Skip to content

docs: end-user artifact verification guide #1157

Description

@lockwobr

Problem

There is no single end-user guide that walks a consumer through verifying AICR artifacts end to end. The V1 acceptance bar calls for "a documented verification path that works in air-gapped, private, and public-trust deployments." Verification knowledge today is scattered across aicr verify help and the signing-side docs.

Proposal

Write an end-user verification guide (under docs/user/) that covers verifying bundles — and recipe data — in each deployment shape.

Scope

  • Public-trust verification (default aicr verify).
  • Private Sigstore verification (custom trust root).
  • KMS-key verification (--key).
  • Air-gapped / offline verification.
  • Recipe-data provenance verification.
  • Trust levels and what each guarantees (pkg/bundler/verifier/trust.go).

Dependencies

  • Depends on the verifier feature sub-issues landing (KMS, private trust root, offline) and recipe-data provenance.

Success criteria

  • A published docs/user/ guide lets a consumer verify every artifact type in every supported trust environment, with copy-pasteable commands.

Metadata

Metadata

Assignees

No one assigned

    Fields

    No fields configured for Documentation.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions