📜 Registrar — legal records & long-term validity
Sealed release provenance Live
Binds an install package's file hashes into a qualified-sealed PDF — a supply-chain/NIS2 evidence layer.
Each release's files are bound by SHA-256 into a canonical manifest sealed into a qualified PAdES/B-LTA PDF; verification re-checks seal trust, the manifest and every artifact hash. It complements the existing ed25519 bundle signing as a supply-chain / NIS2 evidence layer. Honest scope: this is legal provenance attestation, not OS code-signing.