Problem
There is no single end-user guide that walks a consumer through verifying AICR artifacts end to end. The V1 acceptance bar calls for "a documented verification path that works in air-gapped, private, and public-trust deployments." Verification knowledge today is scattered across aicr verify help and the signing-side docs.
Proposal
Write an end-user verification guide (under docs/user/) that covers verifying bundles — and recipe data — in each deployment shape.
Scope
- Public-trust verification (default
aicr verify).
- Private Sigstore verification (custom trust root).
- KMS-key verification (
--key).
- Air-gapped / offline verification.
- Recipe-data provenance verification.
- Trust levels and what each guarantees (
pkg/bundler/verifier/trust.go).
Dependencies
- Depends on the verifier feature sub-issues landing (KMS, private trust root, offline) and recipe-data provenance.
Success criteria
- A published
docs/user/ guide lets a consumer verify every artifact type in every supported trust environment, with copy-pasteable commands.
Problem
There is no single end-user guide that walks a consumer through verifying AICR artifacts end to end. The V1 acceptance bar calls for "a documented verification path that works in air-gapped, private, and public-trust deployments." Verification knowledge today is scattered across
aicr verifyhelp and the signing-side docs.Proposal
Write an end-user verification guide (under
docs/user/) that covers verifying bundles — and recipe data — in each deployment shape.Scope
aicr verify).--key).pkg/bundler/verifier/trust.go).Dependencies
Success criteria
docs/user/guide lets a consumer verify every artifact type in every supported trust environment, with copy-pasteable commands.