Part of #1431.
Summary
Document the known Fulcio/Sigstore connectivity issue and the recommended way to publish evidence. Corporate VPN and some home networks block TLS to fulcio.sigstore.dev (upstream IP-level rejection, not an AICR bug), which forces contributors onto a phone hotspot for keyless signing. The recommended remedy is the fork-based GitHub Actions signing workflow, with the local split-leg validate (on VPN) → evidence publish (off VPN) as the fallback.
Acceptance criteria
docs/contributor/ or the evidence section) explains the symptom, the cause (upstream Sigstore IP blocking), and the CI-based remedy.
aicr-evidence GHCR package be public so the gate's verify pull (and the signing workflow's pre-sign pull) doesn't 403.
References
docs/design/007-recipe-evidence.md and subpages
pkg/cli/evidence_publish.go