docs: reframe code-signing section after SignPath Foundation declined

SignPath Foundation declined PowerNetbox's OSS application on 2026-04-24
citing insufficient external reputation signals. Removes "application in
progress" language from SECURITY.md and README.md and promotes GitHub
build-provenance attestations (already live since PR #406 via
actions/attest-build-provenance@v2) to the primary authenticity anchor.

- SECURITY.md: rename "Code signing" -> "Authenticity & provenance"; add
  gh attestation verify snippet as the first trust anchor
- README.md: rename "Code signing policy" -> "Authenticity & provenance";
  drop Get-AuthenticodeSignature snippet (misleading for an unsigned
  module — would report NotSigned) and SignPath credit block; add
  explanatory note on Authenticode
- release.yml: update comment on the attestation step to reflect that
  it is the sole authenticity anchor, not a stopgap

A Foundation-backed cert may be revisited once the project grows enough
to requalify.

Author: ctrl-alt-automate

.github/workflows/release.yml

@@ -89,9 +89,10 @@ jobs:
       - name: Generate build provenance attestation
         # Creates a cryptographic attestation that this PowerNetbox.psd1 +
         # PowerNetbox.psm1 were built by THIS workflow run. Consumers can
-        # verify via `gh attestation verify`. Free alternative to a paid
-        # Authenticode code-signing certificate (SignPath application is
-        # in progress separately for the full signature chain).
+        # verify via `gh attestation verify`. This is the module's sole
+        # authenticity anchor — PowerNetbox is distributed unsigned on
+        # PSGallery (SignPath Foundation declined the OSS application
+        # 2026-04-24; see SECURITY.md Authenticity & provenance section).
         uses: actions/attest-build-provenance@v2
         with:
           subject-path: |

README.md

@@ -333,38 +333,32 @@ See also [CONTRIBUTING.md](CONTRIBUTING.md) and [SECURITY.md](SECURITY.md).
   telemetry, no analytics.
 - **Recent security reviews:** `docs/superpowers/reviews/`.
 
-## Code signing policy
-
-PowerNetbox follows the [SignPath.io](https://signpath.org) code signing
-model (application in progress with the SignPath Foundation free open
-source tier). Once active:
-
-- Every published release on PSGallery will be signed with a certificate
-  issued to **ctrl-alt-automate / PowerNetbox** via SignPath.
-- Consumers can verify authenticity with:
-
-  ```powershell
-  $module = Get-Module -ListAvailable PowerNetbox |
-      Sort-Object Version -Descending |
-      Select-Object -First 1
-  if ($module) {
-      Get-AuthenticodeSignature $module.Path
-  }
-  ```
-
-- Team roles for signing governance:
-  - **Author / Reviewer / Approver:** ctrl-alt-automate (solo
-    maintainer; external contributions are reviewed and merged by the
-    same maintainer before a signed release is cut).
-
-Until SignPath signing is live, the module is distributed unsigned on
-PSGallery. Trust anchors meanwhile are the PSGallery publisher identity
-(`ctrl-alt-automate`), signed git tags, and the public MIT-licensed
-source at each release tag.
-
-Credit: code signing sponsored by
-[SignPath Foundation](https://signpath.org) via
-[SignPath.io](https://signpath.io).
+## Authenticity & provenance
+
+PowerNetbox is distributed **unsigned** on PSGallery. Authenticity is
+anchored in GitHub's Sigstore-backed build-provenance attestations,
+produced automatically for every release by
+[`actions/attest-build-provenance`](https://github.com/actions/attest-build-provenance).
+
+Verify a downloaded module:
+
+```powershell
+$module = Get-Module -ListAvailable PowerNetbox |
+    Sort-Object Version -Descending |
+    Select-Object -First 1
+
+gh attestation verify $module.Path `
+    --repo ctrl-alt-automate/PowerNetbox
+```
+
+Additional trust anchors: PSGallery publisher identity
+(`ctrl-alt-automate`), signed git release tags, and the public MIT-licensed
+source at each tag.
+
+**Note on Authenticode:** PowerNetbox has no Authenticode signature, so
+`Get-AuthenticodeSignature` will report `NotSigned` — this is expected.
+An OSS code-signing certificate may be revisited if the project grows
+enough to qualify for a Foundation-backed program.
 
 ## License
 

SECURITY.md

@@ -72,21 +72,30 @@ Current hardening includes:
 - Restricted GitHub Actions permissions (`contents: read` default)
 - Client-side 10 MB upload cap on `New-NBImageAttachment` (see `Functions/Extras/ImageAttachments/New-NBImageAttachment.ps1`); client-side default 10 000-item cap on `Send-NBBulkRequest` via `-MaxItems` (see `Functions/Helpers/Send-NBBulkRequest.ps1`). Both are local guards that throw before any network call — server-side limits from NetBox apply on top.
 
-## Code signing
+## Authenticity & provenance
 
-The published module on PSGallery is **not yet code-signed**. An
-application with [SignPath Foundation](https://signpath.org) for free
-open-source code signing is in progress. Until then, consumers can
-verify authenticity via:
+PowerNetbox is distributed **unsigned** on PSGallery. SignPath Foundation's
+free OSS code-signing program declined the application on 2026-04-24,
+citing insufficient external reputation signals (a common threshold for
+young/niche OSS projects).
 
-1. **PSGallery publisher:** modules are published only by the
+Consumers can verify authenticity today via:
+
+1. **GitHub build-provenance attestations** — every release is signed by
+   GitHub's Sigstore-backed attestation service (wired in `release.yml` via
+   `actions/attest-build-provenance@v2`):
+
+   ```bash
+   gh attestation verify PowerNetbox.psm1 \
+       --repo ctrl-alt-automate/PowerNetbox
+   ```
+
+2. **PSGallery publisher identity** — modules are published only by the
    `ctrl-alt-automate` publisher account.
-2. **Git tag SHA:** each release tag matches a commit on `main`; you
-   can verify by inspecting `git log` on your local clone.
-3. **Review the source:** PowerNetbox is MIT-licensed; the full source
-   of every released version is public at the matching tag.
-
-Once SignPath signing is live, use the `Get-AuthenticodeSignature`
-snippet in [README.md → Code signing policy](README.md#code-signing-policy)
-to verify a local install. Signature verification steps are maintained
-in a single location to avoid drift.
+3. **Signed git tags** — each release tag matches a commit on `main`;
+   `git log` on your local clone confirms the SHA.
+4. **Public MIT source** — every released version's source is public at
+   the matching tag.
+
+Code-signing certificates may be revisited if the project grows enough to
+requalify for a Foundation-backed cert.