
feat(C6): add publisher key pinning control for trusted source enforcement (6.4.6) #626

Open

RicoKomenda wants to merge 1 commit into OWASP:main from RicoKomenda:feat/c6-publisher-key-pinning

Conversation

@RicoKomenda
Collaborator

Summary

Adds 6.4.6 to C6.4 (Trusted Source Enforcement) to close a gap where 6.4.2 requires signature validation but does not require pinning the publisher's signing key per source registry.

New control:

Verify that cryptographic signing keys used to authenticate model publishers are pinned per source (e.g., Hugging Face, internal registry), that key rotation events require explicit re-approval before updated keys are trusted, and that artifacts signed by unknown or revoked keys are rejected.

Level: 2

Why this is needed

6.4.2 says to validate signatures, but without key pinning an attacker who compromises a registry or performs a DNS hijack can substitute their own signing key. Key pinning closes this: organizations maintain an explicit allowlist of trusted publisher keys per source registry, and any key not on that list causes the artifact to be rejected. Key rotation is treated as a security event requiring explicit re-approval rather than being transparently accepted.

This is analogous to certificate pinning in TLS but applied to the AI supply chain (model weights, containers). It is AI-specific because model weight repositories (Hugging Face, model hubs) are not covered by standard web PKI pinning mechanisms.

Changes

  • 1.0/en/0x10-C06-Supply-Chain.md: add 6.4.6, fix MD060 separator rows
  • 1.0/en/0x93-Appendix-D_AI_Security_Controls_Inventory.md: add entry to AD.6
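As an added example (not code from this PR or from the AISVS project), the following Python sketch implements the policy layer the new control describes: an allowlist of publisher key fingerprints kept separately per source registry, rotated keys held in a pending state until a reviewer explicitly re-approves them, and rejection of artifacts signed by unknown or revoked keys. It assumes the signature itself has already been checked by the existing 6.4.2 step and is passed in as a boolean; the key bytes, registry names and approver names are constructed placeholders, not real keys or endpoints.

```python
"""Per-source publisher key pinning as a policy layer over signature validation.
Assumption: the signature was already verified by an existing step (6.4.2); this
code only decides whether the signing key is pinned for the artifact's source."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum


class KeyState(Enum):
    TRUSTED = "trusted"           # explicitly approved for this source
    PENDING = "pending_rotation"  # announced by the publisher, awaiting re-approval
    REVOKED = "revoked"           # must never be trusted again


def key_fingerprint(public_key: bytes) -> str:
    """Stable pin identifier: SHA-256 over the encoded public key bytes."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class Decision:
    accepted: bool
    reason: str       # machine-readable code; rejects are worth alerting on
    fingerprint: str


@dataclass
class PinStore:
    pins: dict[str, dict[str, KeyState]] = field(default_factory=dict)  # source -> fp -> state
    audit_log: list[str] = field(default_factory=list)

    def _log(self, event: str, source: str, fp: str, who: str) -> None:
        self.audit_log.append(f"{event} source={source} key={fp[:16]} by={who}")

    def pin(self, source: str, public_key: bytes, approver: str) -> str:
        """Initial approval of a publisher key, valid for this one source only."""
        fp = key_fingerprint(public_key)
        self.pins.setdefault(source, {})[fp] = KeyState.TRUSTED
        self._log("PIN", source, fp, approver)
        return fp

    def announce_rotation(self, source: str, new_public_key: bytes) -> str:
        """Record a publisher's new key as pending; nothing is trusted until
        approve_rotation() is called by a reviewer."""
        fp = key_fingerprint(new_public_key)
        states = self.pins.setdefault(source, {})
        if states.get(fp) is KeyState.REVOKED:
            raise ValueError("publisher attempted to rotate to a revoked key")
        states.setdefault(fp, KeyState.PENDING)  # never downgrade an already trusted key
        self._log("ROTATION_ANNOUNCED", source, fp, "publisher")
        return fp

    def approve_rotation(self, source: str, fp: str, approver: str) -> None:
        if self.pins.get(source, {}).get(fp) is not KeyState.PENDING:
            raise ValueError("no pending rotation for that key and source")
        self.pins[source][fp] = KeyState.TRUSTED
        self._log("ROTATION_APPROVED", source, fp, approver)

    def revoke(self, source: str, fp: str, who: str) -> None:
        self.pins.setdefault(source, {})[fp] = KeyState.REVOKED
        self._log("REVOKE", source, fp, who)

    def evaluate(self, source: str, signer_public_key: bytes,
                 signature_valid: bool) -> Decision:
        """Pinning decision for an artifact whose signature was already checked."""
        fp = key_fingerprint(signer_public_key)
        if not signature_valid:
            return Decision(False, "BAD_SIGNATURE", fp)
        state = self.pins.get(source, {}).get(fp)
        if state is KeyState.TRUSTED:
            return Decision(True, "PINNED_KEY", fp)
        if state is KeyState.PENDING:
            return Decision(False, "ROTATION_NOT_APPROVED", fp)
        if state is KeyState.REVOKED:
            return Decision(False, "REVOKED_KEY", fp)
        # Valid signature from a key nobody approved: the substituted-key case.
        return Decision(False, "UNKNOWN_KEY", fp)


def run_scenario() -> list[str]:
    """Key lifecycle with constructed key bytes (placeholders, not real keys)."""
    store = PinStore()
    hub, internal = "huggingface.co", "registry.internal"   # example source names
    publisher_v1, publisher_v2 = b"constructed-pubkey-v1", b"constructed-pubkey-v2"
    attacker_key = b"constructed-unapproved-pubkey"
    reasons: list[str] = []
    v1 = store.pin(hub, publisher_v1, "secops-reviewer")
    reasons.append(store.evaluate(hub, publisher_v1, True).reason)       # PINNED_KEY
    reasons.append(store.evaluate(internal, publisher_v1, True).reason)  # UNKNOWN_KEY: pins are per source
    reasons.append(store.evaluate(hub, attacker_key, True).reason)       # UNKNOWN_KEY despite valid signature
    v2 = store.announce_rotation(hub, publisher_v2)
    reasons.append(store.evaluate(hub, publisher_v2, True).reason)       # ROTATION_NOT_APPROVED
    store.approve_rotation(hub, v2, "secops-reviewer")
    reasons.append(store.evaluate(hub, publisher_v2, True).reason)       # PINNED_KEY
    store.revoke(hub, v1, "secops-reviewer")
    reasons.append(store.evaluate(hub, publisher_v1, True).reason)       # REVOKED_KEY
    return reasons


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

The `reason` codes are the part worth wiring into detection: a `UNKNOWN_KEY` or `REVOKED_KEY` rejection on an artifact that otherwise carries a valid signature is precisely the registry-compromise or key-substitution signal the control is meant to surface, and `ROTATION_NOT_APPROVED` gives the review step a clear queue to act on rather than silently trusting the new key.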

