Require signed unified agent release assets

docs/release-control/v6/internal/subsystems/deployment-installability.md

@@ -975,3 +975,11 @@ routing on both sides instead of relying only on generic API fallback
 coverage: update transport changes must continue to carry the direct
 `updates-api-surface` installability proof together with a direct
 API-contract proof path.
+That same governed release-promotion boundary now also owns detached agent and
+installer signatures. `scripts/build-release.sh`,
+`scripts/release_update_key.go`, `scripts/release_ldflags.sh`, and
+`.github/workflows/create-release.yml` must derive the embedded update trust
+root from the governed release signing key, emit `.sig` sidecars for shipped
+agent binaries and installer assets, and upload those signatures with the
+matching release packet so published RC/stable downloads can keep the updater
+trust chain fail-closed instead of downgrading to checksum-only trust.