doctor: complete runtime check documentation sprint

Signed-off-by: master <>

docs/doctor/articles/verification/verification-signature.md

@@ -0,0 +1,56 @@
+---
+checkId: check.verification.signature
+plugin: stellaops.doctor.verification
+severity: fail
+tags: [verification, signatures, dsse, rekor]
+---
+# Signature Verification
+
+## What It Checks
+Requires the verification plugin plus a test artifact. In offline mode it looks for DSSE-style signature material in the bundle. In online mode it checks `Sigstore:Enabled` and verifies the Rekor log endpoint is reachable.
+
+The check reports info when Sigstore is disabled, and fails when the offline bundle is missing or Rekor cannot be reached.
+
+## Why It Matters
+Signature verification is the minimum control that proves the artifact under review was signed by the expected supply-chain path.
+
+## Common Causes
+- `Sigstore__Enabled` is false
+- Rekor URL is unreachable from the Doctor workload
+- Offline bundles were exported without signatures
+
+## How to Fix
+
+### Docker Compose
+```yaml
+services:
+  doctor-web:
+    environment:
+      Sigstore__Enabled: "true"
+      Sigstore__RekorUrl: https://rekor.sigstore.dev
+```
+
+```bash
+docker compose -f devops/compose/docker-compose.stella-ops.yml exec doctor-web curl -fsS https://rekor.sigstore.dev/api/v1/log
+```
+
+For offline verification:
+
+```bash
+stella verification bundle export --include-signatures --output /var/lib/stella/verification/offline-bundle.json
+```
+
+### Bare Metal / systemd
+Ensure the Doctor host trusts the CA chain used by the Rekor endpoint or use the approved internal Rekor deployment.
+
+### Kubernetes / Helm
+Prefer an internal Rekor service URL in disconnected or regulated clusters.
+
+## Verification
+```bash
+stella doctor --check check.verification.signature
+```
+
+## Related Checks
+- `check.attestation.rekor.connectivity` - validates the transparency log path more directly
+- `check.verification.artifact.pull` - signature checks need a reachable artifact reference