# Sovrient EU AI Act Verifier Key Policy v0

This file describes the signing key used for the EU AI Act v1.0 verifier bundle published in this
directory.

## Release Key

- Key purpose: Sovrient EU AI Act Verifier release key for this bundle.
- Public fingerprint: `231DF589D89C25FAD7A8E8E685F9BA1E0016C226`
- Signed object: detached GPG signature over `manifest.json` inside the verifier bundle.

The keyserver command in the verifier runbook is a distribution step, not a trust root: a keyserver
serves whatever keys match the lookup and makes no claim about who controls them. Before relying on
the signature, a reviewer should compare the full 40-hex-digit fingerprint of the imported key, not a
short key ID or the user ID string, against this page and against an out-of-band source.
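The check described above, written out as an added POSIX shell example (not code from the Sovrient bundle or its runbook): it pins the fingerprint on this page, rejects anything shorter than a full fingerprint, and accepts a detached signature only when gpg's `VALIDSIG` status record names the pinned primary key. The signature file name `manifest.json.sig`, the function names, and the sample status lines are assumptions; only the fingerprint comes from this page.

```shell
#!/bin/sh
# Pin the release-key fingerprint published on this page. Everything below
# compares against this constant, never against a short key ID or a uid string.
SOVRIENT_RELEASE_FPR="231DF589D89C25FAD7A8E8E685F9BA1E0016C226"

# Canonicalize a fingerprint as a reviewer might paste it from an out-of-band
# source: drop spaces/tabs, a leading 0x, and lowercase hex digits.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeed only for a full 40-hex-digit fingerprint equal to the pin.
# 8- or 16-digit key IDs are rejected outright: they are not collision-resistant,
# so matching one proves nothing about which key was imported.
fpr_matches_pin() {
  cand=$(normalize_fpr "$1")
  case "$cand" in
    ""|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#cand}" -eq 40 ] || return 1
  [ "$cand" = "$SOVRIENT_RELEASE_FPR" ]
}

# Read gpg --status-fd records on stdin and print the primary-key fingerprint
# from the VALIDSIG record (its 12th field, emitted after the signature class).
# VALIDSIG only appears for a cryptographically valid signature, so the
# human-readable "Good signature" text is never parsed. Exit 1 without VALIDSIG.
primary_fpr_from_status() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = (NF >= 12) ? $12 : $3 }
       END { if (fpr == "") exit 1; print fpr }'
}

# Decide a verification from its status records: valid signature AND pinned signer.
status_is_pinned_valid() {
  fpr=$(primary_fpr_from_status) || return 1
  fpr_matches_pin "$fpr"
}

# After a keyserver or file import (distribution only, not trust), confirm the
# local keyring copy really carries the pinned fingerprint ("fpr" record, field 10).
keyring_has_pinned_key() {
  gpg --batch --with-colons --fingerprint "$SOVRIENT_RELEASE_FPR" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }' \
    | { read -r fpr && fpr_matches_pin "$fpr"; }
}

# Verify the detached signature over manifest.json and require the pinned signer.
# Usage: verify_manifest manifest.json.sig manifest.json  (the .sig name is assumed)
verify_manifest() {
  keyring_has_pinned_key || { echo "pinned key not in keyring" >&2; return 1; }
  gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_is_pinned_valid
}

# Constructed sample status output (not captured from a real run): a valid
# signature by the pinned key, a bad signature, and a valid signature by some
# other key (all-zero placeholder fingerprint). Dates and timestamps are placeholders.
SAMPLE_STATUS_OK='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 85F9BA1E0016C226 Constructed Sample Key
[GNUPG:] VALIDSIG 231DF589D89C25FAD7A8E8E685F9BA1E0016C226 2024-01-01 1704067200 0 4 0 22 8 00 231DF589D89C25FAD7A8E8E685F9BA1E0016C226'
SAMPLE_STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 85F9BA1E0016C226 Constructed Sample Key'
SAMPLE_STATUS_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000000000000000 Constructed Other Key
[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2024-01-01 1704067200 0 4 0 22 8 00 0000000000000000000000000000000000000000'

# Stand-alone demonstration on the constructed samples (no gpg needed).
printf '%s\n' "$SAMPLE_STATUS_OK" | status_is_pinned_valid && echo "sample OK: signer matches pin"
printf '%s\n' "$SAMPLE_STATUS_BAD" | status_is_pinned_valid || echo "sample BAD: rejected"
printf '%s\n' "$SAMPLE_STATUS_OTHER" | status_is_pinned_valid || echo "sample OTHER: valid signature, wrong signer, rejected"
```

The decision is made from the `VALIDSIG` record rather than from gpg's exit status or its "Good signature" text, because a valid signature by the wrong key is still a valid signature; the primary-key field is used so that a signature made by a subkey is still pinned to the primary fingerprint named on this page. If a file carries several signatures, the last `VALIDSIG` wins, which is acceptable for a single-signer bundle but should be tightened for multi-signer releases.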

## Scope

The signature authenticates the manifest bytes and the attribution fields named by that manifest. It
does not convert the bundle into legal advice, an EU AI Act compliance determination, a conformity
assessment, an official benchmark score, or an external timestamped transparency-log entry.

## Rotation

If the release key changes, Sovrient will publish a new key-policy file or successor section naming the
new fingerprint. Previously published bundles keep their original fingerprint so historical verifier
artifacts remain checkable against the key named at release time.

This v0 policy defines no routine rotation schedule; it names only the release key used for this
published bundle. Future verifier bundles may name a successor key and should carry their own
key-policy reference.

## Revocation

If this key is revoked or suspected compromised, new verifier bundles must be signed by a successor key.
Existing bundles signed before revocation should be evaluated with the publication date, bundle digest,
manifest digest, and any external timestamp or publication record available to the reviewer.

## Compromise Notice

If Sovrient determines that the release key was compromised, the public verifier page should be updated
to identify the affected fingerprint, the first known affected bundle if known, and the successor
fingerprint. A bundle signed only by a compromised key should not be treated as signer-attributed unless
the reviewer has an independent timestamp or publication record that predates the compromise.

## Operational Boundary

This v0 policy does not claim HSM custody, split-control approval, RFC-3161 timestamping, or public
transparency-log anchoring. Those controls may be added later, but they are not prerequisites for
verifying this bundle's digest chain and detached manifest signature.
