Updates arising from the signing release process

content/en/docs/contributing/release-process.md

@@ -302,8 +302,9 @@ page if a step is missing or if it is outdated.
         ```
 
         This step takes ~10 minutes. It will build all Docker images and create
-        all the manifest files and upload them to a storage bucket on Google
-        Cloud. These artifacts will be published and released in the next steps.
+        all the manifest files, sign Helm charts and upload everything to a storage
+        bucket on Google Cloud. These artifacts will then be published and released
+        in the next steps.
 
         <div class="pageinfo pageinfo-info"><p>
         🔰 Remember to keep open the terminal where you run <code>cmrel stage</code>. Its output will be used in the next step.

content/en/docs/installation/code-signing.md

@@ -16,31 +16,19 @@ Signing keys required for verification are all available on this website, but th
 on the artifact you're trying to validate in the future. At the time of writing, all signing is done using the same underlying
 key.
 
-## Container Images / Cosign
-
-For all cert-manager versions from `v1.6.0` and later, container images are verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview).
-
-The simplest way to verify signatures is to download the public key and then pass it to the cosign CLI:
-
-```console
-curl -sSL https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem > cert-manager-pubkey-2021-09-20.pem
-cosign verify -key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-controller
-# repeat for other images as desired
-```
-
-For a more fully-featured signature verification process in Kubernetes, check out [`connaisseur`](https://sse-secure-systems.github.io/connaisseur/).
-
-- PEM-encoded public key: [`cert-manager-pubkey-2021-09-20.pem`](/public-keys/cert-manager-pubkey-2021-09-20.pem)
-
 ## Helm Charts
 
+<!--
+TODO: uncomment this when cosign signing is in place. The warning doesn't have much value
+if we're not advertising the existence of other public keys.
 {{% alert title="Warning" color="warning" %}}
 Helm requires the use of PGP for verification; the key format is different.
 
-Trying to use the PEM encoded public keys above will fail.
+Trying to use PEM encoded public keys will fail.
 {{% /alert %}}
+-->
 
-For all cert-manager versions from `v1.6.0` and later, helm charts are signed and verifiable through the helm CLI.
+For all cert-manager versions from `v1.6.0` and later, Helm charts are signed and verifiable through the Helm CLI.
 
 The easiest way to verify is to grab the GPG keyring directly, which can then be passed into `helm verify` like so:
 
@@ -51,3 +39,26 @@ helm verify --keyring cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E12
 
 - ASCII-armored signing key: [`cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc`](/public-keys/cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc)
 - GPG keyring: [`cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg`](/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg)
+
+## Container Images / Cosign
+
+Soon, all container images which make up cert-manager will be verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview).
+
+Unfortunately, this isn't possible today because the images are hosted on `quay.io` which doesn't have the proper support for cosign signatures yet. When signatures are
+added, this section will contain details of how to verify them.
+
+<!--
+TODO: also uncomment the warning in the helm section!
+
+The simplest way to verify signatures is to download the public key and then pass it to the cosign CLI:
+
+```console
+curl -sSL https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem > cert-manager-pubkey-2021-09-20.pem
+cosign verify -key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-controller
+# repeat for other images as desired
+```
+
+For a more fully-featured signature verification process in Kubernetes, check out [`connaisseur`](https://sse-secure-systems.github.io/connaisseur/).
+
+- PEM-encoded public key: [`cert-manager-pubkey-2021-09-20.pem`](/public-keys/cert-manager-pubkey-2021-09-20.pem)
+-->