mvg-contact.json (+ .asc / .dsse.json)
Signing order (normative)
- Generate the Site Release Manifest (hashes + SRI) and the unsigned trust descriptors (mvg-trust and mvg-contact); do not publish yet.
- Sign the manifest (.asc) under the pinned site-release signing key.
- Append a new head to the headchain referencing the manifest digest (and prev_head_sha256), then update mvg-trust pointers to the new release.
- Sign + publish (one-shot) the headchain, mvg-trust, and mvg-contact artifacts (ASC + DSSE) together. If integrity cannot be established, verifiers MUST fail‑closed to HOLD.
This order is designed for one-shot publish; partial publication MUST be treated as HOLD.
Append-only release heads (optional)
Release heads support monitoring and “no silent rewrite” posture. Heads MUST NOT override receipt pins.
For large-scale monitoring, MVG MAY publish a head chain for site releases. Verification MUST use the signed manifest and pinned fingerprint.