
Supply‑chain governance — for reviewer kits.

Enterprise review flows assume software artifacts can be moved into isolated environments and audited later. MVG’s air‑gapped verifier kit publishes a signed keyring snapshot, a key rotation policy (with grace windows), and an append‑only head‑of‑heads chain for commitment log updates — all verifiable offline.


Procurement‑grade boundaries

  • Non‑binding unless incorporated by reference. Binding terms exist only in a fully executed agreement.
  • No patent license by publication. Public materials are informational only.
  • Not a compliance certification. This is transparency evidence, not a compliance stamp.
  • Fail‑closed. Unsupported crypto / missing evidence → HOLD.

Keyring snapshots + key rotation

A signed keyring snapshot pins which keys are allowed to sign which artifacts — with explicit lifecycle policy.

What reviewers get

  • Signed keyring snapshot (DSSE) containing allowed signer keys + roles.
  • Lifecycle fields: active / deprecated / revoked, and grace_until where applicable.
  • Fail‑closed behavior: once a deprecated key's grace window has passed, verifiers return HOLD (not PASS) for anything it signed unless an explicit legacy override is recorded.

Published keyring version: v1.0.0 • Issued (UTC): 2026‑02‑12T04:00:00Z

Pinned identifiers

  Field                     Value
  keyring_payload_sha256    sha256:3fea08a2451c1c16be2f4424dfb5a7fa9c58c7627e10afbfd6a5a2dbe8f83342
  root trust keyid          ta.mvg.airgapped.kit.root.2026-02-12.v2.demo.19a29d194d
                            prev: ta.mvg.airgapped.kit.root.2026-02-12.v1.demo.d9f8e47adc (deprecated, in grace window)
  grace window              120 days (deprecated keys)
  post‑grace behavior       HOLD (fail‑closed)


Why this exists

A keyring snapshot is the missing piece in many “signed artifact” stories. Without it, reviewers can verify a signature but cannot reproduce the authorization policy that decided which keys were acceptable. MVG treats the keyring as a first‑class, signed artifact.
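The lifecycle policy described in this section, written out as a fail‑closed decision procedure. This is an added example, not MVG's verifier code: the payload layout (a list of keys with keyid, status, roles and grace_until), the role names, the hypothetical revoked v0 key and the exact PASS / FAIL / HOLD mapping (revoked or wrong role is FAIL, missing or expired authorization is HOLD) are assumptions; the two keyids, the issue date and the 120‑day grace window are the values pinned above.

```python
"""Keyring lifecycle policy: decide PASS / FAIL / HOLD for a candidate signer.

Added example, not MVG's verifier. The payload layout, role names, revoked key
and verdict mapping are assumptions; keyids, issue date and grace window are
the values the page pins.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

KEY_V2 = "ta.mvg.airgapped.kit.root.2026-02-12.v2.demo.19a29d194d"
KEY_V1 = "ta.mvg.airgapped.kit.root.2026-02-12.v1.demo.d9f8e47adc"
KEY_V0 = "ta.mvg.airgapped.kit.root.2025-01-01.v0.demo.0000000000"  # hypothetical, revoked
ISSUED = datetime(2026, 2, 12, 4, 0, tzinfo=timezone.utc)
GRACE_DAYS = 120


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed snapshot body. In the real kit this body is the DSSE payload, and its
# digest is what the page pins as keyring_payload_sha256.
KEYRING_PAYLOAD = json.dumps({
    "version": "v1.0.0",
    "issued": ISSUED.isoformat(),
    "keys": [
        {"keyid": KEY_V2, "status": "active", "roles": ["kit", "headchain"]},
        {"keyid": KEY_V1, "status": "deprecated", "roles": ["kit", "headchain"],
         "grace_until": (ISSUED + timedelta(days=GRACE_DAYS)).isoformat()},
        {"keyid": KEY_V0, "status": "revoked", "roles": ["kit"]},
    ],
}, sort_keys=True)


def payload_digest(payload: str) -> str:
    """Digest in the page's 'sha256:<hex>' form, for comparison with the pinned value."""
    return "sha256:" + hashlib.sha256(payload.encode()).hexdigest()


def evaluate_signer(payload: str, pinned_digest: str, keyid: str, role: str,
                    now: datetime, legacy_override: bool = False) -> tuple[str, str]:
    """Return (verdict, reason).

    Assumed mapping, fail-closed: positive evidence against the signer (revoked,
    wrong role) is FAIL; missing or expired authorization is HOLD; only an
    explicitly allowed signer yields PASS.
    """
    if payload_digest(payload) != pinned_digest:
        return "HOLD", "keyring payload does not match the pinned digest"
    keyring = json.loads(payload)
    entry = next((k for k in keyring["keys"] if k["keyid"] == keyid), None)
    if entry is None:
        return "HOLD", "signer not present in keyring snapshot"
    if entry["status"] == "revoked":
        return "FAIL", "signer is revoked"
    if role not in entry["roles"]:
        return "FAIL", f"signer not authorized for role {role!r}"
    if entry["status"] == "active":
        return "PASS", "active signer"
    if entry["status"] == "deprecated":
        grace_until = datetime.fromisoformat(entry["grace_until"])
        if now <= grace_until:
            return "PASS", f"deprecated signer within grace window (until {grace_until.date()})"
        if legacy_override:
            return "PASS", "deprecated signer past grace, explicit legacy override recorded"
        return "HOLD", "deprecated signer past grace window"
    return "HOLD", f"unknown lifecycle status {entry['status']!r}"


if __name__ == "__main__":
    pin = payload_digest(KEYRING_PAYLOAD)
    for when in (utc(2026, 3, 1), utc(2026, 7, 1)):
        for k in (KEY_V2, KEY_V1, KEY_V0):
            print(when.date(), k, *evaluate_signer(KEYRING_PAYLOAD, pin, k, "kit", when))
```

The digest check comes first on purpose: a reviewer who has pinned keyring_payload_sha256 out of band must refuse to evaluate a policy whose bytes differ, otherwise a substituted keyring could quietly widen the set of acceptable signers.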

Append‑only head‑of‑heads (log‑of‑heads)

Commitment logs grow over time. The headchain makes each update auditable by chaining every signed log head to its predecessor.

What it guarantees

  • Append‑only updates: log heads are chained as the commitment log grows.
  • Signed headchain head: the latest headchain head is DSSE‑signed under a pinned role.
  • Offline inclusion: reviewers can validate that a given signed log head appears in the headchain.

Offline verification path

  1. Verify kit ZIP against its DSSE signature.
  2. Verify the release receipt commitment against the public commitment log.
  3. Verify the signed log head is included in the headchain.
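The three steps above as one fail‑closed offline check, written as an added example rather than MVG's own verifier. It assumes: the kit ZIP is the DSSE payload; the receipt carries a blinder plus the kit's sha256; a public‑log entry is sha256(blinder || kit_sha256); a log head is the sha256 over the ordered entries; headchain entries link to their predecessor by the sha256 of their canonical JSON; and the payload‑type strings are invented. The DSSE Pre‑Authentication Encoding is the real one, but HMAC‑SHA256 stands in for the asymmetric DSSE signature so the demo runs on the standard library alone.

```python
"""Offline verification of a reviewer kit: the page's three steps, fail-closed.

Added example, not MVG's verifier. Assumed: kit ZIP is the DSSE payload; receipt
carries blinder + kit sha256; log entry = sha256(blinder || kit_sha256); log head =
sha256 over ordered entries; headchain entries link by sha256 of canonical JSON;
HMAC-SHA256 stands in for the asymmetric DSSE signature primitive.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from typing import Callable

KEY_V2 = "ta.mvg.airgapped.kit.root.2026-02-12.v2.demo.19a29d194d"  # pinned on the page
ZIP_TYPE, HEAD_TYPE = "application/zip", "application/vnd.mvg.headchain-head+json"  # assumed


# Step 1: DSSE. The signature covers the Pre-Authentication Encoding, never the raw payload.
def dsse_pae(payload_type: str, body: bytes) -> bytes:
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(body), body)


def open_envelope(env: dict, payload_type: str, allowed: set[str],
                  verify_sig: Callable[[str, bytes, bytes], bool]) -> bytes | None:
    """Return the payload if a signature by an allowed keyid verifies over the PAE, else None."""
    if env.get("payloadType") != payload_type:
        return None
    body = base64.b64decode(env["payload"])
    pae = dsse_pae(payload_type, body)
    for s in env.get("signatures", []):
        if s["keyid"] in allowed and verify_sig(s["keyid"], pae, base64.b64decode(s["sig"])):
            return body
    return None


# Step 2: blinded commitment. The log reveals neither the kit hash nor the counterparty.
def commitment(blinder: bytes, kit_sha256: str) -> str:
    return hashlib.sha256(blinder + bytes.fromhex(kit_sha256)).hexdigest()


def log_head(entries: list[str]) -> str:  # assumed construction; a production log uses a Merkle tree
    return hashlib.sha256(b"".join(bytes.fromhex(e) for e in entries)).hexdigest()


# Step 3: head-of-heads. Each entry names its predecessor, so history can only be appended to.
def entry_id(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def verify_headchain(chain: list[dict]) -> bool:
    prev = "0" * 64
    for seq, entry in enumerate(chain):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False
        prev = entry_id(entry)
    return True


def review_kit(kit_env: dict, receipt: dict, public_log: list[str], chain: list[dict],
               head_env: dict, roles: dict[str, set[str]], verify_sig) -> tuple[str, str]:
    """Fail-closed: missing or unverifiable evidence yields HOLD, never PASS."""
    kit = open_envelope(kit_env, ZIP_TYPE, roles["kit"], verify_sig)
    if kit is None:
        return "HOLD", "kit ZIP signature not verifiable under a pinned kit signer"
    if hashlib.sha256(kit).hexdigest() != receipt["kit_sha256"]:
        return "HOLD", "kit ZIP does not match the receipt"
    if commitment(bytes.fromhex(receipt["blinder"]), receipt["kit_sha256"]) not in public_log:
        return "HOLD", "receipt commitment absent from the public log"
    head = open_envelope(head_env, HEAD_TYPE, roles["headchain"], verify_sig)
    if head is None:
        return "HOLD", "headchain head signature not verifiable under a pinned headchain signer"
    signed_head = json.loads(head)["log_head"]
    if signed_head != log_head(public_log):
        return "HOLD", "signed log head does not cover the log snapshot that holds the commitment"
    if not verify_headchain(chain) or not any(e["log_head"] == signed_head for e in chain):
        return "HOLD", "signed log head not included in a well-formed headchain"
    return "PASS", "kit, receipt commitment and headchain inclusion verified offline"


# Stand-in signature primitive (HMAC-SHA256 keyed per keyid); real envelopes use asymmetric keys.
DEMO_KEYS = {KEY_V2: b"constructed demo secret, not a real key"}


def demo_verify(keyid: str, message: bytes, sig: bytes) -> bool:
    return keyid in DEMO_KEYS and hmac.compare_digest(
        hmac.new(DEMO_KEYS[keyid], message, hashlib.sha256).digest(), sig)


def envelope(payload_type: str, body: bytes, keyid: str) -> dict:
    sig = hmac.new(DEMO_KEYS[keyid], dsse_pae(payload_type, body), hashlib.sha256).digest()
    return {"payloadType": payload_type, "payload": base64.b64encode(body).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def build_fixtures() -> dict:
    """Constructed kit, receipt, public log and headchain (not real MVG data)."""
    kit_zip = b"PK\x03\x04 constructed stand-in for a reviewer kit archive"
    receipt = {"kit_sha256": hashlib.sha256(kit_zip).hexdigest(), "blinder": "7a" * 32}
    public_log = ["11" * 32, commitment(bytes.fromhex(receipt["blinder"]), receipt["kit_sha256"])]
    chain, prev = [], "0" * 64
    for seq in (0, 1):  # one headchain entry per log snapshot: before and after this receipt
        entry = {"seq": seq, "prev": prev, "log_head": log_head(public_log[: seq + 1])}
        chain.append(entry)
        prev = entry_id(entry)
    head_body = json.dumps({"log_head": chain[-1]["log_head"]}).encode()
    return {"kit_env": envelope(ZIP_TYPE, kit_zip, KEY_V2), "receipt": receipt,
            "public_log": public_log, "chain": chain, "head_env": envelope(HEAD_TYPE, head_body, KEY_V2),
            "roles": {"kit": {KEY_V2}, "headchain": {KEY_V2}}, "verify_sig": demo_verify}


if __name__ == "__main__":
    print(*review_kit(**build_fixtures()))
```

A reviewer would replace build_fixtures() with the envelopes, receipt and log snapshot shipped in the kit, and the allowed‑keyid sets with the roles taken from the signed keyring snapshot. Note the binding check between steps 2 and 3: finding the commitment in some copy of the log proves nothing unless that copy hashes to the head the headchain actually records.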


Lawsuit‑aware transparency

The public log stores blinded commitments; it does not reveal the underlying kit hashes or counterparties. This preserves the transparency value of the log without creating unnecessary correlation surfaces.