From 264638f61a2b1a2967b7c05fb7adf32a3b5d1000 Mon Sep 17 00:00:00 2001
From: Paul Savoie <paul.savoie@signpath.io>
Date: Sun, 6 Apr 2025 12:28:38 +0200
Subject: [PATCH] big step to docs.signpath.io

---
 docs/_data/changelog.yml                      |  54 +--
 docs/_data/menus/documentation.yml            |   3 -
 docs/_data/tables/artifact-configuration.yml  |   4 +-
 docs/_includes/changelog_feed.md              |   6 +-
 docs/_includes/footer.html                    |   7 +-
 docs/_includes/header.html                    |  45 +--
 docs/_layouts/resources.html                  | 102 +++---
 docs/_sass/header.scss                        |  27 +-
 .../artifact-configuration/examples.md        |   0
 .../artifact-configuration/index.md           |   4 +-
 .../artifact-configuration/reference.md       |   4 +-
 .../render-ac-directive-table.inc             |   0
 .../artifact-configuration/syntax.md          |   2 +-
 ...ifact-configuration_similar-definition.png | Bin
 ...rtifact-configuration_similar-resolved.png | Bin
 .../artifact-configuration/screenshot.png     | Bin
 .../build-integration_appveyor.png            | Bin
 .../certificate-chains-abstract.png           | Bin 3888 -> 0 bytes
 .../certificate-chains-concrete.png           | Bin 6177 -> 0 bytes
 .../img/resources/code-signing/overview.png   | Bin 37153 -> 0 bytes
 .../crypto-providers/gpg-signing-flow.svg     |   0
 .../crypto-providers/signing-flow.svg         |   0
 .../double-authentication-proxy.png           | Bin
 .../scim/scr_01-create-app.png                | Bin
 .../scim/scr_02a-select-app-registration.png  | Bin
 .../scim/scr_02b-create-app-roles.png         | Bin
 .../scim/scr_04a-select-provisioning.png      | Bin
 .../scim/scr_04b-basic-provisioning.png       | Bin
 .../scim/scr_05a-mapping-part1.png            | Bin
 .../scim/scr_05b-mapping-part2.png            | Bin
 .../scim/scr_05c-mapping-part3.png            | Bin
 .../scim/scr_05d-mapping-part4.png            | Bin
 .../scr_05e-sso-identifier-on-signpath.png    | Bin
 .../scim/scr_06a-add-users-and-groups.png     | Bin
 .../scim/scr_06b-test-provisioning.png        | Bin
 .../scim/scr_06c-validate-provisioning.png    | Bin
 .../scim/scr_07a-start-provisioning.png       | Bin
 docs/assets/js/main-bundle.js                 |   2 +-
 ...nalysis-of-secure-variables-in-appveyor.md | 155 ---------
 ...6-on-the-importance-of-trust-validation.md |  60 ----
 .../2020-08-26-unfulfilled-expectations.md    |  35 --
 .../_posts/2020-12-21-evaluating-sunburst.md  |  78 -----
 ...ption-ineffective-in-windows-containers.md | 100 ------
 ...periences-with-security-report-handling.md |  71 ----
 .../_posts/2022-02-21-cybernews-interview.md  | 108 ------
 .../_posts/2024-02-22-new-year-new-faces.md   |  32 --
 .../_posts/2024-09-10-implicit-to-explicit.md |  75 -----
 ...-29-building-trusted-software-for-macos.md | 148 --------
 ...25-01-19-announcing-series-a-investment.md |  40 ---
 docs/blog/index.html                          |  93 -----
 .../build-system-integration.md               |  10 +-
 .../changelog/feeds/all.xml                   |   0
 .../changelog/feeds/application.xml           |   0
 .../changelog/feeds/crypto_providers.xml      |   0
 .../changelog/feeds/github_connector.xml      |   0
 .../changelog/feeds/jenkins_plugin.xml        |   0
 .../changelog/feeds/macos_cryptotokenkit.md   |   0
 .../changelog/feeds/powershell_module.xml     |   0
 .../feeds/powershell_module_docker.xml        |   0
 .../feeds/self_hosted_installations.xml       |   0
 docs/{documentation => }/changelog/index.md   |   2 +-
 docs/code-signing/index.md                    |   7 -
 docs/code-signing/introduction.md             |  42 ---
 docs/code-signing/media-coverage.md           | 174 ----------
 docs/code-signing/private-keys.md             | 104 ------
 docs/code-signing/test-certificates.md        |  76 -----
 docs/code-signing/theory.md                   | 318 ------------------
 docs/code-signing/windows-platform.md         | 189 -----------
 docs/company.md                               |  42 ---
 docs/contact-done.html                        |  14 -
 docs/contact.md                               |  13 -
 .../crypto-providers/cryptoki.md              |  12 +-
 .../crypto-providers/gpg.md                   |  12 +-
 .../crypto-providers/index.md                 |  22 +-
 .../crypto-providers/macos.md                 |   6 +-
 .../crypto-providers/rest-api.md              |   6 +-
 .../crypto-providers/windows.md               |   6 +-
 .../directory-synchronization.md              |  28 +-
 docs/documentation/getting-started.md         |  19 --
 docs/documentation/index.md                   |   7 -
 docs/{documentation => }/faq.md               |   2 +-
 docs/index.html                               | 249 --------------
 docs/index.md                                 |  18 +
 .../managing-certificates.md                  |   5 +-
 docs/newsletter-subscribed.html               |  14 -
 docs/newsletter.md                            |  12 -
 .../origin-verification.md                    |   2 +-
 .../Get-CertificateByMicrosoftTemplateId.md   |   0
 .../powershell/Get-SignedArtifact.md          |   0
 .../powershell/Submit-SigningRequest.md       |   6 +-
 docs/{documentation => }/powershell/index.md  |   0
 docs/privacy-policy.md                        | 107 ------
 docs/product/devops.html                      | 132 --------
 docs/product/editions-explained.md            | 312 -----------------
 docs/product/editions.html                    | 107 ------
 docs/product/features.html                    | 115 -------
 docs/product/index.md                         |   3 -
 docs/product/infosec.html                     |  75 -----
 docs/product/office-macros.md                 |  77 -----
 docs/product/open-source.html                 |  75 -----
 docs/product/pkic-best-practices.md           | 131 --------
 docs/product/pricing.html                     | 209 ------------
 docs/product/thales-dpod.md                   |  65 ----
 docs/{documentation => }/projects.md          |  14 +-
 docs/redirects/about-us.md                    |   4 -
 .../ArtifactConfigurationDocumentationLink.md |   4 -
 ...nSupportedFileElementsDocumentationLink.md |   4 -
 ...BuildSystemIntegrationDocumentationLink.md |   4 -
 .../app/ClickOnceSignDocumentationLink.md     |   4 -
 .../app/DockerSigningDocumentationLink.md     |   5 -
 ...SignUpCallbackWithoutCookieRedirectLink.md |   3 -
 .../redirects/app/ProductSelectionPageLink.md |   5 -
 .../app/ProjectsDocumentationLink.md          |   4 -
 .../app/SigningPoliciesDocumentationLink.md   |   4 -
 docs/redirects/app/Support.md                 |   4 -
 docs/redirects/app/TermsOfServiceLink.md      |   4 -
 ...rustedBuildSystemLinksDocumentationLink.md |   4 -
 .../TrustedBuildSystemsDocumentationLink.md   |   4 -
 .../app/WebhooksDocumentationLink.md          |   4 -
 docs/redirects/artifact-configuration_v1.md   |   4 -
 docs/redirects/casc.md                        |   4 -
 docs/redirects/connectors/api-token.md        |   5 -
 .../github-branch-rule-restriction-history.md |   4 -
 .../trusted-build-system-configuration.md     |   5 -
 .../cryptoproviders/configuration.md          |   4 -
 .../cryptoproviders/post-msi-installation.md  |   4 -
 docs/redirects/jobs.md                        |   4 -
 docs/sign-up-successful.html                  |  17 -
 docs/{documentation => }/signing-code.md      |  10 +-
 .../signing-containers/cosign.md              |   4 +-
 .../docker-content-trust.md                   |   4 +-
 .../signing-containers/index.md               |   6 +-
 docs/status.md                                |   2 +-
 docs/support.md                               |  32 --
 docs/team.md                                  |  38 ---
 docs/terms-of-service.md                      | 209 ------------
 .../trusted-build-systems/appveyor.md         |   2 +-
 .../trusted-build-systems/azure-devops.md     |   0
 .../double-authentication-proxy.md            |   4 +-
 .../trusted-build-systems/github.md           |   8 +-
 .../trusted-build-systems/index.md            |  14 +-
 .../trusted-build-systems/jenkins.md          |   6 +-
 docs/{documentation => }/users.md             |   4 +-
 143 files changed, 238 insertions(+), 4311 deletions(-)
 rename docs/{documentation => }/artifact-configuration/examples.md (100%)
 rename docs/{documentation => }/artifact-configuration/index.md (95%)
 rename docs/{documentation => }/artifact-configuration/reference.md (98%)
 rename docs/{documentation => }/artifact-configuration/render-ac-directive-table.inc (100%)
 rename docs/{documentation => }/artifact-configuration/syntax.md (98%)
 rename docs/assets/img/resources/{documentation => }/artifact-configuration/artifact-configuration_similar-definition.png (100%)
 rename docs/assets/img/resources/{documentation => }/artifact-configuration/artifact-configuration_similar-resolved.png (100%)
 rename docs/assets/img/resources/{documentation => }/artifact-configuration/screenshot.png (100%)
 rename docs/assets/img/resources/{documentation => }/build-integration_appveyor.png (100%)
 delete mode 100644 docs/assets/img/resources/code-signing/certificate-chains-abstract.png
 delete mode 100644 docs/assets/img/resources/code-signing/certificate-chains-concrete.png
 delete mode 100644 docs/assets/img/resources/code-signing/overview.png
 rename docs/assets/img/resources/{documentation => }/crypto-providers/gpg-signing-flow.svg (100%)
 rename docs/assets/img/resources/{documentation => }/crypto-providers/signing-flow.svg (100%)
 rename docs/assets/img/resources/{documentation => }/double-authentication-proxy.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_01-create-app.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_02a-select-app-registration.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_02b-create-app-roles.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_04a-select-provisioning.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_04b-basic-provisioning.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_05a-mapping-part1.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_05b-mapping-part2.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_05c-mapping-part3.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_05d-mapping-part4.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_05e-sso-identifier-on-signpath.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_06a-add-users-and-groups.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_06b-test-provisioning.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_06c-validate-provisioning.png (100%)
 rename docs/assets/img/resources/{documentation => }/scim/scr_07a-start-provisioning.png (100%)
 delete mode 100644 docs/blog/_posts/2019-12-13-an-analysis-of-secure-variables-in-appveyor.md
 delete mode 100644 docs/blog/_posts/2020-08-26-on-the-importance-of-trust-validation.md
 delete mode 100644 docs/blog/_posts/2020-08-26-unfulfilled-expectations.md
 delete mode 100644 docs/blog/_posts/2020-12-21-evaluating-sunburst.md
 delete mode 100644 docs/blog/_posts/2021-03-23-dp-api-encryption-ineffective-in-windows-containers.md
 delete mode 100644 docs/blog/_posts/2021-03-23-experiences-with-security-report-handling.md
 delete mode 100644 docs/blog/_posts/2022-02-21-cybernews-interview.md
 delete mode 100644 docs/blog/_posts/2024-02-22-new-year-new-faces.md
 delete mode 100644 docs/blog/_posts/2024-09-10-implicit-to-explicit.md
 delete mode 100644 docs/blog/_posts/2024-11-29-building-trusted-software-for-macos.md
 delete mode 100644 docs/blog/_posts/2025-01-19-announcing-series-a-investment.md
 delete mode 100644 docs/blog/index.html
 rename docs/{documentation => }/build-system-integration.md (94%)
 rename docs/{documentation => }/changelog/feeds/all.xml (100%)
 rename docs/{documentation => }/changelog/feeds/application.xml (100%)
 rename docs/{documentation => }/changelog/feeds/crypto_providers.xml (100%)
 rename docs/{documentation => }/changelog/feeds/github_connector.xml (100%)
 rename docs/{documentation => }/changelog/feeds/jenkins_plugin.xml (100%)
 rename docs/{documentation => }/changelog/feeds/macos_cryptotokenkit.md (100%)
 rename docs/{documentation => }/changelog/feeds/powershell_module.xml (100%)
 rename docs/{documentation => }/changelog/feeds/powershell_module_docker.xml (100%)
 rename docs/{documentation => }/changelog/feeds/self_hosted_installations.xml (100%)
 rename docs/{documentation => }/changelog/index.md (98%)
 delete mode 100644 docs/code-signing/index.md
 delete mode 100644 docs/code-signing/introduction.md
 delete mode 100644 docs/code-signing/media-coverage.md
 delete mode 100644 docs/code-signing/private-keys.md
 delete mode 100644 docs/code-signing/test-certificates.md
 delete mode 100644 docs/code-signing/theory.md
 delete mode 100644 docs/code-signing/windows-platform.md
 delete mode 100644 docs/company.md
 delete mode 100644 docs/contact-done.html
 delete mode 100644 docs/contact.md
 rename docs/{documentation => }/crypto-providers/cryptoki.md (97%)
 rename docs/{documentation => }/crypto-providers/gpg.md (82%)
 rename docs/{documentation => }/crypto-providers/index.md (89%)
 rename docs/{documentation => }/crypto-providers/macos.md (93%)
 rename docs/{documentation => }/crypto-providers/rest-api.md (90%)
 rename docs/{documentation => }/crypto-providers/windows.md (94%)
 rename docs/{documentation => }/directory-synchronization.md (86%)
 delete mode 100644 docs/documentation/getting-started.md
 delete mode 100644 docs/documentation/index.md
 rename docs/{documentation => }/faq.md (92%)
 delete mode 100644 docs/index.html
 create mode 100644 docs/index.md
 rename docs/{documentation => }/managing-certificates.md (90%)
 delete mode 100644 docs/newsletter-subscribed.html
 delete mode 100644 docs/newsletter.md
 rename docs/{documentation => }/origin-verification.md (94%)
 rename docs/{documentation => }/powershell/Get-CertificateByMicrosoftTemplateId.md (100%)
 rename docs/{documentation => }/powershell/Get-SignedArtifact.md (100%)
 rename docs/{documentation => }/powershell/Submit-SigningRequest.md (98%)
 rename docs/{documentation => }/powershell/index.md (100%)
 delete mode 100644 docs/privacy-policy.md
 delete mode 100644 docs/product/devops.html
 delete mode 100644 docs/product/editions-explained.md
 delete mode 100644 docs/product/editions.html
 delete mode 100644 docs/product/features.html
 delete mode 100644 docs/product/index.md
 delete mode 100644 docs/product/infosec.html
 delete mode 100644 docs/product/office-macros.md
 delete mode 100644 docs/product/open-source.html
 delete mode 100644 docs/product/pkic-best-practices.md
 delete mode 100644 docs/product/pricing.html
 delete mode 100644 docs/product/thales-dpod.md
 rename docs/{documentation => }/projects.md (93%)
 delete mode 100644 docs/redirects/about-us.md
 delete mode 100644 docs/redirects/app/ArtifactConfigurationDocumentationLink.md
 delete mode 100644 docs/redirects/app/ArtifactConfigurationSupportedFileElementsDocumentationLink.md
 delete mode 100644 docs/redirects/app/BuildSystemIntegrationDocumentationLink.md
 delete mode 100644 docs/redirects/app/ClickOnceSignDocumentationLink.md
 delete mode 100644 docs/redirects/app/DockerSigningDocumentationLink.md
 delete mode 100644 docs/redirects/app/OktaSignUpCallbackWithoutCookieRedirectLink.md
 delete mode 100644 docs/redirects/app/ProductSelectionPageLink.md
 delete mode 100644 docs/redirects/app/ProjectsDocumentationLink.md
 delete mode 100644 docs/redirects/app/SigningPoliciesDocumentationLink.md
 delete mode 100644 docs/redirects/app/Support.md
 delete mode 100644 docs/redirects/app/TermsOfServiceLink.md
 delete mode 100644 docs/redirects/app/TrustedBuildSystemLinksDocumentationLink.md
 delete mode 100644 docs/redirects/app/TrustedBuildSystemsDocumentationLink.md
 delete mode 100644 docs/redirects/app/WebhooksDocumentationLink.md
 delete mode 100644 docs/redirects/artifact-configuration_v1.md
 delete mode 100644 docs/redirects/casc.md
 delete mode 100644 docs/redirects/connectors/api-token.md
 delete mode 100644 docs/redirects/connectors/github-branch-rule-restriction-history.md
 delete mode 100644 docs/redirects/connectors/trusted-build-system-configuration.md
 delete mode 100644 docs/redirects/cryptoproviders/configuration.md
 delete mode 100644 docs/redirects/cryptoproviders/post-msi-installation.md
 delete mode 100644 docs/redirects/jobs.md
 delete mode 100644 docs/sign-up-successful.html
 rename docs/{documentation => }/signing-code.md (86%)
 rename docs/{documentation => }/signing-containers/cosign.md (94%)
 rename docs/{documentation => }/signing-containers/docker-content-trust.md (99%)
 rename docs/{documentation => }/signing-containers/index.md (88%)
 delete mode 100644 docs/support.md
 delete mode 100644 docs/team.md
 delete mode 100644 docs/terms-of-service.md
 rename docs/{documentation => }/trusted-build-systems/appveyor.md (96%)
 rename docs/{documentation => }/trusted-build-systems/azure-devops.md (100%)
 rename docs/{documentation => }/trusted-build-systems/double-authentication-proxy.md (89%)
 rename docs/{documentation => }/trusted-build-systems/github.md (96%)
 rename docs/{documentation => }/trusted-build-systems/index.md (83%)
 rename docs/{documentation => }/trusted-build-systems/jenkins.md (95%)
 rename docs/{documentation => }/users.md (97%)

diff --git a/docs/_data/changelog.yml b/docs/_data/changelog.yml
index f4aec94..5fce943 100644
--- a/docs/_data/changelog.yml
+++ b/docs/_data/changelog.yml
@@ -3,7 +3,7 @@
     application:
       version: 1.184.0
       new_features:
-        - text: Certificate chains are now automatically resolved. See the [documentation](/documentation/managing-certificates#uploading-certificates).
+        - text: Certificate chains are now automatically resolved. See the [documentation](/managing-certificates#uploading-certificates).
           issues: [SIGN-7551]
       improvements:
         - text: Uploaded X.509 certificate chains are now embedded in the signature when using the `<authenticode-sign>` directive.
@@ -23,7 +23,7 @@
         - text: |-
             Added support for storing and retrieving X.509 certificate chains (for e.g. certificates issued by in-house PKIs).
           issues: [SIGN-7423]
-        - text: Added support for `file-version`, `company-name`, `copyright`, and `original-filename` to [`<pe-file>` metadata restrictions](/documentation/artifact-configuration/reference#metadata-restrictions).
+        - text: Added support for `file-version`, `company-name`, `copyright`, and `original-filename` to [`<pe-file>` metadata restrictions](/artifact-configuration/reference#metadata-restrictions).
           issues: [SIGN-7395]
       improvements:
         - text: |-
@@ -59,7 +59,7 @@
     github_connector:
       version: 1.2.0
       improvements:
-        - text: The [SignPath GitHub App](/documentation/trusted-build-systems/github) is only required if source code and build policy verification is used.
+        - text: The [SignPath GitHub App](/trusted-build-systems/github) is only required if source code and build policy verification is used.
           issues: [SIGN-7506]
       bug_fixes:
         - text: Fixed bug for workflow runs with skipped jobs.
@@ -90,7 +90,7 @@
               * moved Organization ID and API token parameters to the "inner" scenario scripts 
               * improved Cryptoki library discovery
               * various minor improvements
-            * [GPG-based hash signing](/documentation/crypto-providers/gpg): GPG public key file is now downloaded automatically. Therefore the `-GpgKeyId` parameter of the scenario scripts has been replaced with `-ProjectSlug` and `-SigningPolicySlug`.
+            * [GPG-based hash signing](/crypto-providers/gpg): GPG public key file is now downloaded automatically. Therefore the `-GpgKeyId` parameter of the scenario scripts has been replaced with `-ProjectSlug` and `-SigningPolicySlug`.
             * Changed work directory from `Samples/Scenarios/temp` to `Samples/Scenarios/Work` and logs directory to `Samples/Scenarios/Work/Logs`.
             * Added detached CMS signing sample to the OpenSSL scenario.
           issues: [SIGN-7410, SIGN-7497]
@@ -111,17 +111,17 @@
       version: 1.179.0
       new_features:
         - text: |-
-            Added support for [detached GPG file signing](/documentation/artifact-configuration/reference#create-gpg-signature).
+            Added support for [detached GPG file signing](/artifact-configuration/reference#create-gpg-signature).
           issues: [SIGN-7455]
         - text: |-
             The signing request details page now displays details of detected malware including threat names and the exact file location in container files like ZIP archives.
           issues: [SIGN-7454]
       improvements:
         - text: |-
-            [`<create-raw-signature>`](/documentation/artifact-configuration/reference#create-raw-signature): renamed `file-name` attribute to `output-file-name`. (`file-name` is still supported for backwards compatibility.)
+            [`<create-raw-signature>`](/artifact-configuration/reference#create-raw-signature): renamed `file-name` attribute to `output-file-name`. (`file-name` is still supported for backwards compatibility.)
           issues: [SIGN-7490]
         - text: |-
-            [`<create-cms-signature>`](/documentation/artifact-configuration/reference#create-cms-signature): `hash-algorithm` attribute is now optional.
+            [`<create-cms-signature>`](/artifact-configuration/reference#create-cms-signature): `hash-algorithm` attribute is now optional.
           issues: [SIGN-7507]
       bug_fixes:
         - text: |-
@@ -141,14 +141,14 @@
     application:
       version: 1.177.2
       new_features:
-        - text: Added support for [Cryptographic Message Syntax (CMS) signatures](/documentation/artifact-configuration/reference#create-cms-signature).
+        - text: Added support for [Cryptographic Message Syntax (CMS) signatures](/artifact-configuration/reference#create-cms-signature).
           issues: [SIGN-7477]
 - date: '2024-12-16'
   updates:
     github_connector:
       version: 1.1.0
       new_features:
-        - text: Policy checks for branch rulesets, build and build runner are supported. See the [documentation](/documentation/trusted-build-systems/github#build-and-source-code-policies).
+        - text: Policy checks for branch rulesets, build and build runner are supported. See the [documentation](/trusted-build-systems/github#build-and-source-code-policies).
           issues: [SIGN-7266, SIGN-7285, SIGN-2792, SIGN-7424, SIGN-7433, SIGN-7266, SIGN-7199, SIGN-7198]
       bug_fixes:
         - text: Fixed a bug that prevented signing requests from being submitted when the "re-run failed jobs" feature of workflows was used for workflows with multiple jobs.
@@ -161,7 +161,7 @@
       version: 1.177.0
       new_features:
         - text: |-
-            Added [GPG key management](/documentation/managing-certificates):
+            Added [GPG key management](/managing-certificates):
             * GPG keys can now be created directly in the SignPath UI.
             * They can currently be used for hash signing and `create-raw-signature`.
           issues: [SIGN-7247]
@@ -207,10 +207,10 @@
       version: 5.1.0
       new_features:
         - text: |-
-            Added support for using GPG keys generated by [SignPath certificate management](/documentation/managing-certificates):
+            Added support for using GPG keys generated by [SignPath certificate management](/managing-certificates):
             * It is no longer required to locally generate GPG keys based on backing X.509 certificates. You can create GPG keys directly in the SignPath UI.
             * Requires SignPath version 1.177 or higher.
-            * Adapted and simplified the Linux container samples for [GPG hash signing](/documentation/crypto-providers/gpg).
+            * Adapted and simplified the Linux container samples for [GPG hash signing](/crypto-providers/gpg).
           issues: [SIGN-7341, SIGN-7318]
       improvements:
         - text: |-
@@ -274,7 +274,7 @@
     jenkins_plugin:
       version: '2.1.0'
       new_features:
-        - text: Added support for [user-defined parameters](/documentation/artifact-configuration/syntax#parameters).
+        - text: Added support for [user-defined parameters](/artifact-configuration/syntax#parameters).
           issues: [SIGN-6986]
       improvements:
         - text: The _API Token Credential_ can now be stored either in th _System_ or a _Global_ (recommended) scope.
@@ -329,7 +329,7 @@
           issues: [SIGN-7248]
       new_features:
         - text: |-
-            ECDSA hash signing: added support for signature block format "RFC 3279 ASN.1 sequence". See [artifact format for signing hash digests](/documentation/crypto-providers/rest-api#hash-signing-payload-json).
+            ECDSA hash signing: added support for signature block format "RFC 3279 ASN.1 sequence". See [artifact format for signing hash digests](/crypto-providers/rest-api#hash-signing-payload-json).
           issues: [SIGN-7240]
       improvements:
         - text: |-
@@ -398,7 +398,7 @@
     github_connector:
       version: '1.0' # note is 0.8 in connectors release
       new_features:
-        - text: 'Initial release: GitHub.com is now available as a [Trusted Build System](/documentation/trusted-build-systems).'
+        - text: 'Initial release: GitHub.com is now available as a [Trusted Build System](/trusted-build-systems).'
 - date: '2024-08-13'
   updates:
     application:
@@ -445,7 +445,7 @@
             For all other `v1` APIs, `multipart/form-data` is no longer available.
           issues: [SIGN-7050]
         - text: |-
-            Authenticode signing now supports the following [optional attributes](/documentation/artifact-configuration/reference#authenticode-sign-attributes):
+            Authenticode signing now supports the following [optional attributes](/artifact-configuration/reference#authenticode-sign-attributes):
               * `description` and `description-url`
               * `hash-algorithm`
           issues: [SIGN-5410, SIGN-7177]
@@ -507,7 +507,7 @@
       version: 1.168.1
       new_features:
         - text: >-
-            Added support for [appending Authenticode signatures](/documentation/artifact-configuration/reference#authenticode-sign-attributes).
+            Added support for [appending Authenticode signatures](/artifact-configuration/reference#authenticode-sign-attributes).
           issues: [SIGN-7004]
       improvements:
         - text: >-
@@ -573,13 +573,13 @@
               * Use `SIGNPATH_LOG_CONSOLE_LEVEL=none` to opt-out from file logging.
             * Console logging (if enabled) now logs to stderr instead of stdout by default.
               * Use the new `SIGNPATH_LOG_CONSOLE_OUTPUT_STREAM` configuration to switch back to `stdout`.
-            * See [Crypto Provider configuration](/documentation/crypto-providers#crypto-provider-configuration) for details.
+            * See [Crypto Provider configuration](/crypto-providers#crypto-provider-configuration) for details.
           issues: [SIGN-6987]
       new_features:
         - text: |-
             The Windows Crypto Providers (incl. KSP, CSP and Cryptoki library) now are delivered with a Windows MSI installer.
 
-            * See [install/uninstall docs](/documentation/crypto-providers/windows#installation). This also includes unattended installation options.
+            * See [install/uninstall docs](/crypto-providers/windows#installation). This also includes unattended installation options.
             * To upgrade from a previous _manual_ installation/registration or from an `InstallCspKsp.ps1` installation:
               * Install using the new MSI
               * In case you used a `SIGNPATH_CONFIG_FILE` JSON file: copy its content to `%ProgramFiles%\SignPath\CryptoProviders\CryptoProvidersConfig.json`
@@ -652,7 +652,7 @@
       version: 1.163.0
       new_features:
         - text: >-
-            Authenticode files can now be signature _validated_ with the new [`<authenticode-verify />`](/documentation/artifact-configuration/reference#authenticode-verify) artifact configuration directive.
+            Authenticode files can now be signature _validated_ with the new [`<authenticode-verify />`](/artifact-configuration/reference#authenticode-verify) artifact configuration directive.
 
             Use to ensure that third-party components are properly signed in deep signing configurations.
           issues: [SIGN-2021]
@@ -715,7 +715,7 @@
       version: 1.160.1
       improvements:
         - text: |-
-            Artifact configuration: [`<create-raw-signature>`](/documentation/artifact-configuration/reference#create-raw-signature) supports input filename substitution via `${file.name}`.
+            Artifact configuration: [`<create-raw-signature>`](/artifact-configuration/reference#create-raw-signature) supports input filename substitution via `${file.name}`.
           issues: [SIGN-6771]
         - text: |-
             "Resubmit with current settings" now also works for signing requests which fail due to an _artifact retrieval_ error.
@@ -1106,12 +1106,12 @@
       version: 1.149.2
       new_features:
         - text: >-
-            Added limited administrator roles: _User Administrator_, _Project Administrator_ and _Certificate Administrator. For more details, see the [user roles documentation](/documentation/users#roles).
+            Added limited administrator roles: _User Administrator_, _Project Administrator_ and _Certificate Administrator. For more details, see the [user roles documentation](/users#roles).
           issues: [SIGN-6305]
         - text: >-
-            [Select multiple files](/documentation/artifact-configuration/syntax#zip-file-element) is now generally available.
+            [Select multiple files](/artifact-configuration/syntax#zip-file-element) is now generally available.
           issues: []
-        - text: Added support for deep signing of APPX and MSIX files. Read more about [deep signing](https://about.signpath.io/documentation/artifact-configuration#deep-signing-of-nested-files).
+        - text: Added support for deep signing of APPX and MSIX files. Read more about [deep signing](https://about.signpath.io/artifact-configuration#deep-signing-of-nested-files).
           issues: [SIGN-6150]
       bug_fixes:
         - text: Fixes incorrect display of malware scanning status for old signing requests.
@@ -1147,7 +1147,7 @@
     application:
       version: 1.148.2
       new_features:
-        - text: Added support for personal API tokens for interactive users. See [authentication](/documentation/build-system-integration#authentication).
+        - text: Added support for personal API tokens for interactive users. See [authentication](/build-system-integration#authentication).
           issues: [SIGN-6246]
       improvements:
         - text: >-
@@ -1158,7 +1158,7 @@
             (Existing spelling is still valid for the current schema version.)
           issues: [SIGN-6000]
         - text: >-
-            The zip archive created when uploading multiple files for signing is now named `bundle.zip`. See [`ui-multifile-upload`](/documentation/artifact-configuration/syntax#zip-file-element).
+            The zip archive created when uploading multiple files for signing is now named `bundle.zip`. See [`ui-multifile-upload`](/artifact-configuration/syntax#zip-file-element).
           issues: [SIGN-6271]
         - text: Renamed "Initial Login Email Address" of interactive users to "Account email address" in the user interface and `InteractiveUser` pre-release APIs.
           issues: [SIGN-6069]
@@ -1226,7 +1226,7 @@
     application:
       version: 1.146.0
       new_features:
-        - text: Added [`ui-multifile-upload`](/documentation/artifact-configuration/syntax#zip-file-element) feature to upload multiple files in signing request web client UI (preview).
+        - text: Added [`ui-multifile-upload`](/artifact-configuration/syntax#zip-file-element) feature to upload multiple files in signing request web client UI (preview).
           issues: [SIGN-5936]
         - text: Added "Multiple Office files with macros" default artifact configuration which allows to upload multiple Office files in the user interface.
           issues: [SIGN-5936]
diff --git a/docs/_data/menus/documentation.yml b/docs/_data/menus/documentation.yml
index 2d593e7..10b6bc6 100644
--- a/docs/_data/menus/documentation.yml
+++ b/docs/_data/menus/documentation.yml
@@ -1,6 +1,3 @@
-- text: Getting Started
-  path: getting-started
-
 - text: Managing Certificates
   path: managing-certificates
 
diff --git a/docs/_data/tables/artifact-configuration.yml b/docs/_data/tables/artifact-configuration.yml
index 96324f9..4931a1a 100644
--- a/docs/_data/tables/artifact-configuration.yml
+++ b/docs/_data/tables/artifact-configuration.yml
@@ -209,7 +209,7 @@ similar-directories-example:
           </msi-file>
         </artifact-configuration>
         ~~~
-      image: "![graphical artifact configuration](/assets/img/resources/documentation/artifact-configuration/artifact-configuration_similar-definition.png)"
+      image: "![graphical artifact configuration](/assets/img/resources/artifact-configuration/artifact-configuration_similar-definition.png)"
 
 similar-directories-example-match:
   headers:
@@ -232,4 +232,4 @@ similar-directories-example-match:
         ~~~
 
         (All `msi`, `exe` and `dll` files are signed with Authenticode.)
-      image: "![graphical resolved artifacts](/assets/img/resources/documentation/artifact-configuration/artifact-configuration_similar-resolved.png)"
+      image: "![graphical resolved artifacts](/assets/img/resources/artifact-configuration/artifact-configuration_similar-resolved.png)"
diff --git a/docs/_includes/changelog_feed.md b/docs/_includes/changelog_feed.md
index 8e36a36..7bf615a 100644
--- a/docs/_includes/changelog_feed.md
+++ b/docs/_includes/changelog_feed.md
@@ -2,7 +2,7 @@
 ---------------- find the last update for the passed in category (or take the latest entry)
 {%- endcomment -%}
 {%- if include.category -%}
-  {%- assign id = 'https://about.signpath.io/documentation/changelog/feeds/' | append: include.category | append: '.xml' -%}
+  {%- assign id = 'https://about.signpath.io/changelog/feeds/' | append: include.category | append: '.xml' -%}
   {%- for entry in site.data.changelog -%}
     {%- if entry.updates -%}
       {%- for update in entry.updates -%}
@@ -16,7 +16,7 @@
     {%- endif -%}
   {%- endfor -%}
 {%- else -%}
-  {%- assign id = 'https://about.signpath.io/documentation/changelog/feeds/all.xml' -%}
+  {%- assign id = 'https://about.signpath.io/changelog/feeds/all.xml' -%}
   {%- assign updated = site.data.changelog[0].date -%}
 {%- endif -%}
 <feed xmlns="http://www.w3.org/2005/Atom">
@@ -51,7 +51,7 @@
         <title>SignPath {{ site.data.changelog_components.details[component].label }} {{ release.version }}</title>
         <updated>{{ entry.date | date: '%F' }}</updated>
         <published>{{ entry.date | date: '%F' }}</published>
-        <link rel="alternate" href="https://about.signpath.io/documentation/changelog#{{ entry.date | date: '%F' }}" />
+        <link rel="alternate" href="https://about.signpath.io/changelog#{{ entry.date | date: '%F' }}" />
         <category term="release/{{ component }}" label="{{ site.data.changelog_components.details[component].label }}" />
         <summary type="html">New Release: {{ category_label }} {{ release.version }}</summary>
         <content type="html">
diff --git a/docs/_includes/footer.html b/docs/_includes/footer.html
index 667f10f..f0017e8 100644
--- a/docs/_includes/footer.html
+++ b/docs/_includes/footer.html
@@ -1,5 +1,4 @@
 <!-- last_modified_at:  -->
-{%- include newsletter.html -%}
   </main>
   <footer>
   	<div>
@@ -18,8 +17,8 @@
 			</div>
 	  	</div>
 	  	<div>
-	  		<a href='/privacy-policy'>Privacy Policy</a>
-	  		<a href='/terms-of-service'>Terms of Service</a>
+	  		<a href='https://about.signpath.io/privacy-policy'>Privacy Policy</a>
+	  		<a href='https://about.signpath.io/terms-of-service'>Terms of Service</a>
 	  		<a href='/status'>
 				{%- if site.data.status.current.type == "good" -%}
 					<span style="color: lightgreen;">
@@ -46,7 +45,7 @@ <h3>Cookie settings</h3>
                 <p class="mobile show-more active"><a>Show more information</a></p>
                 <p class="mobile show-less"><a>Show less information</a></p>
                 <span class="information">By clicking the “Accept” button below, you agree that non-essential cookies on our website may be used by us and by third parties, some of them located in the USA. Learn more about our cookies in our <a
-                            href='/privacy-policy'>Privacy
+                            href='https://about.signpath.io/privacy-policy'>Privacy
 					Policy</a>
                 </span>
 				<div class="actions">
diff --git a/docs/_includes/header.html b/docs/_includes/header.html
index 5933216..13f4ff2 100644
--- a/docs/_includes/header.html
+++ b/docs/_includes/header.html
@@ -63,45 +63,34 @@
       <a href='/'><img src='/assets/signpath-logo-white.svg' width="181" height="36" alt='SignPath'></a>
       <nav>
         <ul>
-          {%- for entry in site.data.menus.menus -%}
-            <li>
-              <a href='/{{entry.path}}'> {{entry.text}}</a>
-              <ul>
-                {%- for subentry in site.data.menus[entry.path] -%}
-                  {%- if subentry.separator -%}
-                    <li class='separator' />
-                  {%- else -%}
-                    {%- assign subentry_path = "/" | append: subentry.path -%}
-                    {%- assign is_variable = subentry.path | split: '$' -%}
-                    {%- if is_variable[0] == '' -%}
-                      {%- assign site_var_name = is_variable[1] -%}
-                      {%- assign subentry_path = site[site_var_name] -%}
-                    {%- endif -%}
-                    {%- if entry.subdir -%}
-                      <li> <a href='/{{entry.path}}{{subentry_path}}'> {{subentry.text}} </a> </li>
-                    {%- else -%}
-                      <li> <a href='{{subentry_path}}'> {{subentry.text}} {{site[subentry_path]}}</a> </li>
-                    {%- endif -%}
-                  {%- endif -%}
-                {%- endfor -%}
-              </ul>
-            </li>
+          {%- for entry in site.data.menus.documentation -%}
+            {%- if entry.separator -%}
+              <li class='separator' />
+            {%- else -%}
+              <li>
+                <a href='/{{entry.path}}'> {{entry.text}} </a>
+                {%- if entry.items -%}
+                  <ul>
+                    {%- for subentry in entry.items -%}
+                      <li> <a href='/{{entry.path}}/{{subentry.path}}'> {{ subentry.text }} </a> </li>
+                    {%- endfor -%}
+                  </ul>
+                {%- endif -%}
+              </li>
+            {%- endif -%}
           {%- endfor -%}
           <li class='search'>
             <div>
               <div>
                 <form method="get" target="_self" action="/search">
-                  <input type='search' name='q' placeholder="Search SignPath.io" />
+                  <input type='search' name='q' placeholder="Search Documentation" tabindex='0' />
                 </form>
               </div>
             </div>
-            <span tabindex='0'>
+            <span>
               {% include search.svg %}
             </span>
           </li>
-          <li class='login'><a class='btn btn-flat' href='{{ site.data.hosts.app[site.target_environment] }}/Web/Home/Login'>Login</a>
-          <li class='login'><a href='{{ site.data.hosts.app[site.target_environment] }}/Web/Subscription/StartFreeTrial' class='btn btn-primary trial'>Start free trial</a></li>
-          </li>
         </ul>
         <a id='main-menu-toggle' href='#' onclick='document.querySelector("header > div > nav > ul").classList.toggle("open")'>
           <div></div>
diff --git a/docs/_layouts/resources.html b/docs/_layouts/resources.html
index 5905764..216d2c9 100644
--- a/docs/_layouts/resources.html
+++ b/docs/_layouts/resources.html
@@ -13,7 +13,6 @@
 {%- include header.html -%}
 
 {%- assign parts = page.path | split:"/" -%}
-{%- assign root_group = parts[0] -%}
 {%- if page.nav_on_small_screen -%}
   {%- assign hideNavOnMobile = nil -%}
 {%- else -%}
@@ -23,9 +22,12 @@
 <section class="bg-blue font-white top-section resources-header">
 	<div>
 		<h1>
-		{%- if site.data.menus contains root_group and page.hide_nav != true -%}
-		  {%- for main in site.data.menus.menus -%}
-		    {%- if main.path == root_group -%}
+		{%- assign part0_cleaned = parts[0] | split: "." | first -%}
+		{%- if parts.size == 1 and parts[0] == "index.md" -%}
+			<span class='no-break'>{{ page.header }}</span>
+		{%- else -%}
+		  {%- for main in site.data.menus.documentation -%}
+		    {%- if main.path == part0_cleaned -%}
 		    	{%- if parts.size > 2 or parts.size == 2 and parts[-1] != "index.md" -%}
 		    		<span class='no-break'><a href='/{{parts[0]}}'>{{ main.text }}</a>&nbsp;&nbsp;❯&nbsp;&nbsp;</span>
 		    	{%- else -%}
@@ -33,48 +35,46 @@ <h1>
 		    	{%- endif -%}
 		    {%- endif -%}
 		  {%- endfor -%}
-		  {%- if parts.size > 2 or parts.size == 2 and parts[-1] != "index.md"-%}
-		  	{%- assign entry_found = 0 -%}
-		  	{%- for entry in site.data.menus[root_group] -%}
-		  	  {%- assign part1_cleaned = parts[1] | split: "." -%}
-		  	  {%- if entry.path == part1_cleaned[0] -%}
-		  	  	{%- assign entry_found = 1 -%}
-		  	  	{%- if entry.items -%}
-		  	  	  {%- assign hideNavOnMobile = nil -%}
-		  	  	{%- endif -%}
-		  	  	<span class='no-break'>
-		  	  		{%- if parts.size > 2 and parts[2] != "index.md" and parts[2] != "index.html" -%}
-		  	  		  <a href='/{{parts[0]}}/{{parts[1]}}'>
-		  	  		{%- endif -%}
-		  	  		{{ entry.text }}
-		  	  		{%- if parts.size > 2 and parts[2] != "index.md" and parts[2] != "index.html" -%}
-		  	  	      </a>
-		  	  		  &nbsp;&nbsp;❯&nbsp;&nbsp;
-		  	  		{%- endif -%}
-		  	  	</span>
-		  	  	{%- if parts.size > 2 -%}
-		  	  	{% assign part2_cleaned = parts[2] | split: "." -%}
-		  	  	{%- if part2_cleaned[0] != "index" -%}
-		  	  	   {%- for subentry in entry.items -%}
-		  	  	     {%- if subentry.path == part2_cleaned[0] -%}
-		  	  	       <span class='no-break'>
-		  	  	         {{ subentry.text }}
-		  	  	       </span>
-		  	  	     {%- endif -%}
-		  	  	   {%- endfor -%}
-		  	  	{%- endif -%}
-		  	  	{%- endif -%}
-		  	  {%- endif -%}
-		  	{%- endfor -%}
-		  	{%- if entry_found == 0 -%}
-		  	  <span class='no-break'>
-	  	         {{ page.header }}
-	  	      </span>
-		  	{%- endif -%}
-		  {%- endif -%}
-		{%- else -%}
-		  {{ page.header }}
-		{%- endif -%}	
+		{%- endif -%}
+	  {%- if parts.size > 2 or parts.size == 2 and parts[-1] != "index.md"-%}
+	  	{%- assign entry_found = 0 -%}
+	  	{%- for entry in site.data.documentation -%}
+	  	  {%- assign part1_cleaned = parts[1] | split: "." -%}
+	  	  {%- if entry.path == part1_cleaned[0] -%}
+	  	  	{%- assign entry_found = 1 -%}
+	  	  	{%- if entry.items -%}
+	  	  	  {%- assign hideNavOnMobile = nil -%}
+	  	  	{%- endif -%}
+	  	  	<span class='no-break'>
+	  	  		{%- if parts.size > 2 and parts[2] != "index.md" and parts[2] != "index.html" -%}
+	  	  		  <a href='/{{parts[0]}}/{{parts[1]}}'>
+	  	  		{%- endif -%}
+	  	  		{{ entry.text }}
+	  	  		{%- if parts.size > 2 and parts[2] != "index.md" and parts[2] != "index.html" -%}
+	  	  	      </a>
+	  	  		  &nbsp;&nbsp;❯&nbsp;&nbsp;
+	  	  		{%- endif -%}
+	  	  	</span>
+	  	  	{%- if parts.size > 2 -%}
+	  	  	{% assign part2_cleaned = parts[2] | split: "." -%}
+	  	  	{%- if part2_cleaned[0] != "index" -%}
+	  	  	   {%- for subentry in entry.items -%}
+	  	  	     {%- if subentry.path == part2_cleaned[0] -%}
+	  	  	       <span class='no-break'>
+	  	  	         {{ subentry.text }}
+	  	  	       </span>
+	  	  	     {%- endif -%}
+	  	  	   {%- endfor -%}
+	  	  	{%- endif -%}
+	  	  	{%- endif -%}
+	  	  {%- endif -%}
+	  	{%- endfor -%}
+	  	{%- if entry_found == 0 -%}
+	  	  <span class='no-break'>
+  	         {{ page.header }}
+  	      </span>
+	  	{%- endif -%}
+	  {%- endif -%}
 		</h1>
 	</div>
 </section>
@@ -83,13 +83,12 @@ <h1>
 {%- endif -%}
 <section class="resources-section {{ hide_nav_class }}">
 	<div>
-		{%- if site.data.menus contains root_group and page.hide_nav != true -%}
 			<nav class='{{ hideNavOnMobile }}'>
 				{%- if page.nav_on_small_screen -%}
 				  {%- assign show_nav = 'show' -%}
 				{%- endif -%}
 				<ul class='{{ show_nav }}'>
-					{%- for entry in site.data.menus[root_group] -%}
+					{%- for entry in site.data.menus.documentation -%}
 						{%- assign activeClass = nil -%}
 						{%- assign currentGroup = nil -%}
 						{%- assign tail = parts[-1] | split: "." -%}
@@ -103,8 +102,8 @@ <h1>
 						<li class='separator' />
 						{%- else -%}
 						<li class='{{ activeClass }} {{ currentGroup }}'>
-							<a href='/{{root_group}}/{{entry.path}}#'>{{ entry.text }}</a>
-							{%- if parts[1] == entry.path and entry.items -%}
+							<a href='/{{entry.path}}#'>{{ entry.text }}</a>
+							{%- if part0_cleaned == entry.path and entry.items -%}
 								<ul>
 								{%- for sub in entry.items -%}
 									{%- if parts.size > 1 -%}
@@ -115,7 +114,7 @@ <h1>
 									    {%- endif -%}
 									{%- endif -%}
 									<li class='{{ activeClass }}'>
-										<a href='/{{root_group}}/{{entry.path}}/{{sub.path}}'>{{ sub.text }}</a>
+										<a href='/{{entry.path}}/{{sub.path}}'>{{ sub.text }}</a>
 									</li>
 								{%- endfor -%}
 								</ul>
@@ -125,7 +124,6 @@ <h1>
 					{%- endfor -%}
 				</ul>
 			</nav>
-		{%- endif -%}
 			<div class='content'>
 				{%- include toc.html class="article-toc" html=content h_max=page.show_toc -%}
 				<article>
diff --git a/docs/_sass/header.scss b/docs/_sass/header.scss
index b6acc88..5832ba3 100644
--- a/docs/_sass/header.scss
+++ b/docs/_sass/header.scss
@@ -36,7 +36,6 @@ html:not([data-scroll='0']) {
 }
 
 header nav > ul { /** main navigation **/
-	display: flex;
 	flex-direction: row;
 	list-style-type: none;
 	align-items: center;
@@ -44,6 +43,7 @@ header nav > ul { /** main navigation **/
 	padding-inline-start: 0px;
 
 	& > li {
+		display: none;
 		margin: 0px 12px;
 		position: relative;
 
@@ -51,6 +51,10 @@ header nav > ul { /** main navigation **/
 			margin-right: 0px;
 		}
 
+		&.login {
+			display: block;
+		}
+
 		a {
 			color: inherit;
 			font-size: 1em;
@@ -163,16 +167,18 @@ header nav > a#main-menu-toggle {
  	}
 
  	span {
- 		padding-top:5px;
+ 		position: absolute;
+ 		right: 5px;
+ 		top: 10px;
 
  		svg {
  			width: 16px;
  			height: 16px;
- 			fill: #fff;
+ 			fill: $grey-font-color;
 
  			path {
  				stroke-width: 2;
- 				stroke: #fff;
+ 				stroke: $grey-font-color;
  			}
  		}
 
@@ -192,17 +198,6 @@ header nav > a#main-menu-toggle {
  	}
 
  	& > div {
-		visibility: hidden;
-		position: absolute;
-		right: -5px;
-		top: 1em;
-		padding: 0px;
-		padding-top: 16px;
-
-		&.with-search-term {
-			visibility: visible;
-		}
-
 		div {
 			background-color: $white-background-color;
 			border-left: 1px solid $grey-border-color;
@@ -214,6 +209,7 @@ header nav > a#main-menu-toggle {
 		 		line-height: 1.65;
 		 		padding: 6px;
 		 		min-width: 210px;
+		 		padding-right: 24px;
 
 		 		&:focus {
 		 			outline: none;
@@ -271,6 +267,7 @@ header nav > a#main-menu-toggle {
 		}
 
 		& > li {
+			display: block;
 			margin: 0px;
 
 			& > a:hover:after {
diff --git a/docs/documentation/artifact-configuration/examples.md b/docs/artifact-configuration/examples.md
similarity index 100%
rename from docs/documentation/artifact-configuration/examples.md
rename to docs/artifact-configuration/examples.md
diff --git a/docs/documentation/artifact-configuration/index.md b/docs/artifact-configuration/index.md
similarity index 95%
rename from docs/documentation/artifact-configuration/index.md
rename to docs/artifact-configuration/index.md
index aae067e..ea5b553 100644
--- a/docs/documentation/artifact-configuration/index.md
+++ b/docs/artifact-configuration/index.md
@@ -11,7 +11,7 @@ datasource: tables/artifact-configuration
 
 The artifact configuration describes the structure of the artifacts you want to sign. For simple artifacts, you can use predefined configurations to get started quickly. For signing several artifacts together, and for more complex artifacts, specify the structure of your artifact and provide signing directives using XML.
 
-![Artifact configuration XML](/assets/img/resources/documentation/artifact-configuration/screenshot.png)
+![Artifact configuration XML](/assets/img/resources/artifact-configuration/screenshot.png)
 
 ## Creating and editing artifact configurations
 
@@ -43,7 +43,7 @@ To modify an existing artifact configuration, select a project, then select the
 
 When you edit XML content in place, a graphical representation will be rendered immediately. If you prefer to use code completion, select **Download XML schema** and use a schema-aware XML editor, such as Microsoft Visual Studio.
 
-Read more about projects and artifact configurations in [Setting up Projects](/documentation/projects).
+Read more about projects and artifact configurations in [Setting up Projects](/projects).
 
 ## Signing multiple files 
 
diff --git a/docs/documentation/artifact-configuration/reference.md b/docs/artifact-configuration/reference.md
similarity index 98%
rename from docs/documentation/artifact-configuration/reference.md
rename to docs/artifact-configuration/reference.md
index 46c52a6..af37397 100644
--- a/docs/documentation/artifact-configuration/reference.md
+++ b/docs/artifact-configuration/reference.md
@@ -262,7 +262,7 @@ Create detached GPG signatures to sign any file with a GPG key.
 > **Detached signature files and GPG key reference**
 > 
 > * This directive adds a file to the output and is therefore only available within a [`<zip-file>`](syntax#zip-file-element) element.
-> * Only available for [signing policies](/documentation/projects#signing-policies) with a [GPG key](/documentation/managing-certificates#certificate-types) certificate.
+> * Only available for [signing policies](/projects#signing-policies) with a [GPG key](/managing-certificates#certificate-types) certificate.
 
 The `create-gpg-signature` directive supports the following parameters:
 
@@ -311,7 +311,7 @@ Use cases for raw signatures include:
 
 * Signing for lightweight verification, e.g. on embedded systems 
 * Creating signature blocks for subsequent use with other tools and formats
-* [Signing _Cosign_ metadata files](/documentation/signing-containers/cosign)
+* [Signing _Cosign_ metadata files](/signing-containers/cosign)
 
 {:.panel.note}
 > **This directive creates a detached signature file**
diff --git a/docs/documentation/artifact-configuration/render-ac-directive-table.inc b/docs/artifact-configuration/render-ac-directive-table.inc
similarity index 100%
rename from docs/documentation/artifact-configuration/render-ac-directive-table.inc
rename to docs/artifact-configuration/render-ac-directive-table.inc
diff --git a/docs/documentation/artifact-configuration/syntax.md b/docs/artifact-configuration/syntax.md
similarity index 98%
rename from docs/documentation/artifact-configuration/syntax.md
rename to docs/artifact-configuration/syntax.md
index d4417f4..30f9d9b 100644
--- a/docs/documentation/artifact-configuration/syntax.md
+++ b/docs/artifact-configuration/syntax.md
@@ -224,7 +224,7 @@ Sets are especially useful if your artifacts contain repeating nested structures
 
 You can define parameters for each signing request. Use this to create a more restrictive artifact configuration, track values, or include build-time values.
 
-Parameter values can be set when submitting a signing request via the user interface or API (see [documentation](/documentation/build-system-integration#submit-a-signing-request)). Actual values are displayed on the signing request details page. 
+Parameter values can be set when submitting a signing request via the user interface or API (see [documentation](/build-system-integration#submit-a-signing-request)). Actual values are displayed on the signing request details page. 
 
 Parameters are defined in an optional `parameters` block at the beginning of the artifact configuration and can be referenced using the `${parameterName}` syntax in any XML attribute.
 
diff --git a/docs/assets/img/resources/documentation/artifact-configuration/artifact-configuration_similar-definition.png b/docs/assets/img/resources/artifact-configuration/artifact-configuration_similar-definition.png
similarity index 100%
rename from docs/assets/img/resources/documentation/artifact-configuration/artifact-configuration_similar-definition.png
rename to docs/assets/img/resources/artifact-configuration/artifact-configuration_similar-definition.png
diff --git a/docs/assets/img/resources/documentation/artifact-configuration/artifact-configuration_similar-resolved.png b/docs/assets/img/resources/artifact-configuration/artifact-configuration_similar-resolved.png
similarity index 100%
rename from docs/assets/img/resources/documentation/artifact-configuration/artifact-configuration_similar-resolved.png
rename to docs/assets/img/resources/artifact-configuration/artifact-configuration_similar-resolved.png
diff --git a/docs/assets/img/resources/documentation/artifact-configuration/screenshot.png b/docs/assets/img/resources/artifact-configuration/screenshot.png
similarity index 100%
rename from docs/assets/img/resources/documentation/artifact-configuration/screenshot.png
rename to docs/assets/img/resources/artifact-configuration/screenshot.png
diff --git a/docs/assets/img/resources/documentation/build-integration_appveyor.png b/docs/assets/img/resources/build-integration_appveyor.png
similarity index 100%
rename from docs/assets/img/resources/documentation/build-integration_appveyor.png
rename to docs/assets/img/resources/build-integration_appveyor.png
diff --git a/docs/assets/img/resources/code-signing/certificate-chains-abstract.png b/docs/assets/img/resources/code-signing/certificate-chains-abstract.png
deleted file mode 100644
index 11ccf66d142ed82d3b7c749eee2e743a910eb335..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3888
zcmV-056|$4P)<h;3K|Lk000e1NJLTq008;`002G+0ssI2jrWnr00004XF*Lt006O%
z3;baP00009a7bBm000ic000ic0Tn1pfB*mh7<5HgbW?9;ba!ELWdLwtX>N2bZe?^J
zG%hhNG!sB*!~g&eu1Q2eRCr$PoLg*MM;XVr67T>I2vi}ewnFMl5pSguQbS*O1c?_A
zMIhRW7fYxG9(XB;5|UO0ifGf85|vcF(B{@Q&Bcim=VB*uyk1|{YkSvwJA3we_U^sk
zeRkK(oa@Y-i|y<>K8feoqs`3see->DX8t`rv3F|QpiuS<RPK~L1eH5w4?*Ql*+Wpd
zQ}z&>%e~obg#7NHcS*Qh!PUj!s*CYS?Et)-;M4DM20Tvj)4ga9_*VM;zLbJOu?A*x
z2SNv*<+YU8IpMl>Zt>>lu3Kl8r_Z|WqaMfkRmXYH>;>=Kn0Nl7Z~l^RVchS$>|MC*
zTeuupnsiK_Y1FG?9ty=Gn8_Uo9ekGZ3FnQ^8TU*s73QLTHsECgzA)pDv4KRCiHDg;
zn2AS2@hHp1Bc(#BR?eoPZnxuNqgD~~P$(9`OzuGF;Io*E&s{rF$i+ds*=}>Gaxz^`
zWy`rjtx&9I^OZ!Z#HHbt$ya;*E(pse0<NjE%{~2eXAbSNLG~SDBnxHtF_SwGy6~Bp
zyLK`a4^``}VyRLpS0L4Du~;q?%7tPX7^?!{572D3JDHewY3iJr++{I9a6ycXK-<We
z)EzFc?C??(+2G8Tdx0I*hq<=KaHmQUF_$}hx`Su@?A7BLF0{_`;BCIuYP8!8AnsIp
z4P0C@pI<8iOS=Oe{moXV#rL|Y=qi+Z!$9u%=7W7jlmLADMn-mOr*~BD81O!}r*8r(
z_nlz#mzi>&b6h!=O@=_b*YAL9W22MJ6_`*e63sAdDiqGP*5MCfdf=Z8eq*DbjJS>E
zjz9MZM3oqBwctJk5-9%xfT1$z5Um}x;8H|9athtFX!U*jG})9J!zu|D?4GsdNDG!g
zo~rJYDBHvIuc~<tey(wj%g3@D3luFq!rRSSy$0S}z)MZJ+N@NI^@6iibadMJ4iBRG
zTzCb@z166Rc`)Fv8Sa*-b}<N3qy&@=DIB?nbd2mmTNy0@bIP^GMuZlsPB=tz6V=IV
z=qT7hZUAw?CSFb|3P5U^B}c<3+rm`tYf$dRd}3z&XqJOd_j<irt5xfbdaYiK$GJ?d
zmQMN>N1w6(=Yho|U-zB+Q6=XBVF`BGQ0|y0aFA^@*in2ip$O;|#u(YP9)NZ}WNl?Q
z8A@cs+-gmT>LPRCAQ`dbhEt+!57T#d;bjKA(g3+<IEL?bxdg{?DUM60Qki<A)$8&8
z$=_Xh#pZbP3(mK{IJMvAJM+_CuMrQymzh>`dveG2l-ytud@z|xR)~=uZ7FD#1A_>}
z2;;m0m>W;4y0qoUf>H`Bx#5&3+hg;0_fk%Hx+j@-r^Ck6Y?uqPaW0XmH@oZ2xc$9H
z?T2isnP&o@eE;T)HrL_%D+N!C^#QrJn{_b{4k;R$t!ybimXMnwB_q4m1JF)KCrE@0
zB?2+GS`(tWwB=9>k`YU8I3>#VFqOOTlbK>JVZZcIE*$~wKr9msu-QZcyv~4bpHD7+
z@a>5M_jx}2?&4ebuO7BVPJW|Z4a8ZWYwE0l+=abEv;exW19u$}h!jTbF(DQ#1a=Tr
z>)Elk3|d%xjn<2TkWwY$FgNJvyENqppWMci8%>F_JxpI_q#s0b3)fFAJH{h^XJBO}
zuwrLC4%Ryt3AhrBW9GvjPrhLD9I}Nzw55;RR!%$?4^9EGugr|;zsv~0-BS>@5!rMF
ztxew|fyu$ZE*HjP)!8U!Y=W{`QytHSxj_f1fw?s0l(`B&_mShssp?LNvOUaSX5e2{
zOZlYp)|lhkr_<xd?3a&&3p8N+($U$;vu}NR{*6C9G4tA2{O{Xd`{R?({NecA_47-&
zMx9e*opwviL!np%bGawMXQ$JSN0?YRC|*$(Tmf*!SpU@A($hyu-+Idb!b|UdcKVga
zM{Yd$v-FvXcsvrwrs2OT6pE!VlRFT))G{EoR{P<fxksMP&wAVOV*lAAokxG2nOR+z
z+!Tt%Fq8Wh=)ZHW@Y^@CJl_TFe_d!F{J7MGZ3@MT3@G=FUa#NmNXIzptsdX)iERqS
zf($D6$;nBng+tFkQ7p)ya^JsyztqB^XP_t+WT)g_qGzBe)?=q$X6PBH?ScPV>TZDi
zHP~Ij&dJ?EXP}^Wvt5C?jmF;r5V@Pr_D;@|sD(`oc2wV1Rv2ZsR(l6uX6~*tP}Y&V
zIlCx#j4e-CmwQd_RyqTP4i<x;K|tIwXjG6l5j84lg-YsiDi8z0m29F#Y@=GxO@*3;
zobm{Dw#YcafaWouCk~khH>so0ySv@vTH0Eq1slDMyBG#L^)h3nGf>E8NXsfkA$GC?
z=|V;z`ypl%yJ8#Z$Wt*$MTThNhjq#chN!uPmcb}t8c24NTCjuEl3nmmyw<SpVmJ&c
z_tU3Ozc0Wr%+%DB*amhhoq<9}<Le9@x*I?yQsRhtXa*@ACD14p7LCn>r~yHOH6?ZD
ziJ(nqIEoC_&Qa~+r6d=b0B4Z97!rfZJt9-9)$;kg*amhhoq<9}W9y7AtY!lU#5iIe
znn6lO2{cMYWI|?QFjNZGlqAsHK9X6&a1=2oycXfc(@HLFtzq58kQh|%Mp)?#6gn8+
zL1cS08=zN>oQClrCD14pVMk^n4Mj^K!Nw&GAf^m397Tp|=csl;2U%#zrLBcp2DytN
zu~Txl(itdp&GDrL4tX?mVCnI^62yLD*|3fpXqHN{!w~g8q@hSD*p%CNI-}$$NFmUM
zEwd>pcK{&bFgNJvxHPqpF|c|2cQG7x?CEZyGf=1r=1{%Bp)9kUT{d9VWGj&z%Z7EZ
zK;2ZRd1MT<WxFyIHUtJe<)nt_)P_iA;_k>=m>YDETB=J^YiM^d40cZL^b8cma_p4c
z=@}@B1=%UNn?TP%QFe=6kUKpCMcFNOMeg(r6lHhV9l0BQ^`O&kvjLBE01BRaf*0dk
zVx;p>;xQ=cFqGfp^t%@Vp2g*bX_oQRV^EY$*&VqXeX*=s%KKc`m!{7<Z=7;X!81@R
z)8{-h@EDZGabb0K%sY1x9)nsK_rU{D<KFpkzw?UUH8DGRj{Zo8vMCmmdm#-}?sHzx
zCBvzBFdX!T0={t27h(PJNH7s$qAU}Qgc4CU7G=}PXr-90mePsPqT4avX*Z=T6p8`X
zdYJ)opPx9HjCw(v@A0Wjnah;HXC_}Q6zlmy4YU)fQZfUNK^4p5?_c|gkZbAID1Ewb
z9nJ5P?il2+m+mmuk~?@>&rf_3WtMA=PN7sTl`8NQRJB?zSJu`_g<`o-ER`$p093VB
z1C3Ip)@rvBjB|PVyuRF(-|6kv{#ue9l{-{4k{s4j#ElomTw8$1d>dHnWu{Wh%wIbh
zW0v@CS3CpNYB!qAdM;l~ri5cqseH9og<qiWz%S6ZI&Gd`j|JxS<t{u*<n>X%c)iyd
zTs5Ycr3V5ZU>EK+xmSzXxvM9l%o1qJXQ0;W^?Ha+g(K-mB;yYzQ<(}p3<3kX8ynqz
zpO5<ImZvWm$X$1Jg?|qul=TBf5DcF<vRw&7ljx3>L7cMhwrdeF$Q%r+XijMn4^tQe
z9AaL{h9yJIhE-&gyr9Tka|X&{@9w4SERcH;%3V1F)o9egdy8<@%C%Ot9BUNpt;$lT
z(^&8Jdwo9aon4u}u&(oev=o;E-$l_VFAmZXgV8q9k#nE|LhS<3sRqIpl78E@L_69M
zLv+svVZrJoO{WWiMmYdOdoM=GpjmZjQlg_^2bqHGf`8(*bnnqDGa6>X?#O*~bW}X|
z<Ps3uzz*Ks9aoM;gYa-uqge;<Ewy^B(QIV0nM5MHR;;nhAKO3p-t6J8ExrE`d;R%V
zBMlz&?5cgmt}Ay4Toj1GnnAzl!W>vfSyysVm9YZo@{0^oiyVyC5>Z3&U^Uh-odmS%
zn2~WZFjDv4$xxyY=2iv?NG>t~4w4SbY&ah?c1P~wp(j8|Kx_j$cz2%_<lgW1vzbgR
z7Eh<M@p!USDzEdsdVcQ4;fHVh!#4N!mlqD%Ztk~na|e6<UdS_JB6ktEIO1}Ui>s`m
zW-*nHGDOINgYO=(;Dgk{&7?y`FBqAL>>#os$my`TYwrcGDj-G}-lPcT#?wkJZ7s5z
zG#<-rI3F{1NA5-laz75_-tG0`sT{*{(Fhj~$BU&J-`hyIUcLH?&2#LLyz{yFHy@bZ
zZ}XgZqR}icp4k=qn7Q25wIX&yU2M%_Djj9V$gwy|n8F~n$iebhw2B&n2P<^|qK8PP
z1DcoYK@2mHp+q3&Mkl7Yw6#zRk`Bwf`5ozCHMyr9mygCn%b=aem)zb^CJ`^>vZ6P;
z^3TbGHv8+}41Dz1+-qNA-nGRp?Bn@b&<&pMWBfWPcd#Jp+QJo7rG_o06lA=Z>gprm
zI;b^Z8@2|mrQ}n`B2s`&Bv{D-9r8TnJnA$Iz%vNB<s9n0s99Bz2?-E!m>Zjz;?mSY
z#=xfB#xonu#|+Co-500MI;Tb>erM3_2rN%C9!F?(Htb)BF)KmGJC_f9b^f4j^=(_?
zgf0F*n|t&rj$K}zzv`YHH~y=t2)Z)D8j9e{r|b*XK~^8niDw0<PQ`KCwM4TrT!~OK
zBIkp!954czm^dlbi-OFKj1Y%Glw7I_BAL}0OUO~8A9LdqQ(c-`%Djeq2FhA;ua<Hy
z`=!~5Q`6%|g)>km#4}Lf0#E&m6F2|*`him~KI}St-_nu$p8L(SFZ})NihXo(>YU3y
z-sO2I%RK_zOG1ISiAIon7Hi3!=Xv;j808EUJO%~NK*5Vyd3}`K_m|RlescY@6R-a5
zzyE&d=kCWx(hJM680%llWuz4M4nvbWRl9<<<ZjN9vGjw#O#kBLa<$H1^7Vgkp!VeN
zbE$&lz2_K~+^O1C?k2gX^6g)}oc{bq8MHHH{`vQsA724&`ZagTR=Jzx4rsP}J^AEQ
ywE<dG>y&M9m&u(%83ZbK${vEsow8@x*!VvQd9A4FJyE6r0000<MNUMnLSTX?Sb}f>

diff --git a/docs/assets/img/resources/code-signing/certificate-chains-concrete.png b/docs/assets/img/resources/code-signing/certificate-chains-concrete.png
deleted file mode 100644
index 251ac7c99216c607d40c877abcd441692379e79f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6177
zcmV++7~bcJP)<h;3K|Lk000e1NJLTq00BDy0024&0ssI2K$U5M00001b5ch_0Itp)
z=>Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D02p*dSaefwW^{L9
za%BK;VQFr3E^cLXAT%y9E;JKBXv6>j7m`UtK~#8N?VSmDQ&qmeZ_BPI&Wys$h~sQe
zWt0&`ph$<u=<s+S^C>fc3piNWWE+*y5#$>L1$7WCYZV-eP(&ylsI;`uy-nMsOPVxE
zo3=@tHv7_S&Aun^oO^GQo8_jp@-nU5-*>)z=bU@~=l;*~&p9_a{{#t8P*98>D2t__
z7)?+XOF=Q3pe&YxVl<J+VtqcJ-EOnntmMH0UTyHzg1uTTCLn^#Q&3RcY!X?l#cb^4
zHMO<W@|ZPkEj8^e)$J`bKD(CBqP1gzP2;m_K?J<Efn*Df+g!zIsq?tqcoh^B6gQPb
z7HjO6@fxmk8?JY-D)=qs?ak$UW@QJfs*7FK#i<c;Xaa7nkXzTytM6&2_jWc)x|(`B
z=**g{R`UQ}1qB7gO(l`V8v3Qosyulg-)<c+=r!U#xmYZhNEHf&O0Cv_SFuznm4TpA
zs`?!ci`!*aOFOxYBAdm8S3yBRaZ^cTv3iZPsUo*uDR#QOW~)u3HEDGwox!X(SPTY>
zPH)C?uuPl7;r4ie#kSTK*ezzf3JMB}o5~<-Y*WQWrL^1TaGK3#s}+8{WVV?5`}G=)
zUaisV4Mw}&Vgmu>TdhvFTPfyq>I&`FxE8A}`*7`=7nU!>Sh+g455E9t`E=Q`orOv~
z6^G~o&YHc!nwIaavEsQy0_t&=hbJf~MiqlR$2OK<P|Lf0exJwd1i|NXYPE(Qk+M&$
z?iML~#r+Pq-{%i_eO{l>1&S&9+JME{Y;kwRf<uoZKU<Y~0ps<@#y_~^9~B1dnwDQ$
zN*5(qnj;DbvX?yZ`;7<jnhtLK{Y!Z=?8;Ekd^Q)^RD&ldC`J{DEOtOEZ!Ei@k@xrm
z0hin1ayeXX`+&*RuNwf%t5$C{m>f>K!t0cJ{T`1GNciNvJh;Z%;+kIf(I=4wSrR;D
z7FEBu2>ICo7Mf~0{PfdDn$c(=(4P6&BQpSxJeHO|=g}E^X&{eKpgD8K<VAZ~DleJ}
z1iUI1Q-Xb^WGUMCD3pY<neAv+Akc6y{jWtu2hj_wSFfJ&t7(&vyY7RDb7H&*1;r>K
z;jUOKYbgC%BkKWiu<wPtV)*r|Ste7c`^}nu8K1VBbv~{A(yU(ER?7g~<H|%_V6hIX
z1+5?oXt7To?Z#68Tiyy}%A2(?TC^TP))%3<_51Hzusxp*$lv}DvOJ3`g)4Trfb8T`
z$nv~+U-~wG^z+HfGod7q-8Oe>MlQOG2BPDq-1Z`RK_C#Y3;zBnvit;0Xq>1V1;wZ#
zvBgRmCFj+$ZjaZilq-}9l~SozsWc|D)$Q>J>));Tcq08U(sClD{)6$t8|!_3hqPyq
zH8#Rx1J^ep$i`wc_9}wBdL71kjy;L2NAm)K8=H{doxq-U!v#vWjzcz~u}FHemrQ!%
zBO#s&1PWdr`_#!^5P_nr&Kg42DFS!cbOTRNP>d=Dd5#5ZtXeK~IGrM?Qq(IKiKH^A
z%3|}l?J~xh-_VaBa{B77OY>>}K-edzne==~PX}CM?L%8*1EpIKWZg9w3mc@rcmwj^
zClxSCdp#9da~0eCh6`L<hag)@(aZ>hN9H3)>X>msQV`_vLjrIiEQ$g3Af_oOMh^+s
zSdEl^<6OTAE^-2iS||`{WHKAN<Mn$KtTPW*y^pl#%x0aqyZtkyH}@W=Ss)d4vTLt8
z?QuW5jj`C$&Cp=s12Dm=dX6nXLaZ(DqL+yUe9&Y!$C|A0a2m3)$m?;3@%X?aIAyUE
z-y;&Pv08ac%@s~VNpA<Ui%SPV*v9DLH}-b2q{0S9&a$eVNZS#lCkIhnKw2-(mI!J)
z*tJ~7b&@p}E`n*9owzl1e3F)ux-d(GT`S%g+8=LD-Bj$y@p>?$BNhPL+N_1C$h<=x
z;hN^dH-erM3sdKR63hkQvP4lxH+WA-gXMyCQ&5Z=5?id2O)qJxx<W6#$SBVR0YqTD
z<U&JLL1te0ft`P#eexsznF$}hz4*B|zG<ks&Y>5v>q}ft2VO-4qR$pjnLKGczG)r*
z)aU5d7o+TrDO27k0}-FcRk%JSw6{%}v!COH`{Gam3`O>0VokyCb`+mK70d-JJdQ5t
zQKEr>`12*G9{6<%iqS(Ni*>tQO1VTK6JtRx#e+iH$6)iH|7_sLE2X;+<$rViUypBP
zPg~J{wMM0s_vy46Tz*)z?|%SE|5A^q0u}3!M-O!22?~l^o<tU#0G-LP;(hre8?+q~
zf4?oTDaSi!o0{9>!7qOYs^9(j)HPXL_)QET{~u5P`lWNhuW%_SZh3}jv4D~$%keAv
zfZrDg_;VSquPe;~fACDhcOrZWV#bU|)?JPJNK8R-i!ywRwV3b&h7i<lv8dPUwOY(p
ziwO%BGYrAVK-^$5>MfM>00qSm7{0}xJC}pUA_11%$!+8@Yq(97yynWb=E`<vHJ^n!
z#G`=)0!)I;HZ+IZT-Dl41CPyk6%-T{Bn;nTckbMY$09NI%eahUUSmmDYjp>^ir-Sz
z(NfdNrU_bU0&bm<TQA_%cegRR+Z#muMzMe?>t^+JHnh+RC_i`#ia{B^#pdM1Ut<mZ
z(&nm53UQ~yZZR5lVzE*phK}z_rADLfS1L4OsY)tWgP>Gtolcv_?SOvpbjlBYG|+kZ
z?W{U2o=7hL!CQ|chHtS91_O^pg89K~lzk4T$7Heg>r6VmNpCdkQCE1K!Gz^tnO3{q
z<?*T|3H;zkwpVRm?&_6TeJju6N19>556je80uY@Bb1!$z>eXv<JMkojHK^M17uFEl
z7$UAzvMGESnRO5z{S3l8yEfP@iAE~Su!kV#)}+K4l)<M88N(I~L*C?JjOp+#_W1GR
zcq|gk4_+nhwmV&BGwShUvzX0hO+R#kSE+TFAH3aewb{TmtJ9O%4}JuD)hY{j%(-X&
z->~{#U->Ln9aI=Q(2NnC4)FHhGi~<lY4_|W*uO0ArJ!mDS5CWU&Z$=XLWp=$$*1Ji
zsH5T6UO|vo(4*lAM+)b=3_;AT;}d^S2A?Wq3|kN<QIm%=ro*?`ciwpik3|ylgZKOW
z9<S5ub^86zeyzT{2lInhi25`RH~eJT>-YNnF8?5Y@bDDy2=%J%{O50xnI}|O!YpjT
zs*6589i3+F`N6MtR#)%*)erV?@T@?<CSe9u^K#ysiKJ&mx$ef50=*snDh$^vCP$XH
zIsIS*yaWNw+Kf#ZVgu36ir){g#?4sI&d9j()oW2^LpZdZXrxfS?GPlmHA#6u{6QIX
zs=!`4*3S7Sn*ZpWzZU86vIIfWGI8e~N`fYnj%i|sZ?VP2grm9yBK_d)E*Ds9?IyEH
zXBaRTj5?#uXtq0S5|3Tv^*P<JC4>9HM@*8D<5lZq?)oKi$Nd?Xjd%tMRQPwFhYx;f
zKK~uD0nNK6KlCok<6*t~(Bwa3w~B)P_5|d)OOdX-@uei^R!&`evJI+;>lK?55N6H|
zb`k(IYi=gGRU|eLb{0uLD05$&^4o1_&$3Uwa{FzGEtYJgAf!W}%+0v(wm%VW{qX*J
zET81oB&wpsACy6-3hbo`KUlN}&CgtlOx=yD5FtobCjQ)mkk2~6;4>i}!?)P{{CsSo
z7l}j-4GmZv<j3=aw_2=bsZ_4km^Er~Tg6+=XJ+!wKhRx~VKKrXkcl|ZM{kIJ@FU2p
z)??8~vzH;rq&x4rd)ayXQxT}}m<f~b3^IAbm~aDRIZG$Z+{g6*S?<1>DT}jXHig>r
zOHzNct0m%OHknk{ftkpdw}LANBsK@tC+w;OnuRM9*+8;>ko;@$*j2e!%!A6QKf5Y=
zFcMfSVWc2rLjZ5_Vn`96_3P)6MW2GDn(Wr3LxvG|PzZX)pDIxKRcBNd^lr}l)gT|M
zGOB@b%8<-G2w9T>gU^Kc4BujfLLpds00RR9DwPV0gM6YNyh1KlD3l7+72a&IdAuG$
z?T+#TV;M(MTC!5>-yhRe^cSDc{w@9BN0wKu$8Izl4a|MBQ*T>x3JxGFIQJu#AqeZE
zxuFJ#PcBMLJBp8J-_f)&zdsqd`=xE4fIPO3<HV*Z4ylyaX=&N_1On8a_;fbf_}H8%
z#X+-hWg;6$)(=tL5EjQFTu(Go5V9eNx&=@rEd{2@ZcRF5VPXb_P+9z`64Oibk6`Z!
z1T9F)kjy;@S(Aq_6UZ38#bWMoQGon}e(+Mpmk-g8A_~Tuu1inSb|dVQcboL>-_8$y
zM0(Zw{Q@wL(Cg6(6Vjp+>9~p^(of+2hJey7s1sqd6JSCqzYkTta6`(N&DahgItNbh
z@aCXoQ&5@629ouI0OS+47GZH5LM@3#3PLsng2VHWO(l2&P_h}BcNkb8*{w;3EE>X~
z3_4XJhZmF%wj`>7amtX)JqTHo2b&2A7{0}lVd$4JO1{!4dw~IWiB*EG9<@|zwU|ND
z=a#e2K2-T0(sp(h`}mLeCy~BOQyr!*V6m-r1rFON^Q!GWIv>qIDOiuBE<6q&1)##g
zH)u#GjSgRWR(Ssw=*<G-hR$hU*P*!xl6FMs3(mygz$cXQVrAX#&ch2(`;5&2JGCui
zkaYzxuOkzzPC@0O8c5a;P&y6kH6RYwGh*8!YDqLw8015c0;YN}bAIZ=6R;ymZ%w8u
zgk(?#ohnfIaBqOp!DdD^FishgxrY(A$%)2vF#bO*7W%=rGOqWuH+Htxb#m$i+<GC8
z(Zg>RchT!|R#xmx#r)u<=f^akPwVTXb+BmUe()pNt5y~k3~fSDg%^Joo~fbqjcvD2
zd9xbN#i@RC%I({LUESC^Y4Q|8JI9UNg0C(KrMBRO$Bmz~9sPVVHU~m`^Y)2o-fPvg
zH-pN>G%$WY5PA)WE3%gm+ZItvqLB(gG6X>lqvS|$O`<9!?w|}hRiN_W-T<Y8_ljy@
zY#Fk-7b3RFiN<s=Zob71=v1wYvZm^980D85D)K-85g0GM$fznjm{;@uj%O+k{gik1
zjy-QZv+S=$^r{jrqZo*|oS{#7zBQCrEyWPI=~E@ibMNL`ELi&0N|{O_Q-N13qL5;t
zk<+>I#K6=QioHjQ3(CHl{aV}971{!tMy-?@^xx_H8Rb<=F+^_qR7vvOyZIKI0E5~2
z!UytMuWE(zfX*J+`jz*|H#Gddh%Ll$p}cA-hR98yDoLGtNwru&O{*=t$cXvVe$(u_
zQU{thgvV_P3JR2DTdYyvkH-M;+aUaNHJ{gO9x$2)40tf20Y>y#7zhX5fB_47y;fs3
zoBZgvN)!~g0?D@6)2C14u}EwdQx~t1*IeD&P|9sA=QWkLHC41TD?vbg;w#%*s@hwy
zR~UGxqdcdnlEbX?c&NXGr?^!}w#Ab9!JG7IUgLFM!wn&~PQa<{VADESwOy@sUGSSB
zdUqQ`$ZP0sZxr#Hdic$KT})X|t3t%-?O?EKuQ?qg2RA7wzIP<sVzINwv6ywrmg+pQ
zfbDYFY&MfrrV>llQmI<5)Mzw1wOT8aYa}v_Orep=HCmm)>v4KK4q&%jda=uC$7@Ln
z1dq^&I0Z!#NVdh2`N5m?%I3;TQc;^7^@B(M_Z_;t8;oYX-lR8}wfX_A9?vumSS&V&
z%k7eNvpDtF;{BkxvT(<<OP4Oq=HqD`UiOkDOP<~FtsRsbK3=c@cTyvIghs>%!Cta`
z;R1|>+e?P;Z+Vk|9rS4no``H9#YiUE7JK;cVLTSefI-Eqyd)NKoG!Q7f_eNvS9qP?
zs8Z=LS9r6<Y<E~eu-dHf$17YeiGaza$F*3&Cr=>1xcA=4tF97%{DHG)@}fomgFNv`
z<hk*|8IZ78d?mK|CLA=4h$o``*qr}Lf9-TR#_8A6|MZ{!>srmpG-ONYP*g+%DMm8M
zw%A>}cHyx|z;kSKMXtEJ6&}s>IYIFIT~@2LN2C<>s(SlWT|&7^V}@sG0|Bqk<M(@f
zKDW55nL{sfI%0Rl@X&Tf&go~6r8%MXRGItdNzZ(pM?A}Jy!_(*KSi1Ti~VdYulI{*
z@tg-Ae(<@|=;6=0eY0j^KAQ<FR(tMGLBWqA{N3vJ-#1}tX16~0#j{u6EySH{<0%lR
zeedCn%a`9nFT7nDkequd<Fc{&-RW4dmk6GpLlKWv47PCUo#T<)eh4z3{Q|a-*g%qM
zff^5g#KzUQ|JNCpiSLCJ$s*YnTT()B(jZ_qXqqZ=`-IRJ--$ZGg8)`qgVBTslgn(;
zIV~M-N1w;*b9)28VtYH9xb@&UHg=6g-7Ic6^PWQ%pTUooD$YEGtjKeOTrL8#oE1MD
z`}`MTl&YO`@0h*|{wj>yq=Ff8#)q?z2luq1pF<aKK#&di8E_JdEqi^@0XkOIu1Cf%
z{W5&)Me^w)WL18gBbX!#z`Ko|H1;L*g3cZg9-cRL(jDphtFU5^O`3)k8=`ouVz7lZ
zdmcwtodKCD6Ko-&fn?PJH9)<%8egnH?tB}~rbsTyw%EeL!gDAb6f6$%O$JqC`3126
z{=AXRZUq})3;LJvY7PASNo%n7@$(zMeu|lWFYo+=ee`!64xP{M7x5W9da>ITYYn(#
zlso?~$i(e%oe5NKA2;`dHa9df%wl^#U6h)UXUG3}#OJ)S23d%EF+*zqHV&TY#*TN8
zSSc~?wue^wzN2ZWo5Sx+C7Z{D1c;C-0Bg<2v*8!8{X(7@Q^n`Z&%lZeRXo08k)C6O
zhLBbpp@yd*14%zdbP1qH4#~DyQ4q}A8;gVd0lliR>}#=*4R*yEwOS&Ps#F@ORADd}
zU2d;c%cPyUzvckalr^#CC{p`gik$g@&+qGLXYd$B2`m<OPy~|{I$dT8{OH`oES6wx
zDA1QGlrG(xf~+kJ`ArealEr(o(o--`M@ZN!D^LX1uXz6nPpUxF1rp;Ls(5_GNG+DM
z+DHjdEYj_cA~_`6V#$DOY}o~|u+{7HNtFG<9+|jT*4ryJ7%d)OK+68O{6nPu!Y{R~
zZOzAiLf?zDU7TmN>4a@fT>AAy77N}ZPNXC23kudF>6p_cm})^s<aA_1VbBfL@4E(y
z9D_xC-hy>V%GQuu6@WO6<HzC80lkW^t35>92b63{Mb;IB{U-fB)QOT*0pcA1uq_)3
zadA*=16FK^;v|Y;zMi4OVqqE5YGW)m{BZz9@)#)=8(d>seO|9rqi^F2RZ_7|qw@KH
z347JtL)Gsi^vtPUXCG!B8QXIjkrXd*xl95cSYv_3#y-bl6B3PzPc8yWOUmoGKVrxc
z89Ka<M^;_LR(s}$^CvF(9Dac7zOo7d24*#(`8Mo1mf-yzKVJ66ZR1|fLq-0*K6Ol}
z1d1ek$;6b$_A$}R@Luy4K#xum1tRVMfTof<X8r+GoVjn_c)Zxq#7Pu`p4PKJ09BeD
z@B=Y|3|X~=E(HJqYK{F*Fk;qNy_#KD$gH_4<k36ffv4)u*4i#kt$<hG)85Qyd|9;b
z-lq4F_AEq}i*#g9YRq3N?qaqzmGT-(;;pg0*~_NysKVm1oE6ij?+*T?U)7H3%d&%y
ztBt#-{t)~9w7dS8gZulHy*YLI^kDX#ucJ#X5DHaC77x|+zh9o;9m)-&J-_VkyU@$%
zz3^Y>jH^IItpI4T+iL3nj*8!P_pU}fA21Yg62(BT`~+(BhtJ>w8YvUET4I-?0^x3?
zNFF1_Vl5^ex4EjN_F6+lUSs9u#>y)V75~OUQ$_BT@}}*XU!3^+{DxCgX{Ua?a_u`C
z_tv!1OE`=hZOj_4C-@=D_mjx&D8;SKNU>P2*QeE}G-_o(8bCy&Qs6<+_ep{H;kRrv
zUhFI_%RhAS#(ghKXRg<BJGC06+-&;Z|GySI4YGD<2dgN)_ly*aO-vzO_dtf?ty5-?
zFVG|n{PAP^st>frZ}qo1qnM}zg%r0mqr+mYcFz~rjJzIriq7ir=F~XZLJ$vq(n&#a
zt1vn&HU`R8DQ;0lsl`%I+@eqxOF=Pu2n7BQiuH88zP&@-00000NkvXXu0mjfwdwRX

diff --git a/docs/assets/img/resources/code-signing/overview.png b/docs/assets/img/resources/code-signing/overview.png
deleted file mode 100644
index 76c8861c067ce524e539154aeb7f98ef2dba4095..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 37153
zcmce;WmweR*EX!8A|XhJ0wP@!GJ@cMgmg0qNJ)u+(&bPhjf8X$4MT%~h@^lZAd&;p
zQX)gg(DCfS%gg(JKhJZ&$NS-ZKX51$zrFX0bFFo*wFy>Jk-dsfi+}FixvTPW(i-Q^
z;dq@pcR~Eh1@KCqaEciC=c0v#vc$P_<q-r&#+ShFcy@BSj_1x1HDiCyQ?M(%0xwcK
zJ=Ag1w0-L2YV2Ts&d%7<#_6_=xzkO-+x)i$$sRmwJ$LSHn!L0G%*}8m6)#~BHu`?T
z?vrPOy_1Zr_(La|hZauyPg9KOgq)<4a+3`%Nk32@Ar~?`_wb_n(E~Mg%ZJz0%w+Y*
zed4sPjbtZ3eew1w*?C<G>f<!D&<$cXMQttZ0?zz}21KE}ii(OxzJi0JhCJO40i)kF
z$t#TVK4|$X*#AadL`7p?@MFd+U^{zHo)o5vec@UZGZJz3VP<(XC?57bxu|qFDfYd$
z%n}&p-w%5Ie}2$gL6eq%tGtazo6xYen(cRr#7utKxK#RX5)*LeH1CsrRH3%sp;g`4
zld}o-_xGvvbubN&lnvpS{Ub}$AsgPO)U0#@<|<x|KJ^UGhu@+7wQ610Y*xzc&(@Bj
zth5<8Xw$RVd)lo(o6^pwbYQmM_K>)$@pK4Xy*yDnJnC%fhus`AhLG-V<)hWqHu-Sl
zgl(lmHoen4M>gxVFcR#M-;!4tw*(N}F6ul{3BXf`v(?|OE-Xn9_im^nZohz)j$Fvg
zll=v-hkoH|e!}Q)i<7mAU59!)hj!e*x1W%t3z_mLZL~KrrDjcy7Ju<IC*HtnrKS7<
zR!UJO-|j6eC%$35&UQDzxc^?4&~1^O@1{kb!jxwM*7#~1NcS`aMI9i2`lP37XIke>
z%JTd$)c`z`vyWWBLq!|Eras&514)co!p(rQlf6}g(y#_)V3mT${Qu*}D`qTDo(w3+
zYSZrSU&+!pZ)@&R6`Rjiyj}ajt>uDgl<A`v9CiEeuOD7rei73i<0sgh{o>C-Dqfdc
z&#&A2o}Ba)mKjT|9O$xB5o`}>LOEcniG>GrLf7Y&K3+<@ZOssV>9>A-$r9`pOidI@
zy(Y@9jzKrxhK3)RJ(IpitWmRRzoq^4o%WW>-eASPuX27x@KrIDA+Z|-XEw}nnT>BY
zrmdCy*s9hoxg^2J<2awN)u|imk6zS7BJhaMw0koH{)ic?l&vChWQj6yqo5U9y&1o?
zCwuPm$pk+EK86beH?N0O%Sc1bKQDWhz!{1kzc3&(mnm%f1PQjpY?Ho<!%#?-5owSm
z{~G69sM{P;)X8kPnb>DPVD3<+{8!V2Do@%t!h*#D)IvIr7c&V4U7<@8u}qN9nNErW
zU9o71!yjfc=Hww%w6X4(rB$60q1Wey)};3>^G=6!7^L&_>O>ONOPA~6og7-CZDs1p
z+Nz$Ww7d%SIyC0%i|_uLj<63+o*?T%5Q>9Epy3xskSWc_+?ikAHV#i=aW;~naKX)I
z?RRygP%-oq+!%J{%B9?s$IFFmS)3oaWl9kR<13##*?lA8{(8VCysyGJ{C&7^Gi_A}
zXEkN8L$K`#YM^gyd`^in@UF93cNPh(j2HIsc@Hv6P~BBi=<37moa@#)5*R0sa)H=S
zLuLQ_?s#Zs{QKl9*dCP8Kc6B^)*e*$;3}_2a88Cby@D=lzJ7=l34qIlmJ(Kp(H92B
zmv)kkEp<?T5;ghjT6P!is8}j(^ABof7knMyj_IL+Xqi#wn5zkXh)+(TiPh?Sagk-`
z;Zh$|)$&$c;kbIl7<v)SQL3%2TF+5+#j}DMy|`mSgC}P2zgvwC`TGn~*1dtoiUQf9
zie)b*lqK8apU)gJ^#$G}#3hgA%WKde9oA&bzUzo2#U8wVoU$n?-Eb$pSI<!&s>Sea
zVq>IzkaT`NOJ7JO)TFIET5PW+v9Y?4Z3e7(@p|iMpy?S5Gk^YZ@o7qbLc*<g=8d}T
zaxtiWP92Mh9jDJ`8uWjBzUayQk9V}PcT2{3^>g*o5eG{GN-^?(y=um?<TyRjG_!9&
zkg(J>&v8BcFFsMHG=*x?w(u=7{CV2{O9UZQh&t6#e)-tz2Ldma@ekhgq_^5)Vq`h;
zr}&dHjw^HdgXIIy0P!MefrZ*kAROJ8Xt|fu@F4`5*Kmc^=RdwD`1&);9L*j~HBAx=
zlB9A-L`Ue!;RBhpnK#F^X)lKu)JnXoHM}m%<BN(NCS<|UFE~3K^?NtN-h3-|_{L>h
z&-?=YB~*co|A}&$vSg-yrs0L`+}RL*`-|6m|C?l~({2r+Y@gWDXbG^*cM7ZDo(R*p
z?ffL{nr3a`qVu({Z+5~YF`COeGENzSGGT_QrZ4E?pLtuhm5qgTu#*9#0HF>*@EtAn
z8FRPfk7XrOzp~=HkgdpB9rn~zY6=XDK+=g<P-bFqz&=>UDQ|GhNsph#+yws*zOdf0
z<2^R1u7=Z=EFuv$VpfgW;X7oRh;T*e8%DI9S20fd{E3~d<j+O^JL-9a1jP#!XJg<6
zd&5hMJN<mmk$Kod{*G(_|D!1<dRi~kqcqW#?lX*#QUhq1t!ndDZ@4;g28jsw3jUCv
zH%mHUm;_U6vEgcK{T=f_5K(#x$1H_kC7KI&w#BrTvD2Zm%$Bo>PwalKUByUCW3qM4
zo%?giFHD#_V_+*?p?yfUnGe$K@c|B|B;j1FJbe6@^m_igpg{=xV*zX}7eNFA*@BNB
zx`R)G@Q*A6l&(qr(KsPl>;KcopTgRBIpOY4`v}P1h=g&(Y^UlAy1Dc%N9D*Uvv&Xc
zq{O!`t>YW`i;?p`SPa^!B%xdJ+^HYO@dNntTY@B&R*rQ^tZ26c7HR%?0HNz6Pb0#L
z=Q}ElC%3sFdFW3t9S*CVRDIZozLd^vy?>S7n%LlAIkrns8_pYQ$P({ay^YF`Jn55H
z963%L`q!k(F0WEoOQ;w$RE~)HxBR4}nO8daS4UEbeFV4Szi~Ni^)~m<5HaE7_T+lz
zTK>C)N2FL+$W$fK;q!ZL@+YK*FIC(Bh{fWI#s~hHH)X0>_ZyUqXv%dacMt*puKG4-
zAmPhwbZB#k+4u3xRR$_rf2GcUWn$bJ^zxxWJDU!fwkN})Olm_EUD_hWzXDKhB{|+R
zxJCUUkAHbjsr26!pKb1Z&D732aF7zoes4b+Wj<9tdj~kkKVF*AAte>R=PKR{6e7d>
z!#A#<{g0Yy!oLtx(fH#L){*U4k_&MBtMdRRTO}@q<**f*^!Ic!>q`hr@_)A>YnY%j
zw^T7j6(@81*L8m-{D1d9{UtgJ|Jdt9JxeJ6KfXav`_areUpL{q8gzj3@8V9>k*^qD
z>=L2w6#u*1X}LUp|KNiO7bsd6vH46@>s$8y|MHE~4|YeHty9xtaEUqB(4WNyonxW>
zJbyn>$6x$xeYv%eZS?u}PtuDQMqLHcmJ((DRe+t@(JdqTeWEN1jPzq7!<nV6<b;I3
zi+`!BQat`}bMmml2&LKY>@jyxs~#rr^{?Uu7x`{&xY9}pI<GxXsh(R&d|22ZRLI})
zZ(<U_>T5xTIpO{^Jf3y~QwTRnI8I$8`&V|#_(GJ`H|m(n8!fkcdxM<ry64$#UzjwF
zG5mLjeCGZAUxdU^Ey7%gwwH=<??)H&A)SdafqxQ6sW_4?Qp*rK-7G)(=zoo%d22!O
zcIzXS3|!mFjUl!>I_Lj8GI3Hr@26oQOXy{*Iwbnz+^qLuJ%k`x1tmo=O@T$T6y__y
zC{R4SO~`=%fA%Jab`S5P(E6R9h2g~>%WqYUAgtz(JtoM{^vL`aWO}NdsI3-D9M${#
zeoHp>ZPeeI_6|1lvA8bxRSimp_=R%ZE^>899>)`E=1$kh$vS~!SbR5)_zM_~im2UP
z3q=Z83!tZM12S~62fHZA)RNNs0n>ya{nBK<|7^r<DVm0R;x8Cx?`+d_K8dCcpGjad
zdghxXS;ch{s>2jW_b6+XCygo$2FW9j5IH8!%Q#Bmv@nO%t%QpRDMDnkqB`3jiS1;S
zPPIH^EzB$DAf>On)TWpA^~vJj^n|r4uSe~2@}M2Ld#fmymPmo-+7A5Xnrm8QNw@ph
zU6{Xy?r?iw#pM2QW2rN&XIQ2#UHh9EM)2;#X5Y53YO%ym{l)**9!gfKX&Hof^QYNm
zV7$43q6G~iHR^4}@1U5q!b@46j?Zmrx_^H+dejqFvHEWkmk;#}5cr-QkVPG7_?3V+
zKhsD{ySz5n!&rR{*ZECQ?&LcSRl(%3Ih9JBZ}|>!ePf)cvMYo~m?SHtugst`x<M+f
z_TXcex#9Y7A#a~8wd=Be<?djCBu28gh?}5^B&?K%T9d)8E?5lZ?yq&JIxOYwlZ^kn
zESTmCvZr6nxa<^e?NHkU2Kjt~Y*6uxYiz+WTI%i)rO!r6AInDf3&ylYFD4|R*6-%{
zc81b5YH*bH@rl=8*QjT=q_is3j`J_bA9_3zGivXTp}c?B;j{0~|6OG8%$ip=NHzyx
z9_;6DrH4ab_P=uw4Q5ZO%>5})vbcmI)P+GXHs2=K#7w{5&b0i(uCN^&DQP)nucc*X
zz73J^G$pa&;@+?kSO3)icNvr91>Sgr(9hQ-Z+s#$S>g11tJAb<3KB&8Gp$4WKnlRJ
z+z@E^>izDkkT4p@5eQLvsW0q~2oZ_Y-gxI#?Kn)2mD}}`0x#L)hc62=W+lV47v49M
zwkt=jKVkW=3$eWm#o$l}*eiL6GBPs%YgpJN>W4MWe=U@9orjdL%9=js)X=T^q0=pO
zEv#!qpq5l$>9hW^_^*tQ_tc*iArjaNP)PT#zyVwZ#?1E-`c~SJYk0_^y7_*4;2%1E
zX9)7~cQs*58n@>nDJl2Y@Ca8b^2YH^yx?hRV|TbG$h-UK!mMmw+zPm{6vf$M*Q(mM
ze-1~WmYh}@gF3J;JX-XgPioLmmCaOFjX<e9FBAK(RuLetGc$&V$N1Mg`Rlra9C#yC
zM9aDA#rrpCp)<M9f>$tuirE~A%>HhS^tr+|-)c9NA5G}fQ5CdjNmOIS#PL5rl;nj&
z1y>&gRlh)83zuY}yS{Cw!2NKfIJx7VVU0_Sspa`X9wEjKW>k@bn$}d1;V1hHnej)|
z_G9FD#E<&_3tn{a;VJ&7@ZDQWp2!`jmP;*;I$H)iq_+};n;)5o7IZAPp)6$eV&##9
zikh0Ai7*E?tZdMrc9Dr`8*UX3a)@pBM+t-FNB-XRxk+A^ZlFC@l(iRMpg(dDR5hjm
zchju+P+ZoYOATG3tGQNMvV1+9>p%|xlE7mdwf_oX|EDc=sA(cyKBw^(xik>A$TFb6
zE1_VkSFnzKkndV=s+uC-cvO6=!u0mhXKr0{)!rD&ZJUQe(Ne8FuTJz;+if1|UQMsg
zdOA#yGfe4UW`)XKePeYy|H<hHyqe;+t0oeny_C+`B}rF>;zvHO!*meF*_;)5W(j^Q
z4XJOhMU4(vu=^@o35Vz%&>wI~@O6z@O(AzLDaiD|*{VBIds*`@zwGzkljR=jyF{|V
z^PPgWZ*7sE(;dmye>h>`bjL+sUYb^dZsI7Lfb3W9n=fyo<lDHSs0sXii8{R>Dm&{N
zuPJB1p;{5#?$9pAcZ6e$amLj0|EU?H*%x6nvCOt1gR7z&sTd?eY5kq6b7Mu%QTIIR
z+hqMFg{g+5K-n&I4@vC4B9>J*-dasYDyiXqKxkeje^qt^(ywi?&GGbUR2_##?b>fp
zpH}a|Y#Eik`NAfpmj-t*FWTvg4To3TYQ_jZ>OvMJ9p88_Up#hV62o@?<OTWzimx+h
zw5>e&%*emHg1S!g(^;f3nj@|7!c}c!-A}$%b*SQD0W}(QT+xQoH|!eCc>GXZNV9ic
zg-j_eK8Gnj$qie4b&1YsKcV}L5zK!^=k2%4RVB|KuQ8-D<WKAHTxGJlbW~P2hs^U%
zhM$fOuhz|Lw8v$g{)nyhAFHmTNlW1shxfDZ646$=P)N#gKbhhORrn>We(=dUvt6cw
z*NWoZFfcaf^@v6-2{U0v%3Gtxt`|t?X7P*aZNHX3zBKz@!Csa&^!d9MqQan?AB%Ma
zP?}SN!J}$6OAN=jyh%LVOA)6f)bo>{xQ9wWHgRcL6i_GmPq1<{mQ4Ju0n#FbL-S<^
zXT6+XZ%Rh0Pf_9+C#A!<$c3AGuDXw+*t0Z9stUYXK3k;iCx`68txy99=@;yWr|fSN
z#N7IxPwzFTgiw_I-;W@NiK&2~_bl8K(-8{AoF7gyV5;phCdWS>R`}2A=~X`c4bBaJ
z!I?Eiex-qIN|!ehO*1gR+#~+XwMG2)1J74v9ueVHm>TH_5pfM19F42pcfY#q@px}s
zmde|<E`9A}Q=>Z!EWpTq@t(#OP*z6i*MoiD`}^xF35vOfr@I7BR3xtay;^OD=A%q)
zOx8>9p*iDj6r24p^9Tyf>*u@Rdz0QB*;d|S1AXOXCn(zwI_PtC9<znf{Ye`tBSKYU
z2VX?Z8%tIm-Hx+#(rVlO^yVpn;*6U2VD<laeobdVqX@F{S0NCjv-z9aleC~zn{&5r
zCvZmp@VE2ND4opX><T5mTQ8yX<yz_p8KMbRF8`f0U~Jr#j8>>X-mEGtmSp;Yr~qeJ
zkl!NInC}kcO}T<x4etQG0oR1cBo@OdqLcWZA3dB+F!MGbHDB+4?eJ`(?Zy;GE&O9~
zMENLb1iftgL7(^f+h^~~T9v(_uMhqQi^xSdP|Er{xCbxqym}c%&zkQW#h%l8jV`!;
zxYJNsI(sy&XVAUxhrEepg4Osf9+AxIAN2~8U^}qhWQWSMXM<!LhWwTiTJIZg>*C+n
z@ZL`&e8J;y<(NMd>e|_mPd6-!&tKc1e8VWcRji}@QiODcKMQ@~H0A#!#tRsyLEaXa
z8BF^|aJ33e+_f-x+|p~AOhHcOq<G6#FY7mhLPfV3(TmSQ;2C3a{GH}9hoUU=eb3oz
zG4MJL3Rn+&bs4B8<@%fcPo_44&M)ZD(vHo=ocKtZpL4N~bX$s1pR(bTfm9EL7Nwmw
ze~=(XFIj3cWJR(Y<&xOb)#IvEWi^KQA@lfar_Jc~+J3P*x#um<+q|GPnsPe2n-?;n
zNhcJkmpR@{3W^PRoWpRyz;Y%;tB8^4#ro0L^_@k>OIT);G#3$sM9fwxQaI<jGIyXC
zU);MwnP=15S6&#A3>TTnMZ9a?tk<B}56Ed~Wk%+;$MMhgtfan+uPr9dY}A}=UJ!;P
z5hIv8dALE*5+zu+Mh&RTtC}DBxaFVA@UlO~)a!o9cAODiV$py;R2Z*Qn3-mPkNdH*
zrgCaSy9{V7&zH)1PVp;bg>0ImBjd`2Wt|9=Uc=!<-p%e%l4FXIDF`&Y6q-a#PkKxl
z2dWWy+B4jYew0}4vIt7di~yOJ7w&kelTaFy3s@rdzQKcGs?JufTbF~Y_2mAnL=q8e
zuOC-`sah-Kr#YHGM&;q?aB`G0pHi10^}u_9K{9)N@9Nm{M$JB3c4_B#C5eZ1<+L*Q
z4c%+>L=Skl?F-jP{=-HN%+{APK}AMeUt@;e%xTM(Hb?D#=E3DnG?>vo3{}NKs2oPR
zRXd%kEuypNxIi{c@3vNTSXQ_J@1W;=P;&3haD_RYDZ>H7?(&wRCxcl!WVM_b(xcq2
z5^{pPnxCb*uIb8GsgXeH1@7`HEWdf<r8k1o9AXebmKKjsmuNe>=Vf}x!sZ~IrAF}Y
zh$vWApvL2!y&s<|fkj&{{ij8XNQ;OvrjnixZh<1TUVN)uF?NFk#6W<+!k@$eN+DT)
ziRTojVdk@m=JZ@0wyvt>y%frjXeI5XeOd${SU@o*)3lUT=GN6t9tmXnPmQi-=Avw+
z3vI7&XybA0niqTt8G&k<xGI}JerG}*x8Ov}Bi&fMj1ER(;(3^+f(Ny6?A`NjbWPkP
zzlB*@xo&^wi-WjZxs9={mNNmR#eV_f7+GhRg1td5-4Ep-02$-u9T~I1^n0sOJ;cX&
zH*_L5oRp+b&oid{V6-4$b=J_F@RP}8p55zg526tsijaYl$hBERX@hsq%?^i7u8hHy
zn-#n;9h!FJhan@{@-xQ*TCE-T;fHfoNc;nlEZw5@IF|aA)gbAb;u|P3{-LQ8v5)nd
zHuE;u6=1~kHZI6pW1S^yLG8G_Lm;dft#(pN5d0SilQ#xb)cEnNk*KH^Wn2=3EQ*Si
zQo=DzlJy!ef`vD50i_$|r`n(R?Z=PFWX(9}3(yJJ6#B{z9q4Xk-!1E@wn(Z+cp(=6
zD+UZ`I&9^<GKl{LY|)hVhopJXesNmm?vRW0H<nN?SQzmDyvZHScwQ80AR+1P{d)y=
zN4H#FUWUL_S(_pWX4H4g;rfoMa^np=YBqoKjA)|86Z`41nuisNaW1rEH77Po#crGN
z+$(&qiDCG5z(LiaiGyrI?(p%3#3W>E@q18z&-kJf0}?+Ty;Yp<m4<LIPUFN%UMpa0
z$rk?e<|1Dv-}J|P3*Ze@teYC{Wm2HOMGokRvu*NZQSBX$NqVGf2xI$R|Gv&C|A8FP
zDw)+5@4D`+X8;j}0N#jM42iIe70TUr=STs2Qbr;Oqi2A}2NM@q95Ca>H}5~l>BZ8K
z9DuQSyO$2nRW(fbwU%QirpBT49}gjI<n`b3QD7thjW>-O00TE9FiO!*)at@;p9lj4
zU}c<76ATd3@&bcfF`6pPCUQx3Lq;|tt8-J2nV9=-80<@1vs;z<>eS*hGE<fvVli!h
z<4{AG0ZHEQyUX{4P5Bj#nwm(yT_Hr0RC%Gi@cr6|ZP+!*BR_QF=9irHMJ~@e@<~^R
zzUu>SuIflh%vWJbuiA<+KT>Ny=9rp7S3$UA#}D1>#rBdxX=+eS`rmubAVl4n{qFi>
z;iqrhJBx3`2-+%A^ayk5+vNDS%nvY1FXlA%nl&o!`z#8!P1!~YZ~$hTY#QP!&OY*v
zYLdga9RU7KM)b(hr`*`^62a9i5}BILQ2(?vk52h`eHZ(UfJ<%6Oibc5kAJt{1Ukt`
zi!3mrHh1x7<t}KyTbl#y;iiv*($@_5(_3{vS8;j0-#^N?h^~`NKtg=3%@9*)s~T`=
z|85cX<x0X-JL@s9D0OtAA1)_Ua1gtxe0-PR9YBk+X~?c$mg`G}Cz(Tnl0o8Uy%G~;
z&<yO8t7W5aE=z{fqV9ulk60=J>lAZ&nQ0HyS@dbr?5u(yypMygutjBCE+gmPk=!t;
zrs_wR=C_BBZN>2n{n8$L2&Jpy?zCP_%tCmilWIn)LGQ#gV`@br49vschLo>0^+30V
zos!jF3o=x0=c{uC_KXNRO#bwrTCKFY1}yV6y2fKR^G?r!?<QZ?@Rll-0iWg0#r7n4
ztAaWM{upQi-O$tYuRn0sKH+>(fPnEg*C^&0mrxzLwliC58q5!)2FmRt9I9hOc?%nO
zZ4SMrvvW?w)H;T-Vz??6a>o4h@by~BZTzG=EFy`z`6R6uZtZt%h7H^1t4x?FMl>au
zoqo)Vc|(FOUYx&Dq~4kFDlhd!&+=kPVys@)q`|!cBJ_0v$qWsx9E44n;!Ds|*Q%*+
z2$Yg#_{V67|HzyAOLBwP`0F+7LYK*7D9LRrWUerJy~Z|S-*C{!_XS2=_mfvRf0YT=
zr$wqh{4VUx=q-=8l9sY?5zw?eF*#k;I(2HW2@4QIudv5DS?kMa!H5gT6bh2~bL>p#
zRvC=ERq6*4nn||4&(r(_(xx(W+{MAB87<-%@=MZ(nNBun%V#OHm@+A9Mncl7Pv?go
zT)M*2S<dP$ytPYRoDT2gYPKTS>>q!mA!FKIsJZ`uB{%a^;J_IHM?>n?4V^v<^S{Mo
zqVE|{J>h-|&CKwXC6b=STf@ZYK1r--NOaH((`zMQjG4(wcuayJUxRHO^ex@1HCsGm
zxOXG&t68EQfGy1dLl&(2iLe92EpwP(Vcw+q6=}>eL@QhWc6!&chHNKlxl9IC&FL^w
zCJ#*vsVS-1DQG<1;#6;YHaJjhZvf2+kEt!r{z|X;(fcbdCqLemKhl<C*KaIr38EOf
zB7YGeV$|i|X4y2>8>CVHi3vBv^O4BM{%8Yw3SH^e?=fQNNcn_IVnQzcxDFFH=5Kkh
z<F<v?cOpm&YI7Yvf#lWRTL1B7ozw6hv0T=gVl$=0N+)dd;<)xO&(74o>yx6#v91cM
z^6QAqGdAYV{YtuqBB!y4p)2`(Eep?0WCa*I&SSggl-8}NPR~akF{tKL(6QKx-*e*_
zUjrry=x2*uCe`#x;7_00=60Bw@4@t;P;7IOt^ed<PiQ9y5eDr5Je5oUWI4szj<#5@
z;+>_h$Pe&a-Bk>N4oZS>+SR5j)BX)&YIufSxSZxHK(@o<WPm$<n;m%#W7Y}u`sP68
zCr)gFpFdh2=oC06NZnvP%z*oE6whnuJWZQ7!;<yQ)~ms0z+x}=j6VAZKK<6g@_>D2
zCK)9%x_rJ$M(z?j`{dp9^g&uizdbzEz?zcL;@X7x=7XG<)+6(Yx*71OD@+S7=*29e
zA(EWuu)C1JY>NUwn3Y8$m?anAGmH@#Jq>${4`w=;EwhW^ozZCDll!@S1R;nU^M^RG
zah~nBdqP3H&~c(Je?2_Tg$*&;kqGp?+1@E7;%8A?4_J&EA9i9VAzH!vWETc2rskZ7
zt}wQ$_G>~hMvc<j3{8Y;lL+1IW@$0C;0+d-s>vrHx(vJH5*spwA`$@eU}1Dm8gV9^
z(q{YEM`2wBn5QW?XCn{-1vY5*%O$~^S<AU4EOU;Ua>)y9RQBWY>;_((YEYcJSgGB(
zYPB<eohlXdR|nUc3mY`rpQ`WwGqb>!<`CuKKUn@av;Qoz0t^o|`V=_y+pSb&zKx{_
zdDcTDXTZ!4C`GUn0sAEFYc?VK`KwCQd7I)9hM=hq>*_34Un{v$pCmX2dam`?aAxwY
zNZR_Hvx?o0PVQlv!#)#VoyUn45P_*~awWSiTSKzH(=uYGdYCPlWualK^1<lr81;On
z&R-db%+P*vj}0(~QFyZGA!tIK7vi8$@7Y>ryhx@z7^bWm&UvH0sr|MpkQY#))UW$4
z6muQ4jOEy50Q)o&esOLUC@+T?M*2x~e=R^moC;IUpRW~8roT=pT2qVd$3&NLe^Q2G
zL|#wm&jwAoo_@Wpd(hj<a^m?W22Xn3{`WvmK%6~6!z^Ssq^Y**iahPvd_^NpG5KMr
z9`v(-h3B35_q5gNM4YAtdq^dJP0rxZcf)tobupeG*lx#)8RGAr=&C&DS_{nR-02gt
zZ8oi|IC*&bgqk6$7if*h2iVJ%yElQw%)Rx%z`n8FMi%;RGS<S;Sq?Aijice6kkWrJ
zrBA^CYEBZ4w)6lCY#gpKENVC(Qs$S$eh+YSyt=+Q?|*nu<W>G4?R^=2fklxTw1u#=
zM*HGf8HaW3pR$BkHBQ(>*!@51)1o<K{6#u>u$^FaOIdQ+wWrbf=U$_*F$<;H%?^?H
zEQ+4<Q6Nz4-jsewkDS}6NZD+je^Ukk8m8!0mO8IjL80Em4vj+7aKU=`fTL4@k%oVa
zgWtY=t=7A9MZ@3go{L3@3s?1!s4T_`FZdw9SDhZT)#t$!lhRGqZd{%T*B=(vDXn1K
z3hQ@DFs!pgq|FN+X+$_Va^7();;4^B*W_if5jE<%n>2lqN=rNdfu`T!MM8;^)^WZ9
zF7#)=yTx>o|I{}rW$U9KB1^{u2UeO;Q-3s#0|@0+>tm@ySAzXl+;@aJxGH7FEvFie
z`(zo8=i`kY&)$7h{MZ?tpJ(W`KM#h?-iKUa3_J^XrZaD*#PbYo;tP`D3N<$FCJq4*
z+6qNFAq;Fwaxb)02Dw1^1vWvq;+WAe+imz!mex8`)#3U#KQ(ADPBeZs5j#7;o=}je
z1w-au8*mMm7`V4w6?$TO<L>i>nB}R)({G|{VE9Q=;6{OkWE2rG%%L{a#_8oPdUQTv
zj~;YoUchQEjn+9?k<#jPC_hjZO|_kmD3`<#-W%IpUV!X=;LwKR65R-*D|KA>c7RMD
zB%?-MVZ8iZ0uX~_*1v=8#G#J@sVs)Px}~<Ll6XTN8b<ln0Y%ngbrpl*zpr6Pi@pL=
zy*T#ix1W1`RAvV$*B-kz6jQizxVzTV-M!M6CEFFpQ!a!?cUZ6bx%nEjfoY)fwl!Q%
z39GS&wSxyN6!yaP#H2oRizTdJ1&p!0AUglG<Z(#drrd@Kgx4Jk&};@+VtZIMe08FB
zce$cR>|}3N$aeBMMeKP72#AxcjMC}wM||^>$C?{%;%f4rOAxm_+}^}i%imx@si{hL
zq!>;~-BO?W;8gNBNCtGMJWXWg<3GYXlVS=H2g}A+QPILo)m`gJ?l&GlT~D2wXv<0J
z;hRecKQ}2%(UYk42RS9PS->0}7Blf$T98?DH3mt;C{2ZIe=wW#_AqdqS%XTJBFERp
zv4fTqc1c$%=F9S?vzD5?yBb&Lnb^Nx0n$mVF{y<}X6CM}n*;c&ka_;WKqe1PO3L-!
z94mFtpT(Hng~51Fs+UhRw+#w1pUsPLiFI1>KWrpIj5a0AC+^6+`~sT9B}$y*qqdtO
z)_&4p>u={CV2b22YYy{n1y?De%0&l)oF32`Z5KTWRp}nQOq!xosM4bbl?wNgeZxe*
z`)>JU@!XnY1dc6c?vkq{=_S;iRV4#@)P%Ub#pI}5yhV{gLAQZduN(_4)VyCDIH&2e
z`OzxtLhaJ<>Km}aM=Qy;4H6mEQ`=vSfZLXn0*u*-7kbEe0kpucY+M$70~nu7r5M-K
zR=UPoSmFa*_mbZ!1NATB0P?G0Zru_wQSkfX@6z3_1GVB0R$$YJATl^^ULYLqBu6HB
z&V>@xr_#|RTP7b4*}|nkn#OAC3myJ#XN22@E9(hMrHzJg5%K*wvbv1}W<y8So2l(3
zocfJjwDz|;Ek18WZeo=e%EZ^4uzC{A<mH+#AVG|}Q|YE(LNN@BuH#+a`D&!8R@Y6-
zsNVZRGPoKpGmzTB3n$gM4eJr!Y^%&{h#r^+$-vV9G|l7tej2y;3RVSeyL?=m#fnKt
zFU=RQA-}8``Caot(^!LUx{!MwpC>)C)eLlvGd_14%n8^OKdyq+R09Ndjj+fj^L;iL
zeNDq2i702qBZh5ODMHNT3l~IK?!bC_!N85n+QoUpu@#}0bfq=2ppB2!YA8pA;w^)y
zlZoSsvcaj_sC9rzWU!udKX$G$9KPV1FIf0WG4`?>3g46Fl#Ieb-N^;n%VJzeVcrQr
z%6WWnT59yY7o&o8BbPHXCaY<DJaN5#LUw<F;;~c3L^A3ekqMy2?Ys6KK2#0g+*nP^
z?_v_~>cHjvOkQB2qz3i%IXRLe#)SS1r!;hoz)qBPoX6z{su5;oA%^vPQ+tBJSqlUP
z7ef~Lx2z-GjoONgk(+lcOxfzx<4pzCAGREX&)5yVEcbS;d}S3b?rJ8SVr3MN<C#9h
zmNftI7^&g0CGw5MKb*ICJm(AZ!?KIyT+e@3VVChdyyn0;Yn9o{WrEo33)xQGfAsC@
zlgx=TPVNq}T|70s!057`e^<pa)bw)CZMbn}M0~UCS1z<*+p<P#`TEv?%4zWj@*`fZ
zYMJ_42eYVcRImYu5sc1lCO;sJgGUN-NNh=~%z+skmUzg?rL7tAoO_tRtxks~e+^nX
z#sx8?9g=<=<i$~t{{$%DDe2zP7a&NRDD4lPJzmx+A7+aY?><?h3e3Z-nSl>H{9$U>
zMq{zZlM12|Ge~*`Hvo>>7!=H?_7C9Y!^^#Q3%o^)UdA4CR%E;?c&%=<)(5jMWKzzb
zd=xyLg><xub>y?cZlNE=-S@RH(=fk$v>@_VJn;NQxeI9wBet6#<^A=FNoI%!?|5&3
zggZbL9W3;?%98t5qKF)Zxx)`lqYMT%ws*b`-dDp5zr_FgiTV7{E4fe6>B@YK;wk&?
z8=Qno!{KBl2<o_@-VbPfK}yaihPB^E$g1HY4H{?KzY_^6)j7!SGwOS`cTB=sB{K&H
z&UMRd8NKlXscgr^vk_Tp`4ybl)<1bnQ{@xbI`f8lBK~#FTl2D|c?CE9P11BqjydmZ
zl!)ExQ_P^R*0w5oUqE@R0g~gnFP^J)KMils7vz-$_b-JWum8%5SVa}aZ{A(3k-o==
zzqPsfP3-V_;(Qlx<Dm5gOI@A|I75E#<f%~*ryor|E?i+=eHv3MEZ1g)_6EV=Y8!TF
z2M|Bs=NFG3u&5UXD5E)s>wb<FVrPb>5l)O``5}5x5*A~D+WK$-70X_m=WPys=|vF*
zujJ?;r3I#6ty@=OJCnXQF3}uo+|U*{{)0M+8HDWY^N?MKU_<EV1v4G*)>uQLn41bU
z{bCbLTFI})3U=WpI^DO6X{zJpGwxHIr!KTIs%$8j7t49`wp9|dt#T5TLnpI$_#nrj
z7M7vumfRZGTIs|QlYj2uENi;NrGSa4=_St%Pu=#>ACNV-G~yerR3M&|wBa7^Mi0Jz
zRq!NUk}15Dyl`W!2#pSRo==yHQ6$NKNLMSL=UCSKyV@u8A0E$QgkuD4&S_{DhB>es
zpbE73t=uxaoJAEdgU$mwAxr_7QL2?4QnQ$AM!%<XIr*C3uTiNOB@W_p`m?^hU$gs#
z-GUSl_`&CEem1;p7qd<gKEHMYTjI?4ZAwZFI;BM`ei!L&2q|P!ySwOCMMtf;`$)Aq
z{$>{7N5s+qsHoH2twtWU15zbCVPWkKS~J=3_~Z56&v)<$cl6IDf-HUtq^CQb@dY!|
zCo??X6+jH=B$)U}IB~!PMjRb<k0xBFP{|rWt_2P|@F=GM^kQ6dSR^hz4>zQXESC9x
z76K2zsgLyi2ijrT<seT35#XIn5ZR^AW0^43@(0I4Ijv*klSa0f!Q*}@==ofe9#<!6
zkOX7uPy;J0au7)mFwY&Qokz(iV|-x?K>lRf{&z95RW&G%JU)u7l2+rZ^(wt|DdK^X
zvb5dK@`(4*EW_uqIUbpsn_>$Yhypsx5k07Srqw8o&d$=K2dg?j3WT-w7bTA_r-=ZZ
zyjh`mbbQabF-^V4Pwczn@97yD<;iUfV7DY{(1{K=-^@=wk(N7<!Z?NQ;zV%LSBksc
zt-YVPCxs#8l&Pkil#{^Nju1daO18!BYW<R#J}|(3^`J0s?5d34MS>fpAaj`A#fi-=
z-QK0aD6wAr6Kyf<7^me=4%|+fsvO$4u7|~g<LG}}k+t@_(Fx#mV4noG>2f_{i<vn{
z4Z7mvs`9uK5Db=dU;<Yioj<jZVTb){iza{R{f8PdbXW%LurD@I3GBe*fP+!~722{D
zq;X+}YID}{oY7#o_cF!t>)IgJNkxq5op678G)HytFQip?Q;A5Zj&ayqDQuVKhFv!B
zyTlapsfVk#ld6YGZ_9%UOdeLY@c8Ujgl0qu0{?rqP1<WtY$2rJ);)0*8+Uxr`D`F;
z!i{gO-8Lb;1~zFA>v3q@wbajbJu0z?Aw*O~4v*8FErCRE5-7f5p#9j|h)cf#Lih!&
zFcog)S-QT%SsZlYzKG_$pItGYC)des!#!0Q2);O7O>#w^NLUBZVxh{U^vLZUC6|{1
z!Fc}|D_d}{%btLtV|4}ahUYZa%pBB4IX9W5(%}lZrJ?uLI{sP71eA{(cRaqaw$d`<
z{<9g<Mg}*(opxT6c(&*=HK_a%Sdy(HoZ<?W6v8cF6M##o4{wNxtzYQ}p_e}xq;#+=
z!ju;Q<6w?uE{I^N;0dkZEib@@a9%8}8S{bPWvCpaEkCdPwY!^#ojqtXzi`v<G(##7
z0Y~Q_NWJ6ZeXG}<&CJW&bK<65|ITYS!HX&BV1u)|(=VHCFP%28QmJd~&ar1Y>F5HM
zDEX74MeD>oAL+7Qy<F=p()+8MWhm%spQw2t4lWUSN3?@11{U#2vIeH9+H5t|0Da0o
zDxEP~x>J~UOIXaW>seysmP&sbm~H!KyJCQT;Zz7D;Q~rb*T=v_*q`Qa_bEfQY62mn
z3$g0{@8m59_ENR7%okrkD5d2dM^2;nn_F)gF(CbRrV`q2tFmr@+B`(SVe+Y=qtLo4
z;9G$oGsYa0W*3AjSyHkTlnx>}kazLqrPfIxz^tN2SR&K9x7U1RpQRDQOg!-aU=2Rs
zwxq0q91m55%uFswH;V(v^_a3lf1xxn5Se@gKL#G6T;R}d{R_#xv-n+raZ!o2a3MO&
z!#lnI*QMo6GY>#@^GRnRG}@)4ptSi{=wylj|JDUGgsuTR@6eZwFM3Z-OV|QXhwLB0
zq;{KLs4icJn;soXbF{oLZ@NMKgdyOq(@j$pSw9{|5TA@1%hNz$JxxE1!@v|`<ksB<
zWh2|Lw?<x;Ag{ne?wr~jk6qn$1A~i!!UbvfAcJH`s|VgwE9hWjWbt6@Yd8kYf)2*l
zU`NvA&=tlA)kIg~rfJN^#No+*!@|KFPAqlf>wl8w#0&R}_^YVK&zII*2gKc1Jt)};
z<+Uguvs^e)vfkj~9d8EY;ISz%d9eU=qComhe(02XC!Kqj6J{_F^NnY5b@Q1ttGqdC
zqH1_YO+Nqm0^qY>b{k;17rY-&%v1U$8Pe$8E>6UVhU|fC9q$vu`Ye4@I+uB~b79c+
zgb>0%IAF-o5{_Q97Z0(z80*ZU6^1-ipBpWC{1$hX(xcsa6(7qr+{8gutj*nemZ`3@
z0m@%_Ks~nchTMOE017<<Bf93)_?Zp;7BSb+mZcHKvX~hBwu<W$v_ki_L`3-uct2lH
zcvQ&v*=BdhjFujZs>+im<|4$P>(5496*CZ=n(<qDh|tCicrIZhicF5KuDu|6Kne=x
zo2l#JufLgU^BlS4L83+;K=&~?0LBA30He9;L}w)Ir9M;33}%htP>j>*him>akbu9i
zMfS?rr|pi-vdgp5Qbh7>E&^Zh*3M!EBD}{bR36&SvuE=_A|E^!bOS&Z*J>-EfSohP
zEc(c94bk^6acs=K6KerC891c4dk<@qO}swBWljxLQ`zf>#7vdYH80y6KvQNjNmMQd
z9v2rUw)ew#Sk%WssR~UJ6=@a@FF6p~40Qz>5Om%L9he=@M#@$`aG9d>+Sr?u{cvPj
zax#}t@^uUyitKT)6@H&A;31-mMsaN&BIKdKC<yS>dkkt_3>-RG+;~-7F3f|hVXPvs
z5uqwTwR{QmJBn!T4!7gdFQWI`1eYGU25j*D31@gsWleT(8{G&>Ykd8X3)_nW<=$e)
z+XII?iLTrk*{1E`2_lX^l?sF2er1vxtgtiPz>?&<O<8~d{XWvc4C<d45(Uh7gN1l$
z4Gt1p(iBI!?H_IRlzac2pEv%Hojn(;ZMZm)M|@&J&BERe8{{Zdlw*xzMDL>qZ?&>3
zJxNC_FPlYyvEj}uIq(ZQ!{aE?qDZCr`JSP(Cd7<+XAH-8aU=H?2;uIpKAaZG9t2eV
zwF6<6imrjA0Lk(NaKO%^{V0Mim)s|I{WJ^ox{K7-%=MoFAa@}x-+d!Oeor8N5XiT)
zZtPeB4>x}xVfh*52y%k&;#2S?9>TTB`a_VV0<PhnBVQ<Kj47u=Cz>=W_z4xCilzGH
zJKxw7o0#w0H!>;7TuLMRJriwjeuy|$-o(Fil;kdmt}*!>atRSi&41z0V(k5kVj7|x
z&%>RBgOkHGy()tyjUt*Wcy#t}h@J|j1k20Kc*!P&;)}8U9`BubDA}+`{j3gEk)Hk|
zgsY^ff$FL(gXi{mjbrgW;&*NvGo}&Hp#pV!ogpeC594lmxuB-@G2xttG+&<ylSRL6
zJr3uiq3}@oedDZ^z|b)e{*!moB<zNQz5Pa{d8HK!v=)DX$K@!*e!IV=^zvNXdJC~Q
zEMH?jh$;NnV1Be#4;}X<NQ4L)Io}npw?#$@E-5Zj7O;_lW-9Z>y4Y^r;*#vQLoG^Y
ztDz!1k`!=H5@JZ-5=h)`2%m5sK0d0bg3fOg`r;DD^*QVxER`Ck)zs7s2{Rf`&uOZh
zU@vPHQG#cIsL~+~CfPUq5&PBx`$?j81Ip0yt`ToYXL38eJE3Eh6$*c6Bwv$_P<-<X
z(@^EFSH;+pU9!2k7-jo%x1~C?;<4Z-6*KI)pR~{>CmDw-B}RLH@~8TJ@yXX`JUH`o
zRlOe&|2vx&*2R%uTlApGf|e#>-@n(r+^V!3Soc~Pb^b!Oh~-3R=7maZYUU{m1+B`Y
zzk)sjDJ9}uDg(dD^S+C<zSBxdlCQ5?Ker0t@3(!j_7Q`|<~i#(;=;f9N@_(UfeQwQ
z+012!c{qT~{A^@>zh(VVPwiU67;WG88b^!5N5w?qM|QAtc?h^wsbPJQW#iF1;8IV!
zlTuwLU+zx2uMvwMJ&BdM8W(i;?2JeITf8;fCbO-S%4MR|-&&cOzn8V;KBZ==9{%9G
z{i_daFZTm;2o6fCuX|aZdhYBEY8pu^0WwE(!$R*ex!c0}z2u@usZSXrB?$MO<(i#Q
zYyQRDWE=EAo@xX=^mfCZNvNbuF)f8JTE4k+R`vdlS-fnRqh8IY)hB;Nx?Q(#cnWT}
z7S{{OxDhE*-LJcbez`v%-!<FLB{`19Tl4dL%tUi}aA2i++5Xx4!i76M_kA}3zo$3b
zc;o<TyYX>-a+MU}KF)%3Fjdk=JF64!D3tb&S5=^Wz!s4UZcAc<-^J@g-v<e^Hdg~}
z4dA*}SFhjIakmWx!j;QbBz5Oji^`)a_@;Qn3`kML=~u6&DpZS=!%QY8n7WMhJF5?S
zJTm@V{^AFdaI;N_>oeDFbg(iURPOq2)BZzy5_eyWIt{AJqDl<LXiKr1FnRxC%tdw9
z-KK6nKxk@7+_BGW_W1(!GEu-CemuOpMdkT4PYpK+<t&QFMQw|{6vrp=z|pBq96C>L
z27yb>cklt>%6=TL)&nR^Ju0y*MGXcB9ExI&U@2gT86N8koOq-pv%)-=_tjSpfWCPb
zCHY<Jp|7;V!fSO~Cr1n7dQ9dqF)^W`;k*rdlF*1?w7jIMmzP&}QPM&RSq%j*EuqCG
zL^DJ-^(1frd!s?tsL?`665)|?b!cJo{nfC|n=<ct7)A2ZPDJJMNJBqN-{Us^C4|Ef
zD!I7aibUp}oGcn%*;W?<*UB<|R%77FHe9S(E>BCoBNB(lO*K@XFPMhk%LSPS5YNfs
z)G0RGJl$&-FWL~G6|&(Lbrkg2op2SP0{1xRuwvOy3e`}xCL@b_wl|_cebD^?pBix-
zB@%iEjI4c-e!@Md45ian${ii~J#=6*RWU`|Lv5m=YB%<xTB`tNIgl&0s+1&XNy_QE
zGK!+*ogK4nJpQG|s+4eZA|*>UqV3n-#;kcvJ;LvU&%`G?RwIyqXV0ux#PZ!Zyh%sk
z<6V!Ki7A+8cZX(WfSws3)`8XG0Lr+QD)4D7{I>pw^)E~jUpqR=+qw`{PJIulj(4gX
zCn_u=w4B~D5P#<6X`$8vNqAod{D7R^BFG#2=*<0+yk>PM-7)Fe6**^2OwKQKe!#?|
zufB;~?_HDCOv20v9kti&+)*x=@iJqn_Ha6NB7l1LEc>(7vt+PQmbzHK#sQG}n91Iu
zVm(FW)Y66n{AggMucouYMXW~NnQQ2R<VqSB3n2}xk1)%k+ck}bnpgd?mrSe%>*u#J
zBW-?PbHMz*pmMP?;C#NzG>g`a_$Apg;Xh($&V-u>k}Mo{`{>`QF3e+R;{1ZWl4qws
z)8vDbGxrbUk~FO2HyaWQ`SG;@M;tUdzE)bV`Y*XY%tvhf>^_`W^9pQkJUw396l6KS
z)?B|ksaO1X?yLR5VxIRgW>~}fXm3NAc>WVEgMOnIly!b#!L(92`L14d(!^KLoOZ$@
z(VVr32KG+LD|O*{9!M#;XE25uHXw3^IdH_HU^=Wa82n5`f|YWCOT(DM@s+q|FH9s!
zuZrt2Ulstwd<?qAaY5yX;YWgLIE|1^N{q)=w~%c;X6VN!-{E3CHkP%<)00S9`j_C!
zeEPeX*7JW&@E2<94TWiG{XS>He6p$gk~4E=?8j%BUdM-4#yj9TPVTToupy7-w0*!H
z?%(C`x>|n$9OlZhnVX-_pykw?1+76PJn_?`E$`Dqqa!UGbm=TIo$5lC+6iseUSY2+
z|MOx6nRlQX*o=O^lj1nPg0+8e_1ZX*)V>>B9+F{DeyW;B|J#Zln%u-$13^{{VwD4N
zU>6qT!qn~mOpXv;6|Q#oC3oLlg@UX8wji!p-**9d;rUJ1A2-V$V6-!+3gqX91lJLM
z&SgWaOfUB<s=_AqO|s<;r{yhDtc9aXgV$cWhkdN}5cW(jV0{!K?~rdW4{ix%sbTDC
zS(E10g{6*s(|Aa)gXxxbo-zb~A|5D6^H%J(3>nS`K2`5o8LI}FLmy^oINre)J(!Pk
zcr+czP_#h}lIDv!hyZZk6J5%We)KGKlnt+duLV_M)@9ft8u@zW#dkU^08!L*BRkVh
zT)*U%W~$}qF#+g=?~U9l|Cgc>c-1Ys6I+M?f6n1v09J_>nLpz6Y$WD8qS+LgK$A)d
zFB9?cicHaZulf;024!SAnAIyL-((k1$kr4oyQ}i@$8Br`@CZX%D8=_h+B;6x*J{xz
zMbXrkel7$hw$8N0o7Mn*$H2F`v&L++7=4fvBw8SX``9JsW4Tg!XW|J^cUZo=Ls1Vr
z{3oNg)z7yi79jv{1el79LN*zD?q=pQ{G!`Xthd&jd65&e9UPMIQN93>;CNg|&m$8$
zkk+ffjj#y;$ch%eCi*tg%UxOv)Om?D6PeOH+Mp~o<21j<Hue)v0Zk}l>i6@2!sgI#
zB*@wfQ$6->JQJ2E`g%$#yjt5o%c7oXxHp!gS-P}-k+Y`xcAv8*ZTZy4N!MSFRv?Y~
zyQ*+Y6|Kheup9V9-3rj?%itit>Jb+diWsl9OG^Ai>75Jre=R1j1*`)HJIr<TS?^}5
zUH5#l*D(#>e%k^zIo^OF*=`-jV{eyv7*}nX>uAd_UVJ!hRNBB?IQ;^hxL)u&0a<W!
zm-;-4LIJ~U><{ea4vlj+9WPm)2&hc$p4p66f_jF#Od3HN6*0M#cr+=??Rt80++k#+
zaBZ>mboXZJHRVE>)UL`afXlga*=xNEB@L?%+y=sVox0$}LLd2Lu{SV+F%@*N&&AFC
zw!L;~a*C1XaOq-BLz4ciO8jzQ*y0PsHRa00;FfFS;e>g-!P7A2H;TOV+uH-G)iQGL
z)X>2`AW_DwO`X;(Al!cfMSJe(9<2-&U%%}4&b{Nou&;Tfh`BeDzj;d&XDGRI7`e#<
zinuW6FeUe&G~DK&Lnw64>sA&i>5Lo?oWG%UGZlD-Vs-3Riohkp4m(y>?7j8VAHbrd
z0QW^FBmFHX@l`Us;b^l<Sj6>LuQ5Q#UXsR78uXsq>fGh3X<|dPZ_OCdczpMr(Ssu3
zXUG5flF^%G5I4au@{ew|qVX1Q+_QDul2Bw!EjLub1{aXf5_`RuO93q14bL9wbbHO7
z<HOx4ufrAL2foqAvXoBkbgn_?BF%20_oq%zs7`U84dg1jxa_2=G*LP_w9+ztDKpIE
zD`13J57ljbqYeD25;H$H$8FT0KP2&pRq6Ru1w((ZuRP!$H#`GzMg9NDO#eYyMn*0!
z0@;w3tXYuG3!{-)pv1(n{`sLP|H1;HHS-{dbnBqw+(cip%fS96UBb60Cu;5%ko-Nz
zpMwQjiqe|6GgnwuQua{VM)|Td$i{P@1^6t!#TTeGasTkarDwOkXOc2HMO)TS4~2gb
zi78f;d*wugs4Cx2&)L(9WRT1HR|d@wFlbbo=g!FM*ROlBOaTI|Cv?VgHEy(Be?(Ru
zeQ$U?13}}UN@0&P%C@t=Hyg3=^XH5=T;#2^8{6eFM;`qTc3w0_-p5r3g=JK6S9zQC
zSH{F|p>->MruG-Tl2p_Ag*i=o;!}_Jal}f_{!)%+`roCSD75wYP20eUMd-curW=n}
zY~zi*_N`0npHh5Q0f^Frl>J2}D-9hkHJZwnkFH()Sg1}T&<ldRn}sgheCkM}m-fKX
zQ0|Vly_~TwQ{=aA%gfIz9}jtrn9xo*_ds2Vsri~7$KLcke)d3u!vzV5pS2SX{;BJK
zZJ@ac=yx}mjO{T~pFK#YKzQ3dTx-Ne9wSeTR-vGbz+961*mM^XK@;xu@&venXeTHZ
z@{T6z-CgbN?NwC5-}MO0In+qN{Ox*g8+=UHwKU?n;$2QOG<xw`q{@*6#HXJ_4eAO0
z%m6mz8Q&zr)Gd|N7JzETr^<S`?L}Ib&`O7&^(svD!pfm7&CrLo>M5_}<mAEw?yAN%
z<WUtBJs3jLtG0PG5IFN;dppmpYcgJ3k6`huQQbqY1A+4Ye0Y&j<H<_()a{nC9!{--
zR*SS=f#Yf!Nieb%1g964OZ1m%$_8e81J?89>SC3ZxqONl%#OSA6<q9ax#AgRSl8>p
zsU{5k0NYU;$O97+APu9qJfqf=l9D32`k{q3|CJ|ES_NLYjHCkVFUW?>?GLhMTWWlG
zXb{DTScv67?lt1MJ26}|QosI1PJLy$=!>VEnv(3SlUk1j;^pOTg~Lu!^YrHi7ajl?
z2UD9*+Bw)KpHl2!{?GM*E>ozABL!SQ`PU5@CZrK)rHvpGrcvP=l9OBHGr6RaGjydx
z?uI**|CKz~qoQa1+47)j%T-Q(Z-wH_Ck}b@CQmhO5~P>zt2NgTM<vc*LYFS4Hf0Ty
zdFRYKU3OQf#$)M-RPj0cGc&E?dn5Qb_DBmGn^iovlwRO<aNJLeTcg&cAbZ^WU_V==
z&_{BhB9Wqy4@?1#iD^7|HIBoK8Y(d$IDhHwxBh+&j@H55Dep#*b>6#IMO>x&WHe8<
z)FR2qF0B?W3nqubjBo#5m~*3g<NF7s1b2(7g7M@9LC^nMAlz%SgAF8cVfw)P4_9kJ
z_U8>;Vg6ChuPet8*8;Zl3g^30_$~yP_ZMh!O@VxjlIJmi0xpNJiG%XYWlEl;#^ar_
znRFHw7CKQEY0E@oh4{S1)N>TeAY27>#l^WaL5x#6;#DN&9%R4+e1r!F!gMR18aQ@C
zhUA?5PLf1X(dQz?_qlM`k2cyFa0#i^b}+G{>nb%Paw()Oz)q&Uoyt0@C*g{;FBfyD
z)HBiFS2VR%bwjw-PZXFIr6e})QnR_d#m?J;xt#3#NQCiCA9S!wZxVzQGJSHF`CHNQ
zw+_3xT14in3;5b4`XddV?ntvoL#1u`$6<s`5C2zh?;THd-^Y*FRgzMO$_Uw;h|EJF
zn`5tR$;zG`tB_Jg87VRf*<@vttPrv{*&KTudwgG~>$<wSuKWA_{rS89xF7fJbUvT=
zd5_n8KA-RWygYPI)?k`iip?Ocq0a(<S#(BIG^#((Voq9J&EhPU5L%^HI?M?oynqXH
z_QDZ^wd!DDdt_!m@9<e}DZJRIEp9o@5Oc%EYM?+?=kf<f#R;y|<B?ayy!T&oCsOdH
zj%MqZfuUdS%T0uAr!X_#T8obZAJcX8!4I`0ypk_7(;T0b?0f+Wh$lOxnjM!s=zSjx
ze8ZzWV9ZHG-4pmOs(;-01yt`4?t?FQWH7yF_SX*g?wDLESb?~$Crxbz++xkj#@uzQ
z-d0iV9m0gTxgC238FOsYt%W9*;m)RRG6<;%|M?S6(o{~1CL~0l-;6<AK?;>Tq?6MW
zTg*)|^U1YR&*kgFWtXJ5^^}#bay*0*)5%Tn0QmSt*1hM|n(v963^iy|Pn%haKmXL(
zL^=V+%?dSJ{3JhAz&3V4Qw@;#3;p>sP}I6y(p7%Fqv1_tB&L=axiPoy6DqpP%z6{)
zfkA^6%6_mueJ~?-^hncpb8#@SS~i@qB+YzRL=Uec@SqgjMjy_$pMn1i$y*rw6LSf1
zFzk@^rKB%e*b}Ip!xV6tLsxxMQE?^1?F$_>YIf}Xds_9rA}$k4Lmxzr%Y2WZpdi#w
z>{_CUQrI)Dl+4c#+Vw7tRNN_}JJeF<prp#C?_fd1M!@zo!ER4yWh7yb^^(BeIPd-7
z7Yer<N3jr;>6cBybT|6J6;OL`8$&1&ir6H5n<pQ|DeSg1RA8xQYs;BgpunB%Ey*di
zzamk5zsz+}(s;fr%?T2xqt#HKeK=P>oBigAD=G2bU-BM?DHS?b^;eo70YE>7K=)Y{
z=_ffn8hQu7<K2u-ohil{t?tNtN%+X=TKDyumj=j}RR$F(%7rfl3&e>N4WXmp0}`cz
zb&G5fru9JpPeZJHK5^}9dHEwVHxd?Pu==Z*;N7j|`0(&fuqSentO%$jzqW3P=DTj*
z>N)%FiIT`_EgZwS5tb8X^W&GXzuz$de!q6N6I3Oklrm7-Jx1$zyUS@k#7n?#QTRoV
z*w$s-6{U3Z0JRUXMAwD@2<Nx;>A9km5YG%iPIbODHSNMqR5qV!jfFtmSCP}8d^;gU
z*N9~8nb5&5#(JP&4pKKkn6R%r-a9yJtS2C(^7G2p&izAPeRFQq4Us!DE*9MPU{!GR
zKy6YU2O#X!SR++|3ZdX%inh+)X|eNm>X2m`;|hRe+ggz=krs^y=)H@TqkIs(S;V8=
z{83gnEYoIuan2^h_4gNEjZFplwo|E0p3d#>Z`-1Gn%Hu#`0TI3q*Y^A0tL!#rUfuR
zd0eJi2&lhAxcwp472W|I1ySs)lTn{+hj$@Zy2iQq?xYXY!!+BJ4V(bZwH?oVHNen)
z3}-Pg?yBQCuazIwP)CEqt@!*BN2&9i<8sB8iL}Jj;lUn-TVA5$*3vL{nqif<MuukH
zO{liQRE?x-WI!%7!4+`!>{%7>x{F#yVi%WBY9A+Id=|#xv8QOz3!w{~-?1{)Tc>5s
zv6hV-Q`^7vvF5x}c>(U;LQhsqkS2h>9<)%7kTorT44ZBDKtMEUlSP*=rKzbH)RP@s
z;kmO`;jvY@(IJl%J8+H{^)h<jH|*%>7&O?Y;sPnX#Tk@tmA4mfAK0kpoTaJv1&Ofb
zzkM#E6R*!CUYx=SL}UD&EBE_#<(O#bp-xhBvjkn@eSmULX-GyWaBu|oY2b7d`!7d(
zXxqipwx2j6#;LV;aLC=a5Pr+Ul;RpI<PzsT9=NcuP#;VIfwR|WrB`ZTRXC$!Q%g&v
zN8iQQ3=o#?O+blc9t<%=S-gGVOyxOClCWc`*ifD0w)vh=4LiA3_;_^W83(mu@5@Q~
z0I-8(jycx<g*w(cOr@JcdA<#?rH5avKj0Toxjp`z6d>gR$S(W14`4#mdx=kg4Yq@V
zjFM6-zz&A1e2&7xE~t}UGdjjgqN`KoeejCoPEUpwK}Vp9JP63aDTYl#j#)jrnTp1_
ztoLw?LH^Z`Bkxd=wXa~`gt3L3+s`k(+ec?W0DvlFFY<+;f8oYE$)rwJTF?&sYg}+t
zn<@&P2w{f<<*zDP1LN1b>Zx%j2bd0VuR-JF8zc}SfOq7%h);1N({=Idx^RA;m5?0M
zXUO3si7|r(mVQ=|Y+CS7Lb-)(hl=xCh0Z2!3!^qHB0Ql!Q*R?h`jnkTYC3!5_?)Lz
zmmGGf6tM@|u{+<GjC7^AfaxM@cHFU)QYc>Cp{oW|u`{gG!bpWj1<FNi`-d04&(Xow
zcH5mdwoSp(t)DgbHW#1o#(S>eT_IuEJ{qx1iDmS9YXmS)o?{3Erb{hFF@~`@vMSfR
z7n+?DlGltb5{b)@-~4kSU^dd#(|nH?$$MPZv%dwM815H@n78W1g;-3x%*rDa;POm^
zUj#|&+ecNA9?U_pay?!Nsu3O#3j-jiNxh?4*vZK${=xJcYM=ew)YQ{8$MPRego+(P
zDX*4O&~BtW>rRo0k0(S8NP)4F3o)>F)Xw6x19EHvccS*_7z=C+UcgA5YSKWyt+8iZ
zFD`hJ1|Fx*UcBr2U2J|K@ca%PJ)O!SlM%^dsKq>1?8z~#S}>rUza{T_yiWb;v{M@b
z_fDOjavM})O;BWg3|wUkc|>$ldJm=|tH2szt!Ow>bO(Ad+fZVI>gZ6i{AI6_JY~BT
z9UEa!GSTdJ`?7b$Wd#0Q3Stomb)m?gKA2pg6f4wdA>KvoKNr3C#m-F?as5hSZ@vN!
zo#AfnD3tp@g6t$Xum1j*Iqvt&x+4brZn?VNXo3z!SbTgAI;zlo6<+ztqFp=yyHrQV
z#Z}Fm7y5E9>pK&nGwL2}p`JOzBumWE`zHxvZ5gnNBO-p(PP<y#^?fu}<xoMBeXw3~
zbo<CB&I9I5^=5*U85+*r)dWf*=VEZ0PL5W+V4`545Fpka^4<GJiWwDoqjG@b1B)eg
zu%Y(mj89#wHduSe%#EGFCPx{d($ev+vGciXQf>?StiIBecxHHb-=^_Zg(eG)e-bwg
z<d}{+(=~q7#;i)R+(p<Rz4~sk>Jq}xo4lrvwX6*WNIq7VYb&tU<45k$kAMt>G5{ls
zI{5m{?1YxSOQd>VzIofuOuU$R>)Z8KVY}UpIaTc<TYdZtofWMn9ER9!F{<Qn!V6cy
zVkYPoTH)Z}^gKO#O(|5~Ba&5Ppc3KebtR<~iVNyZY^R;Gu9CDlJ^Hgo2Qy(2zdZ^@
zn{L2jUB*bG`{UV+^w38T6OOv{>cctyqEuwj{$A{04#`}8bhrmzuo6O;^73-9p7+em
z-YH*tcHGi+3yBMSh#}AK9mjE!W85T5Wx%=L#G1}1PW^1iCpT{Z*tQp14J>LO_Tf-V
zQ@TVnBv(M;{ghfm5SbIyJx!(3G;fJJnF@4aEgi%=>XL^>;lB9u3^y<Sp<yV6Q?b%>
z#}1n#JeY}ftH!zf`4%=hA@Rm^Ye6FC0X|p7yNM;`huz&zJl8H`C*+URIGQn-S8p&G
zM-#QXn0fQIxO2S`(croS7YjP$AYnP$i9b?_+C0SM_*5HS<}wiR+_q;)6A(}wzY<v0
z<8H*#pBIIey>NcB+OBfv)CuV19WL7WlsV6-vOKXh@K`J)?SlXtdPqt3(D(E+w}Cj8
z)Q6k>F$ABIkj&mPFff4BzdN~tE>y%34lOjHJGmC&znjxz1yIvDc-4GcP&rgV1m-{!
zuAY2%Dhd)~L#i73r_SR(4%koyj?=x9^~n`g`%_%Z_j|L4HMI1T4F|%T@aV7f4yDD>
zGyL$2;`j0bhybv5K0tgb4!Bvm?_7)3x29O))IKN(E_|$6h}yg$BamHEbIg9XNb2+|
zwdW)-+Dt|tIS2e;WAi6`5Asw3OQrLiJI`idb-|#mfzyyJK|&ktI+m7sLE*=7Y*{uK
zxONa<iwmt9#zG+u>yfYkfJ0TneZzOymN#VJ=aSZ;Q~k_YbLCMn)LzAQXA?pFR^EE3
z9(%;Vph8>O6M_WImrUTJs$g4p6Cgo<>Ncpo`c%snfXnz^l_mvG&Gqc0k}-$M0OLj5
ztnHj@0#;K{<0oK~SYjlJ1hN3I4<a1JmXzuJ{Xr6THP$=47v}&Qm2W@VSH6^V{SkpL
zVe`UJNj~3UGZ(f54K~RIb8^#)3R)mESSFUI`Si2JTUFCa82Ui7u_EDIHQ+4Kjv=Y@
z4Q-_H*z>{Vm7?mMTZR?k3-srKu;eCg-$IFQOc{LPf6WaOk|LFbbqEaS=YC+l8ld>u
z86Ywuo=`ubYMYbxBHFh&E!Et>AZ{ZLZFM#$@`ef%KYvj|!e@gggyPQ7NhUi9Bkpp#
z?o;$a9Usaordm5RvA#4B?}K=(Qd1Q2&W^*ZwF*q&Cw@=GA66euE=8eTPMyCpJ6i~%
zU4UCPf?psop-Xo>sr!WqKpbPBZf)~~YyQT&B>Mx-jIY!|&9l3gg%Z_~FSRCw6I6Bd
z?WNV^*v?_pU6Lpb5}Ew_0F!k0YVVMrwcW}ocz|D$Y>H88if41@&8mPUcOAV<BED{Q
zfU?j(f>LxCDKK?yA613sY!Sde#@jb!1IVuDeS^PjU)mAr<)H~RBo2uhYb^jqE-&HH
zoWy=ldwa3<2lU}3=+&;u*b~jcVG(HTU?D}Pnd;eZrKTzG0%C<VYRU~}+7|nT&nzX7
z6&+s`_D3<!__E+}0*31vK&ND89{P54*of&S%L3DKQLFSEhL^L2Eh$=j0Klx2%f3wh
zgp}z_vQ*U-(}!KDkwCWykYPGBe~ff*I&!)=l|OEZO7i3-MaiB1`J%PcOMF{N!;Ip-
zb(@GiAhmV@!4#5}&Lrv4EMc{VVu3h9fVRD0hIyK#=^avY=isr0op7uJZ@6}b%%^j4
z=G4HT_xG<?$q~U=RY7_=Sl2Yb*HQ{{xw}!_L|pbR>m;Xn(*ms3gcyKo5ya;QRyo{0
zO#`g~df8-PwVkKa)TXOG4wdTB0mersIs%V``KSv>j=Tn-gqslorvnt0W%Ddy&g`+r
zp6tA6?h7SPXF%eFKnPERB^!ldahQ+Frq3^e&0vI6iVb9cX2pBw_wPr7G;-i&n3fy2
z%3-^IyD2FIJU%J#nJ-SlC|Iuk`CObsw=NrTyrk=dcBO|8w~Allwyz7WfX+2Qq*<=o
z?e2~_-O!=Cbqq~bOR+ASNv|g~^-==O@4ufgj&2;i!{iSDaVFX00@V`>w!tTlr<>2d
z`Bj*?a6(gs_Ow5WoFjF#9z+zy5>R1X$1r-8mZ5xMoA@v(Xfn+o(bro2<;^=}o}$p9
zQQ#!8pjKJc6L&dp_7083s<*AED3@meQFQpimYRlran1Snca``BcgSc!gm_s~uFb;0
zV5HwXKI=?!r9xO!sbRXSa*0-sfh+WYi5q$*@5G4*lk=(LJnW_tuuq8gf<RhZ0+YWi
z_kc3y_7t48^OQm)^J!HIiR3i&Ct%6DK6-Y>9mD$T0DKuHQE$8mr5~HYvdM9!rE`&W
zjS&v-EBoRi*laW|rAEoe1T+d}2ey;HdOy83i|L9HFFbXQe8^+Df=4!8HXprpJ@|6Q
zrLj$2z$%BSz=}4V{?6y-ZjLRnoW^5^brMOlXA^Y?p7@QictoO_^1J)rvSUo{2UMhu
zNY-3UrY1_1DoN)`{Oq6@WTh&73H>fE&lZS*++1AC@1Jvu)71;HMW~?{PZagiCi=e!
z0)nDyJpdqnGD4I1mD|8c!<(+YXa(!7dyXZ*`PKb?>qtiO)vTKH6&AM6CrdFXq4X4Q
z7lWI8610nGyanqE@u)xg=%sSQ&XMzeUU>bi<fAPXH=N98iU6J0)xxjp;xbau+hsA`
z`G8P94mhJng@8D2f|^OtofS$^OLyFZaHSJp-+CX{*Fwsd@vc70>s2$35Kd1K&k9rl
z&K*g!Uj99({og<*@O*d{+N3U!th)m}ZakVdpq!Z$_NgX{VWrvi5LP}IO(t+P7F?aJ
zs0GVN8F){fWZ7H%9A=IIV=O~mYE3R@NovvR%Pim8BoN)vU-i=YG9z`#u>8S1at_@B
z<?IJgrx>-bIhXe(?++gK=l1HzqF(XSjW^-UMxLA!j!<ti$^{;TX8}x4eF~dp2i~Ln
z-RsTDJ;`pg=dTESkJbz5a!^C^HKu0`lX8AxVt@!uv$qnbh>wUeLR_B{3~Mk&MpjN1
zXBql7rM_!fMI!2tpReG>z9PbQkDCx1lEWJJkkeS=CpoQT2LA-h;NMA}J5Hjw#i7p)
z&c+E&2T7-K?X!)l>GK%Kv;cx@83=}qDLkNqC3X2$x(e3TV7Dj<@l&X6w>jT~3I_Cg
zuvM0}4w!!J<T>0N0b=pf*hkUz4sB6x_md;#&-5<8M}45V^->8$X#t}sivaj1m}ezx
zdJgD`Qv78)_EQ)jtmQrO!Aj+04Jv}J^YGE4avS(49Xk4CWg!^lci6;emf=lP=>2r+
z&?Uqj->uvE=<D{*{E)ny2$I%JT6oDVz}9qN(TK_GP-!){ddVg7^V?X*pnJ`>+HKCW
zr2=5A0G$J;dR}HmEm5;oFLxL+OTr6xVcIzQ%1sT044oR#Du{6WB;xu&qt8D-^n?%f
zf$XX=AP1epHzXu>eh#iN%3;%Oh^z2jTy<m^C+tG~pC~up6X<>{2>A5sIT<Dr>JFXP
zn_~80hOufH^!g7+_!`+1+OS;$!|E8$jvc^CL1smG0gOF;F!mj&5yd<}HmM`U9y$Y>
ztiwu%I|<t?{%N4yVIg=;RL6P>D!{%fu*(UphNxku2)mHHCJ-T7dbGr%-!Qu#IU7xu
zx4@E9Dl3-)H1_A$?}34xyA9>?IVf?U@veW8lF@tW{E1vu0c)azzy@|a2a=4(bWW~R
z2VN?Z4U4VOA~xoPb8y)41Ktx31K1GHE?GXD!&d#F(O4syg_j0&FKUP+PtyR+ILrXx
z(1S4S1>*E4No{poaI#borhmj(L-S^&1)4V#M;EZ^%ZqQoNbSHmeP%-`NX-n+b<d<a
zu+OMowgPNZ6@HaJDJ)&7a-JF2-8$vA4Wi4bO!3FnIr}7`hzmSs0f-48G504FhL=i_
zZU!1#i<2M2OcE@*KipdS86JL^naG736p~;%!whCOcfeC?T0&Osd?E&?BXAL@Y{6L1
zR!adpPdLKsLpK+N3su=OwB^Hd9l&psNzssmue*cqntR&!6XdnZdo1KOMxA}%mFdP;
z*g-$XSqt|%B(Z#K1C<bMI?H3-YM-SZI?!5TmOz;m?+m<qNxf_%uSRBIWpJHSc%F-2
zhi>eTc;5Nz((rD6Soz^c#GVEPk;ePyMJ;>GLkPv6+N~(dcff%Ne~S$x>GA%5{lBsF
z8Rnt<Vj`<aY9GHRvQi#Mw)F<3k;QC@#)P&wE-Jc_PDx$K@LIXu-mor@xlkloLh@5s
z{004I2@YAe_bP43s{Wymw}n-t?E52oMLX?2sxU=A-MuMfS57zcX&`v%!HPqocs-*n
zX5spzX*pd3mDYpFAhY!EATR(^h7jorbH)`nV)lKxk3-?TwU@8FxUinylR8M+^wfA|
zL*9;zuel|0*ns<<f7juGVbLwAy(%%;i}#FJQ{yzaO4*}BkYKm`{i&#|WJ^!bTqCJ|
zy8V8MttN%NG8@$*&~?2?mMuNSbX>FTr+)B@?={$Qmv^gmeP5|723`p$3qU+1{^Q-N
zB;gTs;8U(wdlla<k5V~JiP=dij^(lCPzrc|h-TGK5rVPrd>}9Bd3vf=os*U#;O?@g
z#$&5t(e3wNx0TY33&ssnLmxF~?=qp)D`t5x9J1vnSx$Z&n+|o}EPj?1?TauU?G|q_
z8xo${*1c<Rz*-U}UQw9emSI)!A^kzb)%vp~h?JM?UmaLx4D4SfZh6?9vuv`F7dqvV
z*>(js|LD&#68<4U6!cW2KUpr6r<r2;Ynn<?uIi=k>i*?}Hf8VXI-grKL4-Ah%OzEV
z84}#b{BFJb_PTpT^mK-2Sy!=(6n@{fD&3h}6B8wEe_n>g=eQYZ7l;_y<*iJ-x>P3_
z5-KwT)mOI9CyzvYORmJputq7M@p?CG71JMNq@b!M9~%j$;*iNZ41(6&9f|0$s8HG6
zSI%eCb>aoVCRA2qC->^f0NTDz*c0j}?1@gN8k>#_T_dQ7$#00EmV2j9omle2woAQ8
zXpS#gd52JQ;#D+eK|jk?MdIC9glhI>lez`#3~9c{o85X=YN=Y3;iy-G(dzkCv>M}|
z5DX#MSC8D0;4`}~8=8=Zc|!-qZi-)<$TX-q2Stz?^S-}%k-;|o?)D2A?cmbjRV~aP
zLb|b3{3`idZGx32_ZCnK-T_~m+hd-|BARVlD&?erS8d5&XF%H0^Fn3s)yC<80#PT(
zh&=tC=!PxbJdJ;Q<?A4|SK3K+lJ7MxlGK>_x^^HgNLZY4F`yE;wLI<2n?z8_95%oG
zR4;#%kS~x&q@*~LHlO1Chw(lVTI;FBhWZROhN(~Ya_(`xWH50Wj_aJQkUgs|I9^PW
zxGvC?HTLNXRrSK}CgJp>cc-VM-m0R?uT({)X>~5rqafQgBkj2Ey+n@xH7`lokW;QJ
z>pH0Y1<0sr+EC=Cr_c;tR7WQAdGIxmVK~uFT*We8c-6UiAQ%Uh4a#~?{{A`4{IqPP
zmj{N4xC`(g&mrO~(+(-1du&miE!rV4^tGno%Hu{;N|Ett1D0is`pdlo?lP2RNF-%<
z{!rFfu3nLm;(s?~Q!vma3(qpV7i!yBd)=irc}kAnjlEH?$vwhP&aA<80X4~}5W-b0
z9HQ87SctmV#6x-3)QTfoE9t!*b3;=AinjfJuw#@p!T(JC_Y*bOymKi<>8;-1y)CpE
z;!;{OtjsB$;y_GE#Kr5O7OdxDtbftKwOcGWV=(}gjtP?Lnq(lgeqO%4NqTU5?&XIh
zFTSV)4T|Ux{P;Xl2B|{kJNY?PD!z64P7*F&v6z<m?X^WTSxb-o{U%|H&fRZB;^5T(
zwkWqkRcY-vA82qL&TH`8-{5*SdaQ*1cBO^Ia<g-R!rUtfvv2NTEV@#f=o8pNbYG1j
z(kU}*YzisTx_dGnoDR3rq&k~Um0{^-63A=jBlW@SlBG@-X@D7LnVQKus_34fPokvA
z1*gW07yRNJUstCFyNOxctOagNQGT=ang*}5eTtwE90wukGo!oP5q14;g%8amN~9&<
zb>&RV&aF;AS*vwVGZisW1ETa(l<jP8gT^OAZt0T4$0~E-CpKN<W_O}>kpi98)Jg&B
z51vL7O)w-p=9ls@?ov@vG~Q!Y>{^~v+1ZF`u@SDKXA8I&Bi8X?BlBXwqO7(18w<rM
ziLdr<d%J`3lLuj!g7}+Pr-aj)#w+-)#H^hk$o<bTF?uh1WhrtDx=P|Q7k(Nn^|ozs
zOc02miJzAJL!>L<4O~%#MQgascZ==4J*u<hD<*yR88GYSnYp4ibG1;?cCf~vV};$~
zu$KjC5sS-wh7RK^EkmzD=p~4LpKcemE8nZ@mDlnr;!mi?>r+0-7_E#jJtt~eZ_YKf
z<0#uWxEyNJ`EG(C%3yPQ0{QdSq6+Y>z%Q$jZOP0mi@Cw2Tht;DjssUIFbc{_V7k`b
zQ_OQp(N+Tx1kXZeNCq;w7{tm)hmkW7uqil(O``*yJ#y`yzuLO9CrIOe62{xd%*t9i
z+0p!^eUt@M&KhNRGnm#weGK@`nn<kenEYQH13?K2_#w9I+5o1w2+w^pNlyqYE;hTN
z&f>trBKU2`;I{=w>*(YV?0y!|$APelQ4r4`rSy7j3T`{Px3~x)BV-fC6O-XcosTAo
z4y9+H(4*jZ;WS3_V_eUO(rKFG{!c!BB#P)X-@uOIr%Zg<F#=;_KTu>_g-{RfrFw|{
z7or&O^Wm%SPp?vVb_BH<piX62{rP<N(`P9JILMe-8Hafs8n*!2O7R$<*bG~zxLG5i
z-3N+pK5?Wa?-Sh1RK8wQfoSeD9<PZ1<8z?@meQ7F*YNGAmHF;#X22KwpCqUH@&%&j
zgX?!U>wC}21&ap+^1$lLB#hCp-v^02G2$rCqao>x|NUUSXW_oEXUTtGakazUXe>|B
zBM6?v_}i0Cyp$HxKAcLY{@)LP{J_Y*KLTU2z#6{4$3#fRYkI<jghzoFyFvdr_j8iS
zo+@Z>d$j?SlBNbroq#lCh49ji)VR&ep>p%O55wCTr@9OqR00iBn>5}<-z7<(O(eac
zX<7e_n(E*of64V#DE<9CA1Mf;ox$SfGoC63F6`>zO<9(;mK}~{%$>?!k*{n9I^B)l
z8GQNI45lEe(o>9|?56Hgn7!k+il-OUwg7cy*X^|j)~@7_@zr4e{aS_r)3g*u-+;@y
zKEWy&{$24w`XU45WJ#zdQtwO5(3{u4EkGyL69Z(+`3aVdxTH|Iw<v@m7c(V~M<UEF
zRv_k|0pI%*jaes(=VS9&Gbbe+1!$o(SXEdc7XIJndr>f{H=q4wm|qQR$m6i5x2X2#
z^_d0lc2u9K*S$z$=VLN?Ch>)F6EHLhFIZr=lseL5!vN{AoH!aNFdGoNIdv&}ba)|_
z_J96W1j@vyKY+5Ws;kI!#ysA=v^hMsbbMLu=)tKI7lK|Tud5xs43mk?t9tpxuRBw`
z%d^}x>0@S^gq57Iwp_K=OD5*V_ZW?^0#7%VlU>YrNtdyq^rHaS^tUht4XSOyW!FSZ
z_RRrbn6`Mfzo+U_KUC5^HUdNP{s=+$n=PPy#}{Gs-J!ep&%C@s*$!0PuL;4W@)Qsj
z-cw>SdM+qv5=?Ygn@feX`$aUL^~eMBU<oItrfXS7OBZx-y&~zo7`=pn-wHpl{9j9<
zg2WGs=dA$10d2Gpq4dhgS3F|Iwzn%g`0AZUwA6~9PSqo$Kb&EBsl(V-o>O;V#vvV~
zws+@*=0MuKQ{H(iFZF<LBYi$=LW$qGTc|Ab=VlY7k#FxsWRQGg6WWPT<1E?WlJ8m5
zc}Ii2<KoxsCwQ5}+YGpUZE0x{B9WmjCq7Zr;K{T4yktkMN>VhA=gxsfE`R{rs`Usy
z*)shC0j}(1?$oo&GIH)zHurT)y+Z_OwrYRekG9UKp*Y96zs^9M(jqaoc23wX-TO&V
z9Qx&M(czv_;#=9HA6`Y9t`OH>#TtjVuY!m#(xC;-8_{LUmO}}~iM!{>X>oDMKMOYt
zu`GW(#FRx(7u_hVdM0tEnLN<hwWq07D#mP4`ju+ct;DjW%8cHl3aiYpyX~d=1QlBM
zNd`Le+veTx3_3scv?;I{{v`Gm)9}=VN|GhbAZrK&IVj4T|1pS<I>Q{^n<O>oyB`od
z*YbJdsg`&9@KW}HcT?1J>)uwCO`QNePX4Fqgy(m+)sAlEcU0;U9-2@F6^8M8q*(Mb
z&d9RvcDts|1Q#9NK?xb6#R%=(rkWaj3gMD3lz~&*i{JMc)B89j0vG9f9J(*V!~cZ?
zTu(a^F=ZDYFLs`6CwSGSz3QiuDqSiVX^4JltJLi@r?T#c7oYecVTeR3WBQ^^q16@F
z*RQiTf-1keJ>1Bb^5KhL<#XrCtcZoXl1_uYI+4OKAz7!5PV?@`Q;?{`G3V5FRYuV9
zC-tUBGB|{(ROf#G1HE%MCEG&tQp%CbJZ9ld)xB@~%R%A@*LThvGPR5Iao?Ldz1>QO
z$s<usw3Bib2K^R<nEvGG^VNH{|M3Ta6?|@su1+F5`>LA9iB_^Qr@y$dLNWS=^-uwe
z2#>0|urQk=^#zj7b^*$+^}v*}1RZOlCeh|oUAwbjYis6llBM2J?U_02BW}e81SbzE
zB3$yj61zIHW4uP(dr74}>NRj`Fg8}l{P)fECB69z4)QpL7e~C16RpFjpndnXf*hX%
zon{t8PO3<;DX}(@-r4N39|^cPB&k&&-2MQaw0(`>`8OX|_GU!aN*jl><5-u2o1!u%
zOId^rE?wS}RP?d}HVo9Zuvy=)Q{oM`7L==<nxwj#cEf4R@ig-vbNg#C8mdpza;gpt
z`~uEFLzmhr{&N8m-cWRQ$uN6&4Azq3F)HZn(n^)kIf~~2&myG~<5*woS3S&zTWyFU
ztW`k^);;vU>vr}1Lo6uiOP<Ob-o^PZQM;8R1v=}Qx`nj8ea+qp%)-KDmic>!%ia8S
zx6HqBc~9mtai@K|mfYOAq4Z;Dp2cAfBS}sWwBK5GX92A<{iNzWBN-oMqMH>fMlvP@
zumf!y_#@7L1|MI*aeuaK6j0%Q`gJr1{&lRpe9;zq-70J0e(^n!-<iBe=OBj<`zA6x
zJY2tQQ$DAhGuU}?gqR^cWLT6y1vwSV^CLSB+CN8*k-dsb_LAjUa>qw^jNX<~Aj)hd
z9(=zr?rJ&mQKLIV6)9=^N=pXh5m2Y>Ui=x@VBP(Xg1c{1N$1Pr%+4?yZb^<^UVlb)
zfB4ga$J;9Mludq~W0zZ+n$qtSEhQqI^@<(orqNxPlDtY}hVP^P`Ly!R17G1a2o;#v
zc|ERRBzH2mUsJK<;9f^7$<`^X|9$`)us}k?i&+&Z4ikBt3RBVbhRP>ccUnKHJXj94
z_?~d+M^L0wX*@IDJvuyGEXy%JGoYb(cINDonGd3C9pl?^>-r7S$0(5{Ue&<q=W(`=
zQ0QO^#y>Bt`a1?1AXY&t9yhiObzAUU`9x#(0-bYl+bn;Y<JwtWchm1HSS(7n;9Bvv
z%8nXXm_NaUxuSY_WY>?%q8PLJ&II#zLT87&eKzfm<ek+<qS;tWs&eW7+AQ#yLFXwk
zDz@34X2i@BL3##loO>hYuC5$GChoQVvgt3M41V(S3fZ~K8gK_Obm}i;A(8;Y&OCBh
z`}HEYvSMu9_g9RTg1{npZjaj9^pq!mO`eW@DcYKunfWPHq$g`eo}kDk^vw58IAQEM
z`BRB3`9dN)&Ns^QTo-Zg6y5f#k(wz>GtVT@5{E*s?PhCED2ds>{i`$vW#T?wkOMOA
zc-|N#_q)$=sdhbk#MQMw8RH&$i@5Y0WKp#?HkPEwc1H8jDd}hmI`+0_-flkI>m84o
zr(CV_wQ>O9qUFv~$L)FAjD~;5C#Dhm6)TQMJfZ3%WVwytNXjj`r+stI+$r)PF~OSd
zoey`LwQgHGIXW6An>}N}&^hkZCyd$mYZ4R*rhcq)e2QXS7D;_)WwtQK<BF+e;P#OY
zZ~XSJ&4b3UhgZQ2T=^3yxQtJsQM|c#>Kw($D0-}YM=hqv^GD^St;;z_V^fFFi(pob
zBTpO3UAUJ>#f3p^2elarN+MjA*^!7nqyhh3*U2%(|HN%{BP?rM-_|S6j|`rt^%;8(
z4*1IT)#tDbw=-@ew(>LFvFc9e+YL{PSBiK0uEufg%!AvpGlmOll_)D8MCE+oXW>1C
zwW$w|53YE566l+BT>m{V3*10aE&Pq)W5RK&S786znvF9j87ughK^eI{TWe|9-<>c2
z2Iabp@d-hbHP}dftz{T>BP$zV&UD|1Z@DY}ugI5~sMa0=vEH~@JlfvxhGZ+Q?L~K}
z-BU3YEzx3|T|VUemIM2TnyLHy@?OEh{VFA<QRdt%>1UU4E7Ss1mR{YScP;dEO9PPt
z(kl6+BS%JJ@X!B*WYWu+{VJ_d|Es#`?&iUnnbD*z*|GZ9++^EJZS>2kR%R!Vh%Iru
z*R$Jg=3T9g+_t9DQ*Hsl;%fG44TC|M24I<R7dy*(i7hvkRK`$Th+sNp<N?jPdYk>f
zWAP(4wVU|J9mijoIwjj!*!QnuW4(HZw}P7D^X?y<@6!8Z-0+cmM^LaNK+ohAtcjq!
zCYN^ZyH_qVdo;Df^MNAVj<;{Ex+Z?7>Z2bq0S(YYC&}~}waO`$A@}(z%qW}hL$p{N
z-ppZ*j*q(7VfL;Zw*7a6Sl$;saS9~9Sk^A8HdqDuRJ(rqPk5AwLU12LT4C&C0IeSo
zyo6p=9VJ_TuJR5-pEKtkYxZPmEsyN!cBS3HV(Xfj3I53UoLo&&_W9vKZPLfuebe{}
zQ=HUeiSqS?fTpJ6spLRw=sDjdA$Qnc`tUj)-RkeadbIv$^HA8jH>>kwu7P6o;(C1<
zisn?US~qP_GKCm!+cx(8!e4oh<m7U~X%puSCLD;EEjugy(pS)*s|&5AQQUu{>t0VK
zy;)Z|dW1{;$<PKjb;T#A;_;aeZc^{!{O;X%uSn=(<~4Cf%BeFY2gy;YND*L2%pyMg
zc+Ry!sf_s|mPk}1pn>fy(gmE8k7u^KzlN<3{GA~#3QC@ACiw`Nz<hUx@Q>K7Ya%{7
zyFd<)n)@*1K8b%HQ*zlr>VSqi#BE{iTWf1}Z1{E4>b$QPy2sBSa%`2w5nu9#1aoS1
zl5_fro6bKnr4P&(OJ7r}abH$n+cJ-1$THpr?tFFLNq$V%{ApJwvkRp6jsNRA(Y|H-
zbr!3;)IuWtxd7huGHmlGIifIQotugU20l_`*vxWnv(232TVu60=e_pE#>O<Qs%j59
zCL@PZ2VI{;0KsV;fIg06;&;05a=C5A-D>PkyZdI{%c+4vsX=Mui98pT(&%}b43La?
zzon&?p=(uBW<K1{#F<I%=XoFOnnkr{;d1l?6oMw2QdsQlPk`M^YA;b%pEEpQIq1Yd
zx`UMJdalvtc;rhnO1;_~AA(n3o7|IDKYuZcY2sGDIORF++r%;!CC9&rP77@+#GKmV
zRm*;W5jz~^>os7~P0L7O2kvh0GKxp`^zR{3kO9)+R>Z_Ig<n9g-S?|ZOiaSUYZu$#
z<T_Fae{F4*+8N&Br4liDo1Qb^{Eg<hfV0EYCW;n9hxlAt+G5*Ba^nXY%tyq3^)yLh
zBq`0FA@<6#@~HHx%Qqv_5<1$Y#rmfnfQrs_ImLvc&)Y=z@BVi&h_L6md!8kc2b1x>
zknnrYA{ExFU?E{Ztzar@MFhtbSdP*xR}fSg+#B9CZAtB)q)ALyHsK0--@6WZa_F0*
zSjd2-e$S~V`sUN5lFy%d^~yG$yUJbtaI*iomWg)!B)7-L<Bn))14x{CP5u7+HR6|5
zJV$pbjZ@zFK|puG^iu6D?Wr8E4WqG~#lf?%?%eBD^KXFRc$bv!x7|%iyxN@SG04D^
z88!R(DRkdM9+TF6Btbi{@oF~4k+FHZZ}^egI-2wRZsGl6%wjfqskALfc!GXEs*jYK
z-J-lpn&uhZeqLYscS&Q`8Jg7N7v^<j@F%eMTmOBuA1NI*&O<7ReGXQ!@Ymm4p{>8G
zFuvYL_VdQdzj9}MXHl+!-9ICW+28gi*(|$mQAWS;ZHP4f_4kdNh?%VZod@kbfb3X(
zMOXj(OKyFGBF?FnzVGH8MG#7NyBirN@<)NLOAz9>`8h!@lft7UoA354AqiAuet+wC
z>|3YG<XteHmgBmK=WDM1_C3ECyt7rk-NcDfI03hQEw79(O7mzdR=a7e-JzC9`ie`J
zirsl~E8Z^xAE3ffCrm-WKH2SBkG)d$PxG^#71ulJ-t1E<qNc38^1xXkR)~*@X{LCB
z6+-9qb`nzpXMhz>DYrq1DM%Kd?$`Kg>@b;|QO)MxUK?|;|Ki8_?93Z_Y<SmM1m~JV
z!HArI{mS(t;l#JbaIg43Z`9Iz&{7*nob~v210dz}i)@Fngza)xjX0mQoc08SPwBR5
z`7?zNXbdJK(>aJQ?B$Q^MxLys7w=PB_X1w}*soZh;f6!%jK15j2B4GiGxf`Eknh#X
zZ<kxJg*UG5nO=bs<X>L+WdItB+Xlq|{Q%?mnK-w&A}>`0S$YcSa{pCsk^vkagl!Wc
zpcliu5RPtCMj(Dw)1=7LAtJr8&`Hi>3czqJ0~ePn{t<5SD7ZWQzYl2v<#>N$a$XDN
z<*SO(yjanUP~q$~;TkEjMK~HDUH8wP?odX6Y-u>)X{WC=!DImc<EU)F%!h9P28Q3=
z`Oi^GdWS0Iw(iMnK5{K=7lmsqQsbz8tp?rApH!y*`MV!_E>^m%!g0YNQo2?9UIbmd
zcmB@uQE3+Xc9fS$l{)o}^tn|Fj&r6yD$8Csj%ve|s!ug!Y$qgKi;jBx_Foggm}(wR
zL!B7XiXafR?Q%HVtyaNIR<Zd(_)5x$8}7(pBu=7lu<4>Wwt$PRhIz;5cS<5c)194<
zwwTgXzP%@D5>`o1;cn!x%#N!M;0dcTs#*31UCJH<+w#koLCE>HpL3#{xY4GARSqW!
zmHxHcHQoHjKPz!Bory#_l9b$PV=<8Zd`$W2$J&I-;m#OdUUjMD%8_De>kFCb5hp4P
zHSaBK9h$Fc$d?_Jw2+$l1uywXW_^6vwEO&vW*%dNu>!{6m1s_8Nu}3GjnOQk<%GP|
zG$Zwo4w?E-|EfOJEIYaGZlPXf#90`&aGE6Tg@a(Awi^o{dsbRq<7_8aMY2`8O5*c&
z?Q?XyL8lE~;x`OjMb9$?=#g`fstxxXKVfw#F(g+YQCuN5^L6vK`Zd-*fgVoiz5gs?
zk8KGGpX*l3lowP4o#Xp>x4ig=BaB0rCExRTDQ-jue56giFOzN>vq?7G)NJ#;PZ>s@
z`ULK?@*{dsksduUKBU<v?9Nf2;;T|!pX*BVcO|N-tv@$?22jILfGc#F*R<9H227yP
znZ%SVJq+&xE<=a!aK(l(`&Zj%Qr4yS1N-JeGGgB7rbefa_Xv|p`#FH1pb%-hA(shz
ztH<LCzbu=dhwqB@<-ZT#%HCVb|2N-;PNgDF>OyuL+)rjw_fXWM1kIAq++`J&5m%Z!
zH>D|oyK4K<7j0>XE19nIoD1}HvgB|bJi4WnJO6JpB!{^_T#5l>w)(@5p!GGk=|A)&
zW#1~zU}se%OZ#y1N8XF=EZyQIaQ~H^ObOa@*&!&g`b>I?7iG|;jo#-1=_!L}Jf8gP
z?A<~DE<2?AwXj=u5SHw9YPu!nFS^WbQe41!@=In~1&&qoX;yL@$sVaG@5-e_x;nT2
zNCw^UKPO3`6>g>)VOya5mklUEWgAve&0hl~JiZTLsAuAR4uQ022tf8X)<eY(uXS~G
zpBcw@srAy4N%_e=Ot2u;$WLSml52arWUzY;&8&ZYp+y2=mTq;WeQ;G7S^JvEk$s-p
z+K<XnXGy)m<ywS#rGJ7{@F}9ui<{@Cc|<P;ow=cO7fI*;!U$^`VRiJgQJ|8uH{{gz
zf2R?hKj*btcbWS~IEvOp<d^}om}0i)>2M=4yWkiaxib-@b4ydR#=e|L<}GF9$qcKO
zdokQiQO8(260C58Ym?%3%RjHkv(%P<M0#O1>SP09YH=g~Gy%l@od61YjqNGyi<-ll
z17a}UuuAk4ge`8MsUk~L42&B9>jxiKxJ`*)n-!-pD}mYgC;kEjyZ|$!1RxVc={W|H
z_+r`pASP0K)9=)|Bv8=>)APGo)I$J8Py?nGpIs;KB-=Vx!X*w-Ch_DvsX>7SQ4?43
z58pV1hsi^9V{zSbs6&EZ@c#@E;N>+!Sc(WK6>u|j%wsi59L@GA5hz|cP%l$c06ry0
zKw4bTo&7^nT%kUJmk78a!WR$flUNH;g2n@pfqtx_(5^r=P=oFoHHI-TFM|$N5crs)
zf0<FCRC8HbJk1Fhrsw2KY1nZ^a6&C+v2gn@cuWbNSkguCKVzlyAcXcC5j2?sMrZDS
z9S5S3700*7K%57;EwkFEL|O(9rtG}eV~CL=tI#y79Dl|p3aD}5P#L-nyQrR91X;hh
zqZBLmU`gCT$x%sW?w{KwWZ@QAYRSJW^^tQs1D5{qMem`*FRq9NmUq>jYuca*;yXYd
zA&nFD+KuPRzE=>MP-#muCO>OvbcOp<;3)OPO<W4;O-8UkwAe~G*q>05_PGI{!>a!q
zfdNfs)Aw-<NX*K=Q9>H7IN^T?A-g_p$UoAxR((TiPiD4-eS_;-2<c$$pUXxkeEF}b
zkh;*?FCi6V-8<GOO|@*%wx7(PmeS&H-PDAolNNL;0YPEraK`7*9LxFGhB9h~X-ccw
zJ+A}Z5yC_>*<Vkl$D^M3af(9PmEo_k2S>!`ALSgyK-ZR<&x%CP3HX2@Br^%5vkZ-l
z9$?6|#PH8dO}Q)%U_J?3kvq-dRlIq8h*M8w8k4kd`nDAe@vod0`>>p<)#-_l49`u$
znK;8jG{h>HsH%M&YfzFZ%g8Qe1!`tQyz?5%w)MB<8SuaL8K?P6?{PmZ)Iaar_HZ@L
z{@Zq2Wvc4beogb|&;GK8q!-1>?o;>oLx1-v_Kex<@+hgxwi3t2?RZXm;+OOMun|ZV
zsdECAJMCPyoI~8EDxHcn)2JEs1AP1&k7*1PGUEpy+_r8NKJp!nJ=_EFu!_xrd71TT
zj@Io1>eeh(%zUzSa1-{<s=sQ+ELuoJ35L8$O9XV6;G{*?vB?FWc>{3|g4@e>#xsA-
zpBRY(w&*9j(ZlsNv1TUf6CPWKeV=T~CXfQF8DF~V*^NP7;IGG7CdUPtLc6hcqXa4j
zXMvo$4jKnqqU)sYYmF&NLUWT8cI6Ixo76DvFP$>f^-CUva%=sov3VeYDPY=dTO5>-
zK3rWmiZpk@1I~@;_)|KdRHAxxe98|teQG3+?5C;4NMr22kwU}#S2;%E2!#Gi6m{Q)
z*sCWe0=}v-^`Yl(%XHPz{3mO>(i-M17Hx*Y%)bCy7s@QkRZZDSrt+F|N{<e4yIfqa
zxvvnW&Uh@JtJofw=PX;udENE?b~6xSM#--SF!pKouwk3wSVR2ukfb$<)jbq{mFK<3
z2;jOL3fi8fri^$;sN{cj%rJ27$KuS+TvXVIAB11(H5KXI(@+rvyX=O=cfw7qe$ltL
zf@c}L_9}f<OzXe@R_!t0Wn#ocaMq_7qU05`+*#kpk;)Xi(YE{8W*E3T^k%ndQ*Zh0
zgK#3)Hb1{63m_B`h`og>Da{<VuL2jU9R?y1-1gIg8bX!Z(}7H}v<C^cLVf068~y^V
zbw~u(9rwU{(ZAT8M2X1DggDYf-TrN_HuX1+>?{*kn3QCP{5`J9;%M*c;ns6UrE`r(
zBGxe3Mt5{_0A}{HfkU^eCJ>(f1Hn_<{1gx~my(HbyIYVNe%9&F*T#LfM7E3ZQ<qc|
z75Uh^yHaBqO)h1Aa+n*nF=)WN6tWFmb1Ji#+Qsgo%Drfh)EVHIJKIL4v)x#{F?|m7
z|9*9fKls2Mpk2_27|1DS^XtMaRkTeXO&3+=`|zu~!Cfc8yB$SV@s#;`0D;lxB`SK5
zs6$QXo?Ne)H<R%tj95t|&8&H^+ca|FTQuKZgqlz1L7k{)@dbcbGJ!=4won>Vu=3mb
zO2|c5N}leX%Jlx5s+NMqC`_Ag9iA;Zt(R!QkRwtjDG&W+<8`ltmxwP}aMs<s)B7gw
z=0Fd1S%#}R`rZmUeTrJ`)>?->?*+zQw0-Ukq1yvm*fR5fZyDw-*fJtNx6FknD7hJv
z(RcCta8<19s<?(26itd!b$0Q0w0Dvl%JV)UH#`-yLfy*6iqxv~PA@O?ty&HX1NHAr
zyGW5-H+TfH>YIhlhe8i}d<nPQfLZa|eC;bE$tqSu-gdSMsBwOuN3*P>LANY;*}C+$
z;iZ5n>tiG9@5v3)4yV*Z-92rYE_vcDdjd1PdrO#GIYnt0{FQP0GYnx%PE_{oYlNt|
zh<_ci?WDL4>a-}4fyIjv4*_X8oL6&Qj=xS$!;D)d4eyGXis7rSs2-8&!kkcP<<362
zFz$GTM{dBymG7C^i!uZ$O*KHZyPLNUKue44!hJUDJAhj}hHbJG$9{RUfj2@YQ7-<5
znQKb^ida#Nl+Vd!Paw2q5x9|oM}6paDaw|g)m-UcznDi7kyu_WV{$Z9iEy4=WqP~4
zIk>DHzhLMsX#eALo>?<z@ed?r+&(fu?~WT_=l^b*wQV37Q&aSwa&0-pvDVLQCbp&2
z2tOh48Qs-BT5ATGLc8KIL#DU(<419Bho7sdXCtp;;hulj_d3Pk-rwB%?I9{i$wAfN
z_2JMqsA4ACZ#2Z4JNl&j>rg*ITZXQdAof>k28(<oyPP1_<sY)IvGeg5SZ#>^2<6)f
zUATneSF^)>_s?&%#EVR96DvUs!vrqRV_L`D(4|G}iRZO@O$#`v*r4A~3T+z%-JMi>
zGn<`Ul_Jw1p(Zf?RLh|4POc??PCf``{bndZ3w&(m#_q4bRjavU-$x);)cy~4Anr@2
z7*m`x&j{mtKO2+#4D}p+djIY5kTSx>h`%5xjn~HDTC2aO7a4%(_S-t~C;(3N7ltL=
z_zQrAe-&=<v3l&k26*?i{XfHi>mdCBF#T)V$ry+JU$1Pq;&C5J@AW0mj9>p_Q-d?I
zD^Yj7A30>3kTPDu;;I0fW&8_~l&CoP3F$U(_BNX|08iS0dgE40Ci_3QC(s|PTnve>
zpMz)GC-ol?Y%Lw+{enEb@F3@(!!%LUlRY<nonU^~yIMob&}MN4LNEm&TiyjRg>KG@
zg~hD~@)?c*V_yn)rp<ZKsIV3TyI=&kDkh2>_lpZrnCQZJ@tak8swQu1U>I`GdTc0!
z?wRE8QCFhT8FRoWBm`>pb<mgedl=`vOZJ3F+_#Y%lu(B;z3Y4M@pnMV1JDyNQowEj
zupOaz7+}1yfAFWrgNep|CVK&<5&KyfJ**4%GkRI<ti%752?L%X_OloCKwA0v+5gvr
e&H#7u==ihixV??<B9@QAe`IefNoI>1`TieZIw^Gk

diff --git a/docs/assets/img/resources/documentation/crypto-providers/gpg-signing-flow.svg b/docs/assets/img/resources/crypto-providers/gpg-signing-flow.svg
similarity index 100%
rename from docs/assets/img/resources/documentation/crypto-providers/gpg-signing-flow.svg
rename to docs/assets/img/resources/crypto-providers/gpg-signing-flow.svg
diff --git a/docs/assets/img/resources/documentation/crypto-providers/signing-flow.svg b/docs/assets/img/resources/crypto-providers/signing-flow.svg
similarity index 100%
rename from docs/assets/img/resources/documentation/crypto-providers/signing-flow.svg
rename to docs/assets/img/resources/crypto-providers/signing-flow.svg
diff --git a/docs/assets/img/resources/documentation/double-authentication-proxy.png b/docs/assets/img/resources/double-authentication-proxy.png
similarity index 100%
rename from docs/assets/img/resources/documentation/double-authentication-proxy.png
rename to docs/assets/img/resources/double-authentication-proxy.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_01-create-app.png b/docs/assets/img/resources/scim/scr_01-create-app.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_01-create-app.png
rename to docs/assets/img/resources/scim/scr_01-create-app.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_02a-select-app-registration.png b/docs/assets/img/resources/scim/scr_02a-select-app-registration.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_02a-select-app-registration.png
rename to docs/assets/img/resources/scim/scr_02a-select-app-registration.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_02b-create-app-roles.png b/docs/assets/img/resources/scim/scr_02b-create-app-roles.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_02b-create-app-roles.png
rename to docs/assets/img/resources/scim/scr_02b-create-app-roles.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_04a-select-provisioning.png b/docs/assets/img/resources/scim/scr_04a-select-provisioning.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_04a-select-provisioning.png
rename to docs/assets/img/resources/scim/scr_04a-select-provisioning.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_04b-basic-provisioning.png b/docs/assets/img/resources/scim/scr_04b-basic-provisioning.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_04b-basic-provisioning.png
rename to docs/assets/img/resources/scim/scr_04b-basic-provisioning.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_05a-mapping-part1.png b/docs/assets/img/resources/scim/scr_05a-mapping-part1.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_05a-mapping-part1.png
rename to docs/assets/img/resources/scim/scr_05a-mapping-part1.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_05b-mapping-part2.png b/docs/assets/img/resources/scim/scr_05b-mapping-part2.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_05b-mapping-part2.png
rename to docs/assets/img/resources/scim/scr_05b-mapping-part2.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_05c-mapping-part3.png b/docs/assets/img/resources/scim/scr_05c-mapping-part3.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_05c-mapping-part3.png
rename to docs/assets/img/resources/scim/scr_05c-mapping-part3.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_05d-mapping-part4.png b/docs/assets/img/resources/scim/scr_05d-mapping-part4.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_05d-mapping-part4.png
rename to docs/assets/img/resources/scim/scr_05d-mapping-part4.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_05e-sso-identifier-on-signpath.png b/docs/assets/img/resources/scim/scr_05e-sso-identifier-on-signpath.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_05e-sso-identifier-on-signpath.png
rename to docs/assets/img/resources/scim/scr_05e-sso-identifier-on-signpath.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_06a-add-users-and-groups.png b/docs/assets/img/resources/scim/scr_06a-add-users-and-groups.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_06a-add-users-and-groups.png
rename to docs/assets/img/resources/scim/scr_06a-add-users-and-groups.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_06b-test-provisioning.png b/docs/assets/img/resources/scim/scr_06b-test-provisioning.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_06b-test-provisioning.png
rename to docs/assets/img/resources/scim/scr_06b-test-provisioning.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_06c-validate-provisioning.png b/docs/assets/img/resources/scim/scr_06c-validate-provisioning.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_06c-validate-provisioning.png
rename to docs/assets/img/resources/scim/scr_06c-validate-provisioning.png
diff --git a/docs/assets/img/resources/documentation/scim/scr_07a-start-provisioning.png b/docs/assets/img/resources/scim/scr_07a-start-provisioning.png
similarity index 100%
rename from docs/assets/img/resources/documentation/scim/scr_07a-start-provisioning.png
rename to docs/assets/img/resources/scim/scr_07a-start-provisioning.png
diff --git a/docs/assets/js/main-bundle.js b/docs/assets/js/main-bundle.js
index eeffcaf..73bc6ea 100644
--- a/docs/assets/js/main-bundle.js
+++ b/docs/assets/js/main-bundle.js
@@ -1,2 +1,2 @@
 /*! For license information please see main-bundle.js.LICENSE.txt */
-(()=>{"use strict";function e(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var o in n)e[o]=n[o]}return e}var t=function t(n,o){function c(t,c,r){if("undefined"!=typeof document){"number"==typeof(r=e({},o,r)).expires&&(r.expires=new Date(Date.now()+864e5*r.expires)),r.expires&&(r.expires=r.expires.toUTCString()),t=encodeURIComponent(t).replace(/%(2[346B]|5E|60|7C)/g,decodeURIComponent).replace(/[()]/g,escape);var a="";for(var i in r)r[i]&&(a+="; "+i,!0!==r[i]&&(a+="="+r[i].split(";")[0]));return document.cookie=t+"="+n.write(c,t)+a}}return Object.create({set:c,get:function(e){if("undefined"!=typeof document&&(!arguments.length||e)){for(var t=document.cookie?document.cookie.split("; "):[],o={},c=0;c<t.length;c++){var r=t[c].split("="),a=r.slice(1).join("=");try{var i=decodeURIComponent(r[0]);if(o[i]=n.read(a,i),e===i)break}catch(e){}}return e?o[e]:o}},remove:function(t,n){c(t,"",e({},n,{expires:-1}))},withAttributes:function(n){return t(this.converter,e({},this.attributes,n))},withConverter:function(n){return t(e({},this.converter,n),this.attributes)}},{attributes:{value:Object.freeze(o)},converter:{value:Object.freeze(n)}})}({read:function(e){return'"'===e[0]&&(e=e.slice(1,-1)),e.replace(/(%[\dA-F]{2})+/gi,decodeURIComponent)},write:function(e){return encodeURIComponent(e).replace(/%(2[346BF]|3[AC-F]|40|5[BDE]|60|7[BCD])/g,decodeURIComponent)}},{path:"/"});let n;const o={1:{eventCategory:"free_trial_link",eventAction:"click",eventLabel:'"Start free trial" link clicked'},2:{eventCategory:"buy_link",eventAction:"click",eventLabel:'"Buy" link clicked'},3:{eventCategory:"contact_form",eventAction:"submitted",eventLabel:'"Contact Form" submitted'},4:{eventCategory:"subscribe_newsletter_link",eventAction:"click",eventLabel:'"Subscribe Newsletter" link clicked'},5:{eventCategory:"page_time",eventAction:"more_than_2_mins",eventLabel:"User stayed more than 2 mins"},6:{eventCategory:"scroll_50",eventAction:"scrolled",eventLabel:"User scrolled more than 50%"},7:{eventCategory:"scroll_80",eventAction:"scrolled",eventLabel:"User scrolled more than 80%"},8:{eventCategory:"mail_link",eventAction:"click",eventLabel:'"Mailto:" link clicked'},9:{eventCategory:"click",eventAction:"login",eventLabel:'"Login" link clicked'}};function c(){t.set("sessionstart",new Date(Date.now()).toISOString(),{expires:1}),r(0)}function r(e){setTimeout((function(){i(5)}),1e3*(120-e))}function a(e=.5){let t=!0;document.addEventListener("scroll",function(e,t=300){let n;return(...o)=>{clearTimeout(n),n=setTimeout((()=>{e.apply(this,o)}),t)}}((()=>{document.documentElement.scrollHeight*e<window.scrollY+window.innerHeight&&t&&(.5===e&&(t=!1,i(6,window.location.href)),.8===e&&(t=!1,i(7,window.location.href)))}),1e3))}function i(e,t=null){n("event",o[e].eventAction,{event_category:o[e].eventCategory,event_label:t||o[e].eventLabel})}function l(e,t,n){const o=new Date;o.setTime(o.getTime()+24*n*60*60*1e3);const c="expires="+o.toUTCString();document.cookie=e+"="+t+";"+c+";path=/"}function s(e){const t=e+"=",n=document.cookie.split(";");for(var o=0;o<n.length;o++){for(var c=n[o];" "===c.charAt(0);)c=c.substring(1);if(0===c.indexOf(t))return c.substring(t.length,c.length)}return""}function d(){document.querySelectorAll(".information").forEach((e=>{e.classList.toggle("active")})),document.querySelectorAll(".show-less").forEach((e=>{e.classList.toggle("active")})),document.querySelectorAll(".show-more").forEach((e=>{e.classList.toggle("active")}))}const u="acknowledged-cookies2";function m(){s(u)||(document.getElementById("cookie-info").classList.add("show"),document.getElementById("acknowledge-cookies-btn").addEventListener("click",(function(){l(u,"true",7300),document.getElementById("cookie-info").classList.remove("show"),h()})),document.getElementById("refuse-cookies-btn").addEventListener("click",(function(){l(u,"false",7300),document.getElementById("cookie-info").classList.remove("show")})),document.querySelectorAll(".show-more").forEach((e=>{e.addEventListener("click",(function(){d()}))})),document.querySelectorAll(".show-less").forEach((e=>{e.addEventListener("click",(function(){d()}))})))}function h(){var e,o,s,d;!function(){const e=window.location.search,t=new URLSearchParams(e);t.get("adgroupid")&&l("adgroupid",t.get("adgroupid"),365)}(),function(){let e=document.createElement("script");function o(){dataLayer.push(arguments)}e.setAttribute("src","https://www.googletagmanager.com/gtag/js?id=G-CX618DRF59"),document.getElementsByTagName("head")[0].appendChild(e),window.dataLayer=window.dataLayer||[],o("consent","default",{ad_user_data:"granted",ad_personalization:"granted",ad_storage:"granted",analytics_storage:"granted"}),o("js",new Date),o("config","G-CX618DRF59",{anonymize_ip:!0,domains:["app.signpath.io","secure.avangate.com"]}),o("config","UA-119338300-1",{anonymize_ip:!0,domains:["app.signpath.io","secure.avangate.com"]}),o("config","AW-744401159",{anonymize_ip:!0,domains:["app.signpath.io","secure.avangate.com"]}),n=o,document.querySelectorAll(".btn.trial").forEach((e=>{e.addEventListener("click",(e=>{i(1)}))})),document.querySelectorAll(".btn.btn-primary.footer.buy").forEach((e=>{e.addEventListener("click",(e=>{i(2)}))})),document.querySelectorAll("#helpdesk_ticket_submit").forEach((e=>{e.addEventListener("click",(e=>{i(3)}))})),document.querySelectorAll(".btn.newsletter").forEach((e=>{e.addEventListener("click",(e=>{i(4)}))})),function(){if(t.get("sessionstart")){var e=new Date(Date.parse(t.get("sessionstart")));if(e){var n=(Date.now()-e.getTime())/1e3;n>43200?c():n<=120&&r(n)}else c()}else c()}(),a(.5),a(.8),document.querySelectorAll('a[href*="mailto"]').forEach((e=>{e.addEventListener("click",(t=>{e.href.split(":")[1].includes("@")&&i(8,e.href.split(":")[1])}))})),document.querySelectorAll("a").forEach((e=>{if(e.href.includes("/Web/Home/Login")){const t=e.href;e.href="#",e.addEventListener("click",(async e=>{i(9),await new Promise((e=>setTimeout((function(){window.location.href=t}),50)))}))}}))}(),window.ldfdr=window.ldfdr||{},e=document,o="script",s=e.getElementsByTagName(o)[0],(d=e.createElement(o)).src="https://sc.lfeeder.com/lftracker_v1_3P1w24dnWAB8mY5n.js",setTimeout((function(){s.parentNode.insertBefore(d,s)}),1),function(){let e=document.createElement("script");e.setAttribute("src","https://js-eu1.hs-scripts.com/145110231.js"),document.getElementsByTagName("head")[0].appendChild(e)}()}function g(e,t,n){function o(t){return t<0?e.children.length+t:t>=e.children.length?t-e.children.length:t}let c=e.querySelector("li.active"),r=Array.from(e.children).indexOf(c),a=e.children[o(r-1)],i=Array.from({length:n-1},((t,n)=>e.children[o(r+1+n)])),l=e.children[o(r+n)];a.classList.remove("out-left"),t&&a.classList.add("active"),a.style.order=t?1:"initial",c.classList.remove("active"),c.classList.add(t?"show":"out-left"),c.style.order=t?2:0,i.forEach(((e,o)=>{0!=o||t||(e.classList.remove("show"),e.classList.add("active")),o==n-2&&t&&(e.classList.remove("show"),e.classList.add("out-right")),e.style.order=t?3+o:1+o})),l.classList.remove("out-right"),t||l.classList.add(1==n?"active":"show"),l.style.order=t?"initial":n,t?(e.children[o(r-2)].classList.add("out-left"),e.children[o(r-2)].style.order=0):(e.children[o(r+n+1)].classList.add("out-right"),e.children[o(r+n+1)].style.order=n+1)}document.addEventListener("DOMContentLoaded",(function(){"true"!==s(u)?function(){const e=new XMLHttpRequest;e.onreadystatechange=()=>{4==e.readyState&&(200==e.status?"EU"===JSON.parse(e.responseText).continentCode?m():h():(console.error("query failed"),m()))},e.open("GET","https://pro.ip-api.com/json?fields=status,continentCode&key=eJ1eA5qDeyPkvao",!0),e.send()}():h(),document.querySelectorAll(".revoke-cookie-consent").forEach((e=>{e.addEventListener("click",(function(){document.cookie.split(";").forEach((function(e){document.cookie=e.replace(/^ +/,"").replace(/=.*/,"=;expires="+(new Date).toUTCString()+";path=/")})),m()}))})),function(){var e=document.getElementById("show-older-releases-link");e&&e.addEventListener("click",(function(e){document.getElementById("older-releases").style.display="block",document.getElementById("show-older-releases").style.display="none",e.preventDefault(),e.stopPropagation()}));var t=document.getElementById("changelog-component-select");t&&t.addEventListener("change",(function(e){const n=new URL(location);"all"==t.value?n.searchParams.delete("component"):n.searchParams.set("component",t.value),history.pushState({},"",n),c(t.value)}));var n=document.getElementById("changelog-change_type-select");n&&n.addEventListener("change",(function(e){const t=new URL(location);var o;"all"==n.value?t.searchParams.delete("change_type"):t.searchParams.set("change_type",n.value),history.pushState({},"",t),o=n.value,document.querySelectorAll("section.changelog div[class^=change_type-], section.changelog article.release, section.changelog article.release div.component").forEach((function(e){"all"==o||e.classList.contains(`change_type-${o}`)?e.style.display="block":e.style.display="none"}))}));const o=new URL(location);if(o.searchParams.has("component")){let e=o.searchParams.get("component");c(e),document.getElementById("changelog-component-select").value=e;let t=o.searchParams.get("change_type");show_hide_change_type(t),document.getElementById("changelog-change_type-select").value=t}function c(e){document.querySelectorAll("section.changelog div[class^=component-], section.changelog article.release").forEach((function(t){"all"==e||t.classList.contains(`component-${e}`)?t.style.display="block":t.style.display="none"})),document.getElementById("changelog-feed").href=`/documentation/changelog/feeds/${e}.xml`}}(),document.querySelectorAll("div.carousel").forEach((e=>{let t,n=function(){let e=document.body.clientWidth;return e>1e3?3:e>700?2:1}();function o(){t&&(clearInterval(t),t=void 0),t=setInterval((function(){g(e.querySelector("ul"),!1,n)}),3e3)}!function(e,t,n){e.querySelectorAll("li").forEach(((e,n)=>{0==n?e.classList.add("out-left"):1==n?e.classList.add("active"):n==t+1?e.classList.add("out-right"):n<=t&&e.classList.add("show")})),e.querySelectorAll("a").forEach(((e,o)=>{0==o?e.addEventListener("click",(function(e){g(e.currentTarget.parentNode.querySelector("ul"),!0,t),n(),e.preventDefault()})):e.addEventListener("click",(function(e){g(e.currentTarget.parentNode.querySelector("ul"),!1,t),n(),e.preventDefault()}))}))}(e,n,o),o()})),function(){document.querySelectorAll("header li.search span")[0].addEventListener("click",(function(){document.querySelectorAll("header li.search input")[0].focus()})),document.querySelectorAll("header li.search span")[0].addEventListener("focus",(function(){document.querySelectorAll("header li.search input")[0].focus()})),document.querySelectorAll("header li.search input")[0].addEventListener("input",(function(e){0==e.target.value.length?e.target.parentNode.parentNode.parentNode.classList.remove("with-search-term"):e.target.parentNode.parentNode.parentNode.classList.add("with-search-term")}));const e=new URL(location);"/search"==e.pathname&&(document.querySelectorAll("main section.top-section h1")[0].innerHTML+=` for <i>${e.searchParams.get("q")}</i>`,document.querySelectorAll("main input[type=search]")[0].value=e.searchParams.get("q"))}()}))})();
\ No newline at end of file
+(()=>{"use strict";function e(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var o in n)e[o]=n[o]}return e}var t=function t(n,o){function c(t,c,r){if("undefined"!=typeof document){"number"==typeof(r=e({},o,r)).expires&&(r.expires=new Date(Date.now()+864e5*r.expires)),r.expires&&(r.expires=r.expires.toUTCString()),t=encodeURIComponent(t).replace(/%(2[346B]|5E|60|7C)/g,decodeURIComponent).replace(/[()]/g,escape);var a="";for(var i in r)r[i]&&(a+="; "+i,!0!==r[i]&&(a+="="+r[i].split(";")[0]));return document.cookie=t+"="+n.write(c,t)+a}}return Object.create({set:c,get:function(e){if("undefined"!=typeof document&&(!arguments.length||e)){for(var t=document.cookie?document.cookie.split("; "):[],o={},c=0;c<t.length;c++){var r=t[c].split("="),a=r.slice(1).join("=");try{var i=decodeURIComponent(r[0]);if(o[i]=n.read(a,i),e===i)break}catch(e){}}return e?o[e]:o}},remove:function(t,n){c(t,"",e({},n,{expires:-1}))},withAttributes:function(n){return t(this.converter,e({},this.attributes,n))},withConverter:function(n){return t(e({},this.converter,n),this.attributes)}},{attributes:{value:Object.freeze(o)},converter:{value:Object.freeze(n)}})}({read:function(e){return'"'===e[0]&&(e=e.slice(1,-1)),e.replace(/(%[\dA-F]{2})+/gi,decodeURIComponent)},write:function(e){return encodeURIComponent(e).replace(/%(2[346BF]|3[AC-F]|40|5[BDE]|60|7[BCD])/g,decodeURIComponent)}},{path:"/"});let n;const o={1:{eventCategory:"free_trial_link",eventAction:"click",eventLabel:'"Start free trial" link clicked'},2:{eventCategory:"buy_link",eventAction:"click",eventLabel:'"Buy" link clicked'},3:{eventCategory:"contact_form",eventAction:"submitted",eventLabel:'"Contact Form" submitted'},4:{eventCategory:"subscribe_newsletter_link",eventAction:"click",eventLabel:'"Subscribe Newsletter" link clicked'},5:{eventCategory:"page_time",eventAction:"more_than_2_mins",eventLabel:"User stayed more than 2 mins"},6:{eventCategory:"scroll_50",eventAction:"scrolled",eventLabel:"User scrolled more than 50%"},7:{eventCategory:"scroll_80",eventAction:"scrolled",eventLabel:"User scrolled more than 80%"},8:{eventCategory:"mail_link",eventAction:"click",eventLabel:'"Mailto:" link clicked'},9:{eventCategory:"click",eventAction:"login",eventLabel:'"Login" link clicked'}};function c(){t.set("sessionstart",new Date(Date.now()).toISOString(),{expires:1}),r(0)}function r(e){setTimeout((function(){i(5)}),1e3*(120-e))}function a(e=.5){let t=!0;document.addEventListener("scroll",function(e,t=300){let n;return(...o)=>{clearTimeout(n),n=setTimeout((()=>{e.apply(this,o)}),t)}}((()=>{document.documentElement.scrollHeight*e<window.scrollY+window.innerHeight&&t&&(.5===e&&(t=!1,i(6,window.location.href)),.8===e&&(t=!1,i(7,window.location.href)))}),1e3))}function i(e,t=null){n("event",o[e].eventAction,{event_category:o[e].eventCategory,event_label:t||o[e].eventLabel})}function l(e,t,n){const o=new Date;o.setTime(o.getTime()+24*n*60*60*1e3);const c="expires="+o.toUTCString();document.cookie=e+"="+t+";"+c+";path=/"}function s(e){const t=e+"=",n=document.cookie.split(";");for(var o=0;o<n.length;o++){for(var c=n[o];" "===c.charAt(0);)c=c.substring(1);if(0===c.indexOf(t))return c.substring(t.length,c.length)}return""}function d(){document.querySelectorAll(".information").forEach((e=>{e.classList.toggle("active")})),document.querySelectorAll(".show-less").forEach((e=>{e.classList.toggle("active")})),document.querySelectorAll(".show-more").forEach((e=>{e.classList.toggle("active")}))}const u="acknowledged-cookies2";function m(){s(u)||(document.getElementById("cookie-info").classList.add("show"),document.getElementById("acknowledge-cookies-btn").addEventListener("click",(function(){l(u,"true",7300),document.getElementById("cookie-info").classList.remove("show"),h()})),document.getElementById("refuse-cookies-btn").addEventListener("click",(function(){l(u,"false",7300),document.getElementById("cookie-info").classList.remove("show")})),document.querySelectorAll(".show-more").forEach((e=>{e.addEventListener("click",(function(){d()}))})),document.querySelectorAll(".show-less").forEach((e=>{e.addEventListener("click",(function(){d()}))})))}function h(){var e,o,s,d;!function(){const e=window.location.search,t=new URLSearchParams(e);t.get("adgroupid")&&l("adgroupid",t.get("adgroupid"),365)}(),function(){let e=document.createElement("script");function o(){dataLayer.push(arguments)}e.setAttribute("src","https://www.googletagmanager.com/gtag/js?id=G-CX618DRF59"),document.getElementsByTagName("head")[0].appendChild(e),window.dataLayer=window.dataLayer||[],o("consent","default",{ad_user_data:"granted",ad_personalization:"granted",ad_storage:"granted",analytics_storage:"granted"}),o("js",new Date),o("config","G-CX618DRF59",{anonymize_ip:!0,domains:["app.signpath.io","secure.avangate.com"]}),o("config","UA-119338300-1",{anonymize_ip:!0,domains:["app.signpath.io","secure.avangate.com"]}),o("config","AW-744401159",{anonymize_ip:!0,domains:["app.signpath.io","secure.avangate.com"]}),n=o,document.querySelectorAll(".btn.trial").forEach((e=>{e.addEventListener("click",(e=>{i(1)}))})),document.querySelectorAll(".btn.btn-primary.footer.buy").forEach((e=>{e.addEventListener("click",(e=>{i(2)}))})),document.querySelectorAll("#helpdesk_ticket_submit").forEach((e=>{e.addEventListener("click",(e=>{i(3)}))})),document.querySelectorAll(".btn.newsletter").forEach((e=>{e.addEventListener("click",(e=>{i(4)}))})),function(){if(t.get("sessionstart")){var e=new Date(Date.parse(t.get("sessionstart")));if(e){var n=(Date.now()-e.getTime())/1e3;n>43200?c():n<=120&&r(n)}else c()}else c()}(),a(.5),a(.8),document.querySelectorAll('a[href*="mailto"]').forEach((e=>{e.addEventListener("click",(t=>{e.href.split(":")[1].includes("@")&&i(8,e.href.split(":")[1])}))})),document.querySelectorAll("a").forEach((e=>{if(e.href.includes("/Web/Home/Login")){const t=e.href;e.href="#",e.addEventListener("click",(async e=>{i(9),await new Promise((e=>setTimeout((function(){window.location.href=t}),50)))}))}}))}(),window.ldfdr=window.ldfdr||{},e=document,o="script",s=e.getElementsByTagName(o)[0],(d=e.createElement(o)).src="https://sc.lfeeder.com/lftracker_v1_3P1w24dnWAB8mY5n.js",setTimeout((function(){s.parentNode.insertBefore(d,s)}),1),function(){let e=document.createElement("script");e.setAttribute("src","https://js-eu1.hs-scripts.com/145110231.js"),document.getElementsByTagName("head")[0].appendChild(e)}()}function g(e,t,n){function o(t){return t<0?e.children.length+t:t>=e.children.length?t-e.children.length:t}let c=e.querySelector("li.active"),r=Array.from(e.children).indexOf(c),a=e.children[o(r-1)],i=Array.from({length:n-1},((t,n)=>e.children[o(r+1+n)])),l=e.children[o(r+n)];a.classList.remove("out-left"),t&&a.classList.add("active"),a.style.order=t?1:"initial",c.classList.remove("active"),c.classList.add(t?"show":"out-left"),c.style.order=t?2:0,i.forEach(((e,o)=>{0!=o||t||(e.classList.remove("show"),e.classList.add("active")),o==n-2&&t&&(e.classList.remove("show"),e.classList.add("out-right")),e.style.order=t?3+o:1+o})),l.classList.remove("out-right"),t||l.classList.add(1==n?"active":"show"),l.style.order=t?"initial":n,t?(e.children[o(r-2)].classList.add("out-left"),e.children[o(r-2)].style.order=0):(e.children[o(r+n+1)].classList.add("out-right"),e.children[o(r+n+1)].style.order=n+1)}document.addEventListener("DOMContentLoaded",(function(){"true"!==s(u)?function(){const e=new XMLHttpRequest;e.onreadystatechange=()=>{4==e.readyState&&(200==e.status?"EU"===JSON.parse(e.responseText).continentCode?m():h():(console.error("query failed"),m()))},e.open("GET","https://pro.ip-api.com/json?fields=status,continentCode&key=eJ1eA5qDeyPkvao",!0),e.send()}():h(),document.querySelectorAll(".revoke-cookie-consent").forEach((e=>{e.addEventListener("click",(function(){document.cookie.split(";").forEach((function(e){document.cookie=e.replace(/^ +/,"").replace(/=.*/,"=;expires="+(new Date).toUTCString()+";path=/")})),m()}))})),function(){var e=document.getElementById("show-older-releases-link");e&&e.addEventListener("click",(function(e){document.getElementById("older-releases").style.display="block",document.getElementById("show-older-releases").style.display="none",e.preventDefault(),e.stopPropagation()}));var t=document.getElementById("changelog-component-select");t&&t.addEventListener("change",(function(e){const n=new URL(location);"all"==t.value?n.searchParams.delete("component"):n.searchParams.set("component",t.value),history.pushState({},"",n),c(t.value)}));var n=document.getElementById("changelog-change_type-select");n&&n.addEventListener("change",(function(e){const t=new URL(location);var o;"all"==n.value?t.searchParams.delete("change_type"):t.searchParams.set("change_type",n.value),history.pushState({},"",t),o=n.value,document.querySelectorAll("section.changelog div[class^=change_type-], section.changelog article.release, section.changelog article.release div.component").forEach((function(e){"all"==o||e.classList.contains(`change_type-${o}`)?e.style.display="block":e.style.display="none"}))}));const o=new URL(location);if(o.searchParams.has("component")){let e=o.searchParams.get("component");c(e),document.getElementById("changelog-component-select").value=e;let t=o.searchParams.get("change_type");show_hide_change_type(t),document.getElementById("changelog-change_type-select").value=t}function c(e){document.querySelectorAll("section.changelog div[class^=component-], section.changelog article.release").forEach((function(t){"all"==e||t.classList.contains(`component-${e}`)?t.style.display="block":t.style.display="none"})),document.getElementById("changelog-feed").href=`/changelog/feeds/${e}.xml`}}(),document.querySelectorAll("div.carousel").forEach((e=>{let t,n=function(){let e=document.body.clientWidth;return e>1e3?3:e>700?2:1}();function o(){t&&(clearInterval(t),t=void 0),t=setInterval((function(){g(e.querySelector("ul"),!1,n)}),3e3)}!function(e,t,n){e.querySelectorAll("li").forEach(((e,n)=>{0==n?e.classList.add("out-left"):1==n?e.classList.add("active"):n==t+1?e.classList.add("out-right"):n<=t&&e.classList.add("show")})),e.querySelectorAll("a").forEach(((e,o)=>{0==o?e.addEventListener("click",(function(e){g(e.currentTarget.parentNode.querySelector("ul"),!0,t),n(),e.preventDefault()})):e.addEventListener("click",(function(e){g(e.currentTarget.parentNode.querySelector("ul"),!1,t),n(),e.preventDefault()}))}))}(e,n,o),o()})),function(){document.querySelectorAll("header li.search span")[0].addEventListener("click",(function(){document.querySelectorAll("header li.search input")[0].focus()})),document.querySelectorAll("header li.search span")[0].addEventListener("focus",(function(){document.querySelectorAll("header li.search input")[0].focus()})),document.querySelectorAll("header li.search input")[0].addEventListener("input",(function(e){0==e.target.value.length?e.target.parentNode.parentNode.parentNode.classList.remove("with-search-term"):e.target.parentNode.parentNode.parentNode.classList.add("with-search-term")}));const e=new URL(location);"/search"==e.pathname&&(document.querySelectorAll("main section.top-section h1")[0].innerHTML+=` for <i>${e.searchParams.get("q")}</i>`,document.querySelectorAll("main input[type=search]")[0].value=e.searchParams.get("q"))}()}))})();
\ No newline at end of file
diff --git a/docs/blog/_posts/2019-12-13-an-analysis-of-secure-variables-in-appveyor.md b/docs/blog/_posts/2019-12-13-an-analysis-of-secure-variables-in-appveyor.md
deleted file mode 100644
index 67b154c..0000000
--- a/docs/blog/_posts/2019-12-13-an-analysis-of-secure-variables-in-appveyor.md
+++ /dev/null
@@ -1,155 +0,0 @@
----
-layout: post
-title:  "A White Hat Story: Analysis of Secure Variables in AppVeyor"
-image: '2019-12-13-bg'
-date:   2019-12-13 11:38:20 +0200
-author: Daniel Ostovary
-summary: 'We discovered that the encryption of AppVeyor secret variables is susceptible to Padding Oracle attacks.'
-description: 
----
-
-SignPath integrates with other systems, so we have to understand how they work and what the security attributes of certain features are. Any over-reliance on implicit or explicit security guarantees might effect the entire code signing process. 
-
-For this reason, we routinely analyze not only our own software and services, but also certain features of third party systems. 
-
-In our analysis of AppVeyor, we looked at the encryption of secrets, such as SignPath API tokens. Note that what we have discovered is not an exploitable security issue, but we thought the entire analysis still makes a good read for people interested in application security. 
-
-SignPath integrates with AppVeyor builds to verify the origin of build artifacts before they are signed. We recently investigated AppVeyor’s “secure variables” (aka “Encrypt YAML”) [feature](https://www.appveyor.com/docs/build-configuration#secure-variables). We discovered a few interesting things, which we describe in this blog post.
-
-# AppVeyors Secure Variables
-AppVeyor is a build software that is available on-premises or in the cloud. AppVeyor can be connected to a (public) source code repository, such as your GitHub repository, and be configured to automatically build a new version of the software whenever code in the repository is changed. The AppVeyor build configuration file (appveyor.yml) can also be checked in to a source code repository to make use of its collaboration and versioning features.
-
-However, certain information in this appeyor.yml file might be sensitive (e.g. access credentials to other systems or services required during the build) and should not be visible to all developers (or to everyone in case of open source projects). The AppVeyor secure variables feature allows you to encrypt sensitive data before putting it into the appveyor.yml file. So only AppVeyor can decrypt this data to obtain the original value and use it during the build process. These encrypted values can e.g. be used in the appveyor.yml in configurations for environment variables or within webhooks.
-
-The first thing to be aware of is that secure variables are only protected from users without write access to the appveyor.yml. **Users with write access to this file can obtain the decrypted value**. A user with write access can do this by e.g. just printing the secure variable to the build log (the secure variable is automatically decrypted by AppVeyor).
-
-## Secure Variable Encryption
-We analysed properties of the encryption of secure variables.
-
-We found out that **the used cipher is a block cipher and has 128 bit (16 bytes) block size**. The cipher type and the block size can be discovered by increasing the length of the plaintext. If the ciphertext length increases equally to the the plaintext length, the used cipher is a stream cipher. If the ciphertext length increases in blocks, then it is a block cipher. In the case of a block cipher, one can easily find out the block length by observing the increase in length of the ciphertext.
-
-Furthermore, we found out that the used cipher mode is **CBC**. For that we performed the following test.
-
-
-
-Our test used the following text (unencrypted) as secure variable:
-
-	Bearer SecretToken123456789012345678901234567890
-
- 
-
-The hexadecimal representation of this string is:
-
-	42 65 61 72 65 72 20 53 65 63 72 65 74 54 6F 6B
-	65 6E 31 32 33 34 35 36 37 38 39 30 31 32 33 34
-	35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 30
-
- 
-When using the Encrypt YAML feature for this text, AppVeyor returns the following Base64-encoded encrypted string:
-
-	FVwaQuowgIbDmPo987vdYrmGEHeelN7l6ni8MTzouU3jtrE8/9w6tYSuq84DHJbXhMQKpxqfZOTRIH0g/flKjg==
-
-After Base64 decoding, the hex representation is:
-
-	15 5C 1A 42 EA 30 80 86 C3 98 FA 3D F3 BB DD 62
-	B9 86 10 77 9E 94 DE E5 EA 78 BC 31 3C E8 B9 4D
-	E3 B6 B1 3C FF DC 3A B5 84 AE AB CE 03 1C 96 D7
-	84 C4 0A A7 1A 9F 64 E4 D1 20 7D 20 FD F9 4A 8E
-
-Here we can already see that our encrypted ciphertext has 16 bytes more than the plaintext. This is probably due to padding and allows us infer that the block size of the ciphertext is 16 bytes.
-
-
-
-To find out more about block size and the mode of operation, we modified the following bytes of the ciphertext:
-
-<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>15 5C 1A 42 EA 30 80 86 C3 98 FA 3D F3 BB DD 62
-B9 86 <strong>11</strong> 77 9E 94 DE E5 EA 78 BC 31 3C E8 B9 4D
-E3 B6 B1 3C FF DC 3A B5 84 AE AB CE 03 1C 96 D7
-84 C4 0A A7 1A 9F 64 E4 D1 20 7D 20 FD F9 4A 8E
-</code></pre></div></div>
-
-This ciphertext decrypted to the following text:
-
-	Bearer SecretTokL        Q4▒u5i?y▒▒'15668901234567890
-
-The hexadecimal representation of this string is:
-
-<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>42 65 61 72 65 72 20 53 65 63 72 65 74 54 6F 6B
-<strong>4C 09 51 34 FD 75 35 16 69 3F 79 FD FD 27 31 1C</strong>
-35 <strong>36</strong> 36 38 39 30 31 32 33 34 35 36 37 38 39 30
-</code></pre></div></div>
-
-We can see that a change of the third byte in the second ciphertext block changed the whole second plaintext block and the third byte of the next plaintext block. This perfectly matches the behavior of the cipher mode CBC (as displayed in the following figure). 
-
-![CBC](/assets/posts/2019-12-13-cbc.png)
-
-Generally, in CBC a change in a byte of a ciphertext block at index X directly affects all bytes of the same ciphertext block and the byte at index X of the next ciphertext block. The observed behavior further confirms that the encryption algorithm is a block cipher with 16 bytes length.
-
-Our test didn't lead to an error, but decrypted normally. From that we can infer that **the ciphertext is not integrity protected**.
-
-In many cases missing integrity protection has security implications. In combination with the CBC cipher mode, this can result in so called “Padding Oracle” attacks. These attacks exploit
-
-* the lack of integrity protection and
-* some properties of CBC mode and PKCS#7 padding
-
-and allow attackers to fully or partially decrypt ciphertext! This means, AppVeyor is potentially vulnerable to Padding Oracle attacks. Notably, as laid out at the beginning of the post, anyone with write access to the appveyor.yml can decrypt values by design. Thus, a Padding Oracle would have no security implications in AppVeyor anyways. 
-
-For more curious readers, we briefly describe our analysis of a potential Padding Oracle in AppVeyor.
-
-## Padding Oracle in AppVeyor
-For a Padding Oracle to exist, it must be possible to distinguish the following cases (e.g. by different error message, by timing, or other means) when decrypting ciphertext:
-
-* A given ciphertext decrypts to a valid plaintext.
-* A given ciphertext decrypts to a malformed plaintext (e.g. with non-ASCII characters) and has valid padding.
-* A given ciphertext decrypts has invalid padding.
-
-This information, combined with the knowledge of the functionality of CBC and PKCS#7 and some basic logic, is enough for an attacker to decrypt most of a given ciphertext. To confirm the existence or non-existence of a potential Padding Oracle in AppVeyor, we performed the following tests.
-
-We used a secure variable (encrypted Bearer `SecretToken123456789012345678901234567890` to let AppVeyor authenticate against our web server.  On the web server we received:
-
-	POST / HTTP/1.1
-	Authorization: Bearer SecretToken123456789012345678901234567890
-	Content-Type: application/json; charset=utf-8
-	Host: 54.69.243.156:8000
-	Content-Length: 8858
-	Connection: Keep-Alive
-	
-This matches the behavior of **case 1.a**.
-
-We then modified the third byte of the second ciphertext block and again let AppVeyor against our web server. This time we received:
-
-	POST / HTTP/1.1
-	Authorization: Bearer SecretTokL        Q4▒u5i?y▒▒'15668901234567890
-	Content-Type: application/json; charset=utf-8
-	Host: 54.69.243.156:8000
-	Content-Length: 8860
-	Connection: Keep-Alive
-
-This matches the behavior of **case 1.b**.
-
-Lastly, we crafted ciphertext that causes bad padding. For that we changed the last byte of the third ciphertext block. Due to CBC mode, this change should not only scramble the third block, but also change the last byte of the fourth block, which is our padding. Since padding needs to have a specific structure in PKCS#7, this change should cause incorrect padding. We used the following ciphertext:
-
-<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>15 5C 1A 42 EA 30 80 86 C3 98 FA 3D F3 BB DD 62
-B9 86 10 77 9E 94 DE E5 EA 78 BC 31 3C E8 B9 4D
-E3 B6 B1 3C FF DC 3A B5 84 AE AB CE 03 1C 96 <strong>00</strong>
-84 C4 0A A7 1A 9F 64 E4 D1 20 7D 20 FD F9 4A 8E
-</code></pre></div></div>
-With this ciphertext we let AppVeyor authenticate against our web server one last time. The result was:
-
-	POST / HTTP/1.1
-	Content-Type: application/json; charset=utf-8
-	Host: 54.69.243.156:8000
-	Content-Length: 8840
-	Connection: Keep-Alive
-
-This matches the behavior of **case 1.c**.
-
-Can this be a problem? Yes it can be! This behavior exactly matches the definition of a Padding Oracle. An attacker could now continue this attack as described in [this blog post](https://robertheaton.com/2013/07/29/padding-oracle-attack/) and could obtain most or all of the plaintext from the ciphertext. Particularly, if an attacker knows the initialization vector, he/she can obtain all of the plaintext. If an attacker doesn't know the initialization vector, he/she could obtain the plaintext for the whole ciphertext except the first ciphertext block. However, in many cases the first ciphertext block can be guessed or obtained from the system.
-
-Conclusively, in this article we showed:
-
-1. The functionality of AppVeyor's secure variables.
-2. The encryption used for AppVeyor's secure variables.
-3. How a small mistake in encryption could, in principle, lead to Padding Oracle attacks that allow the decryption of most or all of the ciphertext.
-
-This post was written together with Marc Nimmerichter from [Impidio](https://www.impidio.com/). All findings were responsibly disclosed to AppVeyor and only published when we agreed that they contain no exploitable information.
diff --git a/docs/blog/_posts/2020-08-26-on-the-importance-of-trust-validation.md b/docs/blog/_posts/2020-08-26-on-the-importance-of-trust-validation.md
deleted file mode 100644
index 4067ed9..0000000
--- a/docs/blog/_posts/2020-08-26-on-the-importance-of-trust-validation.md
+++ /dev/null
@@ -1,60 +0,0 @@
----
-layout: post
-title:  "On the Importance of Trust Validation: Microsoft's Dangerous Mistake"
-image: '2020-08-26-bg'
-date:   2020-08-26 00:00:00 +0000
-author: Daniel Ostovary
-summary: "Our discovery of how Microsoft didn't verify the validity of timestamping certificates on VSIX packages"
-description:
----
-
-Last year we discovered a vulnerability in the Visual Studio Extension (VSIX) installer, which comes with Microsoft Visual Studio. When verifying the signature of a VSIX package, the VSIX installer failed to check the trust of the timestamp under certain circumstances. This vulnerability allowed an attacker to apply a non-trustworthy timestamp without users being warned about it. 
-
-In this blog post we are talking about this vulnerability and its impact. The blog post is written in cooperation with Marc Nimmerichter from [Impidio](https://www.impidio.com/blog/on-the-importance-of-trust-validation-microsofts-dangerous-mistake). The here-discussed vulnerability has been reported to Microsoft shortly after its discovery. We will talk about our experiences with reporting this vulnerability in a later blog post. To understand the vulnerability, one has to understand timestamping in code signing first.
-
-# Timestamping
-Unlike signatures of TLS certificates, signatures of code-signing certificates may be verified a long time after their application (e.g. a software publisher may apply a signature on an .EXE file in 2018; a user may use this .EXE in 2024). Code-signing certificates have a relatively low validity period of 1-3 years [[1]](#1). As a result, upon execution of a program, a user may be presented with a certificate expiration warning because the code-signing certificate is no longer valid at the time the signed program is executed [[2]](#2). Simply giving a code-signing certificate a long validity is considered bad practice. Instead, in code-signing, so-called timestamps are frequently used [[1]](#1). These timestamps are provided by trustworthy Timestamping Authorities (TSAs) and cryptographically guarantee that certain data existed at a certain time [[2]](#2). This means, when applying a timestamp to a signature, it is cryptograhically guaranteed by the issuing TSA that the signature was applied at the time of the timestamp [[2]](#2).
-
-With such a timestamp applied to a signature, **the validity period of a code signature is extended** to the validity period of the TSA's certificate [[4]](#4). The validity period of a TSA's certificate is usually relatively long (typically 10-15 years; e.g. see [[5-7]](#5)). 
-
-Timestamping can also be used to **keep signatures of a revoked code-signing certificate valid if and only if (iff) the revocation date is after the timestamp date**, as suggested by RFC 3161 [[8]](#8).
-
-It is important to check the correctness and trustworthiness of a timestamp [[3]](#3). Otherwise it may be possible to maliciously alter the validity of a code signature.
-
-# The Vulnerability
-In the case of the VSIX installer, an attacker was able to apply a valid code signature to a file using an expired code-signing certificate and a self-created non-trustworthy TSA. For that, the attacker had to apply a code signature using the expired code-signing ceritificate, backdating the signature to a time when the code-signing certificate was valid, and apply a specially crafted timestamp. This timestamp would have to:
-
- 1. contain the certificate chain of the self-created non-trustworthy TSA
- 2. be dated before the expiration of the code-signing certificate
-
-Before the vulnerability was fixed, the VSIX installer accepted such a combination of a signature and timestamp, i.e. it did not report a non-trustworthy signature/timestamp. This behavior shows that the VSIX installer did not correctly check the trustworthiness of a TSA.
-
-# Impact
-We discovered three potential attack scenarios for this vulnerability. One of which is infeasible due to the way the VSIX installer supports timestamping.
-
-**Scenario 1 ('reviving' expired code-signing certificates):** The vulnerability allows an attacker to craft malicious VSIX packages with 'revived' expired code-signing certificates, i.e. **use expired code-signing certificates to sign VSIX packages**. This is problematic because owners of certificates may not protect expired certificates anymore or may not revoke expired code-signing certificates in case of theft because these certificates should be unusable anyway. Attackers can abuse such certificate 'revival' to sign malicious code, which would be accepted by the VSIX installer without any warning and subsequently executed by unsuspecting end users. Essentially, in this scenario an attacker would maliciously **extend the validity period of a code-signing certificate**. There are no specific code-signing certificates for VSIX packages. So any code-signing certificate can be used to sign VSIX packages and subsequently any expired code-signing certificate could be used for this attack.
-
-Imagine the following example: On February 20th 2020 an attacker steals a code-signing certificate that expired on January 10th from a software publisher. The software publisher has not detected the theft or has detected the theft but decided to not revoke the certificate, because the theft was after the expiration of the certificate. The attacker now wants to 'revive' the certificate. For that, the attacker dates back the system time to January 9th 2020 and signs the VISX package with the expired certificate. Then the attacker timestamps the signature for January 9th 2020 with their self-created TSA, using a timestamp that contains the timestamping certificate. After that, the attacker distributes the VISX package to end users (e.g. by publishing it on a website, by performing Man-in-the-Middle (MitM) attacks on a file download, or by putting it in a shared directory). When an end user executes the VSIX package, the signature and timestamp are shown as valid and the VSIX package is subsequently installed without any warning.
-
-**Scenario 2 (applying short-lived timestamps):** The vulnerability further allows an attacker that can intercept and modify HTTP requests/responses (i.e. the attacker is MiTM) **to respond to a software publisher's legitimate timestamping request with a timestamp with a very short lifespan**, without the software publisher being warned. As soon as the software publisher's code-signing certificate expires, the signature would become invalid unexpectedly. This could heavily diminish the usage of the victim's VSIX package, depending on the number of new installations. Timestamp requests are often sent via HTTP (see [[9]](#9)), so Man-in-the-Middle attacks are not unlikely.
-
-Imagine the following example: An attacker is MiTM in the communication between a software publisher and their TSA. The attacker has set up their own non-trustworthy TSA. Today is July 15th 2020. The code-signing certificate of the software publisher expires on July 20th 2020. The certificate of the TSA that the software developers trusts (i.e. the timestamping certificate) expires on January 1st 2030. To extend the validity period of a signature, the software publisher timestamps their signature with the TSA they trust. The attacker intercepts this call and responds with a timestamp that contains the timestamping certificate of their own non-trustworthy TSA. After signing and timestamping their VSIX package, the software publisher tests if the signing/timestamping worked properly by installing the VSIX package with the VSIX installer. The VSIX installer will show a valid signature and timestamp without any indication of the validity period of the signature or the timestamp. Consecutively, the software publisher starts publishing their software as usual on July 18th 2020. In the first days several hundred users download the VSIX package. On July 21st 2020, first users report that the signature on the VSIX package is invalid because the underlying certificate is expired. Now the software publisher has to quickly publish the VSIX package with a new code-signing certificate. 
-
-**Scenario 3 (dodged a bullet - 'reviving' revoked code-signing certificates):** Our tests have shown that the VSIX installer only checks if a code-signing certificate was revoked, but not if it was timestamped before the revocation date. This means, the VSIX installer rejects all revoked certificates regardless of the timestamp (i.e. it does **NOT keep signatures of revoked code-signing certificates valid iff the revocation date is after the timestamp date**). As a result of the VSIX installer's behavior, this vulnerability did not allow to 'revive' revoked code-signing certificates. If the VSIX installer allowed revoked code-signing certificates to stay valid iff the revocation date is after the timestamp date, an attacker could have **'revived' revoked code-signing certificates** (i.e. make revoked code-signing certificates valid again). This would have worked similar to the example of scenario 1. Instead of backdating the signature and timestamp to a date when the certificate was expired, an attacker would have backdated the signature and timestamp to a date when the certificate was not revoked. Needless to say that the possibility of 'reviving' revoked code-signing certificates would have constituted a critical vulnerability. Essentially, Microsoft unintentionally dodged a huge bullet by NOT **keeping signatures of revoked code-signing certificates valid iff the revocation date is after the timestamp date**.
-
-# Security Patch
-Microsoft has informed us that they were planning to fix the vulnerability with Visual Studio 16.3, which was released in Fall 2019. Old versions of Visual Studio will not be patched, and thus will remain vulnerable indefinitely. Unfortunately, the release notes of Visual Studio 16.3. did not mention the here-described vulnerability in any way [[10]](#10). However, in May 2020 we could confirm that the vulnerability is fixed at least in versions >=16.5.2047. 
-
-<div class='sources' markdown='1'>
-# Sources
-* \[<span id='1'>1</span>\] [https://knowledge.digicert.com/generalinformation/INFO1119.html](https://knowledge.digicert.com/generalinformation/INFO1119.html)
-* \[<span id='2'>2</span>\] [https://casecurity.org/wp-content/uploads/2013/10/CASC-Code-Signing.pdf](https://casecurity.org/wp-content/uploads/2013/10/CASC-Code-Signing.pdf)
-* \[<span id='3'>3</span>\] [https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/01/26/security-considerations-for-code-signing/final/documents/security-considerations-for-code-signing.pdf](https://csrc.nist.gov/CSRC/media/Publications/white-paper/2018/01/26/security-considerations-for-code-signing/final/documents/security-considerations-for-code-signing.pdf)
-* \[<span id='4'>4</span>\] [https://www.xolphin.com/support/signatures/Frequently_asked_questions/Timestamping](https://www.xolphin.com/support/signatures/Frequently_asked_questions/Timestamping)
-* \[<span id='5'>5</span>\] [https://support.sectigo.com/ES_KnowledgeDetailPageFaq?Id=kA01N000000btid](https://support.sectigo.com/ES_KnowledgeDetailPageFaq?Id=kA01N000000btid)
-* \[<span id='6'>6</span>\] [https://www.sede.fnmt.gob.es/documents/10445900/10577712/dpstq_english.pdf](https://www.sede.fnmt.gob.es/documents/10445900/10577712/dpstq_english.pdf)
-* \[<span id='7'>7</span>\] [https://www.digicert-grid.com/DigiCert_CP_v403.pdf](https://www.digicert-grid.com/DigiCert_CP_v403.pdf)
-* \[<span id='8'>8</span>\] [https://www.ietf.org/rfc/rfc3161.txt](https://www.ietf.org/rfc/rfc3161.txt)
-* \[<span id='9'>9</span>\] [https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710](https://gist.github.com/Manouchehri/fd754e402d98430243455713efada710)
-* \[<span id='10'>10</span>\] [https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes-v16.3](https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes-v16.3)
-</div>
diff --git a/docs/blog/_posts/2020-08-26-unfulfilled-expectations.md b/docs/blog/_posts/2020-08-26-unfulfilled-expectations.md
deleted file mode 100644
index fef0326..0000000
--- a/docs/blog/_posts/2020-08-26-unfulfilled-expectations.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-layout: post
-title:  "Unfulfilled Expectations: Revoked Certificates in JAR Signing"
-image: '2020-08-26-02-bg'
-date:   2020-08-26 00:00:00 +0000
-author: Daniel Ostovary
-summary: "In April we became aware of a conceptual security issue in the JarSigner. The fix will be shipped with the release of JDK 15"
-description:
----
-
-In April 2020 we became aware of a conceptual security issue in the Java JarSigner. The JarSigner does not check certificate revocations, which breaks JAR signing to some extent.
-
-In this blog post we are going to talk about this issue. The blog post is written in cooperation with Marc Nimmerichter from [Impidio](https://www.impidio.com/blog/unfulfilled-expectations-revoked-certificates-in-jar-signing). We have reported this issue to Oracle shortly after its discovery. We will talk about our experiences with reporting this issue in a future blog post. To understand this issue, one has to understand Certificate Revocation Lists (CRLs) first.
-
-# Certificate Revocation Lists
-If the owner of a certificate wishes to revoke their certificate (i.e. invalidate it, for example, because of compromise), they can request the issuing Certificate Authority (CA) to put the certificate on a CRL (e.g. see [[5]](#5)). The CRL distribution point is indicated in the CA's certificate [[5]](#5). Often, a verifier of a signature checks the certificate's CRL to see if it is revoked [[6]](#6) (e.g. the Windows signature verification of an executable). 
-
-# The Security Issue
-We found evidence that there was some CRL check for JAR signatures in the past (e.g. for Java Applets in JDK 7; see [[1-3]](#3)). However, a source code analysis of the JarSigner of the JDK 12 and a review of its official documentation [[4]](#4) show that CRLs are not automatically checked, neither by the JarSigner nor anywhere else in the JDK. Instead, as Oracle told us, developers are expected to call the PKIXRevocationChecker explicitly to check for revocations. 
-
-# The Impact
-Since the JarSigner does not check CRLs, any stolen and revoked code-signing certificate can be used to sign JARs without the JarSigner warning users of a revoked certificate. That is unless users explicitely check revocation with the PKIXRevocationChecker. As verifiers of a signature often check the CRL of the certificate, users of the JarSigner almost certainly expect the JarSigner to do so too. These users rely on CRLs for security, but the JarSigner does not actually provide this level of security. 
-
-# Addressing the Security Issue
-Shortly after discussing the issue with Oracle, they created a ticket to address this issue ([JDK-8242060](https://bugs.openjdk.java.net/browse/JDK-8242060)). This ticket is expected to be resolved with JDK 15, which is planned to be released on September 15, 2020 [[6]](#6). Users of the JarSigner should note that this issue will not be addressed in older versions of the JDK (i.e.  JDKs before JDK 15).
-
-<div class='sources' markdown='1'>
-# Sources
-* \[<span id='1'>1</span>\] [https://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html](https://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html)
-* \[<span id='2'>2</span>\] [https://blogs.oracle.com/java-platform-group/signing-code-for-the-long-haul](https://blogs.oracle.com/java-platform-group/signing-code-for-the-long-haul)
-* \[<span id='3'>3</span>\] [https://java.com/en/download/help/revocation_options.xml](https://java.com/en/download/help/revocation_options.xml)
-* \[<span id='4'>4</span>\] [https://docs.oracle.com/en/java/javase/12/](https://docs.oracle.com/en/java/javase/12/)
-* \[<span id='5'>5</span>\] [https://www.csoonline.com/article/2607448/revoke-certificates-when-you-need-to----the-right-way.html](https://www.csoonline.com/article/2607448/revoke-certificates-when-you-need-to----the-right-way.html)
-* \[<span id='6'>6</span>\] [https://openjdk.java.net/projects/jdk/15/](https://openjdk.java.net/projects/jdk/15/)
-</div>
diff --git a/docs/blog/_posts/2020-12-21-evaluating-sunburst.md b/docs/blog/_posts/2020-12-21-evaluating-sunburst.md
deleted file mode 100644
index dab0899..0000000
--- a/docs/blog/_posts/2020-12-21-evaluating-sunburst.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-layout: post
-title: "Evaluating the Sunburst Hack: Causes and Future Prevention"
-image: '2020-12-21-bg'
-date: 2020-12-21 08:00:00 +0000
-author: Stefan Wenig
-summary: "How hackers exploited one ISV's software to reach political targets - and how software industry practices need to improve"
-description:
----
-
-Sunburst/Solorigate is already the most discussed hacker attack in living memory, maybe back to when Iran's nuclear program was pushed back years by Stuxnet. But what do we really know?
-
-Several U.S. agencies were infiltrated using versions of SolarWind's Orion software that carried a backdoor payload. Given the scope of this software, it's not surprising that a successful attack on Orion would also pave the way for hacking customers. So rather than examining the exact nature of these backdoors and how they were exploited, let's look at how the software was hacked in the first place.
-
-Tomislav Peričin of ReversingLabs did an [exhaustive analysis](https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth) of this hack. By decompiling several versions of Orion, he showed how the hackers inched their way from a careful proof of concept to a full-blown backdoor through incremental source code modifications.
-
-## Two possible attack vectors
-
-What's not so clear though is whether these changes were committed to the source code repository, where every developer could see them, or injected on the build system.
-
-> **Update:** This article is based on the research by ReverseLabs. SolarWinds has published a [statement](https://sec.report/Document/0001628280-20-017451/) that says that the code "was introduced as a result of a compromise of the Orion software build system and **was not present in the source code repository** of the Orion products."
->
-> So it wasn't attack vector 1. But considering the careful way the code was inserted incrementally, it's still a vector every development organization has to watch out for.
-
-Looking forward, this does not really matter. Both ways are possible attack vectors, so we must consider them all.
-
-## Attack vector 1: modifying the source code in the repository
-
-Now here's a no-brainer: If an attacker manages to modify the source code without getting caught, the modifications will eventually turn up at customer sites.
-
-So what can be done to avoid this?
-
-In short: create and enforce a task-based review policy.
-
-The code modifications were carefully placed where they would not cause suspicion. For instance, the code responsible for starting the backdoor thread was placed where legitimate background processing was done too. The string obfuscation should alarm careful readers, but that was done in another module, where nobody would have much business anyway.
-
-Those were clever measures for sure, but they would not go undetected in a task-based review. Assume that the team has the following security measures:
-
-| Policy | Implementation |
-|--------|----------------|
-| **All source code commits must reference issues** for developer tasks, such as issues or stories | This can be implemented in most version control systems. E.g. Git provides [server-side](https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-Policy) [hooks](https://stackoverflow.com/questions/14151775/how-do-i-set-a-pattern-for-git-commit-messages). On top of this, some Git servers provide configurations such as [regex rules](https://docs.gitlab.com/ee/push_rules/push_rules.html#commit-messages-with-a-specific-reference) for commit messages. 
-| The source code system is configured to **accept merges on release-branches only after successful code reviews** | Again, you can use basic hooks, or features such as [branch](https://docs.github.com/en/github/administering-a-repository/managing-a-branch-protection-rule) [protection](https://docs.gitlab.com/ee/user/project/protected_branches.html). Or use [dedicated review software](https://en.wikipedia.org/wiki/List_of_tools_for_code_review).
-| The code signing process only signs builds from release branches | If you do code signing from your CI system, make sure it is only configured for reviewed branches. **SignPath can verify the source of a build and enforce your branch policies directly**, so they cannot be sidestepped by careless misconfigurations or hackers with CI access.
-
-It's easy to see how these hacks could avoid accidental detection. But to work around a carefully implemented review policy, the hackers would have to hack the issue tracking system too (quite possible), create plausible tasks for creating a new background process thread (hm, what for?) and string obfuscation - now that should trigger some alarms!
-
-Also, make sure that your review guidelines contain clear rules for triggering security reviews. A very fine example can be found [here](https://docs.gitlab.com/ee/development/code_review.html).
-
-Thorough source code reviews require some effort. But you don't do it just for security, you do it for quality. Like most reasonable quality measures, they will pay off with reduced cost for support, troubleshooting and bug fixing. In 2020, there's hardly any excuse left for not doing them, so why not go all the way and enforce them?
-
-## Attack vector 2: modifying the source code at build time
-
-Now making sure that your source code repository contains only what it should is an obvious step. But what if the hackers didn't commit these changes after all? **What if the build infrastructure was compromised** to simply **replace a few files** before compiling the software? **What if it applied post-compilation transformations** to include the payload? 
-
-These are routine activities for hackers, the tools are all there too. So if they can get into the build process, or modify the code before signing and releasing, that's rather easy to achieve.
-
-This attack vector is much harder to close. It requires a **detailed analysis** of the entire **build infrastructure** *and* **every single project's build and code signing process**.
-
-Having done this for some years for a living, we can now safely say one thing: **this is hard.**
-
-Analyzing entire build pipelines for possible attacks from within the network is rarely done, and it's a daunting task. There is little know-how around, and still too little vendor support: CI systems are built for speed, scalability and flexibility first.
-
-And there's a reason for this too: CI systems are used for so many things today, some of them rather resource-intensive too. Think about executing Web test suites, for instance. Or DAST tests. They require a lot of analysis and troubleshooting, so there's a big incentive for handing out access permissions for components of the CI system too.
-
-To be sure, it's easy to come to the conclusion that a process is safe. There is this token or password that you need for code signing, and we're only using it in this specific way, right? Probably not: relying on a single secret and it's proper handling will almost always leave some room for attacks. But who has the time and budget to do a full security audit for every project?
-
-**At SignPath, this was our mission from the start:** Storing keys on HSMs is not the solution for all code signing risks. Neither is a code signing gateway that simply provides HSM access using some finer-grained access control and auditing.
-
-Our customers need a simple way to make sure that **every signed and published release** of their software
-
-* can be **traced back to a specific source code version**, without room for manipulation
-* **meets all policy requirements**, including reviews and testing
-* was built on **secure infrastructure**, without direct or indirect developer access
-
-To find out more about code signing with SignPath, please [contact us](mailto:sales@signpath.io). 
-
-### Updates
-* 2020-12-21 8:00 UTC: Added SolarWind's statement that the modified code was *not* in their repository.
diff --git a/docs/blog/_posts/2021-03-23-dp-api-encryption-ineffective-in-windows-containers.md b/docs/blog/_posts/2021-03-23-dp-api-encryption-ineffective-in-windows-containers.md
deleted file mode 100644
index 448299d..0000000
--- a/docs/blog/_posts/2021-03-23-dp-api-encryption-ineffective-in-windows-containers.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-layout: post
-title: "DP API Encryption Ineffective in Windows Containers"
-image: '2021-03-23_02-bg'
-date: 2021-03-23 08:00:01 +0000
-author: Marc Nimmerrichter
-summary: "We discovered that DP API encryption in Windows containers is not secure"
-description:
----
-
-We recently discovered a vulnerability in the key management of Windows containers. Windows containers used publicly available cryptographic keys when encrypting with the Windows Data Protection API (DP API). Furthermore, keys used in different containers by different organizations were the same. This vulnerability allowed attackers to decrypt any data that was encrypted with DP API keys in Windows containers. The vulnerability was confirmed by Microsoft and assigned [CVE-2021-1645](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1645).
-
-In this blog post we describe CVE-2021-1645. This vulnerability was [discovered in close cooperation](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1645#acknowledgements) with Marc Nimmerrichter from [Certitude Consulting GmbH](https://certitude.consulting/en). To understand the vulnerability, one has to have a basic understanding of DP API.
-
-## DP API
-
-The DP API allows applications to encrypt arbitrary data. An application does not have to manage keys. Instead, any data can be passed to the API, which then returns an encrypted blob. Similarly, an application can pass a previously encrypted blob to retrieve the plain text. The key used for these encryption operations is either tied to the user context or is unique to a machine (please refer to [[1]](#1) or [[2]](#2) for more details).
-
-## CVE-2021-1645 and its Impact
-
-CVE-2021-1645 applies to both, user and machine key DP API encryption within Windows Docker containers. In our explanation and PoC we will use machine key encryption, but the same issue exists if data is encrypted with the user key.
-
-Normally, a machine key is tied to a (virtual-)machine. Therefore, if an application on machine A encrypted data, it would not be possible to decrypt the data on machine B. When designing the Windows containers feature Microsoft did not sufficiently consider this security behavior. Upon researching DP API in containers we discovered that DP API machine keys were identical for all Windows containers with the same base image. This was due to the fact that DP API machine keys of containers came from the base image. As the base images are public, the DP API machine keys were public too! Therefore, any DP API encryption using the machine key in any Windows containers was worthless.
-
-Organizations that used DP API keys in Windows Docker containers to store encrypted data in a potentially insecure location, should consider this data to be compromised.
-
-## Proof of Concept
-
-In the following of this section we demonstrate that any data encrypted by the DP API machine key of a container application can be decrypted in any other container with the same base image. The following test setup utilizes two virtual machines (VM1, VM2) generated from the Azure VM template “Windows Server 2019 Datacenter with Containers- Gen2”. Microsoft already patched the base images in their Dockerhub repository. To reproduce this scenario, old image versions are required.
-
-First, start a docker container called _Alice_ on _VM1_:
-
-~~~powershell
-docker run --name Alice -it mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 cmd.exe
-~~~
-
-Then, encrypt a file in the _Alice_ container using the powershell script vault.ps1 [[3]](#3):
-
-~~~powershell
-C:>powershell.exe -File vault.ps1 -StoreSecret "This is my secret text" secret.txt
-C:>type secret.txt
-AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAm+1a2TNbiEahEIB4y/C3vQAAAAACAAAAAAAQZgAAAAEAACAAAAAdbJ9ZanY929j39ZLgabsaE5hRS4TLkCaaaRqb
-+n3ZXAAAAAAOgAAAAAIAACAAAAC7fHbsKHCTaMhsWIVMYwUZezbLozItcqExHdg9EJcfDiAAAABFv2EHA5TTqb8I9I+BZrfQS5ViD93KZlL4FoYIBldGY0AA
-AABdx7adlANRnw1shJTOtE6cYTAeqmb1yTe9adcSY1nBvtqlqSWQ/zwGaqfIfumuUm+o+ySwZXH/Su5GovJ8aUP9
-~~~
-
-Start a docker container _Bob_ on _VM2_:
-
-~~~powershell
-docker run --name Bob -it mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 cmd.exe
-~~~
-
-The following command shows that the file can be decrypted in the _Bob_ container:
-
-~~~powershell
-C:>powershell.exe -File vault.ps1 secret.txt
-This is my secret text
-~~~
-
-## Security Patch
-
-Microsoft fixed CVE-2021-1645 with the Microsoft Patch Tuesday of January 2021. Affected users should apply both, OS updates and base-image updates, to address this issue.
-
-Unfortunately, the patch comes with a caveat: The vulnerability appears to be due to a design problem. It could not be fixed in a straightforward way. After the patch Windows containers generate DP API keys when the container is first started. This means that all containers use different keys. There is currently no way to share keys between containers or transfer a key from one container to another. This is impractical as containers are often relatively short-lived. Moreover, when a container is scaled up, new containers will not be able to work with previously encrypted blobs.
-
-As a result, the DP API is currently of limited use in containers.
-
-<div class='sources' markdown='1'>
-# Sources
-* \[<span id='1'>1</span>\] [https://www.passcape.com/index.php?id=28&section=docsys&cmd=details](https://www.passcape.com/index.php?id=28&section=docsys&cmd=details)
-* \[<span id='2'>2</span>\] [https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN](https://docs.microsoft.com/en-us/previous-versions/ms995355(v=msdn.10)?redirectedfrom=MSDN)
-* \[<span id='3'>3</span>\] [https://blag.nullteilerfrei.de/2018/01/05/powershell-dpapi-script/](https://blag.nullteilerfrei.de/2018/01/05/powershell-dpapi-script/)
-</div>
-
-# Appendix
-
-`Vault.ps1`
-
-Script from [[3]](#3)
-
-~~~powershell
-Param(
-  [string] $StoreSecret,
-  [Parameter(Mandatory=$True,Position=0)]
-  [string] $filename )
-[void] [Reflection.Assembly]::LoadWithPartialName("System.Security")
-$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
-if ($StoreSecret -eq "") {
-  $data = Get-Content $filename
-  $ciphertext = [System.Convert]::FromBase64String($data)
-  $plaintext = [System.Security.Cryptography.ProtectedData]::Unprotect(
-    $ciphertext, $null, $scope )
-  [System.Text.UTF8Encoding]::UTF8.GetString($plaintext)
-} else {
-  $plaintext = [System.Text.UTF8Encoding]::UTF8.GetBytes($StoreSecret)
-  $ciphertext = [System.Security.Cryptography.ProtectedData]::Protect(
-    $plaintext, $null, $scope ) 
-  [System.Convert]::ToBase64String($ciphertext) > $filename
-}
-~~~
diff --git a/docs/blog/_posts/2021-03-23-experiences-with-security-report-handling.md b/docs/blog/_posts/2021-03-23-experiences-with-security-report-handling.md
deleted file mode 100644
index 438f875..0000000
--- a/docs/blog/_posts/2021-03-23-experiences-with-security-report-handling.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-layout: post
-title: "Experiences with Security Report Handling: The Good and the Bad"
-image: '2021-03-23_01-bg'
-date: 2021-03-23 08:00:00 +0000
-author: Daniel Ostovary
-summary: "On the stark differences of reporting security vulnerabilities between major software vendors"
-description:
----
-
-When reporting the vulnerability/security issue described in [On the Importance of Trust Validation: Microsoft's Dangerous Mistake](https://about.signpath.io/blog/2020/08/26/on-the-importance-of-trust-validation.html) and [Unfulfilled Exceptations: Revoked Certificates in JAR Signing](https://about.signpath.io/blog/2020/08/26/unfulfilled-expectations.html) we noticed big differences in security report handling between the contacted vendors. In this blog post we are talking about our experiences with these security reports. The blog post is written in cooperation with Marc Nimmerichter from [Certitude](https://certitude.consulting/en).
-
-## Reporting the VSIX Installer Vulnerability
-
-We reported the vulnerability to Microsoft shortly after its discovery. Microsoft is not only the developer of the VSIX installer, but also the responsible CVE Numbering Authority (CNA) for Microsoft products [[1]](#1), i.e. Microsoft is responsible for issuing CVEs for the VSIX installer. Microsoft has confirmed the vulnerability and has rated its severity as **moderate**. Microsoft provided the following explanation for the severity of the vulnerability:
-
-1. Revocation checking does not completely mitigate a stolen private key scenario anyway.
-2. No popular publisher of VSIX packages has had their private key stolen.
-
-Microsoft stated this vulnerability **does not warrant the issuing of a CVE** because it only has **moderate severity**.
-
-While we agree with the first argument, the second remains a mystery:
-
-* It's unclear to us how Microsoft would know about all stolen private keys, as it is not obligatory to report stolen keys to Microsoft
-* There are no specific code-signing certificates for VSIX, so this vulnerability could not be exploited with private keys that were stolen any software publisher, not only "popular package publishers" (see [On the Importance of Trust Validation: Microsoft's Dangerous Mistake](https://about.signpath.io/blog/2020/08/26/on-the-importance-of-trust-validation.html))
-
-Furthermore, there is no reason to assume that CVEs should only be issued for vulnerabilities rated higher than moderate. If that were the case, users would be restricted in their ability to protect themselves from moderate vulnerabilities. It should be noted that CVEs are frequently issued for vulnerabilities with moderate severity (e.g. [CVE-2019-1020019](https://nvd.nist.gov/vuln/detail/CVE-2019-1020019), [CVE-2020-128809](https://nvd.nist.gov/vuln/detail/CVE-2020-12880), or [CVE-2020-10643](https://nvd.nist.gov/vuln/detail/CVE-2020-10643)). 
-
-Unfortunately, Microsoft's decision on issuing a CVE was not up for discussion, so we contacted MITRE to obtain a CVE. MITRE is a root CNA and is responsible for all CVEs that are not covered by other CNAs [[1]](#1). After a short exchange of emails, MITRE stopped responding to us, even after another follow up on our behalf. Almost a year later, in late April 2020, we unexpectedly received a message by MITRE, asking us if we would still like to have a CVE number assigned. Despite confirming that we suggest to assign a CVE, MITRE has not assigned this vulnerability a CVE number yet.
-
-### Intransparent Fix
-
-Microsoft has informed us that they were planning to fix this vulnerability with Visual Studio 16.3, which was released in Fall 2019. The release notes of Visual Studio 16.3. did not mention the vulnerability in any way [[2]](#2). However, in May 2020 we could confirm that the vulnerability is fixed at least in versions >=16.5.2047. 
-
-### Timeline
-
-	15/06/2019: Initial discovery of the vulnerability and subsequent confirmation
-	08/07/2019: Reporting the vulnerability to Microsoft
-	21/07/2019: Microsoft confirms the vulnerability 
-	08/08/2019: Microsoft plans to address the vulnerability in Visual Studio 16.3
-	14/08/2019: Trying to obtain a CVE from MITRE since Microsoft is very reluctant to issue a CVE
-	20/08/2019: Microsoft refuses to issue a CVE
-	20/08/2019: No more responses from MITRE until 28/04/2020
-	23/09/2019: Release of Visual Studio 16.3 (supposedly fixed version)
-	28/04/2020: MITRE asks if we still want a CVE
-	11/05/2020: Confirming to MITRE that we still want a CVE
-	11/05/2020 - 23/03/2021: After further requests to MITRE no CVE was assigned
-
-## Reporting the JarSigner Security Issue
-
-Shortly after discovery of the missing revocation check in the JarSigner, we informed Oracle about it. Oracle quickly agreed that this could be an issue and informed us that they will address it by providing an option for CRL checks in the JarSigner. As the security issue is conceptional and not technically a vulnerability, we did not try to obtain a CVE for it.
-
-### Timeline
-
-	24/03/2020: Initial discovery of the security issue and subsequent confirmation
-	26/03/2020: Reporting the security issue to Oracle
-	20/04/2020: Oracle confirms the security issue and plans to address it in JDK15
-
-## Security Report Handling: Microsoft vs. Oracle
-
-The security report handling between Microsoft and Oracle could hardly be more different.
-
-While discussing the vulnerability with Microsoft, they tried to disregard the vulnerability - seemingly without fully understanding it at first. After a more thorough explanation, Microsoft agreed to issue a fix for this vulnerability, but, in our opinion, downplayed the severity of the vulnerability with at least partially invalid arguments (see above). Based on this arguments, they argued moderate severity and that no CVE was warranted. The unwillingness to asign a CVE and the absence of a mention of this vulnerability in the Visual Studio 16.3 release notes casts some doubts on their priorities: would they rather keep a vulnerability under cover, and produce a silent fix after a long delay, or would they keep their users informed to help them be secure? The former approach is commonly considered bad practice. 
-
-In contrast to Microsoft's security report handling, Oracle has acknowledged the security issue, without trying to avoid to take action or unreasonably downplaying it, and is transparently fixing it through a public ticket system. Although we wished Oracle had made automatic CRL checks a default in the JarSigner, in our opinion, Oracle handled this security report very well overall.
-
-<div class='sources' markdown='1'>
-# Sources
-* \[<span id='1'>1</span>\] [https://cve.mitre.org/cve/request_id.html](https://cve.mitre.org/cve/request_id.html)
-* \[<span id='2'>2</span>\] [https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes-v16.3](https://docs.microsoft.com/en-us/visualstudio/releases/2019/release-notes-v16.3)
-</div>
diff --git a/docs/blog/_posts/2022-02-21-cybernews-interview.md b/docs/blog/_posts/2022-02-21-cybernews-interview.md
deleted file mode 100644
index 149e14c..0000000
--- a/docs/blog/_posts/2022-02-21-cybernews-interview.md
+++ /dev/null
@@ -1,108 +0,0 @@
----
-layout: post
-title: "Cybernews interview with our CEO: supply chains and code signing"
-image: '2022-03-21_01-bg'
-date: 2022-02-21 16:00:00 +0000
-author: Stefan Wenig
-published: true
-summary: "&quot;You can spend millions of dollars for IT security and still become a victim of an attack on a supplier&quot;"
-description:
----
-
-Read the original interview at [Cybernews](https://cybernews.com/security/stefan-wenig-signpath-you-can-spend-millions-of-dollars-for-it-security-and-still-become-a-victim-of-an-attack-on-a-supplier/).
-
-**_If there’s anything that companies shouldn’t put aside, it’s cybersecurity because threats are lurking around every corner of the cyber world._**
-
-_Businesses of any size can unexpectedly fall victim to various dangers, including ransomware attacks, data breaches, or identity theft. It can lead to demanding a financial ransom, loss of sensitive data, or damaged brand reputation._
-
-_And while it’s only a matter of time when a company will encounter cybercriminals, there are various tools, such as secure code signing services, that can be used to prevent attacks._
-
-_For this reason, [Cybernews](https://cybernews.com/) invited Stefan Wenig, the CEO of SignPath – a company that specializes in safe code signing. Wenig shared his views about cybersecurity and the importance of code signing._
-
-**How did SignPath originate? What has your journey been like so far?**
-
-Back when I was in charge of software development at [RUBICON](https://www.rubicon.eu/), we had to sign some client-side add-ons for our enterprise Web applications. We purchased a certificate, which came on a USB token. That requires a lot of driver and configuration fumbling and is impossible to integrate with build automation. You end up with a tedious, insecure, manual process.
-
-By then, code signing incidents had started making serious news. Initially, this was about key theft, but more recent cases pointed towards a different problem – how do you make sure that you only sign software releases that were built in a secure way, from a properly reviewed source, according to all your policies?
-
-Later, some government and enterprise customers started asking for signatures on server applications too, so integration and automation became a key concern. Some customers prescribed secure code signing practices, so now it had to be automatic and secure, across a wide range of products and projects.
-
-We didn’t find a good solution on the market, so we experimented with a signing service that offloads code signing to a secure, isolated service. That turned out to be harder than we thought, so we knew early on that if we were going to do this, we’d build it as a product.
-
-Fast forward 5 years, SignPath is now an independent company, providing this solution as a Cloud service and on-premises to SMBs and large enterprises.
-
-**Can you tell us a little bit about what you do? Why is code signing needed?**
-
-Code signing is the process of putting a digital signature on a program before it is distributed, installed, and executed. Like a digital signature on a document, it guarantees authenticity and integrity. Authenticity means that files have been signed by the software’s publisher. Integrity means that the program’s files have not been modified since.
-
-Most current platforms automatically verify signatures when programs and apps are downloaded and installed. They all bring their specific formats and procedures: Microsoft, Java, Google, and Apple all use certificate-based formats. This allows customers to verify the legal name and country of the publisher. Linux and Docker do it a bit differently.
-
-Code signing can ensure that only trusted programs are installed and run on any computer or smartphone. So, at least in theory, if a program is properly signed by a trusted publisher, you should be able to trust it. But there are pitfalls.
-
-**How do cybercriminals take advantage of software that isn’t code signed? What is the worst that can happen?**
-
-Whether it’s viruses, Trojan horses, or targeted attacks where hackers directly attack an organizations’ systems: cybercriminals try to get your computer to run their own programs. Consumers face ransomware, theft of identity or financial data, or permanent takeovers of their computers into botnets. Corporations, government agencies, and other organizations also find that these programs are used to open backdoors for further attacks and to infect other computers in the network.
-
-A widely known defense against malicious code is anti-malware programs. They detect and prevent some breaches, but this is an arms race: malware changes all the time to stay undetected. And it’s virtually impossible for anti-malware tools to detect a targeted attack.
-
-That’s why modern operating systems go out of their way to prevent untrusted programs from running at all. Code signing is the primary mechanism to ensure and verify this trust.
-
-**Do you think the recent global events altered the way people perceive cybersecurity?**
-
-Absolutely, in two ways. First, there was the [Sunburst](https://cybernews.com/editorial/us-secret-service-vet-solarwinds-was-cybersecurity-s-9-11/) incident. In 2020, Russian hackers had infiltrated the software company SolarWinds and inserted a backdoor into their software. The software is used by tens of thousands of organizations, so they all had these backdoors opened. The incident went undetected for many months before security specialist FireEye found it.
-
-Sunburst also demonstrated that code signing is not enough. The modified software was properly signed, and not for lack of a safe signing infrastructure. The incident happened somewhere else in the build pipeline, but there was no connection between build policies and signing. In fact, signing only made it worse – it conveyed that it should be trusted when it was already weaponized.
-
-Similar incidents have happened before and since, but Sunburst made the big news. Finally, everybody realized how susceptible even the most security-savvy organizations are to supply-chain attacks. In other words, you can spend tens or hundreds of millions of dollars for IT security and still become a victim of an attack on a supplier, or on your own software development teams.
-
-And of course, more recent events put us all in a dangerous place. Everyone is very aware that current conflicts are fought not only on real battlefields, but economics and the Internet are weaponized, too. This is not just about losing credit card data anymore.
-
-**In your opinion, which industries are especially vulnerable to attacks carried out by injecting malicious code?**
-
-The most advanced attacks these days come from nation-state actors. So obviously, government agencies and their contractors are high on the list. When it comes to attacking nations, critical industries include defense, aerospace, finance, health care, and energy, especially nuclear.
-
-But nation-states participate in economically motivated attacks, too. And of course, classic cybercrime is still a thing. No industry is spared when it comes to stealing customer data or blackmail.
-
-Modern supply-chain attacks specifically expose the tech industry. If the first move is at a software company, attackers can potentially get at their customers. And since today all technology comes with software, this threat extends to the entire tech industry.
-
-**Why do you think code signing is often overlooked? Are there any other security details that you believe are often pushed to the background?**
-
-When you ship software to consumers, code signing is often required, so that’s an obvious starting point for many organizations. However, software running on servers usually doesn’t require code signing. So naturally, enterprise software and Web applications are often used without code signing.
-
-Sometimes software is signed, but the signatures are not routinely and automatically verified as part of the deployment procedures. Reasons for this include awareness, budgets, and prioritizing, but many IT administrators will also tell you that they don’t do it because too many programs or components are not signed, and they don’t see the point of only partial verification.
-
-Obviously, both problems expose the servers and networks to significant risk. Installing software of unverified origin naturally means that attackers can attack the process at any point of their choosing.
-
-**What are the best practices companies should follow when developing and launching software?**
-
-Let’s start with the obvious – all software should be signed before it leaves the publisher’s environment. This allows customers (or operations teams) to verify its origin and integrity.
-
-The next item on everyone’s checklist is to secure this process. Like almost everything in cryptography, code signing relies on the secrecy of private keys. If they get stolen, somebody else will be able to sign their own programs (or modified versions of your software) in your name. We already see secure key management for code signing as an emerging product category.
-
-But signing your software is only half the story. Our industry is increasingly aware of the need to design, code, and test software for security. But less thought is given to the fact that these processes are under attack. New versions of software are being built all the time, and every time you build a program, there’s that risk of somebody messing with the process.
-
-You want to make sure that only software versions that are built in a secure way get signed. And that’s really the hard part of code signing. How do you make sure that the process didn’t get compromised before you do the final signature?
-
-You also want to have some control over releases, such as creating release candidates and delaying the decision to sign and release. That might include automatic testing gateways or manual approvals. However, automatic verifications still have to happen immediately.
-
-**What cyber threats do you find the most concerning nowadays? What can average individuals do to protect themselves?**
-
-On an enterprise level, supply chain attacks are changing what we have learned about security. When you cannot trust your suppliers, how are you going to defend your own organization? It’s no longer enough to have systems and processes in place that protect your own infrastructure, you also need to worry about who you’re buying from.
-
-Is the software actually from the right source and free from modifications? It’s easy to check a signature. But you also start to worry about which publishers (or which certificates) to trust. Controlling the supply chains of software products is not an easy task. We see formal processes around that, with enterprises starting to track their supply chains, define technical and legal requirements and align incident processes. But software is made of software, so each supplier has their own supply chain, and that’s a difficult thing to track with lists and contracts.
-
-We need to get to the point where an automatic signature verification can convey security properties, such as the policies that were used when making and signing the software.
-
-For individuals, the best advice we can give is what you’re hearing everywhere: don’t mess with security defaults, don’t trust anything on the Internet, and take warnings seriously.
-
-**What does the future hold for SignPath?**
-
-We’re always improving our core product. With a new release every other week, expect us to keep adding new platforms and formats, integrations, policies, and other features.
-
-We’ll also extend our [SignPath Foundation](https://signpath.org/) initiative. Through the Foundation, we’re offering free code signing to Open Source projects. We provide certificates for each project, but they are issued in our name, and the Foundation is in control of the signing policies. We’re using the same functionality that enterprises would deploy to stay in control of certificates and policies across their individual teams.
-
-This allows users to easily trust the downloadable program packages just as much as they trust the source code hosted on GitHub. Open Source signing is currently a limited offering, and we plan to automate the onboarding process and open it up.
-
-Another focus area will be software supply chains. Standards around software bills of material and provenance documentation are currently evolving, and we’re going to see them adopted in a way that allows interoperability across the supply chain.
-
-Producing and signing these documents will be a priority for SignPath. Eventually, we’ll also want to verify this data for incoming components and allow our customers to build signing policies based on it. This will be a major milestone in our mission to provide verifiable trust in the software supply chain.
\ No newline at end of file
diff --git a/docs/blog/_posts/2024-02-22-new-year-new-faces.md b/docs/blog/_posts/2024-02-22-new-year-new-faces.md
deleted file mode 100644
index 718d6fb..0000000
--- a/docs/blog/_posts/2024-02-22-new-year-new-faces.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-layout: post
-title: "New year, new faces: SignPath expands the market going activities"
-image: '2024-02-19-bg'
-date: 2024-02-22 08:00:00 +0000
-author: Klaus Rathje
-published: true
-summary: "We will boost and expand the market going activities. With this move, we also grow our leadership team."
-redirect_from: 
-  - /blog/2024/02/19/new-year-new-faces
-  - /blog/2024/02/22/new-funding-new-faces
-description:
----
-
-**SignPath, the leading provider of advanced code signing solutions and build protection, will boost and expand the market going activities. With this move, SignPath also grows its leadership team.**
-
-It’s official now: SignPath, based in Vienna, Austria, has been fully independent since the end of 2023. The company was initially founded in 2017 as a subsidiary of RUBICON IT GmbH, a leading European software development company.
-
-In order to position itself more broadly as supplier of code integrity and SW supply chain security and to enter the international market more strongly, SignPath expanded its management team with the beginning of 2024:
-
-{% include image.html url="/assets/posts/2024-02-19_new_year_new_faces.jpg" description="New management team: Paul Savoie, Stefan Wenig, Stephan Brack" %}
-
-**CEO Stefan Wenig** will continue to lead the positioning, product strategy and thought leadership within the company. Stefan has more than 25 years of experience as a software architect and development manager in the IT industry.
-
-New to the management team is **Chief Sales Officer (CSO) Stephan Brack**. Stephan has wide ranging experience in positioning and selling security products with his own company Protected Networks. He will focus on growing and supporting the sales and reseller team. He will also establish the relevant content activities to support customers and teams.
-
-**Chief Product Officer (CPO) Paul Savoie** will strengthen SignPath’s leadership position in the growing market of application security and code integrity. Paul has been with SignPath since 2018. He will use his experience as an entrepreneur and product designer to build on and expand the vision of SignPath to address current and future security challenges.
-
-"I am excited that we can now start the new year at full speed to expand and optimize our product portfolio," says SignPath CEO Stefan Wenig. "We’ll continue to drive forward our zero-trust vision in software production and thus ensure greater security in the entire IT environment."
-
-
-For further information contact us at [info@signpath.io](mailto:info@signpath.io)
\ No newline at end of file
diff --git a/docs/blog/_posts/2024-09-10-implicit-to-explicit.md b/docs/blog/_posts/2024-09-10-implicit-to-explicit.md
deleted file mode 100644
index f7be519..0000000
--- a/docs/blog/_posts/2024-09-10-implicit-to-explicit.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-layout: post
-title: "From Implicit to Explicit: Why Code Signing is the Missing Link in DevSecOps"
-image: '2024-09-09-bg'
-date: 2024-09-10 08:00:00 +0000
-author: Paul Savoie
-summary: "By eliminating complexity, SignPath delivers a robust and flexible mechanism that fits naturally in modern software supply chains"
-description: "description"
----
-
-
-# From Implicit to Explicit: Why code signing is the missing link in DevSecOps
-
-"Trust, but verify": this is a well-known proverb that defined the Cold War era. Today, these powerful words alone could be used to describe the philosophy behind the security of the world's digital infrastructure, from satellites to web browsers.
-
-Thanks to modern cryptographic techniques, especially asymmetric key encryption, we can ensure the integrity and authenticity of billions of website visits and software downloads worldwide. Users can remain blissfully unaware of the behind-the-scenes process to benefit from it -- a hallmark of great security. This invisible protection works silently to keep our digital interactions safe and trustworthy.
-
-However, there's an inconvenient truth for us software professionals who see how "the sausage is made": when it comes to assembling software for professional use, the benefits of modern crytography, in the form of code signing, prove to be the exception rather than the rule.
-
-In this blog post, I want to emphasize the importance of explicitly establishing trust in our software supply chains. As more DevSecOps initiatives launch to build a more resilient global digital infrastructure, we can no longer justify trusting without verifying the software components in our pipelines.
-
-## Why DevSecOps Needs Code Signing
-
-Today, the importance of protecting supply chains cannot be overstated: Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains (a three-fold increase from 2021). The reason is straightforward: with the rise of DevOps and open source, software supply chains have rapidly grown more complex. This has created an attack surface that is not only much larger but also harder to measure and, in many cases, beyond direct control.
-
-Code signing has long been a pillar of IT security. Yet applications have grown in complexity. Applications often consist of hundreds or even thousands of components. Such complexity makes code signing seem almost impossible. Many administrators find that the limited guarantees of incomplete verification simply aren't worth the hassle.
-
-Where it is in use, code signing often occurs too late in the development cycle to be of much use. Typically, DevOps teams only sign the final, assembled software build before delivery. Even worse, software is often signed without any mechanism in place to verify the signature!
-
-There are many drivers behind lack of adption, including limited awareness, budget constraints, and competing priorities. The challenge is reminiscent of the problem DevSecOps was created to address: by integrating security and development throughout the entire process, we can ensure that security becomes an integral part of the software lifecycle rather than an afterthought.
-
-So why isn't code signing integrated in the same way as other DevOps tools?
-
-Code signing is the only surefire way to guarantee that pipelines haven't been tampered with, and that they produce the expected output. It's time we raise the bar to ensure the integrity of entire build pipelines instead of beefing up each individual step (code, build, deliver) separately.
-
-
-## The Problem with Traditional Code Signing
-
-Code-signing means attaching a digital certificate to software. Traditionally, within a Public Key Infrastructure (PKI), a certificate authority (CA) verifies the developer's identity and adds its public key to the certificate. The developer then hashes the source code, encrypts the hash (digest) with their private key, and combines this with the certificate and hash function to create a signature block. This block is then inserted into the software, completing the code-signing process.
-
-The problem with this process arises when the build environment grows more complex and dynamic:
-
-- In DevOps, build pipelines involve many steps that require careful verification. Third-party dependencies need thorough vetting before approval. Securing continuous integration (CI) systems is already a challenge for DevOps engineers who must balance security and velocity. Imposing traditional code signing can seem impractical, if not impossible.
-- Code signing solutions must be selective about what they accept to sign. They can't simply sign anything presented to them. Instead, they need to verify that each signature request is valid and comes from a trusted source, following a specific set of rules.
-- As more developers need permission to sign software, encryption keys must be both accessible and carefully safeguarded. Key management is a huge challenge in itself: code signing must use keys that are protected on hardware. So-called hardware signing modules (HSMs) were simply not designed to support modern CI/CD pipelines, which require flexibility and agility.
-
-In short, traditional code signing demands complex security infrastructure, often beyond the capacity of all but the largest organizations teams to handle. For this reason, code signing adoption by DevSecOps teams has lagged other software supply chain security capabilties, such as software composition analysis (SCA).
-
-But source code integrity and trusted build systems don't have to be daunting. Let's explore a few simple, pragmatic solutions.
-
-## How SignPath Brings Code Signing to DevSecOps
-
-At SignPath, our mission is to relentlessly simplify and abstract the complexity out of code signing infrastructure.  The result is automated, authenticated builds that eliminate friction from the development process, while significantly improving software supply chain security. Our robust and flexible mechanism is a natural fit for modern CI/CD pipelines and software development practices.
-
-We created a solution that enables teams to:
-
-- Neatly integrate code signing into your existing CI/CD pipelines: we enable fully automated code signing workflows. Our solution eliminates many maintenance headaches by avoiding cumbersome ad-hoc scripts that need to securely handle cryptographic providers and tools. Metadata from the CI system can easily be attached to signing requests, providing additional context. This allows you to know exactly what got signed and enhances transparency.
-- Deep sign software packages: we allow to sign multiple artifacts—such as executables, packages, SBOMs, or files within packages—in a single request. This feature is particularly useful when both application files and the package (or installer) require signing, which often creates a challenging dependency between the build process and the code signing process.
-- Centrally manage signing policies: organizations can define comprehensive, fine-grained signing policies in a central location. These policies control permissions, approvals, and origin verification, ensuring every signing operation follows strict security guidelines. Regardless of the tech stack, build process, or signing methods used, all rules are declared in a single location.
-
-As a result, you gain strong cryptographic assurance that every software release:
-
-- Can be comprehensively traced back to a specific source code version
-- Meets all policy requirements, including those for reviews and testing
-- Originates from secure infrastructure that resists tampering, from within or without
-
-## Wrap Up
-
-Software supply chain attacks are on the rise. It's time to raise our collective standards and apply the same security mantra when building software as when we deliver it: trust but verify, making the implicit explicit.
-
-By making code signing an intrinsic part of the DevSecOps framework, organizations can significantly reduce the risk of tampering, ensure compliance, and build resilient software supply chains.
-
-Thanks to years of experience implementing code signing into the most complex infrastructure, SignPath is proud to play a unique role in bringing code signing to DevSecOps.
-
-To experience the distinctive advantages SignPath offers, [request a demo](https://forms.gle/sAHSsxgASx2BYPzc9) today.
diff --git a/docs/blog/_posts/2024-11-29-building-trusted-software-for-macos.md b/docs/blog/_posts/2024-11-29-building-trusted-software-for-macos.md
deleted file mode 100644
index b8438bd..0000000
--- a/docs/blog/_posts/2024-11-29-building-trusted-software-for-macos.md
+++ /dev/null
@@ -1,148 +0,0 @@
----
-layout: post
-title: "Building Trusted Software for macOS: A how-to guide for digital signing"
-image: '2024-09-09-bg'
-date: 2024-11-29 06:00:00 +0000
-author: Paul Savoie
-summary: "To provide a great user experience, you must prevent annoying pop-ups and alerts by digitally signing your app to make it trusted by macOS."
-description: "description"
----
-
-The App Store is a powerful force in the digital world, serving as a portal to a massive user base.  Today, there are over 2.2 billion active Apple devices worldwide. Apple’s App Store alone attracts more than [650 million](https://www.apple.com/newsroom/2023/05/developers-generated-one-point-one-trillion-in-the-app-store-ecosystem-in-2022/) weekly active users worldwide. Often, however, it makes sense to bypass the App Store and deliver your applications directly to your users, for example, via a download from your web site. 
-
-The downside of direct distribution are the annoying pop-ups and alerts that can plague users trying install and execute apps. To prevent that experience, you must digitally sign your app to make it trusted by macOS. 
-
-In this post, we’ll show you how to deliver trusted macOS apps, without the added overhead of distributing via the App Store. 
-
-## Gatekeeper
-To protect Apple users against untrustworthy apps, macOS relies on technology called ‘Gatekeeper’. Gatekeeper scans software from any source, from an app store, an arbitrary website, an email attachment, wherever. The application that downloads the file (that browser or email client) adds the file attribute `com.apple.quarantine`. The quarantine attribute alerts Gatekeeper to both verify the digital signature, and to check whether it’s notarized, before executing it.  We’ll discuss notarization later. But the critical point is that your software must be digitally signed by a private key associated with a trusted X.509 certificate.
-
-## Formats
-Applications on macOS are saved in the `.app` format, a file system folder with a specific layout. If you want to distribute software, you package the `.app` folder using one of two container formats: 
-
-* Disk Images (`.dmg`): Easiest when distributing a single file/app. 
-* Installer packages (`.pkg`): Allows for specialized scenarios, such as running code during the installation. 
-
-(Refer to Apple’s [official guide to packaging applications](https://developer.apple.com/documentation/xcode/packaging-mac-software-for-distribution) for more details.)
-
-## Prereqs for Code Signing
-First, make sure you have: 
-
-* An [Apple developer account](https://developer.apple.com/programs/enroll/). It costs $99 a year. 
-* Xcode 
-* Xcode developer tools. 
-  * Run `xcode-select --install` on the command line 
-
-## Code Signing Certificates
-Apple software is signed using x.509 code signing certificates. 
-
-### Certificate Signing Requests
-Code Signing Certificates link metadata, such as the name and place of registration of your company, to an asymmetric, public/private key pair. You can request a certificate from a Certificate Authority (CA), providing the metadata and the public key. This request is called a Certificate Signing Request (CSR); the CA verifies that the metadata is correct before issuing and signing the certificate. 
-
-The private key remains under your control. It must be securely stored. Anybody in possession of the private key can sign software in the name of your organization. 
-
-### Storage of the Private Key
-Apple’s [documentation](https://developer.apple.com/help/account/create-certificates/create-a-certificate-signing-request) refers to creating the keypair on a Mac and storing it in the local keychain, protected by a password. To make the keys available on other build/developer machines, you have to share the key pair. Popular tools, such as [fastlane](https://docs.fastlane.tools/actions/match/), recommend storing certificates and encrypted private keys in a central location where they can be accessed by any developer. Of course, this introduces risk. It makes it easier for an attacker to steal the key file and encryption password to sign any software in your company’s name! Since no further authentication is required, this attack vector is especially dangerous when publishing software outside the confines and relative security of the App Store. 
-
-In the Windows world, the CA/Browser forum mandates that private keys for code signing certificates are generated on Hardware Security Modules (HSM) where they are protected from theft. It’s a good idea to follow these guidelines for Apple software as well. 
-
-Cloud-based code signing solutions ([SignPath](https://about.signpath.io), for one) make it easy to use an HSM for code signing. SignPath provides an option, via the web-based console, to generate a certificate signing request (CSR) for a  private key generated on hardware. It’s a simple point-and-click operation, with absolutely zero configuration or provisioning hassle. 
-
-### Creating a Test Certificate
-These days, everyone builds software on continuous integration systems. No matter which system you use, it’s a good idea to bake code signing into the build process itself. This will minimize the hassle of doing manual signing or writing scripts at build and release time. 
-
-But you probably don’t want to sign all your nightly builds with an official Apple code signing certificate.  It’s easier to just use a test certificate. One hitch is that you need to configure your system to trust that test certificate. 
-
-To make it trusted, you can install the test certificate on a keychain in your macOS system and enable the “Code Signing” trust setting. Gatekeeper will still identify and complain about the missing notarization though. If you’re doing manual testing, you can right-click the application and ignore the warning. If you’re testing programmatically, you can remove the quarantine flag. Use the following command to avoid Gatekeeper checks altogether: 
-
-~~~
-xattr -d com.apple.quarantine ~/Downloads/sample.app 
-~~~
-
-_Important: Apple’s `codesign` tool, which is used for signing software, does not require certificates to be issued by Apple. Package Installers (`.pkg`) are a notable exception. The `.pkg` format only supports official certificates by Apple. Test certificates cannot be used._
-
-### Creating a Release Certificate
-If you want all the Apple devices in the world to trust your application, you need an official certificate from Apple. Those certificates are trusted by default on all Apple devices. You can get an official Apple certificate from the [developer portal](https://developer.apple.com/documentation/xcode/packaging-mac-software-for-distribution).  Apple supports a variety of certificates. Depending on the chosen distribution format, you need to create either a Developer ID Installer (for `.pkg`) or a Developer ID Application (for `.dmg` and `.app`) certificate. 
-
-![Screenshot of Apple's Developer Portal](/assets/posts/2024-10-25_developer_portal.png)
-
-After choosing the certificate type, you can upload your Certificate Signing Request (CSR). (Hopefully, you generated the private key for the CSR on an HSM.)  Note that the underlying key pair must be generated using the **RSA algorithm** with a length of **2048 bits**. Apple will issue the certificate, and then you can import it into your code signing solution of choice.
-
-### Putting Code Signing Certificates to Work
-You can’t distribute that HSM-backed key to your build/developer machines. That key will never leave the HSM. So how do you use it for code signing in your continuous integration pipeline?  Simple. You just need an application known as CryptoTokenKit. It registers your certificate  in the system’s keychain, along with an identifier for the private key. During the signing operation, Apple’s crypto backend calls the CryptoTokenKit extension, which in turn forwards any signing operation to the signing service (in our case, SignPath.io). If you’re interested in the technical details, there’s an excellent deep dive into the CryptoTokenKit architecture by Timothy Perfitt on [this website](https://twocanoes.com/cryptotokenkit-communication/). 
-
-The documentation for the **SignPath CryptoTokenKit** can be found [here](/documentation/crypto-providers/macos).
-
-## Notarization
-> The Apple notary service is an automated system that scans your software for malicious content, checks for code-signing issues, and returns the results to you quickly. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it. 
-
-If you want to avoid warning dialogs during install, notarization is required when distributing your software outside of the AppStore. For more details, see the [official documentation](https://developer.apple.com/documentation/security/notarizing-macos-software-before-distribution). To automate this process, Apple provides the `notarytool` and `stapler` executables. The former uploads the artifact to the Apple servers for automated scanning and the latter attaches the notarization to the software. You will have to authenticate against Apple using an [app-specific password](https://support.apple.com/en-us/102654). According to Apple, notarization is completed within 5 minutes for most software and within 15 minutes for 98% of uploaded software. That’s fast enough to include it in most automated builds. However, note that the first submission can take up to day. 
-
-_Notarization requires a signature with a valid release certificate issued by Apple. You must use release certificates, or it won’t work._
-
-### Hardened Runtime
-A hardened runtime is a pre-requisite for notarization. Follow the [official article](https://developer.apple.com/documentation/xcode/configuring-the-hardened-runtime) by Apple to add a hardened runtime capability to your app. You need to list all exceptions to the restrictions explicitly. 
-
-> The Hardened Runtime is a collection of system-enforced restrictions that disable a set of functional capabilities, such as loading third-party frameworks, and prohibit access to restricted resources, such as the device’s built-in camera, to prevent certain classes of exploits from compromising the runtime integrity of your macOS app. 
-
-When signing your software with a hardened runtime, you need to add the `–-options=runtime` parameter to the `codesign` call. Make sure to test your app thoroughly after enabling the hardened runtime to ensure that all use-cases still work. 
-
-### The `get-task-allow` entitlement 
-
-When building the software automatically using the `xcodebuild` tool, there is another special setting to consider: Apple automatically injects an entitlement used for debugging at build time which is incompatible with the notarization process. You can disable this behavior by passing the `CODE_SIGN_INJECT_BASE_ENTITLEMENTS=NO` flag to your `xcodebuild` call. See [here](https://developer.apple.com/documentation/security/resolving-common-notarization-issues#Avoid-the-get-task-allow-entitlement) for more technical details.
-
-## Sample
-Let’s get hands on! First you'll need a Free Trial account on Signpath. Sign up here: https://login.signpath.io/ 
-
-Below is a code snippet that highlights how to sign and notarizes an application. For a full working sample, visit the [demo repository](https://github.com/SignPath/demo-macos).
-
-{% raw %}
-~~~bash
-
-###  Install SignPath MacOSCryptoTokenKit
-curl -o SignPathCryptoTokenKit.dmg https://download.signpath.io/cryptoproviders/macos-cryptotokenkit/2.0.0/SignPathCryptoTokenKit.dmg
-codesign -dv --verbose SignPathCryptoTokenKit.dmg               # check signature
-hdiutil attach ./SignPathCryptoTokenKit.dmg -mountroot ./tools  # mount the disk image
-
-### Register the CryptoTokenKit
-open "./tools/SignPathCryptoTokenKit/SignPathCryptoTokenKit.app" --args \
-  --organization-id $SIGNPATH_ORGANIZATION_ID \
-  --project-slug $SIGNPATH_PROJECT_SLUG \
-  --signing-policy-slug $SIGNPATH_SIGNING_POLICY_SLUG
-
-sleep 20 # wait for token to be registered
-
-### Sign the sample.app file
-codesign -f --timestamp --options=runtime \
-  -s $CERTIFICATE_SUBJECT_NAME \
-  --entitlements sample/sample/sample.entitlements \
-  ./build/sample.app
-
-codesign -dv --verbose ./build/sample.app   # check signature
-
-### Create and sign a .dmg file
-hdiutil create -format UDZO -srcfolder ./build/sample.app ./build/sample.dmg
-
-codesign -f --timestamp --options=runtime \
-  -s $CERTIFICATE_SUBJECT_NAME \
-  --entitlements sample/sample/sample.entitlements \
-  ./build/sample.dmg
-
-codesign -dv --verbose ./build/sample.dmg   # check signature
-
-### Notarize the .dmg file
-xcrun notarytool submit ./build/sample.dmg \
-  --apple-id $APPLE_ID \
-  --team-id $APPLE_TEAM_ID \
-  --password $APPLE_NOTARIZATION_APP_SPECIFIC_PASSWORD \
-  --wait \
-  --timeout 15m
-
-xcrun stapler staple ./build/sample.dmg # staple the notarization result
-
-~~~ 
-{% endraw %}
-
-## Conclusion 
-
-You now have everything you need to start building and releasing trusted applications for macOS, directly to your user base. The Apple App Store and enterprise distribution channels provide safe and convenient ways to reach users, but direct distribution is often preferred for Enterprise software. However, it does come with the added responsibility of properly signing and notarizing your applications. By following these requirements and keeping your keys secure, you can safely distribute your application outside of the App Store, while still ensuring a quality end user experience with your trustworthy apps. 
\ No newline at end of file
diff --git a/docs/blog/_posts/2025-01-19-announcing-series-a-investment.md b/docs/blog/_posts/2025-01-19-announcing-series-a-investment.md
deleted file mode 100644
index db26634..0000000
--- a/docs/blog/_posts/2025-01-19-announcing-series-a-investment.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-layout: post
-title: "SignPath Raises €5M to Strengthen Software Supply Chain Security"
-image: '2025-01-19-bg'
-date: 2025-01-19 06:00:00 +0000
-author: Stefan Wenig
-summary: "TIN Capital, a leading cybersecurity fund, joins us on our mission to deliver code integrity and secure software supply chains."
-description: "TIN Capital, a leading cybersecurity fund, joins us on our mission to deliver code integrity and secure software supply chains."
----
-
-We are quite thrilled to announce that TIN Capital has joined us in our mission to enhance software supply chain security and ensure the integrity of software throughout the entire development process.
-
-This investment represents a significant milestone for SignPath. Since our launch, we’ve gained traction across companies in a wide range of industries on several continents. Now, with the assistance of TIN Capital, we’re ready to embark on our next phase of growth.
-
-
-{% include image.html url="/assets/posts/2025-01-19-tin-graphic.png" %}
-
-The timing couldn’t be better. Organizations are more aware than ever that software breaches can have catastrophic consequences – far beyond the boundaries of any single company. Built on a foundation of advanced code signing, the SignPath code integrity platform secures existing software delivery pipelines from end-to-end and enables organizations to deliver software that’s authenticated, tamper-proof and compliant with industry standards.
-
-[Reinout vander Meulen](https://www.linkedin.com/in/reinoutvandermeulen/), Partner at TIN Capital, explains TIN's investment thesis:
-
-> “We are strong believers in the necessity of robust cybersecurity solutions and the value of European pioneers like SignPath. Both governments and enterprises realize that software breaches have very nasty, far-reaching consequences for users and vendors alike. A single-minded focus on code vulnerabilities is no longer adequate to defend against professional cybercriminals or state actors. We see SignPath’s code signing and pipeline integrity solutions as an essential piece of the puzzle to ensure secure and resilient software supply chains.
-
-TIN Capital’s support will provide the fuel we need to expand the team and scale operations to keep up with demand. Their dedicated cybersecurity expertise and network will enable us to capitalize on the huge potential for growth over the coming two years, while contributing to a more resilient digital future for everyone.
-
-Our CSO, Stephan Brack, commented on the raise, saying:
-
-> We are excited to work with the team at TIN Capital. Leveraging TIN Capital’s expertise and connections across the European cybersecurity ecosystem, on top of our existing network of customer, and strategic partners will open many doors to attract top talent and deliver on the growth we envisage over the coming two years.
-
-{% include image.html url="/assets/posts/2025-01-19-signpath-team.png" description="The SignPath Team" %}
-
-You can read the full release here: [€5M Investment in SignPath to Advance Software Supply Chain Security](https://www.tincapital.vc/tin-capital-invests-in-signpath).
-
-🙏 We’re grateful to all the developers, customers and partners who’ve helped us to reach this milestone.
-
-🎉 Huge thanks to [Reinout vander Meulen](https://www.linkedin.com/in/reinoutvandermeulen/), [Roel Reijnen](https://www.linkedin.com/in/roel-reijnen-99a2a93/), [Bart Houlleberghs](https://www.linkedin.com/in/houlleberghs/) and the entire team at [TIN Capital](https://www.linkedin.com/company/tincapital/)!
-
-Want to learn more about how SignPath can protect your software supply chain? [Get in touch with us](https://about.signpath.io/contact) today.
-
-
diff --git a/docs/blog/index.html b/docs/blog/index.html
deleted file mode 100644
index b30a380..0000000
--- a/docs/blog/index.html
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Blog
-header: Blog
-description: SignPath team blog
-#featured_slugs:
-#    - 'welcome-to-jekyll'
----
-
-{% include header.html %}
-
-<section class="bg-blue font-white top-section">
-  <div>
-    <h1>{{ page.header }}</h1>
-  </div>
-</section>
-<section class="blog-section bg-grey">
-  <div>
-
-    {% if page.featured_slugs %}
-      <h2>Featured Posts</h2>
-      <ul class='card-container'>
-        {% for post in site.posts %}
-          {% if page.featured_slugs contains post.slug %}
-            <li>
-              <a href='{{ post.url }}'>
-                <div class="header">
-                  {{ post.title }}
-                </div>
-              </a>
-              <div>
-                <div class='info'>
-                  <span>
-                    {% include user.svg %}
-                    {{ post.author }}</span>
-                  <span>
-                    {% include user.svg %}
-                    {{ post.date | date: '%B %d, %Y' }}</span>
-                </div>
-                <p>
-                  {% if post.summary %}
-                    {{ post.summary }}
-                  {% else %}
-                    {{ post.excerpt | truncatewords: 15 }}
-                  {% endif %}
-                </p>
-                <a class='btn btn-secondary' href='{{ post.url }}'>Read more</a>
-              </div>
-            </li>
-          {% endif %}
-        {% endfor %}
-      </ul>
-    {% endif %}
-
-    <h2>Recent Posts<a href='/feed.xml'>Feed
-      {% include rss.svg %}
-    </a></h2>
-   
-   
-    <ul class='card-container'>
-      {% for post in site.posts %}
-        <li>
-          <a href='{{ post.url }}'>
-            <div class="header">
-              {{ post.title }}
-            </div>
-          </a>
-          <div>
-            <div class='info'>
-              <span>
-                    {% include user.svg %}
-                    {{ post.author }}</span>
-              <span>
-                    {% include user.svg %}
-                    {{ post.date | date: '%B %d, %Y' }}</span>
-            </div>
-            <p>
-              {% if post.summary %}
-                {{ post.summary }}
-              {% else %}
-                {{ post.excerpt | truncatewords: 15 }}
-              {% endif %}
-            </p>
-		</div>
-		<div align="center">
-            <a class='btn btn-secondary' href='{{ post.url }}'>Read more</a>
-          </div>
-        </li>
-      {% endfor %}
-    </ul>
-
-  </div>
-</section>
-{% include footer.html %}
diff --git a/docs/documentation/build-system-integration.md b/docs/build-system-integration.md
similarity index 94%
rename from docs/documentation/build-system-integration.md
rename to docs/build-system-integration.md
index 484a75d..e201eda 100644
--- a/docs/documentation/build-system-integration.md
+++ b/docs/build-system-integration.md
@@ -3,7 +3,7 @@ header: Build System Integration
 layout: resources
 toc: true
 show_toc: 3
-redirect_from: /documentation/integrations
+redirect_from: /integrations
 description: Documentation for integrating SignPath with Continuous Integration (CI) platforms and pipelines
 ---
 
@@ -22,8 +22,8 @@ You need an API token to access the API, whether directly or through any connect
 
 The following options are available:
 
-* Use a dedicated [CI user](/documentation/users#ci).
-* [Add an API token](/documentation/users#interactive-api-token) to your own user account for personal API access.
+* Use a dedicated [CI user](/users#ci).
+* [Add an API token](/users#interactive-api-token) to your own user account for personal API access.
 
 ## PowerShell
 
@@ -80,7 +80,7 @@ curl -H "Authorization: Bearer $API_TOKEN" \
 
 {% include editions.md feature="artifact_configuration.user_defined_parameters" %}
 
-Values for [user-defined parameters](/documentation/artifact-configuration/syntax#parameters) in the artifact configuration can be provided by adding another multipart/form-data field prefixed with `Parameters.`
+Values for [user-defined parameters](/artifact-configuration/syntax#parameters) in the artifact configuration can be provided by adding another multipart/form-data field prefixed with `Parameters.`
 
 Example: `-F "Parameters[productVersion]=1.2.0"`
 
@@ -166,7 +166,7 @@ curl -H "Authorization: Bearer $API_TOKEN" \
 
 ### Resubmit a signing request
 
-See [Resubmit an existing signing request](/documentation/signing-code#resubmit) for more information.
+See [Resubmit an existing signing request](/signing-code#resubmit) for more information.
 
 | Synopsis                    |      |
 |-----------------------------|------|
diff --git a/docs/documentation/changelog/feeds/all.xml b/docs/changelog/feeds/all.xml
similarity index 100%
rename from docs/documentation/changelog/feeds/all.xml
rename to docs/changelog/feeds/all.xml
diff --git a/docs/documentation/changelog/feeds/application.xml b/docs/changelog/feeds/application.xml
similarity index 100%
rename from docs/documentation/changelog/feeds/application.xml
rename to docs/changelog/feeds/application.xml
diff --git a/docs/documentation/changelog/feeds/crypto_providers.xml b/docs/changelog/feeds/crypto_providers.xml
similarity index 100%
rename from docs/documentation/changelog/feeds/crypto_providers.xml
rename to docs/changelog/feeds/crypto_providers.xml
diff --git a/docs/documentation/changelog/feeds/github_connector.xml b/docs/changelog/feeds/github_connector.xml
similarity index 100%
rename from docs/documentation/changelog/feeds/github_connector.xml
rename to docs/changelog/feeds/github_connector.xml
diff --git a/docs/documentation/changelog/feeds/jenkins_plugin.xml b/docs/changelog/feeds/jenkins_plugin.xml
similarity index 100%
rename from docs/documentation/changelog/feeds/jenkins_plugin.xml
rename to docs/changelog/feeds/jenkins_plugin.xml
diff --git a/docs/documentation/changelog/feeds/macos_cryptotokenkit.md b/docs/changelog/feeds/macos_cryptotokenkit.md
similarity index 100%
rename from docs/documentation/changelog/feeds/macos_cryptotokenkit.md
rename to docs/changelog/feeds/macos_cryptotokenkit.md
diff --git a/docs/documentation/changelog/feeds/powershell_module.xml b/docs/changelog/feeds/powershell_module.xml
similarity index 100%
rename from docs/documentation/changelog/feeds/powershell_module.xml
rename to docs/changelog/feeds/powershell_module.xml
diff --git a/docs/documentation/changelog/feeds/powershell_module_docker.xml b/docs/changelog/feeds/powershell_module_docker.xml
similarity index 100%
rename from docs/documentation/changelog/feeds/powershell_module_docker.xml
rename to docs/changelog/feeds/powershell_module_docker.xml
diff --git a/docs/documentation/changelog/feeds/self_hosted_installations.xml b/docs/changelog/feeds/self_hosted_installations.xml
similarity index 100%
rename from docs/documentation/changelog/feeds/self_hosted_installations.xml
rename to docs/changelog/feeds/self_hosted_installations.xml
diff --git a/docs/documentation/changelog/index.md b/docs/changelog/index.md
similarity index 98%
rename from docs/documentation/changelog/index.md
rename to docs/changelog/index.md
index f9061db..07b06f8 100644
--- a/docs/documentation/changelog/index.md
+++ b/docs/changelog/index.md
@@ -31,7 +31,7 @@ redirect_from:
 			<option value='bug_fixes'>Bug fixes</option>
 		</select>
 	</div>
-	<a id='changelog-feed' href='/documentation/changelog/feeds/all.xml'>
+	<a id='changelog-feed' href='/changelog/feeds/all.xml'>
     Feed {% include rss.svg %}
   </a>
 </div>
diff --git a/docs/code-signing/index.md b/docs/code-signing/index.md
deleted file mode 100644
index 7b2e623..0000000
--- a/docs/code-signing/index.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-header: Code Signing
-layout: resources
-toc: false
-nav_on_small_screen: true
-forward_on_big_screens: '/code-signing/introduction'
----
\ No newline at end of file
diff --git a/docs/code-signing/introduction.md b/docs/code-signing/introduction.md
deleted file mode 100644
index a14dd58..0000000
--- a/docs/code-signing/introduction.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-header: Introduction
-layout: resources
-toc: true
-description: General introduction to code signing
----
-
-## Purpose
-
-Installing and updating software is arguably the most vulnerable activity from a security perspective. While anti-malware software can mitigate some well-known risks, it can never provide full protection. Since even a single successful attack is enough to take over a user account, a computer or even a network, it is imperative that only software from trusted sources is installed on user devices and servers.
-
-Code Signing is used to indicate and verify the publisher of software programs and make sure the software has not been modified after publishing.
-
-Code Signing can provide the following security assertions:
-
-* **Authentication:** who signed the code
-* **Integrity:** the code cannot be changed undetected
-* **Non-repudiation:** the original signer cannot deny having signed the file
-
-(Note that these assertions are made based on certificate authority practices, publisher practices and cryptographic methods. This does not imply a legal guarantee.)
-
-On a higher level, the objective of code signing is to provide evidence that software does not impose security threats to users and systems executing it:
-
-* **Trust:** Organizations and persons must undergo an identification process with a certificate authority, so one could assume *a smaller likelihood of criminal intent*. Using the information about the publisher’s identity, users can make *educated decisions* about whether to install and execute a specific program, and system administrators can define *security policies* that will be enforced, allowing only trusted programs to execute or gain elevated permissions.
-* **Virus prevention:** Cryptographic signatures can guarantee that no alteration, such as a virus infection, has taken place *after* the publisher has signed it.
-* **Update safety:** Through certificates, updates can be verified to be published by the original publisher.
-* **Persistence:** Modern code signing techniques deliver the signature with the software, so it can be verified at any time independently from the delivery mechanism.
-
-## Implementation
-
-Code Signing uses public key cryptography for signing and verification, in a way very similar to e-mail and PDF file signatures. Publishers are identified using certificates they purchase from trusted certificate authorities, much like HTTPS certificates.
-
-Code Signing certificates always identify legal entities such as businesses, educational institutions and government agencies, and sometimes individual persons.
-
-Today, code signatures are considered by most operating systems, web browsers, development platforms, add-in systems, app stores, anti-malware utilities and some enterprise management software. There are specific code signing methods for different file formats, and systems vary in how they check signatures and what effect they have.
-
-For instance:
-
-* Before Windows executes a downloaded file, it looks for a signature and validates it. If the file has a valid signature, Windows SmartScreen will assert the file's reputation based on the certificate.
-* When a program tries to modify a user's system, Windows User Account Control (UAC) will display a warning that informs the user about the software's publisher.
-
-Other platforms have different methods for signing and verification, some of them are also listed in this guide.
diff --git a/docs/code-signing/media-coverage.md b/docs/code-signing/media-coverage.md
deleted file mode 100644
index c016737..0000000
--- a/docs/code-signing/media-coverage.md
+++ /dev/null
@@ -1,174 +0,0 @@
----
-header: Media Coverage of Breaches
-layout: resources
-toc: true
-show_toc: 2
-description: A summary of recent media reports about breaches related to insecure code signing practices
----
-
-## Overview
-
-Recent attack reports, tech and mainstream media as well as research groups show the increasing role of **supply-chain attacks** using **stolen code signing certificates** (or more accurately, their private keys) in targeted attacks.
-
-In short, while high-value targets often have their defenses up, the same is not always the case for software vendors and contractors. So in order to compromise worthwhile targets, attackers will try to infiltrate them by attacking their suppliers first. With a valid signature from a known supplier, it is much easier to infiltrate the network of a hardened target.
-
-Major concepts include:
-
-* **Advanced Persistent Threat (APT) groups**: as [FireEye](https://www.fireeye.com/current-threats/apt-groups.html) summarizes in their list of APT teams, they are often **nation-sponsored** and attack their targets over months or years. In the case of stealing code signing keys, there are even dedicated teams that perform key theft as a support function for other teams (see [Winnti umbrella] below).
-* **Code Signing**: the process of applying a cryptographic signature to software components. Properly signed software can be verified to be signed by a specific publisher (authentication) and unmodified (integrity). Code signatures are verified by many platforms and tools, including operating systems, Web browsers, update mechanisms and anti-malware tools. See [code signing introduction](./introduction) for more information. Since in theory, a well-functioning code signing infrastructure can be used to effectively prevent malware infections, the code signing ecosystem itself is subject to increasingly fierce attacks.
-* **Supply chain attacks**: High-level targets such as government organizations, defense companies or infrastructure providers, are often well-prepared for internet attacks. In order to circumvent their defenses, hackers will attack organizations that provide software to their targets and are less prepared for sophisticated attacks, such as software vendors or contractors. Since malware injection would be detected through code signing, attackers will try to steal the victims private keys and sign infected software versions, or get the victim to do the signing. The signed and infected software will then be distributed to high-level attack targets. Once the infected code is executed within their network, attackers will try to steal data and passwords, and compromise further systems such as back-end servers.
-* **Multi-layered attacks**: a software product is infected not by direct attack of the vendor, but by attacking the producer, packager or distributor of a third party or Open Source component (see [PDF editor incident] below).
-* **Multi stage attacks**: an infected component is distributed to a wide audience to open a backdoor, but the actual malware is only distributed to selected high-value targets. These targets are either pre-defined in the first stage, or selected via **Command and Control (C2) servers**. All incidents described here follow this pattern.
-
-## Winnti umbrella
-
-Starting in 2013 and still active, Winnti umbrella is a collective of Chinese advanced persistent threat (APT) groups that attack software companies and game studios **primarily in order to obtain code signing certificates**. These certificates are then passed on to other APT groups that **attack high-level political and economic targets**.
-
-The original Winnti group was detected by **Kaspersky** and detailed in their 2013 APT report [Winnti. More than just a game](https://securelist.com/winnti-more-than-just-a-game/37029/). In 2018, **401TRG** published a report about the wider Winnti umbrella: [Burning Umbrella: An Intelligence Report on the Winnti Umbrella and Associated State-Sponsored Attackers](https://cyber-peace.org/wp-content/uploads/2018/07/20180503_Burning_Umbrella.pdf).
-
-Media coverage includes [Infosecurity Magazine (2018)](https://www.infosecurity-magazine.com/news/chinese-spy-groups-linked-under/) and [ZDNet (2019)](https://www.zdnet.com/article/chinese-hacking-group-backdoors-products-from-three-asian-gaming-companies/).
-
-Winnti umbrella is linked to several of the described below, including [ShadowPad] and [ShadowHammer].
-
-## Supply chain attacks
-
-### Stuxnet
-
-The most publicized incident dates back about a decade: When **Stuxnet** dealt a sustained setback to **Iran's nuclear program** through sabotage of their centrifuges in 2009/2010, it all started with a piece of malware transmitted to a PC via a USB flash drive. The malware was able to run and eventually infect the network because it was **signed with certificates of JMicron and Realtek**. Stuxnet has been attributed to the U.S. and Israel.
-
-The incident has been widely reported then and since. The [Stuxnet Wikipedia article](https://en.wikipedia.org/wiki/Stuxnet) is a good starting point for media references.
-
-### Bit9 breach
-
-In 2012, hackers **compromised code signing certificates** from security software vendor Bit9 (later renamed to [Carbon Black](https://www.carbonblack.com/)). These certificates were then used to sign malware in order to **attack defense industry customers of Bit9**.
-
-The attack was analyzed in detail by **[SANS institute](https://www.sans.org/)** in their 2015 report [The Scary and Terrible Code Signing Problem You Don't Know You Have](https://www.sans.org/reading-room/whitepapers/critical/scary-terrible-code-signing-problem-you-36382). As a conclusion, this report also includes a list of **recommendations for hardening code signing** infrastructure.
-
-The attack started with a **SQL injection** attack on a public-facing web server by an **Advanced Persistent Threat group**. When an archived virtual machine for code signing was reactivated in 2013, it was taken over and the **private key** for an old code signing certificate was **stolen**.
-
-Bit9 was a pioneer in **whitelisting-based endpoint protection** software. Instead of blacklisting malware signatures, whitelisting allows only certain programs based on code signing and file hashes, which is far more effective. However, the archived virtual machine was not protected by the company's own software, Bit9 Parity, which allowed for this breach.
-
-Some interesting **takeaways** from this incident:
-
-* The attack was sophisticated enough to **exploit an operational oversight**, the reactivation of a virtual machine that was not properly protected, **when it happened**.
-* Even for a **security software company** building a product based on code signatures, their own code signing process was far enough **removed from their core product and process** to allow for such an oversight.
-* Using **cryptographic hardware** for code signing would have prevented the private key theft (but attackers would still have been able to sign malware using the hacked server).
-
-**[Krebs on Security](https://krebsonsecurity.com)** has good coverage of this incident in the 2013 articles [Security Firm Bit9 Hacked, Used to Spread Malware](https://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/) and [Bit9 Breach Began in July 2012](https://krebsonsecurity.com/2013/02/bit9-breach-began-in-july-2012/).
-
-### Kingslayer supply chain attack
-
-From 2015 to 2017, the tool **EvLog** by cyber security vendor **Altair Technologies** was hijacked by hackers and used against high-profile targets.
-
-* The vendor's **code signing certificate key was stolen**
-* A **modified version** of the tool was created with a **backdoor Trojan**
-* **MSI installers and executables** for the modified tool were **signed** with the original vendor certificate
-* The vendor's web servers were hacked to **redirect download links** to attacker-controlled servers
-* These servers contained the modified, signed files
-* The version including the backdoor downloaded **additional payload for pre-determined attack targets** from a Command and Control (C2) server (second stage attack)
-
-The **eventual targets** are unknown, as an eleven month period is missing from the monitoring data of researchers. However, the vendor's **customers** include major **telecommunication** providers, **military** organizations, Fortune 500 companies, **defense** contractors, **IT product manufacturers** and solution providers, western **government** organizations, **banks and financial institutions**, and higher educational institutions.
-
-RSA researchers point out that a supply chain attack of this grade will **circumvent many security measures of even hardened organizations**, since highly **privileged network administrators** are directly compromised. **Antivirus tools fail** to recognize this kind of malware, whether based on virus signatures or behavior analysis. RSA expects this attack to be **a template for many to follow**.
-
-In their conclusions, the researchers recommend that **tool vendors pay special attention** to their infrastructure and **code signing** mechanisms, including use of **Hardware Security Modules** (HSMs) and validated time stamping.
-
-The incident was originally analyzed and reported by **RSA Research** on their [blog](https://www.rsa.com/en-us/blog/2017-02/kingslayer-a-supply-chain-attack). Later, Canadian cyber security firm *Altair Technologies* was identified as the victim. **Krebs on Security** accused the firm of trying to conceal the incident in the 2017 article [How to Bury a Major Breach Notification](https://krebsonsecurity.com/2017/02/how-to-bury-a-major-breach-notification/), also [reported by **SC Magazine**](https://www.scmagazineuk.com/vendor-hiding-supply-chain-cyber-attack-gets-uncovered-krebs/article/1475233). Also in 2017, **Security Week** reported a China connection in their article [Serious Breach Linked to Chinese APTs Comes to Light](https://www.securityweek.com/serious-breach-linked-chinese-apts-comes-light).
-
-### ShadowPad
-
-In 2017, **server management software** by NetSarang was infected with a backdoor. The software was **signed** with a legit NetSarang certificate and subsequently **distributed** to customers.
-
-After installation, the software would keep contacting **Command and Control servers** based on dynamically generated DNS names. The backdoor was fully equipped to **extract data** and to **load and execute further code**.
-
-The attack was discovered by **Kaspersky** after being tipped off by a customer's security team. Kaspersky published the report [ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World](https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world) and a detailed analysis on their [SecureList](https://securelist.com/shadowpad-in-corporate-networks/81432/) site.
-
-According to Kaspersky, this was one of the most significant supply-chain attacks at the time, **potentially targeting "hundreds of customers** in industries like financial services, education, telecoms, manufacturing, energy, and transportation." The attack was detected soon, and NetSarang reacted quickly. While infected systems were only identified in Hong Kong, more infections could not be ruled out.
-
-As a Kaspersky researcher concluded:
-
-*"ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.*"
-
-Media coverage was provided by [The Register](https://www.theregister.co.uk/2017/08/15/netsarang_software_backdoor/) among others.
-
-### CCleaner supply chain attack
-
-Also in 2017, a backdoor was implanted in the popular Windows utility **CCleaner**. When Chinese hacker group Axiom/APT17 managed to compromise the vendor, the modified software was not only signed, but entered the regular distribution process too. This resulted in malware **infection of more than 2 million users.** The first attack stage only extracted non-sensitive data from infected machines. See the [Wikipedia article](https://en.wikipedia.org/wiki/CCleaner#Trojan_in_distributed_program) for more information, including media references.
-
-Reporting by [**Talos**](https://blog.talosintelligence.com/2017/09/avast-distributes-malware.html) and [**Cisco**](https://blogs.cisco.com/security/talos/ccleaner-c2-concern) (2017) identified a **second stage** of targeted infections: "Only about 40 PCs operated by **high-tech and telecommunications companies were further infected**". The target list included HTC, Samsung, Sony, VMware, Intel, Microsoft, Cisco, O2, Vodafone, Linksys, Epson Akamai, and DLink.
-
-In 2018, [**SC Magazine** reported](https://www.scmagazineuk.com/avast-ccleaner-hackers-planned-infect-victims-third-stage-chinese-hacking-tool/article/1473074) that a **third-stage** attack of infected PCs had already been prepared. When this was detected, only a few machines at CCleaner producer Piriform had been infected. The **malware was customized** for Piriform, leading researchers to the conclusion that this was an **elaborate supply chain attack**: by infecting millions of users, the attackers were essentially casting a very wide net in order to compromise only a few select targets.
-
-Whether this was the final stage is unknown, compromising tech firms might have been just the setup for attacks on some of their customers.
-
-### ASUS: ShadowHammer
-
-In 2019, a sophisticated **supply chain attack** on computer manufacturer **ASUS** was detected by **Kaspersky** and described in their APT report [Operation ShadowHammer](https://securelist.com/operation-shadowhammer/89992/).
-
-Once more, software from a legitimate vendor was **modified, signed and distributed** through the vendors official web site. The update was **automatically downloaded and installed** on many systems, since it had a **valid code signature** from ASUS.
-
-The modified version of **ASUS Live Update** included a list of target MAC addresses for the eventual targets of the attack. Any targeted PC would download a **second stage malware** from a Command and Control (C2) server. The actual targets have not yet been disclosed. As with most sophisticated, targeted attacks, **nation-state actors** are assumed to be responsible.
-
-Kaspersky reports a **victim distribution** with a focus on the **EU** (50%), **Russia** (18%) and **North America** (7%).
-
-As an automatic update mechanism was abused to distribute malware, there is always a risk that some users come to the conclusion that it would increase their security to **disable updates**, a notion widely **rejected by experts**.
-
-As the [New York Times](https://www.nytimes.com/2019/03/27/opinion/asus-malware-hack.html) writes:
-
-*"The main responsibility lies with the industry. Asus will no doubt be criticized for allowing its servers to be compromised and for failing to detect that it had been distributing malicious software to its customers. Other vendors should take note and harden their own systems."*
-
-The incident was also reported by [Wired](https://www.wired.com/story/asus-software-update-hack/), [Motherboard](https://motherboard.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers), [SC Magazine](https://www.scmagazine.com/home/security-news/cybercrime/a-threat-actor-hijacked-asuss-software-update-to-install-backdoors-on-thousands-of-computers-and-ultimately-push-malware-to-machines/), [BleepingComputer](https://www.bleepingcomputer.com/news/security/asus-live-update-infected-with-backdoor-in-supply-chain-attack/), [Wall Street Journal](https://www.wsj.com/articles/malware-attack-on-asus-computers-raises-concerns-11553638579) and many others.
-
-## Coverage by Microsoft
-
-### Microsoft Security Intelligence Report 2018
-
-In [volume 24](https://www.microsoft.com/security/blog/2019/02/28/microsoft-security-intelligence-report-volume-24-is-now-available/) of its regular report, Microsoft emphasizes that **breaking chains of trust** through **supply chain attacks** is becoming an increasing problem.
-
-*"The increased number of software supply chain attacks over the past few years has become an important topic in many cybersecurity conversations and is a primary source of concern in many IT departments."*
-
-The reports lists the following incidents for 2017:
-
-* [Petya ransomware outbreak](https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/)
-* [Operation WilySupply](https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/)
-* [ShadowPad](https://www.kaspersky.com/about/press-releases/2017_shadowpad-how-attackers-hide-backdoor-in-software-used-by-hundreds-of-large-companies-around-the-world) (Kaspersky)
-* [CCleaner](https://www.rsaconference.com/events/us18/agenda/sessions/10593-ccleaner-apt-attack-a-technical-look-inside) (RSA Conference)
-
-For 2018, Microsoft mentions the following incidents:
-
-* [Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign](https://www.microsoft.com/security/blog/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/)
-* [Compromised Auto-Update Mechanism Affects South Korean Users](https://blog.trendmicro.com/trendlabs-security-intelligence/compromised-auto-update-mechanism-affects-south-korean-users/) (Trend Micro)
-* [VestaCP compromised in a new supply-chain attack](https://www.welivesecurity.com/2018/10/18/new-linux-chachaddos-malware-distributed-servers-vestacp-installed/) (ESET)
-
-#### PDF editor incident
-
-* [Attack inception: Compromised supply chain within a supply chain poses new risks](https://www.microsoft.com/security/blog/2018/07/26/attack-inception-compromised-supply-chain-within-a-supply-chain-poses-new-risks/): Malware payload introduced in popular PDF editor
-
-This incident is highlighted for its **multi-layered supply chain approach**: A vendor of a PDF editor was tricked into downloading a **compromised third party component** from a slightly modified mirror source, custom-built for this attack. This mirror had a single modified MSI installer that was then distributed with the PDF editor. While the modified component was not signed, it still ended up in the official PDF editor distribution, signed by the vendor. The **vendor didn't check for third-party signatures before signing** their own package.
-
-The incident is further explained at [1:09](https://www.youtube.com/watch?v=uXm2XNSavwo&t=1m9s) in the video mentioned below.
-
-### Supply chain attacks video
-
-Microsoft produced an [educational video](https://www.youtube.com/watch?v=uXm2XNSavwo) about software supply chain attacks in 2018.
-
-Some of the **supply chain media coverage** Microsoft mentions in the video:
-
-* [Software maker fingered in Korean hackocalypse](https://www.theregister.co.uk/2011/08/12/estsoft_korean_megahack/) (The Register, 2011)
-* [Rogue software update cause Malware attack on Japanese Nuclear Power Plant](https://thehackernews.com/2014/01/rogue-software-update-cause-malware_9.html) (The Hacker News, 2014)
-* [Russian Hackers Targeting Oil and Gas Companies
-](https://www.nytimes.com/2014/07/01/technology/energy-sector-faces-attacks-from-hackers-in-russia.html) (New York Times, 2014): "The manner in which the **Russian hackers** are targeting the companies also gives them the opportunity to **seize control of industrial control systems** from afar, in much **the same way** the United States and Israel were able to use the **Stuxnet computer worm** in 2009 to take control of an Iranian nuclear facility’s computer systems and destroy a fifth of the country’s uranium supply, [private cyber security] researchers said."
-* [How installing League of Legends and Path of Exile left some with a RAT](https://arstechnica.com/information-technology/2015/01/how-installing-league-of-legends-and-path-of-exile-left-some-with-a-rat/) (Ars Technica, 2015)
-* [Kingslayer: a supply chain attack](https://www.rsa.com/en-us/blog/2017-02/kingslayer-a-supply-chain-attack) (RSA Security, 2017)
-* [Ask Partner Network compromised second time in two months](https://www.scmagazine.com/home/security-news/cybercrime/ask-partner-network-compromised-second-time-in-two-months/) (SCMagazine, 2017)
-* [Hackers Program Bank ATMs to Spew Cash](https://www.wsj.com/articles/hackers-program-bank-atms-to-spew-cash-1479683814) (Wall Street Journal, 2016)
-* [Microsoft says: Lock down your software supply chain before the malware scum get in](https://www.theregister.co.uk/2017/05/05/malware_attacking_payment_systems/) (The Register, 2017)
-* [Microsoft: Petya ransomware attacks were spread by hacked software updater](https://www.zdnet.com/article/microsoft-petya-ransomware-attacks-were-spread-by-hacked-software-updater/) (ZDNet, 2017)
-* [Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak](https://www.microsoft.com/security/blog/2018/03/13/poisoned-peer-to-peer-app-kicked-off-dofoil-coin-miner-outbreak/) (Microsoft, 2018)
-
-[Winnti umbrella]:#winnti-umbrella
-[Bit9]:#bit9-breach
-[ShadowPad]:#shadowpad
-[ShadowHammer]:#shadowhammer
-[PDF editor incident]:#pdf-editor-incident
-[code signing introduction]: ../introduction
diff --git a/docs/code-signing/private-keys.md b/docs/code-signing/private-keys.md
deleted file mode 100644
index d8f75db..0000000
--- a/docs/code-signing/private-keys.md
+++ /dev/null
@@ -1,104 +0,0 @@
----
-header: Storage of Private Keys
-layout: resources
-toc: true
-show_toc: 2
-description: How do key storage and management practices affect the security of your code signing process?
----
-
-## Overview
-
-How do you keep your keys secure? There are a number of ways to store your private keys, but only hardware security modules (HSMs) guarantee that the private key cannot be extracted:
-
-* [PFX files with private keys](#pfx-files-with-private-keys)
-* [Windows certificate store](#windows-certificate-store)
-* [USB HSM tokens](#usb-hsm-tokens)
-* [Professional HSMs](#professional-hsms)
-
-{:.panel.info}
-> **EV and OV certificates**
->
-> Extended Validation (EV) certificates are only available with HSMs. While Organization Validated (OV) certificates can still be obtained from many Certificate Authorities without hardware protection, this is considered insecure.
-
-## PFX files with private keys
-
-### Risks
-
-* A brute force attack on the PFX password might successfully retrieve your private key.
-  * Depending on the entropy of your password and the password cipher your PFX file uses.
-  * The PFX format does not prescribe a specific cipher.
-  * Also, some files use a weak cipher for the container and a strong cipher for the private key with the same encryption key, so a brute force attack on the weak cipher will also reveal the encryption key for the private key.
-* If your password leaks, your private key is accessible to everyone who has access to the PFX file.
-  * In general, memorizable passwords are unsafe, and high-entropy passwords need to be stored securely.
-  * It is very tempting for development and DevOps teams to store PFX files in accessible locations such as file servers or source code repositories. Also, PFX passwords might be stored in build scripts and batch files.
-  * This basically shifts the burden from private key secrecy to password secrecy.
-* Sometimes PFX files are considered secure because they are only used for certificate installation. However, even a temporary exposure of the PFX file (e.g. via file shares, backup media or e-mail storage) will nullify this assumption.
-* Key theft or abuse cannot be detected.
-
-### Verdict
-
-Does not meet basic security requirements.
-
-## Windows certificate store
-
-### Risks
-
-* Certificates can be installed on machines without allowing key export. However, this relies on DPAPI storage, which relies on password secrecy and supports several restore options. DPAPI should not be trusted to keep secrets from people with access to the computer or disk, whether physical or remote, running or at rest.
-* While DPAPI supports a certain level of event logging, this is intended for troubleshooting, not security.
-* While CryptoAPI (which is used by Microsoft's signing tools) provides logging, it is up to the computer's administrator to ensure that logging is enabled, that logs are stored for a defined period, and that logs cannot be truncated and will not roll over.
-* Even if the private key cannot be obtained as clear text, it can still be used by authorized users and services to create unwanted signatures.
-* Key theft or abuse cannot be detected reliably.
-
-### Verdict
-
-* Some resistance against key theft, but unlikely to withstand professional attacks.
-* Limited control over key usage.
-
-## USB HSM tokens
-
-### Assumptions
-
-* FIPS 140-2 Level 2 or higher.
-* Certificates are either pre-installed on the USB-token by the CA, or the certificates are created via a CSR from a private key that was generated by the device.
-
-### Remaining risks
-
-* While the private key cannot be retrieved from the USB device, the device itself must be kept secure. Since USB devices can easily be removed, this basically rules out permanent installation on build machines unless additional physical security measures are taken.
-* Access to private keys is usually protected with proprietary password protection. Password entry is usually designed for manual usage scenarios such as authentication or signing of documents. USB HSM tokens do not usually provide secure authentication for automated scenarios.
-* Unless the USB device has a proprietary logging mechanism, key abuse cannot be detected.
-
-### Verdict
-
-* Persistent key theft requires physical access and is easily detected
-* Limited control over key usage. Dependency on secret password or PIN in case of physical access or access to the computer.
-
-## Professional HSMs
-
-### Assumptions
-
-* FIPS 140-2 Level 2 or higher.
-* Certificates are created via a CSR from a private key that was generated by the device.
-
-### Remaining risks
-
-* Depending on connectivity, the HSM is always available on the network or on the computer where it is installed, access to the HSM must be constrained to ensure that only authorized users and services can use the private keys of code signing certificates.
-* Additional measures are necessary in order to ensure that only valid signings are performed, especially in scenarios where many users, services or computers have access to the HSM.
-  * Consider that developers, build engineers and test engineers often have extensive permission on build environments for troubleshooting, including remote access. In this case, it is easy to perform unmonitored and unaudited code signings.
-* While secure logging is usually provided by HSMs, the resulting low-level log entries are hard to correlate to code signings, especially in scenarios where multiple software artifacts are signed for a single software release.
-
-### Verdict
-
-* Key theft impossible if security procedures are followed.
-* Limited control over key usage.
-* Auditing is possible but difficult to monitor without process alignment.
-
-HSMs are required for EV certificates for a reason, and strongly recommended for any code signing implementation. However, their security advantages come with a price.
-
-* High TCO for professional HSMs
-  * Considerable hardware cost
-  * Vendor training for HSM operators
-  * Elaborate administrative procedures for secure operation, often requiring physical presence of several operators
-* Dependency on physical device access for non-network devices (USB or PCI)
-  * Only network HSMs can be shared in distributed build systems
-* Dependency on installation of vendor CSPs *(CryptoAPI Cryptographic Service Providers)*
-  * Note that CryptoAPI is a legacy technology, so vendor CSPs are sometimes outdated and poorly supported. However, most code signing mechanisms by Microsoft including Authenticode cannot use the more modern *Cryptography API: Next Generation* (CNG) model.
diff --git a/docs/code-signing/test-certificates.md b/docs/code-signing/test-certificates.md
deleted file mode 100644
index c0a9aa4..0000000
--- a/docs/code-signing/test-certificates.md
+++ /dev/null
@@ -1,76 +0,0 @@
----
-header: Managing Test Certificates
-layout: resources
-toc: true
-show_toc: 3
-description: How to enroll test certificates with an intentionally limited scope.
----
-
-## Overview
-
-Test certificates can be used to sign development builds that are not going to be distributed to your users or customers. You can read how to create test certificates in SignPath in the [user guide](/documentation/managing-certificates) In order to ensure your artifacts behave the same way during installation even though they are not signed by commercial CA you need to trust the certificate on the computers you use for testing. There are some options when managing test certificates:
-
-* You can either create **self-signed** certificate or create them using an **in-house CA**.
-* You can roll out the certificate by installing them **manually** or by using **automated processes**.
-
-## Creating certificates
-
-You have two options to create certificates:
-
-### Self-signed certificates
-
-Self-signed certificates can be created right from within SignPath and don't require an additional setup of tools and infrastructure. The disadvantage is that you cannot revoke the certificate, but have to remove it from each computer if it was misused.
-
-### In-House CA
-
-To use an in-house CA, you can create a certificate signing request (CSR) in SignPath and use your in-house CA (e.g. Microsoft Active Directory Certificate Services or OpenSSL) to issue the test certificate. The certificate can then be imported into SignPath. By using an in-house CA, you have one controlled instance for your public key infrastructure (PKI) and a straight-forward revocation process, in case the certificate has been misused.
-
-## Installing certificates
-
-Certificates can be rolled out to your test computers manually or using an automated process. You should generally add self-signed test certificates to the `Trusted Root Certification Authorities` certificate store of computers you use for testing your software. If you do this, Windows will treat your test certificates as if they were issued by a trusted Root CA.
-
-{:.panel.tip}
-> **Trusted publishers**
->
-> You may also add your test certificates to the `Trusted Publishers` store on internal machines. This is what happens when a user choses to always trust this publisher during installation, and therefore results in the same behavior, so don't do this if you want to replicate the default behavior on user machines.
-> 
-> Adding a certificate to this store will affect User Account Control (UAC) device driver installation prompts as well as whitelisting features such as Software Restriction Policies (SRP), AppLocker and WDAC Code Integrity Policies. 
-> 
-> Only add your certificates to this store for computers in your own organization, don't use your installer to add your certificate to this store.
-
-### Manual installation
-
-On Windows, you can install certificates by following these steps:
-
-1. Open the certificate in Windows Explorer
-    * For certificate file: select *Open*.
-    * For signed files: select *Properties* from the context menu, go to the *Digital Signatures* tab, open a signature (Details) and select *View Certificate*.
-2. In the certificate property window, click *Install Certificate...*
-3. Select *Current User* or *Local Machine* location
-4. Select the *Trusted Root Certification Authorities* store
-
-### Using scripts and batch files
-
-* In PowerShell scripts, use 
-  ~~~ powershell
-  Import-Certificate $certificate_file -CertStoreLocation Cert:\LocalMachine\Root
-  ~~~
-* In batch files, use 
-  ~~~ 
-  CertUtil -addstore Root <certificate-file>
-  ~~~
-
-These commands require administrative permissions.
-
-### Auto-enrollment
-
-Use Group Policy Objects (GPOs) to add certificates to computers.
-
-* In order to trust a certificate, create a GPO for
-  * `Windows Settings`
-  * `Security Settings`
-  * `Public Key Policies/Trusted Root Certification Authorities`
-* In order to explicitly un-trust a certificate, create a GPO for
-  * `Windows Settings`
-  * `Security Settings`
-  * `Public Key Policies/Untrusted Certificates`
diff --git a/docs/code-signing/theory.md b/docs/code-signing/theory.md
deleted file mode 100644
index ed27828..0000000
--- a/docs/code-signing/theory.md
+++ /dev/null
@@ -1,318 +0,0 @@
----
-header: Theory
-layout: resources
-toc: true
-show_toc: 2
-description: An in-depth look into general code signing technologies and procedures
----
-
-## Overview
-
-All common types of code signing are based on public-key cryptography.
-
-* *Software publishers* use a secret private key to sign their code
-* *Clients* verify the signature using the public key
-* *Certificates* connect public keys to identities
-* *Certificate authorities* (CAs) validate publishers’ identities and issue X.509 certificates
-
-Here's a simplified overview of the interaction between all parties:
-
-![Overview](/assets/img/resources/code-signing/overview.png)
-
-* **(1)** A software publisher selects a CA to buy a certificate from. Certificates have to be renewed every one to three years, depending on certificate validity.
-* **(2)** The CA requires the software publisher to identify using public registers, documents and/or direct contact. Methods vary between CAs and depending on certificate type (OV or EV).
-* **(3)** The software publisher holds the private key of the certificate. Using this key, they sign every release of their software.
-* **(4)** The signed software is shipped to users. The distribution method does not matter, since the signature is part of the distribution package.
-* **(5)** The user downloads the software. Depending on the download method and source, different signature verification mechanisms may be triggered.
-* **(6)** The signature will usually be verified by the operating system, Web browser, app store client, or another system such as the Java environment. Verification includes cryptographic verification of the signature and checking certificate validity.
-* **(7)** Depending on the result of this verification, client software will take an appropriate path of action.
-
-Signature verification usually takes place during installation or first execution. However, depending on the system and configuration, it might also be done for every single program execution.
-
-This process can be simple in theory, but as they say, the devil is in the detail. This page tries to provide a concise summary of X.509-based code signing. <!-- add links for windows, risks, process etc later -->
-
-## Public-key cryptography
-
-Code Signing is based on public-key cryptography (also known as asymmetric cryptography). This method allows digital data to be signed in a secure and verifiable way.
-
-The basic concept of public-key cryptography is that keys are always generated in pairs: a public key and a private key. The private key is only known to its owner, while the public key is known to everyone.
-
-While most known for its use in encryption, public-key cryptography is also used for electronic signatures. It works like this:
-
-* The signer, let’s call her Alice, uses her secret private key to sign a file.
-* The receiver, Bob, knows Alice’s public key.
-* When Bob receives a file signed by Alice, he can use Alice's public key to verify that the file was signed by Alice, and that it has not been modified since.
-
-Key distribution seems easy now: The private key *must not* be shared with anybody, and the public key needs no protection at all. However, this creates a new problem: How to ensure that a certain public key actually belongs to a specific entity?
-
-The solution to this is called a public key infrastructure (PKI). PKIs issue certificates that each contain a public key and the owner's identity. The most common type of PKI used today in general (and by all major signing platforms) is based on certificate authorities and the X.509 system of certificates.
-
-## Certificates
-
-Public-key certificates are the corner stones of any public-key infrastructure. A certificate binds the identity of the private key's owner to the public key. It is signed by a Certificate Authority in order to allow verification of this binding.
-
-The most used certificate type is X.509, a certificate standard that is used for HTTPS (SSL/TLS client and server certificates), code signing, and other uses such as email (S/MIME) and PDF signing.
-
-These certificates are technically similar, they differ mostly in key usage attributes and subject information (see next section).
-
-### Certificate contents
-
-The following information is stored in certificates:
-
-* **Subject:** The identity of the private key's owner. The subject is provided in the form of a distinguished name. It has the following attributes:
-  * *Common Name (CN):* The owner's identifier. For HTTPS server certificates, this is the domain name (e.g. www.google.com). For all other certificates, including code signing, this is the organization. Required.
-  * *Organization (O):* The legal name of the owner. Only required for some types, see next section.
-  * *Organizational Unit (OU):* The OU within the owner organization responsible for this key. Optional.
-  * *Country (C), State or Province (S)* and *Locality (L):* The specified organization's registered location. The organization name must be unique within this location, which means that at least the country must be specified for any organization.
-* **Public key:** The public key that matches the owner's private key.
-* **Serial number:** Unique number assigned by the CA. Used for revocation.
-* **Validity period:** The certificate may only be accepted within the period specified by *not before* and *not after*.
-* **Issuer** and **signature:** Name and signature of the issuing CA.
-
-Important extensions and optional fields include:
-
-* **Key usage** and **extended key usage:** Specifies which purposes this certificate may be used for.
-* **Basic constraints:** Indicates whether a certificate can be used to issue certificates.  
-* **Certificate policies:** Points to CA policy documentation and indicates the type of certificate (DV, OV, EV).
-* **Subject alternative name:** Used to list additional domain names for multi-domain HTTPS certificates.
-* **CRL distribution points** and **authority information access:** Used to provide information about revocation services (CRL and/or OCSP).
-
-Note that many of these fields use dot-separated numbers called *Object Identifiers* (OIDs). A reference can be found at [oid-info.com](http://oid-info.com/) or [oidref.com](http://oidref.com/).
-
-### Certificate types
-
-X.509 certificates come in three flavors:
-
-* **Domain Validation (DV):** The subject of the certificate is a DNS domain, such as www.google.com. Only the Common Name (CN) attribute of the subject is used. Used for HTTPS server certificates. For identity verification, proof of technical control over DNS entry or HTTP server is sufficient.
-* **Organization Validation (OV):** The legal identity of the owner is verified using public registers, documents and/or direct contact. At least Organization (O) and Country (C) must be specified as a result.
-* **Extended Validation (EV):** Like OV, but with additional requirements.
-  * Certificate authorities are required to take greater care when issuing Extended Validation certificates. The identity vetting process is more involved, and therefore EV certificates are more expensive.
-  * Software publishers using EV certificates are required to store their private keys on dedicated hardware, so they cannot be stolen by hackers. (For OV code signing certificates, this is only a recommendation.)
-
-The consequences of Extended Validation differ between HTTPS and code signing:
-
-* For HTTPS server certificates, browsers usually reward EV validation by displaying the organization’s legal name in a green box next to the URL field.
-* For code signing certificates, additional trust may be assigned to EV certificates. For instance, Microsoft SmartScreen awards full reputation to new EV certificates.
-
-(The European Union is currently working to establish a certificate system that is subject to stricter verification and carries even more legal weight called *qualified digital certificates*. This system defines a completely new set of rules outside the established CA landscape.)
-
-### Differences between HTTPS and code signing certificates
-
-* HTTPS server certificates can use all types of validation (DV, OV or EV).
-* Code Signing certificates always use at least Organization Validation (OV or EV).
-* DV HTTPS certificates are provided for free by [Let's Encrypt](https://letsencrypt.org/). Since Domain Validation cannot be used for code signing, Let's Encrypt does not provide code signing certificates.
-* The utility of Extended Validation for HTTPS certificates is currently debated due to decreasing browser emphasis. This discussion does not apply to code signing certificates.
-
-### Certificate files
-
-There are several file formats for storing certificates:
-
-* **DER encoded:** binary encoded ASN.1 certificates and keys
-  * .der
-  * .cer, .crt (rarely used)
-* **PEM:** Base64 encoded DER files and/or private keys
-  * .pem
-  * .cer, .crt
-* **PKCS#12:** contain certificates and optionally private keys
-  * .p12
-  * .pfx (named after the legacy PFX format, but usually in PKCS#12 format)  
-* **PKCS#7:** signature files without signed data
-  * .p7b, .p7c
-
-Certificate files can contain a single certificate or an entire certificate chain up to the root certificate. Some formats can also contain private keys protected with a password or pass-phrase.
-
-The prevalence of files containing both certificates *and* private keys leads some people to think certificates contain private keys. This is not the case.
-
-It is recommended to store private keys only on secure hardware, such as HSMs.
-
-* If possible, use your public key to create a Certificate Signing Request (CSR). A CA can then issue a certificate based on this CSR. CAs do not need your private keys.
-* We recommend that you use DER-encoded formats exclusively, since they are guaranteed not to contain private keys.
-
-{:.panel.warning}
-> **Private keys are not safe in PFX files**
->
-> PFX files with private keys are convenient, but are considered insecure. Read about [alternatives](/code-signing/private-keys).
-
-## Certificate Authorities (CAs)
-
-An issuer of certificates is called a Certificate Authority (CA). There are two common types of CAs:
-
-* **Commercial CAs** are dedicated companies that verify identities and issue certificates for a fee. Commercial CAs are usually audited according to WebTrust criteria, and have their root certificates distributed with major operating systems and browsers. Their main business is issuing SSL certificates for HTTPS, but they also issue certificates for code signing, e-mail and document signing.
-* **In-house CAs** are operated by organizations for internal use. These certificates are distributed within the organization’s network to their PCs and servers. In-house CAs use software like *Microsoft Active Directory Certificate Services* or *OpenSSL*.
-
-CAs use their own root certificates to create new certificates. These root certificates are often pre-installed on devices (e.g. via the Microsoft Root Certificate program and Windows updates) or distributed in corporate networks (e.g. via Windows *Group Policy Objects* for in-house CAs).
-
-When a CA issues a certificate, it uses its own root certificate (and the associated private key) to sign the issued certificate. Therefore, every computer that trusts the issuing CA will also trust the issued certificate.
-
-### Self-signed certificates
-
-For testing purposes, certificates are often created ad-hoc, without use of a CA. These certificates are self-signed, i.e. they are signed with their own private key. Self-signed certificates must be trusted explicitly by the user’s system, or they will not be accepted.
-
-## Certificate chains
-
-A typical certificate is issued by an intermediate certificate. The intermediate certificate is in turn issued by the root certificate. The sum of all these certificates is called a certificate chain.
-
-A typical certificate chain looks like this:
-
-![Certificate chain](/assets/img/resources/code-signing/certificate-chains-abstract.png)
-
-Let’s examine this in detail:
-
-* The *CA root certificate* is self-signed.
-  * It is well-known to the client and therefore trusted.
-* The *CA intermediate certificate* is issued by the *CA root certificate*:
-  * Its *issuer* attribute is set to *CA root certificate*.
-  * It is signed using the private key corresponding to the *CA root certificate*.
-* *Some company’s certificate* is issued by the *CA intermediate certificate.*
-  * Its *issuer* attribute is set to *CA intermediate certificate*.
-  * It is signed using the private key corresponding to the *CA intermediate certificate.*
-
-For instance, the actual certificate chain of Mozilla’s Firefox (firefox.exe) looks like this:
-
-![Firefox certificate chain sample](/assets/img/resources/code-signing/certificate-chains-concrete.png)
-
-In order to verify the legitimacy of a signature, a client needs to know the entire certificate chain. Therefore, certificate files usually contain not only the certificate, but also every certificate in its chain of parents.
-
-{:.panel.info}
-> **Intermediate certificates**
->
-> Root certificates cannot be revoked. If there is a security problem with any of them, they must be removed from every computer. Therefore, private keys for root certificates must not be stored in systems connected to networks. Issuing an intermediate certificate is a process that is rarely performed and requires physical access to the system that stores and protects the root certificate’s private key. On the other hand, common certificates are usually issued online. This only requires access to the intermediate certificate’s private key, a far less critical resource.
-
-## Certificate revocation
-
-Sometimes certificates are issued in error. And sometimes rightfully issued certificates are either abused, or their private keys are compromised. If a certificate authority learns of such an incident, they are required to revoke this certificate.
-
-Each revocation has an effective date, which is often back-dated. For instance, if a publisher finds out that a certificate’s private key has been stolen two months ago, it will inform the CA, which in turn will issue a revocation effective two months ago. Signatures that were applied before this date will still be considered valid if the signature is time-stamped (see below).
-
-Certificate revocation is an essential part of the certificate validation process. When a client encounters an unknown certificate, it must contact the certificate authority and check whether this certificate has been revoked. If a certificate has been revoked, the client will not accept signatures from past the revocation date.
-
-{:.panel.info}
-> **Revocation protocols and reliability**
->
-> The certificate contains the URL for this check, and depending on the mechanisms provided, the client can either download a full Certificate Revocation List (CRL) or check validity of an individual certificate through the OCSP protocol.
->
-> Certificate revocation for code signing is considered more reliable than revocation for HTTPS certificates. The main weakness for HTTPS certificate revocation is that an attacker who is able to mount an HTTPS attack is often already in the position to intercept network traffic to revocation servers too. This is generally not true for code distribution attacks.
->
-> However, note that Windows uses a soft revocation check policy. If the revocation server cannot be reached, certificates are accepted by default.
-
-## Time stamping
-
-After signing a software artifact, the signature should be counter-signed by a time stamp authority (TSA). A time stamp provides proof that the signing has taken place at a certain date and time.
-
-Each code signing certificate has a validity period of usually one to three years. Without timestamps, all signatures would be invalid after this period. Time stamps extend each signatures signature validity to that of the time stamp certificate, which is usually at least another 10 years from the time of signing.
-
-Also, signatures would become invalid if a certificate is revoked later, even if the certificate is still considered valid for the time of signing.
-
-Note: While the latter occurs less often, it would indirectly create a security problem: having a large number of legitimately signed binaries without time stamps would strongly discourage revocation of compromised certificates.
-
-Certificate authorities that issue code signing certificates must also offer a free time stamping service. However, they usually apply quotas to individual client IP addresses and do not guarantee service availability, which sometimes leads to problems in automated code signing scenarios.
-
-{:.panel.warning}
-> **Always time-stamp your signatures**
->
-> If your code is signed without a time stamp, all signatures will immediately become invalid if you have to revoke your certificate. This can cause considerable trouble, especially if you need to re-build and re-distribute older releases. Since this might even keep people from revoking compromised certificates, it is also a security risk.
->
-> Note that the same is true for invalid time stamps as well as for weak time stamps that will eventually be rejected by client software, such as SHA-1.
-
-### Time stamp assertions
-
-A correct time stamp signature proves that the primary code signature was applied at a certain date and time.
-
-The following constraints apply:
-
-* As far as the TSA can tell, the code signature might have been applied earlier than the time stamp, but that would not matter for the purposes presented here.
-* The validity of the primary signature is not confirmed by the TSA. In fact, the TSA never receives this information.
-
-{:.panel.info}
-> **Counter signatures and TSA certificates**
-> 
-> A time stamp is a counter-signature, i.e. the primary code signing signature is itself signed by the time stamp authority (TSA). A time stamp signature uses a TSA certificate, which in turn has a certificate chain that terminates at a trusted root certificate.
-
-## Signatures
-
-Code Signing is performed by software publishers. They use their code signing certificates together with the matching private key to sign code they create.
-
-Usually, the publisher is identical to the creator of the software. This can be an app author, an independent software vendor (ISV), a software contractor, or an in-house development team. Signing is usually performed either during the software build process or later, but before delivery, publishing or deployment.
-
-Signing can also be performed by third parties, usually for code from contractors. Examples include game publishers and corporate IT departments that need to put their own signature on software created by others.
-
-Code Signing creates the following information:
-
-* The signature: the file’s hash digest, cryptographically signed with the private key
-* The certificate containing the public key matching the private key (and its entire certificate chain)
-
-When time stamped, the signature will be accompanied by a counter-signature, which in turn also consists of a signature and a certificate.
-
-## Signature formats
-
-### Embedded signatures
-
-Many file formats for programs and installation packages support embedded signatures. The signature then becomes a part of the signed file. This makes handling and verification of signatures  easy and reliable, during and after installation.
-
-Embedded signature formats are used by Microsoft (Authenticode) and Apple as well as Java and Android packages.
-
-### Separate signatures
-
-Signatures can also be stored separately from the signed files for various reasons:
-
-* The format of the signed file does not support embedded signatures
-* More than one file must be signed
-* Signatures should be distributed separately from the signed files
-
-Separate signing methods may or may not support signature verification after installation.
-
-Examples for separate signatures are Windows catalog files (.cat) and detached signature files used on Linux (.sig).
-
-### Package and manifest signatures
-
-Some signing methods use a combination of embedded and separate signatures.
-
-* Microsoft Installer (MSI) uses embedded signatures for the package file, thereby implicitly signing all files within the package. However, this information is lost after installation.
-* Several formats use manifest files that contain hash codes of other files. Since this often includes files that are supposed to change, such as configuration files, signatures are usually not verified after installation.
-
-In order to get all benefits from code signing, especially post-installation verification, executable files within packages and manifests must first be signed individually.
-
-## Signature validation
-
-A client that wants to verify a signature needs to perform several steps, all of them must succeed in order for a signature to be considered valid.
-
-* The hash digest for the signed artifact is calculated
-* All signatures and counter-signatures are validated cryptographically
-* Only trusted cryptographic algorithms may be used
-* The certificate must be valid
-  * It must have the key usage attributes necessary for the intended purpose (for example, code signing)
-  * The validity period must cover the current date, or, if a time stamp is present, the time stamp date
-  * The certificate must not have been revoked; if a time stamp is present, it must not have been revoked before the time stamp date
-  * The certificate must be trusted: it is either trusted by the client or the certificate chain reliably leads to a trusted root certificate
-
-Note that some platforms use additional mechanisms to verify the reliability of a piece of software that may or may not take signature information into account. The most prevalent mechanism is Microsoft SmartScreen, a cloud-based service that assigns reputation to certificates based on global usage monitoring.
-
-## Hash digests
-
-A signature is supposed to be authoritative for entire files, but the actual signing algorithm usually only accepts a small digest for input.
-
-{:.panel.info}
-> **Why do we need hash digests?**
->
-> * Input: The actual signing is supposed to take place within a secure system that owns (and protects) the private key, such as a hardware security module (HSM). Also, time stamp authorities (TSAs) must be called over the internet. Submitting large files to a HSM or TSA would not be a good use of resources.
-> * Output: If the entire file is signed, the signature would be as large as the file itself. So either the file size would double, or the actual signed file would have to be reconstructed from the signature (which is essentially the encrypted input).
-
-The first step in all signing operations is therefore the calculation of a cryptographic hash digest. A hash algorithm generates a single number, typically from a larger binary file. This number is called digest. Any modification to the original file, no matter how small, is supposed to result in a different digest.
-
-However, even for large digests (using many bits), there is a chance that different files may result in the same digest, which is called a hash collision. The chance of an accidental collision for a large digest is so small that it can usually be neglected. That said, a hacker might deliberately forge a file that results in the same digest as a signed one, making it possible to copy a valid signature from an existing file.
-
-Choosing the right cryptographic hash algorithm is supposed to make this impossible with current hardware. Algorithms that are considered to be secure include SHA-2 and SHA-3. SHA-1 and MD5 were once popular, but are now considered forgeable and should no longer be used in any cryptographic context. In fact, they are increasingly rejected during signature verification.
-
-Acceptable hash algorithms:
-
-* **Use:** SHA-2, SHA-3
-* **Do not use:** SHA-1, MD5
-
-The most commonly used variant today is SHA-256, which is short for SHA-2 with a 256 bit digest.
-
-{:.panel.warning}
-> **Always use SHA-2 Time Stamp Authorities**
->
-> Since time stamps are signatures too, they also need a hash algorithm. Many CAs provide SHA-1 and SHA-2, but SHA-1 is still the default in many scenarios.
->
-> Since time stamps are valid for many years, it's all the more important to use SHA-2 TSAs. Consult your CA's documentation for the correct SHA-2 URLs.
\ No newline at end of file
diff --git a/docs/code-signing/windows-platform.md b/docs/code-signing/windows-platform.md
deleted file mode 100644
index 22741f2..0000000
--- a/docs/code-signing/windows-platform.md
+++ /dev/null
@@ -1,189 +0,0 @@
----
-header: Windows Platform
-layout: resources
-toc: true
-show_toc: 2
-description: An in-depth look into the code signing technologies and procedures for Microsoft Windows
----
-
-## Signing methods
-
-The primary code signing mechanism of Windows is Authenticode. It is used to sign executables and libraries as well as installers, packages, device drivers, and PowerShell scripts. Additionally, some programs use code signing to validate add-ins on installation. They use specific package formats, such as ClickOnce (Microsoft Office) or Open Packaging Convention (Microsoft Visual Studio), and therefore require specific tools for code signing. Every program has its own rules for displaying and enforcing code signing.
-
-A new member of the code signing family is NuGet, a platform for distribution of program libraries to software developers. NuGet is currently introducing optional code signing with its own tool set. Code Signing will be verified by the NuGet Gallery ([nuget.org](https://www.nuget.org)) and displayed prominently online as well as in Visual Studio.
-
-## When are signatures verified?
-
-### Verifications for downloaded programs
-
-Windows marks downloaded software as insecure ("Mark-of-the-Web") and evaluates the code signature when it is executed. It requires a signature that is cryptographically valid, based on a certificate issued by a trusted Certificate Authority, and it checks various properties of the certificate and the signature.
-
-* A missing or invalid signature will lead to a security warning, encouraging the user to abort the execution.
-* A valid signature will either prompt the user with the publisher name, or silently execute the program, depending on the certificate’s SmartScreen reputation (see below).
-
-{:.panel.info}
-> **Mark-of-the-Web: downloaded files and code signing**
-> 
-> The Mark-of-the-Web (MotW) is a flag on a file that indicates it has been *downloaded from the internet*. It is applied by browsers and other tools that download files to local disks. This indicates to Windows that the program might not be secure. When the program is started, the signature and certificate validation process is executed. 
->
-> All major browsers for Windows apply the MotW correctly (Internet Explorer, Edge, Chrome, Firefox and Opera). Notably, 7zip does not propagate the MotW when unpacking. 
->
-> You can see (and remove) this indication in Windows Explorer by opening the program file’s Properties dialog just below the file attributes.
-
-#### Microsoft SmartScreen
-
-SmartScreen is a cloud-based system that compares downloaded software against lists of known programs and certificates. It is a vital part of Microsoft's anti-malware strategy.
-
-(The term SmartScreen is also used for a feature in Edge and Internet Explorer that helps avoiding phishing sites and social engineering attacks, a function that is not related to code signing.)
-
-| Validation and reputation | Action |
-|---------------------------|--------|
-| The program is not signed, or the signature is invalid | The user is warned not to start the program |
-| The program has a valid signature, but the certificate has little or no reputation | The name of the software publisher is displayed, and the user is prompted to proceed or abort |
-| The program is signed, and the certificate has reputation | The program is executed or installed
-
-There are two ways to gain **SmartScreen reputation**:
-
-* **Standard (OV) certificates:** The certificate is encountered several times in the wild, and no malign usage was reported. SmartScreen collects this data from Windows users.
-* **Extended Validation (EV) certificates:** these certificates have full reputation when they are issued.
-
-
-{:.panel.info}
-> **EV certificates strongly recommended for Internet downloads**
->
-> If your programs are downloaded and installed by users, SmartScreen reputation is very important. Without full reputation, users will be warned not to trust your software, and the option to execute or install it is hidden behind a "more information" link. 
-> 
-> Renewed standard (OV) certificates do not inherit reputation. Therefore, using OV certificates will result in warnings at least every three years (the maximum validity for code-signing certificates).
-
-{:.panel.product}
-> **SignPath.io: use EV certificates without USB tokens**
->
-> EV code-signing certificates must be stored on secure hardware. Normally this means that you will receive a USB token from the CA. These tokens are difficult to use in team scenarios and automated builds &ndash; you will have to store them safely and attach them to build computers when needed. They usually require installation of device drivers, CSPs, and often password entry for each signature. The need to build on a physical computer also defies the goal of having safe, reproducable build environments. 
-> 
-> **SignPath.io** stores certificates on a secure HSM, so you can purchase and use EV certificates without tokens. 
-> 
-> * Request an attested certificate siging request (CSR) from SignPath.io
-> * Buy an EV certificate from your favorite CA
-> * Download the certificate from the CA, upload it to SignPath.io (does not include private key)
-
-### Verifications for all programs
-
-Even when a program is already installed, or was not downloaded from the Internet, signatures of individual program files may still be verified:
-
-* **User Account Control** (UAC) will prompt the user for permission when a program tries to make changes to the system.
-* **Application whitelisting** policies are deployed by enterprise administrators to prevent execution of unwanted programs.
-
-#### User Account Control (UAC)
-
-Windows uses UAC to prevent unwanted changes to user systems. When active, users cannot modify their systems, or start programs that will modify their systems, without explicit consent. When a user starts such a program, UAC will display a dialog box warning the user of potential system modifications and ask for consent. 
-
-If the program is signed, UAC will display the publisher and offer to display the full certificate. Unsigned programs will warn the user of an "unknown publisher".
-
-#### Application whitelisting and code signing policies
-
-In the ongoing fight against malware and other security risks, enterprises are increasingly using whitelisting mechanisms. These mechanisms only allow the loading and execution of program files signed by a trusted publisher. If the software publisher does not apply signatures to all of its executables and libraries, whitelisting becomes ineffective. There are ways to work around missing signatures, such as hash-based policies, but they are hard to configure and essentially insecure: It is quite hard to ensure the integrity of program files that are received without signatures, both initially and with every update.
-
-Windows 10 offers two flavors of **Code Integrity Policy** mechanisms:
-
-* Windows Defender Application Control (WDAC), formerly known as Device Guard Configurable Code Integrity
-* Hypervisor Code Integrity (HVCI)
-
-While WDAC is integrated in the Windows kernel, HVCI works in its own environment, completely separated from the Windows OS and thereby safe even from dangerous rootkits. HVCI can only be used with compatible hardware. Both mechanisms are supported by Intelligent Security Graph (ISG), a cloud-based reputation system. They can be configured automatically by *managed installers*, such as the System Center Configuration Manager (SCCM).
-
-Older versions of Windows provide different mechanisms for whitelisting: Windows 7 introduced **AppLocker**, and Windows XP featured **Software Restriction Policies** (SRP). Also, many anti-malware vendors provide their own whitelisting tools in their endpoint protection and management suites.
-
-## File types
-
-Most downloaded programs are installation programs or packages. Popular file types include Microsoft Installer (MSI), Cabinet Files (CAB), AppX Packages and Bundles, and App-V packages. Installers are also often distributed in the form of self-extracting programs (e.g. Setup.exe). For device drivers, Windows strictly requires Authenticode signing, either by the publisher or by the Windows Hardware Quality Lab (WHQL). PowerShell scripts and modules may also require code signing, depending on the security policy and the source of the file.
-
-### Signing individual program files (deep signing)
-
-Installation programs and packages install the actual program files on the computer’s disk. Installed program files should be signed too, but the reason for this is less obvious, since Windows will usually not check their signatures. Here are some reasons for signing every single program file:
-
-* It’s just the right thing to do. By signing all executables and libraries, you present yourself as a publisher that has the customer’s security in mind.
-* After installation, users and their tools have no way of checking the integrity of program files unless they are signed. A virus infection could go undetected.
-* Enterprises sometimes repackage software. This allows them to customize the configuration; for Microsoft Application Virtualization (App-V) this is a required step. Repackaging removes program files from the safety of a signed container while transferring them to another, thus putting their integrity temporarily at risk.
-* Administrators can create and deploy policies that allow program execution based on various signature-based criteria. This is called whitelisting, and is considered to be much safer than relying only on anti-malware tools.
-
-### Redistributable files
-
-The most obvious case for signing individual program files can be made for redistributable files, such as libraries and tools that will be distributed with other programs. Since they are included with installation packages of other programs, they are vulnerable in the entire software development process. From software developers downloading these files from unsafe sources or over unsafe connections, to malware-infected developer PCs, there are more risks of modification or infection than can be managed.
-
-Independent software vendors, and also enterprises with in-house development departments, are increasingly aware of the risk associated with third-party libraries and tools. Once more, the only viable way of ensuring integrity is code signing by the original publisher.
-
-## Tools used for code signing
-
-### SignTool.exe (Windows SDK)
-
-The primary tool for code signing is SignTool.exe from the Windows SDK, which can be called via the command line. When using it, you have to provide the following information:
-
-* The file you want to sign
-* The certificate
-* The algorithm for calculating the hash digest
-* The time stamp server (optional)
-
-The digest algorithm defaults to SHA-1. However, you need to use at least SHA-2 for any practical purpose. The most common choice is SHA-256 (SHA-2 algorithm with 256-bit digests). The certificate can be a PFX file or a certificate from a Windows certificate store.
-
-* If a PFX file contains a password protected private key, the password must be specified using an additional parameter. Alternatively, the private key can be provided by a CSP (see below).
-* A certificate can be stored in a certificate store. In this case, you need to provide the certificate name or thumbprint. (A certificate from the Windows certificate store can be chosen automatically, but this is fragile and therefore not recommended.)
-* You can also use a hardware security module through the Windows certificate store.
-  
-### SHA-1 vs SHA-2
-
-SHA-1 is no longer considered secure by the crypto community or Microsoft. Hackers may be able to forge signatures based on this outdated algorithm. Therefore, current versions of Windows will only accept signatures based on SHA-1 digests for files that were signed and time-stamped before 2016. For a signature to be considered valid, the certificate itself as well as any intermediate certificates in the certificate chain must be signed using SHA-2 too. (Note that Windows Explorer will still report SHA-1 signatures as valid in the file properties dialog, but for all purposes they will be rejected by Windows.)
-
-For some time, it was recommended that files should be dual-signed with both SHA-1 and SHA-2 signatures for backwards compatibility, but this seems no longer necessary: SHA-2 has been in Windows starting with Windows 8 and Server 2012. Also, Windows 7 and Server 2008 have been updated in 2015 to support SHA-2.
-
-## Hardware Security Modules (HSMs) {#hsm}
-
-### What is an HSM?
-
-The private key of a certificate must be properly protected. Theft of private keys is the main attack vector for code signing, thereby compromising both users and publishers. Since it’s not possible to effectively protect private keys in files or certificate stores managed by Windows, it is widely recommended that hardware security modules (HSMs) are used for code signing. For Extended Validation certificates, it is even required that keys are managed in HSMs meeting the requirements of FIPS 140-2 level 2.
-
-An HSM is a device that stores secret keys and performs cryptographic operations using these keys. When used properly, the HSM will generate the key itself, and will never expose it to any user or any other device. So when you use a HSM for signing, the HSM will not give the key to the signing software. Rather, the signing software will send the data (the digest) to the HSM and ask for a signature.
-
-{:.panel.warning}
-> **HSM limitations**
->
-> Note that hardware keys can still be physically stolen, especially when stored on inexpensive USB devices. 
->
-> Additionally, even if the key is not stolen, it could be abused by a hacker who gains access to the HSM, or a system that can access the HSM, such as a build server.
-
-### Using HSMs for code signing on Windows
-
-SignTool.exe (or Authenticode in general) cannot use HSMs directly, but it uses the Windows CryptoAPI to access certificates in Windows certificate stores. CryptoAPI uses an extensible architecture for storing certificates: Cryptographic Service Providers (CSPs) 
-
-A CSP can provide these services:
-
-* physical storage of certificates and keys
-* implementation of cryptographic algorithms, like encryption, digests and signatures
-
-HSMs usually bring their own installable CSPs. You can think of the CSP as a device driver for the HSM.
-
-{:.panel.info}
-> **HSM code signing under the hood**
-> 
-> Here is what happens when you call SignTool.exe with a certificate from an HSM:
-> 
-> 1. **SignTool.exe** calls the Windows CryptoAPI (**CAPI**) and passes the **file** and **certificate ID**
-> 2. **CAPI** finds the Subject Interface Package (**SIP**) for the **file** type
-> 3. The **SIP** computes the file's hash **digest** 
-> 4. **CAPI** selects the **HSM**'s Cryptographic Service Provider (**CSP**) based on the certificate
-> 5. **CAPI** calls the **CSP** with the **digest** and the **certificate ID**
-> 6. The **CSP** submits a *create signature* request to the **HSM**
-> 7. The **HSM** creates a **signature**
-> 8. The **SIP** writes the **signature** to the **file**
-
-In this process, the HSM will never expose the private key to any other system.
-
-The current implementation of Authenticode and SignTool.exe can only use CryptoAPI, but not the more recent Cryptographic API: Next Generation (CNG). This may result in less then optimal HSM support, since HSM vendors tend to focus their effort on current technoligies.
-
-### HSM buyer’s advice
-
-* USB token HSMs cannot easily be used in virtualized environments and are limited to a single machine. Also, they usually require interactive authentication via PIN codes or other mechanisms that may prevent automation.
-* Professional network HSMs solve this problem, but they require extensive operational procedures and staff training.
-* As stated above, Authenticode and many other signing mechanisms require CSPs, a technology based on CAPI1 which is otherwise often considered obsolete. HSM support for CSPs therefore varies widely in quality of software, documentation and support.
-* Whether a HSM supports SHA-2 code signing is an important consideration when buying a HSM. You should ask specifically for support of SHA-256 in Microsoft Authenticode (or more technically, CSPs and CAPI v1).
-* HSMs have varying support for creating certificates via certificate signing requests (CSRs) and accessing them from CSPs. You might have to search for working procedures on the internet or contact the vendor's tech support.
-**Warning:** Since this is quite difficult to accomplish, many users resort to importing insecure key files into the HSM, which defies the purpose of the HSM in a critical stage. This is not a secure practice, and does not meet regulations for Extended Validation (EV) certificates!
-* Some complex key management systems have a FIPS-certified HSM at their core as part of a larger physical or virtual system. In this case, the FIPS certification might not encompass the entire system. You should ask specifically if FIPS certification is provided for the entire use case of generating keys and CSRs, as well as creating signatures.
diff --git a/docs/company.md b/docs/company.md
deleted file mode 100644
index 59eb3a1..0000000
--- a/docs/company.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: Company
-header: SignPath GmbH
-layout: default
-description: About SignPath GmbH
----
-
-<div class="columns">
-	<div markdown="1">
-
-## About us
-
-SignPath is dedicated to software and code integrity. We provide leading-edge software and SaaS services that ensure code integrity from development to distribution. SignPath serves customers worldwide, from small development teams to large enterprises.
-
-SignPath was founded in 2017 by [RUBICON IT](https://www.rubicon.eu/en/), a leading European software company, providing software and related services to the public sector and enterprise customers in Central and Western Europe. Since 2023, SignPath is an independent private company.
-
-[Contact us](mailto:sales@signpath.io){: class="btn btn-primary"}
-
-</div> <div markdown="1">
-
-## Vision
-
-At SignPath, we believe that signing code is crucial for secure distribution of software artifacts. Increased frequency of releases make it even more important that the origin of every shipped code is verifiable. Therefore we are developing the world's leading code signing solution to allow organizations of all sizes to reliably and securely sign their code - without compromising on their agility.
-
-[See open positions](/jobs){: class="btn btn-primary"}
-
-</div> </div>
-
-<br> <br>
-
-## Address and legal information
-
-**SignPath GmbH**<br>
-Gonzagagasse 11/23<br>
-1010 Vienna<br>
-Austria
-
-E-Mail: [office@signpath.io](mailto:office@signpath.io)
-
-Commercial register ID: 475506z<br>
-Jurisdiction: Handelsgericht Wien<br>
-VAT ID: ATU72648227
diff --git a/docs/contact-done.html b/docs/contact-done.html
deleted file mode 100644
index 779905c..0000000
--- a/docs/contact-done.html
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Thank you - SignPath.io
-header: Your message has been sent
-layout: thankyou
-sitemap: false
----
-
-<h2>Thank you for contacting us - we will get back to you shortly</h2>
-
-<div>
-	<a href='/product' class='btn btn-primary'>Discover more</a>
-	<a href='{{ site.data.hosts.app[site.target_environment] }}/Web/Subscription/StartFreeTrial' class='btn btn-flat'>Free Trial</a>
-</div>
-
diff --git a/docs/contact.md b/docs/contact.md
deleted file mode 100644
index 06e1e0d..0000000
--- a/docs/contact.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: Contact
-header: Contact us
-layout: default
-description: Contact the SignPath team
----
-
-<script type="text/javascript" src="https://s3.amazonaws.com/assets.freshdesk.com/widget/freshwidget.js"></script>
-<style type="text/css" media="screen, projection">
-    @import url(https://s3.amazonaws.com/assets.freshdesk.com/widget/freshwidget.css); 
-</style> 
-<iframe id='feedack-form-iframe' title="Feedback Form" class="freshwidget-embedded-form" id="freshwidget-embedded-form" src="https://signpath.freshdesk.com/widgets/feedback_widget/new?&widgetType=embedded&formTitle=How+can+we+help+you%3F&submitTitle=Send&submitThanks=Thank+you+for+your+message&searchArea=no" scrolling="no" height="780px" width="100%" frameborder="0" >
-</iframe>
diff --git a/docs/documentation/crypto-providers/cryptoki.md b/docs/crypto-providers/cryptoki.md
similarity index 97%
rename from docs/documentation/crypto-providers/cryptoki.md
rename to docs/crypto-providers/cryptoki.md
index f18aad3..ccad4bc 100644
--- a/docs/documentation/crypto-providers/cryptoki.md
+++ b/docs/crypto-providers/cryptoki.md
@@ -46,7 +46,7 @@ This section provides general information about using the SignPath Cryptoki libr
 
 #### Windows
 
-The Cryptoki library is installed to `%ProgramFiles%\SignPath\CryptoProviders\SignPath.Cryptoki.dll` by the [MSI installer](/documentation/crypto-providers/windows#installation).
+The Cryptoki library is installed to `%ProgramFiles%\SignPath\CryptoProviders\SignPath.Cryptoki.dll` by the [MSI installer](/crypto-providers/windows#installation).
 
 Alternatively, you can copy-deploy `Windows\SignPath.Cryptoki.dll` from the Crypto Providers ZIP archive to your target system.
 
@@ -62,7 +62,7 @@ Signing tools with Cryptoki support usually provide _PIN_ and _key ID_ parameter
 
 | Tool parameter | Value (using SignPath provider)         | Description
 |----------------|-----------------------------------------|------------------------------------------
-| _PIN_          | `$OrganizationId:$ApiToken` or `CONFIG` | SignPath _Organization_ and _Submitter_ API token, separated by a colon. Specify `CONFIG` to use the values definded in [the configuration file or environment variables](/documentation/crypto-providers#crypto-provider-config-values)
+| _PIN_          | `$OrganizationId:$ApiToken` or `CONFIG` | SignPath _Organization_ and _Submitter_ API token, separated by a colon. Specify `CONFIG` to use the values definded in [the configuration file or environment variables](/crypto-providers#crypto-provider-config-values)
 | _key ID_       | `$ProjectSlug/$SigningPolicySlug`       | SignPath _Project_ and _Signing Policy_ slugs, separated by a forward slash
 
 Name and synopsis for these parameters depend on the tool. For tools that support Cryptoki only [indirectly](#about-cryptoki), parameters may also be passed indirectly or using a specific syntax for an existing tool parameter (see below).
@@ -93,7 +93,7 @@ For Cryptoki-based signing, tool setup can be complex. Unlike the KSP/CSP provid
   * _and_ specify the SignPath Cryptoki library in the engine's configuration
 * A tool might internally call another tool such as OpenSSL or GPG to create the signature
 
-If your signing tool does not provide guidance for using Cryptoki libraries, you probably need a solid understanding of the specific tool chain to configure it. For better results, please also refer to [signing flow](/documentation/crypto-providers#flow).
+If your signing tool does not provide guidance for using Cryptoki libraries, you probably need a solid understanding of the specific tool chain to configure it. For better results, please also refer to [signing flow](/crypto-providers#flow).
 
 ## OpenSSL {#openssl}
 
@@ -291,7 +291,7 @@ The [OpenSC](https://github.com/OpenSC/OpenSC) [`pkcs11-tool`](https://linux.die
 {:.panel.info}
 > **`pkcs11-tool` before version 0.23**
 >
-> Set `Cryptoki.DoNotFailOnReadWriteSessions` to `true` in the SignPath [Crypto Provider configuration](/documentation/crypto-providers#crypto-provider-config-values).
+> Set `Cryptoki.DoNotFailOnReadWriteSessions` to `true` in the SignPath [Crypto Provider configuration](/crypto-providers#crypto-provider-config-values).
 >
 > _Background: `pkcs11-tool` used to open the Cryptoki session in a read/write mode (see [GitHub issue #2182](https://github.com/OpenSC/OpenSC/issues/2182)) and therefore fails with `PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_WRITE_PROTECTED`. This flag enables compatibility with these earlier versions._
 
@@ -399,7 +399,7 @@ jarsigner -keystore NONE -storetype PKCS11 -providerClass "sun.security.pkcs11.S
 {:.panel.warning}
 > **Warning: Produce correct timestamps**
 >
-> When using jarsigner (or any other signing tool) directly, you are responsible for correct time stamping. See [Timestamps](/documentation/crypto-providers#timestamps)
+> When using jarsigner (or any other signing tool) directly, you are responsible for correct time stamping. See [Timestamps](/crypto-providers#timestamps)
 
 [PKCS #11]: https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
 
@@ -409,4 +409,4 @@ jarsigner -keystore NONE -storetype PKCS11 -providerClass "sun.security.pkcs11.S
 [openssl-cms]: https://www.openssl.org/docs/man1.1.1/man1/cms.html
 [oracle-install]: https://docs.oracle.com/en/java/javase/14/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9
 [osslsigncode]: https://github.com/mtrojnar/osslsigncode
-[Linux samples]: /documentation/crypto-providers#linux-docker-samples
+[Linux samples]: /crypto-providers#linux-docker-samples
diff --git a/docs/documentation/crypto-providers/gpg.md b/docs/crypto-providers/gpg.md
similarity index 82%
rename from docs/documentation/crypto-providers/gpg.md
rename to docs/crypto-providers/gpg.md
index 3ca35f3..b1ebfc2 100644
--- a/docs/documentation/crypto-providers/gpg.md
+++ b/docs/crypto-providers/gpg.md
@@ -14,21 +14,21 @@ description: Creating GPG signatures with SignPath
 
 GnuPG does not directly support the PKCS #11/Cryptoki interface. The [gnupg-pkcs11-scd](https://github.com/alonbl/gnupg-pkcs11-scd/) project adds this capability as a daemon for the GnuPG ["Smartcard"](https://wiki.gnupg.org/SmartCard) interface.
 
-![Figure: GPG signing flow](/assets/img/resources/documentation/crypto-providers/gpg-signing-flow.svg)
+![Figure: GPG signing flow](/assets/img/resources/crypto-providers/gpg-signing-flow.svg)
 
 ## Setup {#prepare-signing}
 
 ### SignPath configuration
 
-1. Create a [GPG key](/documentation/managing-certificates)
-2. Create a [hash signing project and signing policy](/documentation/crypto-providers/#signpath-project-configuration) in SignPath
+1. Create a [GPG key](/managing-certificates)
+2. Create a [hash signing project and signing policy](/crypto-providers/#signpath-project-configuration) in SignPath
 
 ### Configure GPG for signing {#configure-gnupg}
 
 Initialize GPG hash signing using the helper functions of `Samples/Scenarios/SignPathCryptoProviderHelpers.sh` of the [Linux samples]:
 
 1. Call the `InitializeSignPathCryptoProviderGpgSigning` function to configure GPG and fetch the private key references
-  * Configures the [SignPath Crypto Provider](/documentation/crypto-providers#crypto-provider-configuration)
+  * Configures the [SignPath Crypto Provider](/crypto-providers#crypto-provider-configuration)
   * Configures `gnupg-pkcs11-scd` via `gnupg-pkcs11-scd.conf`
   * Configures GnuPG (`gpg-agent`) to use `gnupg-pkcs11-scd`
 2. Import a specific key into the GPG key chain via the `ImportSignPathGpgPublicKey` function (returns the GPG key ID for subsequent use in signing commands)
@@ -38,7 +38,7 @@ Initialize GPG hash signing using the helper functions of `Samples/Scenarios/Sig
 >
 > We strongly recommend to use dedicated CI users for GPG signing, each **assigned to exactly one signing policy as submitter**. Otherwise the SignPath project and signing policy may not be determined unambiguously and GPG signing commands may fail with "signing failed: No secret key" errors.
 >
-> Background: When performing a GPG signing operation (e.g. `gpg --sign -u my-gpg-key@example.com`), a GPG _public key_ is selected. Internally (via `gnupg-pkcs11`), the corresponding SignPath project and signing policy are selected via the GPG key's _public key hash_ (a "keygrip" in [GnuPG lingo](https://www.gnupg.org/documentation/manuals/gnupg/Glossary.html)). This means that when two or more signing policies are referencing _the same GPG key_, the signing policy cannot not be determined unambiguously and `gnupg-pkcs11` would just filter out these signing policies, resulting in "missing key" errors.
+> Background: When performing a GPG signing operation (e.g. `gpg --sign -u my-gpg-key@example.com`), a GPG _public key_ is selected. Internally (via `gnupg-pkcs11`), the corresponding SignPath project and signing policy are selected via the GPG key's _public key hash_ (a "keygrip" in [GnuPG lingo](https://www.gnupg.org/manuals/gnupg/Glossary.html)). This means that when two or more signing policies are referencing _the same GPG key_, the signing policy cannot not be determined unambiguously and `gnupg-pkcs11` would just filter out these signing policies, resulting in "missing key" errors.
 
 ## Signing code with GPG
 
@@ -63,6 +63,6 @@ For the [Linux samples], the following log file locations are configured:
 * `gnupg-pkcs11-scd` logs: `Samples/Scenarios/Work/Logs/gnupg-pkcs11-scd.log`
 * GPG logs: `Samples/Scenarios/Work/Logs/gpg-agent.log`
 
-[Linux samples]: /documentation/crypto-providers#linux-docker-samples
+[Linux samples]: /crypto-providers#linux-docker-samples
 [`dpkg-sig`]: https://manpages.debian.org/bullseye/dpkg-sig/dpkg-sig.1.en.html
 [Maven GPG plugin]: https://maven.apache.org/plugins/maven-gpg-plugin/
\ No newline at end of file
diff --git a/docs/documentation/crypto-providers/index.md b/docs/crypto-providers/index.md
similarity index 89%
rename from docs/documentation/crypto-providers/index.md
rename to docs/crypto-providers/index.md
index 293297b..d2e51aa 100644
--- a/docs/documentation/crypto-providers/index.md
+++ b/docs/crypto-providers/index.md
@@ -10,7 +10,7 @@ description: SignPath Crypto Providers (Cryptoki, KSP, CSP, CryptoTokenKit)
 
 ## Overview
 
-The SignPath Crypto Providers allow signing tools such as [SignTool.exe](/documentation/crypto-providers/windows#signtool), [OpenSSL](/documentation/crypto-providers/cryptoki#openssl) or [jarsigner](/documentation/crypto-providers/cryptoki#jarsigner) to sign files locally using keys or certificates stored and managed by SignPath. 
+The SignPath Crypto Providers allow signing tools such as [SignTool.exe](/crypto-providers/windows#signtool), [OpenSSL](/crypto-providers/cryptoki#openssl) or [jarsigner](/crypto-providers/cryptoki#jarsigner) to sign files locally using keys or certificates stored and managed by SignPath. 
 
 Crypto Providers are generally used to provide a device-independent API for using secure key storage devices such as USB key tokens or Hardware Security Modules (HSMs). You may think of them as device drivers for crypto hardware. Most software tools used for code signing support one Crypto Provider technology, such as Microsoft KSP/CSP or PKCS #11 Cryptoki.
 
@@ -19,7 +19,7 @@ The SignPath Crypto Providers do not access the crypto hardware directly. Instea
 {:.panel.info}
 > **Version info**
 >
-> This documentation contains information about the latest version of the CryptoProviders. See the [CryptoProvider changelog](/documentation/changelog?component=crypto_providers) or the [macOS CryptoTokenKit changelog](/documentation/changelog?component=macos_cryptotokenkit) for updates.
+> This documentation contains information about the latest version of the CryptoProviders. See the [CryptoProvider changelog](/changelog?component=crypto_providers) or the [macOS CryptoTokenKit changelog](/changelog?component=macos_cryptotokenkit) for updates.
 
 ### Crypto Providers
 
@@ -35,13 +35,13 @@ The following Crypto Providers are available for SignPath:
 [PKCS #11]: https://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-os.html
 [CNG]: https://docs.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval
 [CAPI]: https://docs.microsoft.com/en-us/windows/win32/seccrypto/cryptographic-service-providers
-[CTK extension]: https://developer.apple.com/documentation/cryptotokenkit/
+[CTK extension]: https://developer.apple.com/cryptotokenkit/
 
 ### Signing flow {#flow}
 
 This diagram describes how the various components work together to create a signature.
 
-![Figure: Signing flow overview](/assets/img/resources/documentation/crypto-providers/signing-flow.svg)
+![Figure: Signing flow overview](/assets/img/resources/crypto-providers/signing-flow.svg)
 
 With small platform-specific variations, the general flow of a signing operations is as follows:
 
@@ -72,11 +72,11 @@ As always, the private key does not leave the boundaries of the HSM.
 
 Depending on the signing tool you're using, the corresponding Crypto Provider needs to be installed (on all build nodes). See the respective pages:
 
-* [SignPath KSP and CSP](/documentation/crypto-providers/windows) for _SignTool.exe_ and most native Windows tools
-* [SignPath Cryptoki](/documentation/crypto-providers/cryptoki) for _OpenSSL_, _jarsigner_, and many other Open Source tools
-* [GPG-based tools](/documentation/crypto-providers/gpg), such as _gpg_, _rpm_, or _dkpg-sig_ use the [SignPath Cryptoki Crypto Provider](/documentation/crypto-providers/cryptoki) but require additional configuration steps
-* [SignPath CryptoTokenKit](/documentation/crypto-providers/macos) for macOS _codesign_
-* Instead of using a CryptoProvider, it is also possible to [sign hashes directly using the REST API](/documentation/crypto-providers/rest-api)
+* [SignPath KSP and CSP](/crypto-providers/windows) for _SignTool.exe_ and most native Windows tools
+* [SignPath Cryptoki](/crypto-providers/cryptoki) for _OpenSSL_, _jarsigner_, and many other Open Source tools
+* [GPG-based tools](/crypto-providers/gpg), such as _gpg_, _rpm_, or _dkpg-sig_ use the [SignPath Cryptoki Crypto Provider](/crypto-providers/cryptoki) but require additional configuration steps
+* [SignPath CryptoTokenKit](/crypto-providers/macos) for macOS _codesign_
+* Instead of using a CryptoProvider, it is also possible to [sign hashes directly using the REST API](/crypto-providers/rest-api)
 
 ## Configuration {#crypto-provider-configuration}
 
@@ -90,7 +90,7 @@ Configuration options:
 * Specify the path to a JSON configuration file via the `SIGNPATH_CONFIG_FILE` environment variable
 * Combine both approaches (individual environment variables take precedence over the corresponding JSON file values)
 
-In case you used the [MSI installer](/documentation/crypto-providers/windows#installation), a `SIGNPATH_CONFIG_FILE` system env variable is created and set to `%ProgramFiles%\SignPath\CryptoProviders\CryptoProvidersConfig.json` which points to a skeleton JSON file you can use to provide your own (default) values.
+In case you used the [MSI installer](/crypto-providers/windows#installation), a `SIGNPATH_CONFIG_FILE` system env variable is created and set to `%ProgramFiles%\SignPath\CryptoProviders\CryptoProvidersConfig.json` which points to a skeleton JSON file you can use to provide your own (default) values.
 
 | JSON setting                            | Environment variable                                   | Default Value    | Description
 |-----------------------------------      |--------------------------------------------------------|------------------|--------------------------
@@ -102,7 +102,7 @@ In case you used the [MSI installer](/documentation/crypto-providers/windows#ins
 | `ApiUrl`                                | `SIGNPATH_API_URL`                        | `https://app.signpath.io/Api` | SignPath API endpoint to use. Needs to be set if for self-hosted SignPath installations   
 | `HttpProxy`                             | `http_proxy`                                           | (optional)       | Address of an [HTTP (web) proxy](#http-proxy-config) (not available on macOS)
 | `Cryptoki.DoNotFailOnReadWriteSessions` | `SIGNPATH_CRYPTOKI_DO_NOT_FAIL_ON_READ_WRITE_SESSIONS` | `false`          | Enables compatibility with Cryptoki/PKCS #11 clients that open sessions with read/write option 
-| `IncludeDummyX509CertificateForGpgKeys` | `SIGNPATH_INCLUDE_DUMMY_X509CERTIFICATE_FOR_GPG_KEYS`  | `false`          | Enables compatibility with clients that require X.509 objects (required for [GPG hash signing](/documentation/crypto-providers/gpg) due to `gnupg-pkcs11-scd` X.509-based key discovery)
+| `IncludeDummyX509CertificateForGpgKeys` | `SIGNPATH_INCLUDE_DUMMY_X509CERTIFICATE_FOR_GPG_KEYS`  | `false`          | Enables compatibility with clients that require X.509 objects (required for [GPG hash signing](/crypto-providers/gpg) due to `gnupg-pkcs11-scd` X.509-based key discovery)
 {: .break-code}
 
 **Logging settings:**
diff --git a/docs/documentation/crypto-providers/macos.md b/docs/crypto-providers/macos.md
similarity index 93%
rename from docs/documentation/crypto-providers/macos.md
rename to docs/crypto-providers/macos.md
index b0aded2..68330ee 100644
--- a/docs/documentation/crypto-providers/macos.md
+++ b/docs/crypto-providers/macos.md
@@ -38,7 +38,7 @@ The `SignPathCryptoTokenKit.app` application loads all available certificates fo
 {:.panel.info}
 > **Keys are not specified directly**
 >
-> When using a file-based [configuration](/documentation/crypto-providers#crypto-provider-configuration), the macOS CryptoTokenKit Crypto Provider requires the config file to be
+> When using a file-based [configuration](/crypto-providers#crypto-provider-configuration), the macOS CryptoTokenKit Crypto Provider requires the config file to be
 > * named `config.json` and placed in the same directory as the `SignPathCryptoTokenKit.app` application or
 > * its path to be specified via the `--config` parameter
 
@@ -89,9 +89,9 @@ killall ctkd
 {:.panel.warning}
 > **Warning: Produce correct timestamps**
 > 
-> When using codesign (or any other signing tool) directly, you are responsible for correct time stamping. See [Timestamps](/documentation/crypto-providers#timestamps)
+> When using codesign (or any other signing tool) directly, you are responsible for correct time stamping. See [Timestamps](/crypto-providers#timestamps)
 
-[codesign]: https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
+[codesign]: https://developer.apple.com/library/archive/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html
 
 ## codesign {#codesign}
 
diff --git a/docs/documentation/crypto-providers/rest-api.md b/docs/crypto-providers/rest-api.md
similarity index 90%
rename from docs/documentation/crypto-providers/rest-api.md
rename to docs/crypto-providers/rest-api.md
index 9a33955..96610b0 100644
--- a/docs/documentation/crypto-providers/rest-api.md
+++ b/docs/crypto-providers/rest-api.md
@@ -9,11 +9,11 @@ datasource: tables/crypto-providers
 
 ## Overview
 
-As an alternative to using a Crypto Provider client, signing requests to a ["Hash signing data"](/documentation/crypto-providers#signpath-project-configuration) project can also be performed directly via SignPath's REST API.
+As an alternative to using a Crypto Provider client, signing requests to a ["Hash signing data"](/crypto-providers#signpath-project-configuration) project can also be performed directly via SignPath's REST API.
 
 ## Signing Request
 
-See [HTTP REST API](/documentation/build-system-integration#rest-api) for basic instructions to submit a signing request.
+See [HTTP REST API](/build-system-integration#rest-api) for basic instructions to submit a signing request.
 
 ### Fast signing
 
@@ -22,7 +22,7 @@ For hash data we recommend using a _fast signing request_. These requests are pe
 * Provide the additional field `IsFastSigningRequest` with the value `true`
 * The API returns the JSON-formatted result (see [response description](#signing-request-response))
 
-(By default, the API returns a signing request ID that can be used to [get the result](/documentation/build-system-integration#get-signing-request-data).)
+(By default, the API returns a signing request ID that can be used to [get the result](/build-system-integration#get-signing-request-data).)
 
 ### Artifact format for signing hash digests {#hash-signing-payload-json}
 
diff --git a/docs/documentation/crypto-providers/windows.md b/docs/crypto-providers/windows.md
similarity index 94%
rename from docs/documentation/crypto-providers/windows.md
rename to docs/crypto-providers/windows.md
index 98cbf18..94f5a66 100644
--- a/docs/documentation/crypto-providers/windows.md
+++ b/docs/crypto-providers/windows.md
@@ -15,7 +15,7 @@ Signing tools secifically designed for Windows typicall use CNG KSP or CAPI CSP
 To install the Windows CNG KSP and CAPI CSP providers,
 
 1. Run the MSI installer file from the `Windows` subdirectory of the Crypto Providers ZIP archive. (See below for unattended options.)
-2. Continue with the [general Crypto Provider configuration](/documentation/crypto-providers#crypto-provider-configuration).
+2. Continue with the [general Crypto Provider configuration](/crypto-providers#crypto-provider-configuration).
 
 {:.panel.info}
 > **Verification**
@@ -85,7 +85,7 @@ msiexec /x SignPathCryptoProviders-$Version.msi /qn /L* uninstall.log | Out-Host
 
 ## Using KSP/CSP parameters of signing tools
 
-Additionally to the general [Crypto Provider configuration](/documentation/crypto-providers#crypto-provider-configuration), specify the following values using the parameters provided by your signing tool:
+Additionally to the general [Crypto Provider configuration](/crypto-providers#crypto-provider-configuration), specify the following values using the parameters provided by your signing tool:
 
 | Parameter             | Value                                | Description
 |-----------------------|--------------------------------------|---------------------------------------
@@ -143,6 +143,6 @@ signtool.exe sign /csp SignPathKSP /kc "$ProjectSlug/$SigningPolicySlug" /fd SHA
 {:.panel.warning}
 > **Warning: Produce correct timestamps**
 >
-> When using SignTool.exe (or any other signing tool) directly, you are responsible for correct time stamping. See [Timestamps](/documentation/crypto-providers#timestamps)
+> When using SignTool.exe (or any other signing tool) directly, you are responsible for correct time stamping. See [Timestamps](/crypto-providers#timestamps)
 
 [SignTool.exe]: https://docs.microsoft.com/en-us/dotnet/framework/tools/signtool-exe
\ No newline at end of file
diff --git a/docs/documentation/directory-synchronization.md b/docs/directory-synchronization.md
similarity index 86%
rename from docs/documentation/directory-synchronization.md
rename to docs/directory-synchronization.md
index 23181fe..7fe5a64 100644
--- a/docs/documentation/directory-synchronization.md
+++ b/docs/directory-synchronization.md
@@ -16,13 +16,13 @@ Directory synchronization is supported via the SCIM protocol. This page describe
 
 In the _Azure Portal,_ go to _Microsoft Entra ID_ / _Enterprise Applications_ and create a new application. Select "Create your own application" on the top.
 
-![Microsoft Entra ID - creating a new custom application](/assets/img/resources/documentation/scim/scr_01-create-app.png){:.margin-left}
+![Microsoft Entra ID - creating a new custom application](/assets/img/resources/scim/scr_01-create-app.png){:.margin-left}
 
 #### 2. Define SignPath application roles in the application registration
 
 Go back to the Microsoft Entra ID main page, select _App registrations_, change the list to _All Applications_ and find the application registration you just created. 
 
-![Microsoft Entra ID - finding the App registration](/assets/img/resources/documentation/scim/scr_02a-select-app-registration.png){:.margin-left}
+![Microsoft Entra ID - finding the App registration](/assets/img/resources/scim/scr_02a-select-app-registration.png){:.margin-left}
 
 Under _App roles_, create an entry for each role in SignPath using "Users/Groups" as allowed member types:
 
@@ -35,9 +35,9 @@ Under _App roles_, create an entry for each role in SignPath using "Users/Groups
 | SignPath Global Reader             | `GlobalReader`
 | SignPath Regular User              | `RegularUser`
 
-_Note: For more information about the permissions assigned to each role, see the [user documentation](/documentation/users#roles)._
+_Note: For more information about the permissions assigned to each role, see the [user documentation](/users#roles)._
 
-![Microsoft Entra ID - create app roles](/assets/img/resources/documentation/scim/scr_02b-create-app-roles.png){:.margin-left}
+![Microsoft Entra ID - create app roles](/assets/img/resources/scim/scr_02b-create-app-roles.png){:.margin-left}
 
 #### 3. Create a synchronization user on SignPath
 
@@ -53,7 +53,7 @@ Under _Provisioning_, click _Get started_, then enter the following settings:
 * Enter `https://scim.connectors.`<wbr>`signpath.io/scim/<your-organization-id>/dry-run` as a _Tenant URL_. 
 * Use the SignPath CI User _API token_ from step 3 as the _Secret Token_.
 
-![Microsoft Entra ID - select provisioning](/assets/img/resources/documentation/scim/scr_04a-select-provisioning.png){:.margin-left}
+![Microsoft Entra ID - select provisioning](/assets/img/resources/scim/scr_04a-select-provisioning.png){:.margin-left}
 
 {:.panel.tip}
 > **Dry-Run mode**
@@ -66,26 +66,26 @@ Click "Test connection" to confirm that the configuration is correct. When succe
 
 Close the dialog, select _Provisioning_, open the _Mapping_ group and click _Azure Active Directory Users_.
 
-![Microsoft Entra ID - select mapping](/assets/img/resources/documentation/scim/scr_05a-mapping-part1.png){:.margin-left}
+![Microsoft Entra ID - select mapping](/assets/img/resources/scim/scr_05a-mapping-part1.png){:.margin-left}
 
 On the next page, check _Show advanced options_ and click on _Review your schema here_.
 
-![Microsoft Entra ID - select mapping](/assets/img/resources/documentation/scim/scr_05b-mapping-part2.png){:.margin-left}
+![Microsoft Entra ID - select mapping](/assets/img/resources/scim/scr_05b-mapping-part2.png){:.margin-left}
 
 Then, replace the existing JSON with the one from [this link](/assets/MicrosoftEntraIDScimConfiguration.json) and save the schema. After closing the dialog, you **need to refresh the Azure page**, then the _Attribute Mappings_ will be pre-filled for you. Click on the row that maps to "externalId" in the _customappsso Attribute_ column.
 
-![Microsoft Entra ID - replace mapping](/assets/img/resources/documentation/scim/scr_05c-mapping-part3.png){:.margin-left}
+![Microsoft Entra ID - replace mapping](/assets/img/resources/scim/scr_05c-mapping-part3.png){:.margin-left}
 
 Change the _Mapping type_ to "Expression" and enter the following expression: `Append("<your-sso-identifier>:", [objectId])`.
 
-![Microsoft Entra ID - mapping expression](/assets/img/resources/documentation/scim/scr_05d-mapping-part4.png){:.margin-left}
+![Microsoft Entra ID - mapping expression](/assets/img/resources/scim/scr_05d-mapping-part4.png){:.margin-left}
 
 {:.panel.tip}
 > **Mapping expression**
 >
 > To find out the value for `<your-sso-identifier>:`, open an exising user on SignPath. In the _Identity_ field, everything before the first `:` is your SSO identifier.
 > 
-> ![SignPath - look up SSO identifier](/assets/img/resources/documentation/scim/scr_05e-sso-identifier-on-signpath.png)
+> ![SignPath - look up SSO identifier](/assets/img/resources/scim/scr_05e-sso-identifier-on-signpath.png)
 > 
 > In order for SignPath to be able to map your Microsoft Entra ID users correctly, the second part of the _SignPath Identity_ (after the `:`) should map to the respective field of the Microsoft Entra ID user. If you are mapping your Microsoft Entra ID users directly, you can use `[objectId]`. If you are forwarding your `sid` from your Active Directory, use `[onPremisesSecurityIdentifier]`.
 >
@@ -97,21 +97,21 @@ After saving the mapping, you can now test your configuration.
 
 Go back to the _Entra ID_ main page, select _Enterprise applications_ and select the enterprise application you created. Select _Users and groups_ and click "Add users and groups".
 
-![Microsoft Entra ID - add users and groups](/assets/img/resources/documentation/scim/scr_06a-add-users-and-groups.png){:.margin-left}
+![Microsoft Entra ID - add users and groups](/assets/img/resources/scim/scr_06a-add-users-and-groups.png){:.margin-left}
 
 Select a test user that already exists in the SignPath organization and assign them a role. Then select _Provisioning_ on the left pane and _Provision on demand_ on the next screen. Select the user you just added and click "Provision".
 
-![Microsoft Entra ID - test provisioning](/assets/img/resources/documentation/scim/scr_06b-test-provisioning.png){:.margin-left}
+![Microsoft Entra ID - test provisioning](/assets/img/resources/scim/scr_06b-test-provisioning.png){:.margin-left}
 
 When the provisioning succeeded, click on "View details" in section _3. Match user between source and target system_. The synchronization should have found an existing user on SignPath that matches. If it attempts to create a new user, there is an error in the configuration.
 
-![Microsoft Entra ID - validate provisioning](/assets/img/resources/documentation/scim/scr_06c-validate-provisioning.png){:.margin-left}
+![Microsoft Entra ID - validate provisioning](/assets/img/resources/scim/scr_06c-validate-provisioning.png){:.margin-left}
 
 #### 7. Remove the `/dry-run` postfix, assign users and groups and start provisioning
 
 After you successfully tested the configuration, you can remove the `/dry-run` postfix of the _Tenant URL_ that was entered in step 4. Afterwards, you can start the provisioning on the _Overview_ page of the provisioning settings The assigned Entra ID users and groups will then be synchronized to your SignPath organization.
 
-![Microsoft Entra ID - validate provisioning](/assets/img/resources/documentation/scim/scr_07a-start-provisioning.png){:.margin-left}
+![Microsoft Entra ID - validate provisioning](/assets/img/resources/scim/scr_07a-start-provisioning.png){:.margin-left}
 
 You can now assign all users and groups that you want to synchronize.
 
diff --git a/docs/documentation/getting-started.md b/docs/documentation/getting-started.md
deleted file mode 100644
index 328cb11..0000000
--- a/docs/documentation/getting-started.md
+++ /dev/null
@@ -1,19 +0,0 @@
----
-header: Getting Started
-layout: resources
-toc: true
-description: A quick introduction into setting up SignPath
----
-
-This guide provides a quick introduction into setting up SignPath and using it to sign your code. 
-
-To get started with SignPath, you need to follow these steps:
-
-1. [Create or import certificates](/documentation/managing-certificates)
-2. [Invite your team](/documentation/users) to join your organization
-3. [Configure your project and define your process](/documentation/projects)
-4. [Sign your code artifacts](/documentation/signing-code)
-
-Advanced topics:
-* [Create or edit an artifact configuration](/documentation/artifact-configuration)
-* [Integrate SignPath into your automated build processes](/documentation/build-system-integration)
diff --git a/docs/documentation/index.md b/docs/documentation/index.md
deleted file mode 100644
index ffb40a6..0000000
--- a/docs/documentation/index.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-header: Documentation
-layout: resources
-toc: false
-nav_on_small_screen: true
-forward_on_big_screens: '/documentation/getting-started'
----
\ No newline at end of file
diff --git a/docs/documentation/faq.md b/docs/faq.md
similarity index 92%
rename from docs/documentation/faq.md
rename to docs/faq.md
index 8e5b518..536d247 100644
--- a/docs/documentation/faq.md
+++ b/docs/faq.md
@@ -17,6 +17,6 @@ To receive a detailed error message, make sure the CI user has a valid notificat
 
 Check for these common mistakes:
 
-* Did you set the API token correctly, as described [here](https://about.signpath.io/documentation/build-system-integration#appveyor)?
+* Did you set the API token correctly, as described [here](https://about.signpath.io/build-system-integration#appveyor)?
 * Did you include the "Bearer prefix" and omit all quotes when encrypting the value on AppVeyor?
 * Did you add the CI user as a submitter to the signing policy?
diff --git a/docs/index.html b/docs/index.html
deleted file mode 100644
index 47ec9cf..0000000
--- a/docs/index.html
+++ /dev/null
@@ -1,249 +0,0 @@
----
-title: SignPath.io
-description: 'SignPath product home page: secure code signing'
----
-
-{% include header.html %}
-
-<section class='bg-image font-white home-start'>
-	<div>
-		<h1>Code Signing<br>Simple and Secure</h1>
-		<p>
-			Automated, repeatable and secure code signing processes<br>
-			in the cloud and on-premises
-		</p>
-		<div>
-			<a href='{{ site.data.hosts.app[site.target_environment] }}/Web/Subscription/StartFreeTrial' class='btn btn-primary trial'>Start free trial</a>
-			<a href='/product' class='btn btn-flat'>Discover more</a>
-		</div>
-	</div>
-</section>
-
-<section class='bg-dark-grey font-white banner'>
-	<div>
-		<h4 class='center'>Industry leaders trust SignPath</h4>
-		<div class='carousel'>
-			<ul>
-				<li title='CyberTrap'> <img src="/assets/img/references/cybertrap-final-long.svg" style="height: 30px"/> </li> <!-- will be shown last -->
-				<li title='Airbus'> <img src="/assets/img/references/airbus.svg" style="height: 20x"/> </li> 
-				<li title='Dräger'> <img src="/assets/img/references/draeger.svg"/> </li>
-				<li title='Hitachi Energy'> <img src="/assets/img/references/hitachi-energy.svg"/> </li>
-				<li title='Etas'> <img src='/assets/img/references/etas.svg' style="height: 30px" /> </li>
-				<li title='Liebherr'> <img src="/assets/img/references/liebherr.svg" style="height: 30px" /> </li>
-				<li title='Solarwinds'> <img src="/assets/img/references/solarwinds.svg"/> </li>
-				<li title='N-able'> <img src="/assets/img/references/n-able.svg"/> </li>
-				<li title='Embark Studios'> <img src="/assets/img/references/embark-studios.png"/> </li>
-				<li title='CWS'> <img src="/assets/img/references/cws.svg" style="height: 35px"/> </li>
-				<li title='jamf'> <img src="/assets/img/references/jamf.svg"/> </li>
-				<li title='MCE Systems'> <img src="/assets/img/references/mce.svg" style="height: 30px"/> </li>
-				<li title='Festo'> <img src="/assets/img/references/festo.svg" style="height: 30px"/> </li>
-				<li title='Bohemia Interactive'> <img src="/assets/img/references/bohemia-interactive.svg"/> </li>
-				<li title='alcatraz ai'> <img src="/assets/img/references/alcatraz.svg" style="height: 30px"/> </li>
-			</ul>
-			<a class='left' href='#'>
-				{%- include angle-left-solid.svg %}
-			</a>
-			<a class='right' href='#'>
-				{%- include angle-right-solid.svg %}
-			</a>
-    	</div>
-  	</div>
-</section>
-
-<section class='bg-grey'>
-	<div>
-		<h2>Most IT organizations don't have a secure code signing process</h2>
-		<p>
-			In times of growing cyber security breaches, platform vendors and customers require all deployed applications to be digitally signed. Code signing is the only way to guarantee that software has not been modified by a third party. The corporate solutions of SignPath enable DevOps teams to seamlessly integrate code-signing into their development lifecycle and empowers InfoSec teams to define secure policies and gain transparency over private key usage.
-		</p>
-	</div>
-</section>
-
-<section>
-	<div>
-		<h2>Staying secure and agile</h2>
-		<p>
-			Frequent software releases and updates, the popularity of microservices as well as a stricter enforcement of internal security measures have increased the complexity for code signing. SignPath is made for developers from one of the leading European software development companies for government institutions. We automate security best practices to keep your development process agile.
-		</p>
-		<div class='columns'>
-			<div class='column-stretched'>
-				<div>
-					{% include laptop.svg %}
-					<h3>DevOps teams</h3>
-					<p>
-						SignPath provides secure code signing processes that directly integrate into existing continuous deployment (CD) pipelines. No hassle with installing cryptographic service providers (CSPs) or connecting USB tokens, just simple command line or API calls.
-					</p>
-				</div>
-				<a class='btn btn-secondary' href='/product/devops'>Read more</a>
-			</div>
-			<div class='column-stretched'>
-				<div>
-					{% include shield.svg %}
-					<h3>InfoSec teams</h3>
-					<p>
-						Do you know where all the private keys are stored in your organization that are used to sign executables and scripts? With SignPath, you can stay on top of managing your certificates, define strict policies, monitor private key usage and delegate responsibilities for signing releases.
-					</p>
-				</div>
-				<a class='btn btn-secondary' href='/product/infosec'>Read more</a>
-			</div>
-			<div class='column-stretched'>
-				<div>
-					{% include code.svg %}
-					<h3>Open Source projects</h3>
-					<p>
-						Open Source software has become the backbone of the entire IT industry, with commercial software building on the foundation of thousands of open source libraries. SignPath values the community and provides special offers to open source projects to enable a secure build chain all the way to the end user.
-					</p>
-				</div>
-				<a class='btn btn-secondary' href='/product/open-source'>Read more</a>
-			</div>
-		</div>
-	</div>
-</section>
-
-<section class='font-white bg-blue'>
-	<div>
-		<h2>Code Signing is more than a certificate</h2>
-		<div class='columns'>
-			<div>
-				{% include key.svg %}
-				<h3>Secure private keys</h3>
-				<p>
-					When your private keys are compromised, your reputation is at risk. Software vendors are an increasingly attractive target for hackers and cyber criminals as they can be used as an entrance point to gain access to the IT infrastructure of the consumer's organizations, often unnoticed.
-				</p>
-			</div>
-			<div>
-				{% include check_circle.svg %}
-				<h3>Transparent processes</h3>
-				<p>
-					Securing your private key on a USB token or on a Hardware Security Module (HSM) is not enough. You need to restrict and monitor private key usage and ensure that only legitimate code is being signed.
-				</p>
-			</div>
-		</div>
-		<p class='center'>
-			<a class='btn btn-flat' href='/code-signing/private-keys'>How secure are your private keys?</a>
-		</p>
-	</div>
-</section>
-
-<section>
-  <div>
-		<h2>Increase your security with ease</h2>
-		<div class='columns'>
-			<div>
-				{% include arrow_right.svg %}
-				<h3>Establish a process</h3>
-				<p>
-					Don’t assume that code signing processes are followed by your team. Monitor and automate the execution. Adapt workflows for different software products and development teams.
-				</p>
-			</div>
-			<div>
-				{% include sign.svg %}
-				<h3>Align InfoSec and development teams</h3>
-				<p>
-					Development teams need to own the code signing process in order to stay agile. InfoSec teams need to enforce their security policies. With SignPath both teams get the necessary freedom and guarantee for an effective and secure code signing process.
-				</p>
-			</div>
-		</div>
-		<div class='columns'>
-			<div>
-				{% include case.svg %}
-				<h3>Meet customer expectations</h3>
-				<p>
-					Your customers demand high security in their IT infrastructure. Meet their expectations by providing them with signed software and a process that excels at every security audit.
-				</p>
-			</div>
-			<div>
-				{% include dollar.svg %}
-				<h3>Save costs</h3>
-				<p>
-					Get started in minutes with our code signing solution. No need for complicated setups and installation of CSPs, timestamping servers or integration of Hardware Security Modules (HSMs).
-				</p>
-			</div>
-		</div>
-	</div>
-</section>
-
-<section class='bg-blue font-white'>
-	<div>
-		<h2>SignPath makes code signing simple</h2>
-		<p>
-			SignPath comes with everything you need to securely sign your code. You don't need to bother about where to store your private keys, how to integrate them into your build pipeline, how to configure different signing methods or where to find a suitable timestamping server.
-		</p>
-		<div class='columns'>
-			<div class='column-stretched'>
-				<div>
-					<h3>Secure your processes&hellip;</h3>
-					<ul class='home-feature-list'>
-						<li>
-							{% include user_group.svg %}
-							Roles and permissions</li>
-						<li>
-							{% include check_box.svg %}
-							Approvals</li>
-						<li><i class='icon-nested'></i>
-							Deep signing of nested files</li>
-						<li>
-							{% include virus.svg %}
-							Virus scanning</li>
-						<li><i class='icon-origin-verification'></i>
-							Origin verification</li>
-						<li>
-							{% include lock.svg %}
-							Policy enforcement</li>
-						<li><i class='icon-cicd'></i>
-							CI integration</li>
-						<li>
-							{% include eye.svg %}
-							Audit logs</li>
-					</ul>
-				</div>
-				<p><a href='/product' class='btn btn-flat'>Discover more</a></p>
-			</div>
-			<div class='column-stretched'>
-				<div>
-					<h3 id='signing-methods'>&hellip;and sign all your software</h3>
-					<ul class='home-method-list'>
-						<li>
-							{% include windows.svg %}
-							Authenticode: apps, installers, libraries, drivers</li>
-						<li><i class='icon-powershell'></i>
-							PowerShell, VBScript and JScript shell scripts</li>
-						<li><i class='icon-clickonce'></i>
-							ClickOnce applications</li>
-						<li><i class='icon-office'></i>
-							Office macros and add-ins</li>
-						<li><i class='icon-nuget'></i>
-							NuGet packages</li>
-						<li><i class='icon-visual-studio'></i>
-							Visual Studio extensions</li>
-						<li><i class='icon-java'></i>
-							Java archives</li>
-						<li><i class='icon-android'></i>
-							Android apps</li>
-						<li><i class='icon-apple'></i>
-							Apple macOS and iOS apps</li>
-						<li>
-							{% include docker.svg %}
-							Containers: Cosign, Docker Content Trust
-						</li>
-						<li>
-							{% include linux.svg %}
-							GPG, RPM, Debian packages
-						</li>
-						<li><i class='icon-cyclonedx'></i>
-							Software Bill of Material (BOM/SBOM)
-						</li>
-						<li>
-							{% include file-code.svg %}
-							XML files
-						</li>
-					</ul>
-					<p>All signatures include a timestamp and use cryptographically secure algorithms.</p>
-				</div>
-				<p><a href='{{ site.data.hosts.app[site.target_environment] }}/Web/Subscription/StartFreeTrial' class='btn btn-primary trial'>Start free trial</a></p>
-			</div>
-		</div>
-	</div>
-</section>
-
-{% include footer.html %}
diff --git a/docs/index.md b/docs/index.md
new file mode 100644
index 0000000..12c6a01
--- /dev/null
+++ b/docs/index.md
@@ -0,0 +1,18 @@
+---
+header: Documentation
+layout: resources
+toc: false
+---
+
+This page contains the documentation for [SignPath](https://about.signpath.io).
+
+To get started with SignPath, you need to follow these steps:
+
+1. [Create or import certificates](/managing-certificates)
+2. [Invite your team](/users) to join your organization
+3. [Configure your project and define your process](/projects)
+4. [Sign your code artifacts](/signing-code)
+
+Advanced topics:
+* [Create or edit an artifact configuration](/artifact-configuration)
+* [Integrate SignPath into your automated build processes](/build-system-integration)
\ No newline at end of file
diff --git a/docs/documentation/managing-certificates.md b/docs/managing-certificates.md
similarity index 90%
rename from docs/documentation/managing-certificates.md
rename to docs/managing-certificates.md
index fed2ba8..59e885d 100644
--- a/docs/documentation/managing-certificates.md
+++ b/docs/managing-certificates.md
@@ -12,7 +12,7 @@ SignPath helps you control access to your code signing certificates. You have to
 
 ## Test and Release certificates
 
-* Use **test certificates** during the development process. You can test your release process and sign every build. Test certificates are not created by a commercial CA and are therefore not trusted by operating systems or browsers. Artifacts that were mistakenly or even maliciously signed by a test certificate cannot affect your users and customers. You can read more about how to roll out and manage test certificates in your infrastructure in the [knowledge base](/code-signing/test-certificates).
+* Use **test certificates** during the development process. You can test your release process and sign every build. Test certificates are not created by a commercial CA and are therefore not trusted by operating systems or browsers. Artifacts that were mistakenly or even maliciously signed by a test certificate cannot affect your users and customers. <!-- TODO: You can read more about how to roll out and manage test certificates in your infrastructure in the [knowledge base](/code-signing/test-certificates). -->
 * Use dedicated **release certificates** for each published version of your software. SignPath allows you to enforce stricter policies for release certificates.
 
 ## Certificate types {#certificate-types}
@@ -50,7 +50,8 @@ X.509 certificates issued by a certificate authority (CA) can be uploaded to Sig
 ### Certificate chains
 
 **Publisher certificates** (also know as the leaf certificates) identify the publisher and contain the public key of the key pair that is actually used for signing.
-**[Certificate chains](/code-signing/theory#certificate-chains)** also contain the issuers of the publisher certificate (often an intermediary certificate, which is in turn issued by a root certificate). They can be complete (from publisher to root) or incomplete.
+<!-- [Certificate chains](/code-signing/theory#certificate-chains) --> 
+**Certificate chains** also contain the issuers of the publisher certificate (often an intermediary certificate, which is in turn issued by a root certificate). They can be complete (from publisher to root) or incomplete.
 
 ### File formats and encoding
 X.509 certificates can be uploaded in several formats. Some of these formats can only contain the publisher certificate. Other formats can also contain complete or partial certificate chains. SignPath supports the following formats:
diff --git a/docs/newsletter-subscribed.html b/docs/newsletter-subscribed.html
deleted file mode 100644
index 3eaf4ca..0000000
--- a/docs/newsletter-subscribed.html
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Thank you - SignPath.io
-header: Thank you!
-layout: thankyou
-sitemap: false
----
-
-<h2>Thank you for subscribing to our newsletter!</h2>
-
-<div>
-	<a href='/product' class='btn btn-primary'>Discover more</a>
-	<a href='{{ site.data.hosts.app[site.target_environment] }}/Web/Subscription/StartFreeTrial' class='btn btn-flat'>Free Trial</a>
-</div>
-
diff --git a/docs/newsletter.md b/docs/newsletter.md
deleted file mode 100644
index 4f0896c..0000000
--- a/docs/newsletter.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-title: Newsletter
-header: Newsletter
-layout: default
-description: Subscribe to the SignPath newsletter
----
-
-## Get news about new product features, services and special offers
-
-Frequency: We send a newsletter for most releases. We usually release a new version every other week.
-
-<!-- used to send a link for subscribing to the newsletter -->
diff --git a/docs/documentation/origin-verification.md b/docs/origin-verification.md
similarity index 94%
rename from docs/documentation/origin-verification.md
rename to docs/origin-verification.md
index 2d6bcfd..0d9bdd6 100644
--- a/docs/documentation/origin-verification.md
+++ b/docs/origin-verification.md
@@ -49,4 +49,4 @@ In order to use origin verification, a [Trusted Build System](trusted-build-syst
 >
 > Make sure that your source code review policy includes CI configuration, build scripts, and makefiles. External content should not be accepted in reviews.
 
-See the [signing policy](/documentation/projects#signing-policy-origin-verification) documentation for some ideas on how to secure your build pipelines using origin verification.
+See the [signing policy](/projects#signing-policy-origin-verification) documentation for some ideas on how to secure your build pipelines using origin verification.
diff --git a/docs/documentation/powershell/Get-CertificateByMicrosoftTemplateId.md b/docs/powershell/Get-CertificateByMicrosoftTemplateId.md
similarity index 100%
rename from docs/documentation/powershell/Get-CertificateByMicrosoftTemplateId.md
rename to docs/powershell/Get-CertificateByMicrosoftTemplateId.md
diff --git a/docs/documentation/powershell/Get-SignedArtifact.md b/docs/powershell/Get-SignedArtifact.md
similarity index 100%
rename from docs/documentation/powershell/Get-SignedArtifact.md
rename to docs/powershell/Get-SignedArtifact.md
diff --git a/docs/documentation/powershell/Submit-SigningRequest.md b/docs/powershell/Submit-SigningRequest.md
similarity index 98%
rename from docs/documentation/powershell/Submit-SigningRequest.md
rename to docs/powershell/Submit-SigningRequest.md
index 383155f..d7d7a9e 100644
--- a/docs/documentation/powershell/Submit-SigningRequest.md
+++ b/docs/powershell/Submit-SigningRequest.md
@@ -91,7 +91,7 @@ The `Submit-SigningRequest` cmdlet creates a new _signing request_. The signing
 
 When using the `-InputArtifactPath` or `-ArtifactRetrievalLink` parameter, the specified file will be used for processing. 
 
-When using the `-Resubmit` parameter, the specified signing request will be processed again using the specified _signing policy_. This is especially useful for conditional signing of release candidates. See [Resubmit an existing signing request](/documentation/signing-code#resubmit) for more information.
+When using the `-Resubmit` parameter, the specified signing request will be processed again using the specified _signing policy_. This is especially useful for conditional signing of release candidates. See [Resubmit an existing signing request](/signing-code#resubmit) for more information.
 
 ### Downloading the signed artifact 
 
@@ -141,7 +141,7 @@ Processing a signing request may take several minutes, or even longer if manual
 
 {% include editions.md feature="pipeline_integrity.origin_verification" value="optional" %}
 
-This parameter should only be used from a [Trusted Build System](/documentation/trusted-build-systems).
+This parameter should only be used from a [Trusted Build System](/trusted-build-systems).
 
 | Parameter                                     | Description
 |-----------------------------------------------|--------------------------------------------------------------------------------------
@@ -186,7 +186,7 @@ Note: Use either slugs _or_ IDs, don't mix.
 | `-ClientCertificate`                      | `X509Certificate2`| Client certificate used for a secure Web API request. Not supported by SignPath.io directly, use for proxies. | | {{ site.data.editions | where: "pipeline_integrity.trusted_build_systems", "Optional" | map: "name" | join: ", " }}
 | `-ApiUrl`                                 | `String`          | URL to the SignPath REST API                                  | `https://app.signpath.io/api/`
 | `-Description`                            | `String`          | Optional description of the signing request
-| `-Parameters`                             | `Hashtable`       | Values for [parameters defined in the artifact configuration](https://about.signpath.io/documentation/artifact-configuration/syntax#parameters)
+| `-Parameters`                             | `Hashtable`       | Values for [parameters defined in the artifact configuration](https://about.signpath.io/artifact-configuration/syntax#parameters)
 | `-ServiceUnavailableTimeoutInSeconds`     | `Int32`           | Total time in seconds that the cmdlet will wait for a single service call to succeed (across several retries) | 600 seconds
 | `-UploadAndDownloadRequestTimeoutInSeconds` | `Int32`         | HTTP timeout used for upload and download HTTP requests       | 300 seconds
 | `-CancellationTimeoutInSeconds`           | `Int32`           | Timeout in seconds before the signing request gets cancelled (from submission; specify `0` for no timeout)    | if `-WaitForCompletion` is specified: `-WaitForCompletionTimeoutInSeconds` value; otherwise: none
diff --git a/docs/documentation/powershell/index.md b/docs/powershell/index.md
similarity index 100%
rename from docs/documentation/powershell/index.md
rename to docs/powershell/index.md
diff --git a/docs/privacy-policy.md b/docs/privacy-policy.md
deleted file mode 100644
index dd619b1..0000000
--- a/docs/privacy-policy.md
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title: Privacy Policy
-header: Privacy Policy
-layout: default
-description: SignPath privacy policy
----
-
-We consider your privacy and the security of your personal data of great importance. This Privacy Policy applies to the data we process when you use SignPath as well as to the data of our website visitors and informs you about the personal data we collect and how we process it.
-
-# Who is responsible for the processing of your personal data?
-
-When you visit our website, your data is processed by:
-
-SignPath GmbH <br>
-Gonzagagasse 11/23 <br>
-1010 Vienna <br>
-AUSTRIA <br>
-office@signpath.io <br>
-Commercial register ID: 475506z
-
-# Data protection officer
-
-You can reach our data protection officer at privacy@signpath.io.
-
-# Data we process when you use SignPath
-
-## Registration Data
-
-If you create a SignPath account, you are required to provide us with some basic information:
-
-* Your name
-* Your business email address
-* Your job title (only for administrators)
-
-This data is only processed because it is necessary for the performance of the contract between you and us. After the termination of your account, your registration data will be stored for a retention period of 6 months. 
-
-## Usage Data
-
-When you use SignPath, we collect some basic information that most services collect based on our legitimate interests. This includes information about how you use SignPath, such as your IP address, session information and the date and time of each request.
-
-## Sub-processors and third country notice
-
-We share your data with a limited number of third party service providers who process it on our behalf to provide or improve our service, and who have agreed to privacy restrictions by signing data protection agreements. In case of data transfers outside of the European Economic Area, we make sure to implement appropriate safeguards with our sub-processors, including Standard Contractual Clauses.
-
-| Sub-processor                        | Description of data processing                  | Location      | Security measures documentation |
-|--------------------------------------|-------------------------------------------------|---------------|---------------------------------|
-| RUBICON IT GmbH                      | Application management, administration, support | Europe        | [RUBICON Managed Services](https://www.rubicon.eu/en/services/managed-services/)
-| Microsoft Ireland Operations Limited | Hosting Platform Microsoft Azure                | Europe        | [Azure security documentation](https://docs.microsoft.com/azure/security)
-| Twilio Inc.                          | Email delivery service SendGrid                 | United States | [Twilio Security Overview](https://www.twilio.com/legal/security-overview)
-| Okta Inc.                            | Account management                              | Europe        | [Okta Security & Privacy Documentation](https://www.okta.com/sites/default/files/OKTA%20Security%20and%20Privacy%20Documentation%20May%202019.pdf)
-
-# Data we process when you visit our Website
-
-## Contact form
-
-If you use the contact form on our website to ask more about our products, we process the data you submit in the contact form in order to process your inquiry. If your inquiry also concerns our partner products, your data may be forwarded to these partners. The processing is based on Art 6 para 1 lit b and f GDPR, because it serves to initiate a contract with us and is in our legitimate interest. Your data will be stored for as long as necessary to process your request.
-
-## Newsletter
-
-You have the possibility to subscribe to our newsletter on our website. We will process the personal data you provide in order to send you our newsletter. The processing of this data is only possible with your consent. You are free to revoke your consent and unsubscribe from our newsletter at any time. To do so, just click on the unsubscribe-Link that is included in every newsletter mail you receive from us.
-
-## Cookies
-
-Our website uses so-called “cookies”. Cookies are small text files which are stored on a visitor’s computer or device. There are two main types of cookies: Essential cookies, which are necessary to make a website operational and non-essential cookies, which collect e.g. browsing and usage statistics. While essential cookies are stored automatically on your computer or device based on our legitimate interests, non-essential cookies require your consent.
-
-Some of the cookies used on our website originate from service providers outside the EU (primarily the US). It is therefore possible that some of your data (e.g. IP address, usage behavior, technical data) may be transmitted to the US. We only work with companies that are part of the Data Privacy Framework between the EU and the USA or use standard contractual clauses for the transfer of personal data to third countries according to Art 46 para 2 lit c GDPR. The participating companies of the Data Privacy Framework fall under the adequacy decision for secure data traffic of the EU.
-
-You are free to revoke your given consent for the use of non-essential cookies and/or cookies from third countries at any time here:
-
-<a class="cursor-pointer revoke-cookie-consent"> Revoke consent </a>
-
-### Google Analytics
-
-In order to evaluate and improve our website, we use website analysis software Google Analytics provided by Google Ireland Limited. Google Analytics enables us to create statistical reports on visitor activity and to improve our content and website performance. For this purpose, your IP address is transmitted to Google and usually stored for 26 months. The use of Google Analytics requires a non-essential cookie, which is only set with your express consent. For more information, please refer to the privacy policies of [Google] and [Google Analytics].
-
-We use Google Signals as an extension of Google Analytics. Signals is an alternative function to identify users on our website. Google Signals requires a Google account login and the activation of personalised advertising on your device.
-
-### Google Ads
-
-In order to make our website more attractive, we use Google Ads, a service provided by Google Ireland Limited. Google Ads enables us to make advertisements for our website in the Google search engine or on external websites and to evaluate how effective our advertising measures are. If you access our website via a Google ad, Google Ads will store a non-essential cookie on your PC or device. Google Ireland Limited is the responsible data controller when using Google Ads. We ourselves do not collect and process any personal data when using Google Ads. We only receive statistical evaluations from Google. For more information, please refer to the privacy policies of [Google] and [Google Ads].
-
-### dealfront
-
-dealfront is a web analytics service and evaluation tool operated by Liidio Oy / dealfront (Mikonkatu 17 C, 00100 Helsinki). For this purpose, dealfront collects the IP address of visitors. dealfront uses a cookie called "\_lfa" and has an expiry date of two years from when it was first set. The cookie can only be set for this website domain and requires your consent. For more information, please refer to the [privacy policy of dealfront].
-
-### HubSpot
-
-HubSpot is a marketing and sales service. HubSpot collects the IP address, browser type, operating system, access time, referring internet website adresses, internet service providers (ISP) and pages viewed on our website. For more information, please refer to the [privacy policy of HubSpot].
-
-# Your rights
-
-When we process your personal data, you have the following rights under applicable European and Austrian data protection laws:
-
-* Information
-* Correction 
-* Deletion 
-* Restriction
-* Data portability
-* Object
-
-If you believe that the processing of your data constitutes a violation of data protection laws, you are free to contact the _Austrian Data Protection Authority_ at Barichgasse 40-42, 1030 Vienna, phone +43 1 52152-0, email dsb@dsb.gv.at.
-
-[Google]: https://policies.google.com/privacy?hl=en
-[Google Ads]: https://policies.google.com/technologies/ads?hl=en
-[Google Analytics]: https://support.google.com/analytics/answer/6004245
-[privacy policy of dealfront]: https://www.dealfront.com/privacy-notice/
-[privacy policy of HubSpot]: https://legal.hubspot.com/privacy-policy
diff --git a/docs/product/devops.html b/docs/product/devops.html
deleted file mode 100644
index d805b58..0000000
--- a/docs/product/devops.html
+++ /dev/null
@@ -1,132 +0,0 @@
----
-title:  SignPath for DevOps
-description: Using SignPath in a DevOps pipeline
----
-
-{% include header.html %}
-
-<section class="bg-image font-white top-section" style='background-image:url(/assets/img/devops.jpg);'>
-  <div>
-    <h1>{{ page.title }}</h1>
-  </div>
-</section>
-
-<section class="bg-grey devops-section">
-  <div>
-    <div class='columns'>
-      {% include devops.svg %}
-      <div>
-        <h2>Code Signing in the pipeline</h2>
-        <p>
-        With SignPath.io, code signing can be integrated into your existing continous deployment pipeline with just a few steps. You don't need to worry about connecting usb tokens to build servers, handling passwords prompts or securing your private keys. Signing just becomes one more step in your process, even for nested artifacts. Thanks to a clear separation of concerns, DevOps engineers can focus on the build and deployment process and leave the security concerns to their InfoSec colleagues.</p>
-      </div>
-    </div>
-    <p class='center'><a class='btn btn-primary trial' href='{{ site.data.hosts.app[site.target_environment] }}/Web/Subscription/StartFreeTrial'>Start free trial</a></p>
-  </div>
-</section>
-
-<section class='devops-section'>
-  <div>
-    <h2>Build process integration</h2>
-    <p>
-      SignPath.io is built with DevOps in mind. Adding a code signing step to your build process requires just a few lines of code by including our PowerShell script, calling the API directly or using one of our build system integrations. The artifact is then extracted, and all specified files are signed recursively. SignPath can be integrated in a synchronous and an asynchronous call, providing flexibility for different use cases. In the synchronous case, the build job waits for the uploaded artifact to be signed and continues with the following steps right away. In the asynchronous case, the signing request has to be approved and a second pipeline is then started for e.g. deploying the signed artifact. Deeper integration including origin verification is supported with AppVeyor, all other CI systems such as Jenkins, Travis, TeamCity or CircleCI can be integrated by using a generic REST call via PowerShell or cURL.
-    </p>
-    <p><a class='btn btn-primary' href='/documentation/build-system-integration'>View documentation</a></p>
-    <div class='tabs'>
-      <ul class='header'>
-        <li class='active'><a data-tabkey='powershell' href="#"><i class="icon-powershell"></i> <span>PowerShell</span></a></li>
-        <li><a data-tabkey='curl' href="#"><i class="icon-curl"></i> <span>cURL</span></a></li>
-        <li><a data-tabkey='jenkins' href="#"><i class="icon-jenkins"></i> <span>Jenkins</span></a></li>
-        <li><a data-tabkey='github-actions' href="#">{% include github.svg %} <span>GitHub Actions</span></a></li>
-        <li><a data-tabkey='appveyor' href="#"><i class="icon-appveyor"></i> <span>AppVeyor</span></a></li>
-        <li><a data-tabkey='azuredevops' href="#"><i class="icon-azure-devops"></i> <span>Azure DevOps</span></a></li>
-      </ul>
-      {% raw %}
-      <div class='panel'>
-        <code data-tabcontent='powershell' class='active'>
-          <span><span class='command'>Submit-SigningRequest</span> `</span>
-          <span>    <span class='parameter'>-OrganizationId</span> <span class='variable'>$SIGNPATH_ORGANIZATION_ID</span> `</span>
-          <span>    <span class='parameter'>-ApiToken</span> <span class='variable'>$SIGNPATH_API_TOKEN</span> `</span>
-          <span>    <span class='parameter'>-ProjectSlug</span> my_software `</span>
-          <span>    <span class='parameter'>-SigningPolicySlug</span> release-signing `</span>
-          <span>    <span class='parameter'>-InputArtifactPath</span> build/my-release.msi `</span>
-          <span>    <span class='parameter'>-OutputArtifactPath</span> build-signed/my-release.msi `</span>
-          <span>    <span class='parameter'>-WaitForCompletion</span></span>
-        </code>
-        <code data-tabcontent='curl'>
-          <span><span class="variable">result</span>=$(<span class='command'>curl</span> <span class='string'>"https://app.signpath.io/api/v1/</span><span class='variable'>${SIGNPATH_ORGANIZATION_ID}</span><span class='string'>/SigningRequests"</span> \</span>
-          <span>  <span class='parameter'>-H</span> <span class='string'>"Authorization: Bearer </span><span class='variable'>${SIGNPATH_API_TOKEN}</span><span class='string'>"</span> \</span>
-          <span>  <span class='parameter'>-F</span> <span class='string'>"ProjectSlug=</span>my_software<span class='string'>"</span> \</span>
-          <span>  <span class='parameter'>-F</span> <span class='string'>"SigningPolicySlug=</span>release-signing<span class='string'>"</span> \</span>
-          <span>  <span class='parameter'>-F</span> <span class='string'>"Artifact=</span>@./build/my-release.msi<span class='string'>"</span> \</span>
-          <span>  <span class='parameter'>--retry</span> 20 <span class='parameter'>--retry-delay</span> 30 <span class='parameter'>--silent --verbose</span>)</span>
-          <span><span class='variable'>url</span>=$( echo <span class='string'>"<span class='variable'>$result</span>"</span> | grep -i <span class='string'>'^&lt; Location: '</span> | grep -io <span class='string'>'https://.*'</span> | tr -d <span class='string'>'\r'</span> )</span>
-          <span><span class='command'>curl</span> <span class='string'>"<span class='variable'>$url</span>/SignedArtifact"</span> <span class='parameter'>--output</span> <span class='string'>"build-signed/my-release.msi"</span> <span class='parameter'>--silent </span> \</span>
-          <span>  <span class='parameter'>-H</span> <span class='string'>"Authorization: Bearer </span><span class='variable'>${SIGNPATH_API_TOKEN}</span><span class='string'>"</span> </span>
-        </code>
-        <code data-tabcontent='jenkins'>
-          <span><span class='command'>submitSigningRequest</span>( </span>
-          <span>  <span class='parameter'>organizationId:</span> <span class='string'>"</span><span class='variable'>${params.SIGNPATH_ORGANIZATION_ID}</span><span class='string'>"</span>, </span>
-          <span>  <span class='parameter'>ciUserTokenCredentialId:</span> <span class='string'>"</span><span class='variable'>${params.SIGNPATH_CI_USER_CREDENTIAL_ID}</span><span class='string'>"</span>, </span>
-          <span>  <span class='parameter'>projectSlug:</span> <span class='string'>"my_software"</span>, </span>
-          <span>  <span class='parameter'>signingPolicySlug:</span> <span class='string'>"release-signing"</span>, </span>
-          <span>  <span class='parameter'>inputArtifactPath:</span> <span class='string'>"build/my-release.msi"</span>, </span>
-          <span>  <span class='parameter'>outputArtifactPath:</span> <span class='string'>"build-signed/my-release.msi"</span>, </span>
-          <span>  <span class='parameter'>waitForCompletion:</span> true </span>
-          <span>) </span>
-        </code>
-        <code data-tabcontent='github-actions'>
-          <span>- uses: <span class='command'>signpath/github-action-submit-signing-request@v0.4</span> </span>
-          <span>  with:</span>
-          <span>    <span class='parameter'>api-token</span>: <span class='string'>'</span><span class='variable'>${{ secrets.SIGNPATH_API_TOKEN }}</span><span class='string'>'</span></span>
-          <span>    <span class='parameter'>organization-id</span>: <span class='string'>'</span><span class='variable'>${{ vars.SIGNPATH_ORGANIZATION_ID }}</span><span class='string'>'</span></span>
-          <span>    <span class='parameter'>project-slug</span>: <span class='string'>'my_software'</span></span>
-          <span>    <span class='parameter'>signing-policy-slug</span>: <span class='string'>'release-signing'</span></span>
-          <span>    <span class='parameter'>github-artifact-id</span>: <span class='string'>'</span><span class='variable'>${{ steps.upload-unsigned-artifact.outputs.artifact-id }}</span><span class='string'>'</span></span>
-          <span>    <span class='parameter'>output-artifact-directory</span>: <span class='string'>'./build-signed'</span></span>
-          <span>    <span class='parameter'>wait-for-completion</span>: <span class='string'>'true'</span></span>
-        </code>
-        <code data-tabcontent='appveyor'>
-          <span><span class='command'>deploy:</span></span>
-          <span>  - <span class='parameter'>provider</span>: Webhook</span>
-          <span>  <span class='parameter'>url</span>: <span class='string'>https://app.signpath.io/API/v1/</span><span class='variable'>$(SIGNPATH_ORGANIZATION_ID)</span><span class='string'>/Integrations/AppVeyor?</span><span class='parameter'>ProjectSlug=</span>my_software<span class='string'>&</span><span class='parameter'>SigningPolicySlug=</span>release-siging</span>
-          <span>  <span class='parameter'>authorization</span>:</span>
-          <span>    <span class='parameter'>secure</span>: <span class='string'>VGhpcyBpcyBub3QgdGhlIHNlY3JldCB0b2tlbiB5b3UgYXJlIGxvb2tpbmcgZm9yLi4uIC0gU2lnblBhdGguaW8=</span></span>
-        </code>
-        <code data-tabcontent='azuredevops'>
-          <span>- task: <span class='command'>SignPathSubmitSigningRequest@2</span> </span>
-          <span>  <span class='parameter'>inputs</span>:</span>
-          <span>    <span class='parameter'>organizationId</span>: <span class='string'>'</span><span class='variable'>$(SIGNPATH_ORGANIZATION_ID)</span><span class='string'>'</span></span>
-          <span>    <span class='parameter'>ciUserToken</span>: <span class='string'>'</span><span class='variable'>$(SIGNPATH_API_TOKEN)</span><span class='string'>'</span></span>
-          <span>    <span class='parameter'>projectSlug</span>: <span class='string'>'my_software'</span></span>
-          <span>    <span class='parameter'>signingPolicySlug</span>: <span class='string'>'release-siging'</span></span>
-          <span>    <span class='parameter'>inputArtifactPath</span>: <span class='string'>'./build/my-release.msi'</span></span>
-          <span>    <span class='parameter'>outputArtifactPath</span>: <span class='string'>'./build-signed/my-release.msi'</span></span>
-          <span>    <span class='parameter'>waitForCompletion</span>: <span class='string'>'sync'</span></span>
-        </code>
-      </div>
-       {% endraw %}
-    </div>
-
-  </div>
-</section>
-
-<section class='font-white bg-blue'>
-  <div>
-    <div class='columns'>
-      <div>
-        <i class="icon icon-origin-verification header"></i>
-        <h2>Origin verification for enhanced security</h2>
-        <p>For selected CI systems, SignPath can provide even more transparency by verifying that each signed artifact stems from a specific code repository, branch and source code commit. By integrating the origin information in the signature, each signed artifact can be traced back to the source code that it was build from.</p>
-      </div>
-      <div>
-        {% include user_big.svg %}
-        <h2>Manual approval steps</h2>
-        <p>
-          Security critical tasks such as code signing often include manual approval steps in order to increase the security and avoid malicious code to be deployed into a production system. SignPath.io allows you to configure multiple security restrictions, including manual approvals. All details necessary to validate the artifact, such as its origin, SHA256 hash and contents are readily available in the web application.</p>
-      </div>
-    </div>
-  </div>
-</section>
-
-{% include footer.html %}
diff --git a/docs/product/editions-explained.md b/docs/product/editions-explained.md
deleted file mode 100644
index 9d7c40c..0000000
--- a/docs/product/editions-explained.md
+++ /dev/null
@@ -1,312 +0,0 @@
----
-title: Editions
-header: Editions and Pricing explained
-layout: resources
-toc: true
-show_toc: 2
-description: 'Detailed description of SignPath editions: features and quotas'
-hide_nav: true
----
-
-This page explains how the quotas and features of all [SignPath Editions](/product/editions).
-
-## Quotas
-
-### Code signing certificates
-
-#### What is the advantage of Extended Validation (EV) code signing certificates?
-
-EV certificates are considered more trustworthy because they
-
-* they require stricter identity checks by the certificate authority (CA)
-* are only issued on secure hardware (USB token or HSM)
-
-**For non-EV certificates, Windows will warn users about new and newly re-issued certificates.**
-
-This does not happen with EV certificates, since they start with full reputation for Microsoft SmartScreen. You will also need EV certificates to sign Windows drivers.
-
-#### What are test certificates used for?
-
-You may create any number of self-signed test certificates and assign them to signing policies. These are used for test-signing your projects.
-
-Test-signing is used to avoid the security implications of release-signing with EV certificates, which 
-
-* to test your signing configuration (especially artifact configurations) without the  (which would be )
-
-### Projects
-
-*Code Signing Starter* and *Code Signing Basic* are priced based on the number of projects you can create in SignPath. Choose the number of projects you need when you buy your subscription, or upgrade later. If you need more than *max. projects*, you need to upgrade to another the subscription type.
-
-We recommend to use one SignPath *project* for each actual software project. 
-
-If your project produces several artifacts, you have these options to handle them with a single *SignPath* project:
-
-* Use deep signing: Sign an installer *and* the files it contains
-* Package your artifacts into a ZIP archive: Sign all artifacts that result from a single build job in one step
-* Use multiple artifact configurations within one project (not available for *Code Signing Starter*)
-
-### Users
-
-*Code Signing Starter* and *Code Signing Basic* are priced based on the number of active user accounts. Choose the number of users you need when you buy your subscription, or upgrade later. If you need more than *max. users*, you need to upgrade to another subscription type.
-
-User accounts are required for all interactions with the SignPath user interface, including
-
-* manual upload and approval of signing requests
-* administration of your SignPath organization and projects
-* checking the status of signing requests
-* creating reports
-* receiving notifications
-
-This quota does not limit the number of CI user accounts or build agents you can use.
-
-### Signing requests
-
-*Code Signing Starter* and *Code Signing Basic* have an upper limit for the number of signing requests.
-
-Included signing requests per year and project:
-
-| Signing policy  | Certificate                                   | Starter | Basic |
-|-----------------|-----------------------------------------------|--------:|------:|
-| release-signing | Extended Validation (EV) release certificate  |      20 |    50 |
-| test-signing    | Self-signed test certificate                  |     100 |   250 |
-
-**Example:** a *Code Signing Basic* subscription with 3 *projects* allows you to complete 
-
-* 150 release-signing requests per year (50 &times; 3) 
-* 750 test-signing requests per year (250 &times; 3)
-
-The signing requests quota can be used freely between projects. You may upgrade the available projects of your subscription to get more signing requests per year.
-
-#### How many signing requests will I need?
-
-We recommend that you create one signing request per release of your software. This makes it easier to integrate with CI systems, use security-enhancing artifact configurations, and track your signining requests.
-
-* Consider packing your artifacts into a single ZIP archive for signing
-  * if your software consist of multiple artifacts (e.g. several EXE and DLL files)
-  * if you produce several variants of your software for each release (e.g. runtime environments, processor architectures, customer variants)
-* Consider using [deep signing](#deep-signing) if you produce packages in supported formats such as MSI installers
-
-#### Individual signatures {#individual-signatures}
-
-Each signed file inside a signing request counts towards the individual signatures quota. 
-
-* **Example:** an MSI file containing 1 EXE and 2 DLL files would result in 4 individual signatures. 
-
-You may sign **up to 100 files per *available* signing request** (i.e. the sum of release- and test-signing requests). 
-
-* **Example:** 900 signing requests are available in the previous example (150 + 750). That would result in 900 &times; 100 = 90,000 individual signatures per year.
-
-You can adjust the [artifact configuration](/documentation/artifact-configuration) to specify which files should be signed.
-
-### CI pipelines
-
-*Code Signing Starter*: one CI pipeline at a time. 
-
-*Code Signing Basic*: one CI pipeline per available project at a time.
-
-Additional signing requests submitted from CI pipelines may be rejected and have to be repeated later.
-
-## Signing methods and file types {#file-based-signing}
-
-SignPath directly supports signing various file formats. See [the artifact configuration reference](/documentation/artifact-configuration/reference#file-elements) for details about available signing methods and file types.
-
-### Microsoft Office macros {#office-macros}
-
-{% include editions.md feature="file_based_signing.office_macros" %}
-
-Sign Office macros to protect against macro malware.
-
-With a policy-based code signing process, you can sign your company's Office macros for internal and/or external use. As an immediate benefit, you can disable execution of unsigned macros, thus preventing macro viruses and other macro-based malware deterministically.
-
-See [Office macros](/product/office-macros) for more information.
-
-### XML Signing {#xml-signing}
-
-{% include editions.md feature="file_based_signing.xml" %}
-
-SignPath supports signing XML files using [XMLDSIG](https://www.w3.org/TR/xmldsig-core1/). 
-
-See [artifact configuration](/documentation/artifact-configuration/reference#xml-sign) for details.
-
-### Container image signing {#container-signing}
-
-{% include editions.md feature="file_based_signing.docker" %}
-
-SignPath supports signing Docker container images and tags using cosign and Docker Content Trust (DCT). See [Signing Container Images](/documentation/signing-containers) for details.
-
-### Bills of Material {#sbom-signing}
-
-{% include editions.md feature="file_based_signing.sbom" %}
-
-Sign Bills of Material (BOM) in the [Cyclone DX](https://owasp.org/www-project-cyclonedx/) XML format. This includes
-
-* Software Bill of Materials (SBOM)
-* Software-as-a-Service Bill of Materials (SaaSBOM)
-* Hardware Bill of Materials (HBOM)
-* and others
-
-See this [artifact configuration sample](/documentation/artifact-configuration/examples#sbom-restriction) for details.
-
-## Crypto providers and hash signing {#hash-based-signing}
-
-{% include editions.md feature="hash_based_signing.rest_api" %} 
-
-Use SignPath cryptographic providers with any code signing tool that supports either of these interfaces:
-
-| SignPath Provider                    | Technology/Interface               | Supported Platforms  | Signing Tools
-|--------------------------------------|------------------------------------|----------------------|------------------------------------------------
-| Key Storage Provider (KSP)           | Cryptography Next Generation (CNG) | Windows              | `SignTool.exe`, `Mage.exe`, `nuget sign`, ...
-| Cryptographic Storage Provider (CSP) | Cryptographic API (CAPI)           | Windows              | Same as KSP, legacy tools
-| Cryptoki library                     | PKCS #11                           | Windows, Linux       | `jarsigner`, OpenSSL, GPG, RPM, DEB, Maven ...
-| CryptoTokenKit                       | Code signigng for Apple macOS, iOS, watchOS, tvOS | macOS | Xcode, `xcodebuild`, `codesign`
-
-Note that with hash-based signing, artifacts are not transferred to and signed by the SignPath application, but locally on the user machine or build agent. The signing operation is always executed synchronously, typically through one of the cryptographic providers listed above.
-
-{:.panel.info}
-> **Advanced usage scenarios**
->
-> Certain features are not available for hash-based signing with these cryptographic providers. However, they may be used in certain scenarios when directly using SignPath REST APIs. Contact [SignPath Support](/support) for more information.
->
-> * [Signing multiple files in a single signing request](/documentation/artifact-configuration/#signing-multiple-files)
-> * [User-defined parameters](#user-defined-parameters)
-> * [Manual approval](#manual-approval)
-> * [Origin verification](#origin-verification)
-> * [Build and source code policies](#extended-policies)
-
-## Artifact configuration
-
-Artifact configurations define what artifacts to sign and how. They can either simply define the file type, or they can be detailed specifications of complex artifacts that contain other (nested) artifacts. See [setting up projects](/documentation/projects#artifact-configurations) for details.
-
-### Deep signing
-
-Sign installers, packages etc. *and* their content in a single step. See [signing nested artifacts](/documentation/projects#signing-nested-artifacts-deep-signing)
-
-### Multiple versions
-
-{% include editions.md feature="artifact_configuration.multiple_configurations_per_project" %}
-
-Create [multiple artifact configurations](/documentation/projects#keeping-versions-of-artifact-configurations) for
-
-* projects that create different artifact at different times, but you want to use the same signing policies
-* artifact configurations that change significantly over time (versioning)
-
-### Metadata constraints
-
-{% include editions.md feature="artifact_configuration.metadata_constraints" %}
-
-You can restrict some [file attributes](/documentation/artifact-configuration/reference#metadata-restrictions) in the artifact configuration. 
-
-This is useful if you want to 
-
-* enforce metadata policies (signed binaries must use consistent publisher metadata)
-* avoid unintentional signing of third-party components
-* defend against unauthorized signing (while this can be circumvented by aware parties, the attempt is reported and can be investigated)
-
-### User-defined parameters
-
-{% include editions.md feature="artifact_configuration.user_defined_parameters" %}
-
-You can define [parameters](/documentation/artifact-configuration/syntax#parameters) for each signing request. 
-
-Use this to
-* create more restrictive artifact configurations
-* track arbitrary values across signing requests
-* include build-time values 
-
-## Policy enforcement
-
-### Manual approval
-
-{% include editions.md feature="policy_enforcement.manual_approval" %}
-
-Specify that one or more approvals are required before a signing request is processed. 
-
-This is typically used for release-signing. Note that [origin verification](#origin-verification) allows to create secure signing policies without manual approval. 
-
-#### Quorum approval
-
-{% include editions.md feature="policy_enforcement.quorum_approval" %}
-
-You may also specify that a certain number approvals is required (a.k.a. _k-out-of-n_ approval).
-
-See [approval process](/documentation/projects#approval-process) for more information about manual approval.
-
-### Signing policies per project
-
-For *Code Signing Starter* and *Code Signing Basic*, you get two signing policies per project:
-
-* a test-signing policy for testing the signing configuration and signing test builds
-* a release-signing policy for signing builds that will be delivered to end users
-
-*Advanced Code Signing* and *Code Signing Gateway* allow to define any number of singing policies per project. You can use this to create policies with different levels of manual and automatic verification. 
-
-Example:
-
-* *test* signing without verification, using a test certificate
-* *pre-release* signing with [origin verification](#origin-verification), using a certificate that is recognized by QA devices
-* *release* signing with origin verification and a constraint on *release branches* only
-* *exception release* signing with origin verification, no branch constraints, but manual approval instead
-* *emergency signing* without origin verification, but manual approval with 3 required approvals
-
-See [code signing certificates](#code-signing-certificates).
-
-### Resubmit
-
-{% include editions.md feature="policy_enforcement.resubmit" %}
-
-Resubmit signing requests for signing using different policies and/or certificates.
-
-This can be used to sign _release candidates_ with test certificates at first, and re-sign them with release certificates once they have been tested and approved for release. 
-
-See [signing code](/documentation/signing-code#resubmit).
-
-### Certificate policies
-
-{% include editions.md feature="policy_enforcement.policies_for_certs" %}
-
-Specify that certain validation criteria must be enabled for specific certificates. This enforces these policies for all projects end their respective signing policies.
-
-See [managing certificates](/documentation/managing-certificates).
-
-## Pipeline Integrity
-
-### Origin verification
-
-{% include editions.md feature="pipeline_integrity.origin_verification" value="optional" %}
-
-When a CI build is submitted to SignPath, certain metadata will be retrieved and verified by SignPath. This includes
-
-* source code repository
-* repository branch
-* source code commit
-* build information
-
-Verification ensures that a person or system with knowledge of the API token cannot simply submit an unauthorized signing request. 
-
-**Origin verification enables the most advanced level of code signing security.** Even without origin verification, SignPath prevents many attack vectors using a combination of authentication and permissions, artifact configurations and constraints, malware scanning, notifications, and auditing. However, as soon as somebody gets access to the CI user token, security cannot be guaranteed. 
-
-Origin verification traces a software build back to the original source code, making it virtually impossible to sign unauthorized code.
-
-For full security, make sure
-
-* that the source code repository is the *single source of truth* for software builds, including build scripts and CI configurations
-* that all upstream components are signed by their publishers, and signatures are verified
-* that your repository and CI infrastructure is secure
-
-See [origin verfication](/documentation/origin-verification) for more information.
-
-#### Origin-based policies
-
-Specify the *source code repository* for a SignPath project, and (optionally) the *branch* name(s) for a signing policy. This ensures that only software from legitimate builds of these repositories can be signed using this policy.
-
-#### Manual origin verification
-
-When using manual approval on top of origin verification, approvers will have reliable information to base their decisions on. Also, they can be sure that builds will not even be presented for approval if they don't meet the policy requirements.
-
-#### Build validation
-
-For some CI systems, SignPath offers connectors that can validate software builds for security. This ensures that development teams do not use or enable inherently insecure mechanisms in their release build configurations. Insecure practices include caching on build nodes, interactive access to build nodes, ad-hoc build configuration changes and more.
-
-#### SCM and CI policy control
-
-For some CI systems, SignPath allows defining detailed policies for Source Code Management (SCM) and CI/CD policies. You can set requirements for branch protection, build agents and other properties per signing policy.
\ No newline at end of file
diff --git a/docs/product/editions.html b/docs/product/editions.html
deleted file mode 100644
index 91f94b7..0000000
--- a/docs/product/editions.html
+++ /dev/null
@@ -1,107 +0,0 @@
----
-title:
-description: Comparison chart of SignPath editions
-datasource: featuregroups,editions
----
-
-{%- include header.html -%}
-{%- assign reduced_price_factor = 1.00 -%}
-{%- assign groups = site.data.featuregroups -%}
-
-<section class='bg-blue font-white pricing-start top-section bg-image'>
-	<div>
-		<h1>From small teams to enterprises</h1>
-		<h3>Let's secure your code signing processes</h3>
-	</div>
-</section>
-
-<section class='bg-grey editions'>
-	<div>
-		<div class='column-layout'>
-			<div class='features col'>
-				<ul>
-					{%- for group in groups -%}
-						<li class='head f'>
-							{%- if group.href != null -%}
-								<a href='{{- group.href-}}'>{{- group.title -}}</a></span>
-							{%- else -%}
-								{{- group.title -}}
-							{%- endif -%}
-						</li>
-
-						{%- for feature in group.features -%}
-							<li class= {%- if feature.class == null -%} 'f' {%- else -%} '{{- feature.class -}}' {%- endif -%} >
-								{%- if feature.href != null -%}
-									<a href='{{- feature.href-}}'>{{- feature.title -}}</a></span>
-								{%- else -%}
-									{{- feature.title -}}
-								{%- endif -%}
-								{% if feature.hint != null %}
-									<span aria-label='{{- feature.hint -}}' class='hint--top-right hint--medium'>
-										{% include info.svg %}
-									</span>
-								{%- endif -%}
-								{%- if feature.sub != null -%}
-									<span class='sub f'>{{- feature.sub -}}</span>
-								{%- endif -%}
-							</li>
-						{%- endfor -%}
-					{%- endfor -%}
-				</ul>
-			</div>
-			{%- for edition in site.data.editions -%}
-				<div class='content col'>
-					<h3>{{- edition.title -}}</h3>
-					<ul>
-						{%- for group in groups -%}
-							{%- for feature in group.features -%}
-								<li {% if group == groups[0] and feature == group.features[0] %} class='first-after-header first-after-main-header'
-								    {%- elsif feature == group.features[0] -%} class='first-after-header'
-									{%- endif -%}>
-									{%- assign value = edition[group.name][feature.name] -%}
-									{%- if value == true -%}
-									{% include check.svg %}
-									{%- comment -%} {%- elsif value == null -%}<span style="color:red; font-weight: bold;">?</span> {%- endcomment -%}
-									{%- elsif value == false or value == null -%}<span>&nbsp;</span>
-									{%- else -%}{{- value -}}{%- endif -%}
-
-									{%- assign feature_hint_name = feature.name | append: '-hint' -%}
-									{%- assign feature_hint = edition[group.name][feature_hint_name] -%}
-									{%- if feature_hint == 'quota-hint' -%} {%- assign feature_hint = 'Click "buy now" and add projects to adjust quota.' -%} {%- endif -%}
-									{% if feature_hint != null %}
-										<span aria-label='{{- feature_hint -}}' class='hint--top-left hint--medium'>
-											{% include info.svg %}
-										</span>
-									{%- endif -%}
-								</li>
-							{%- endfor -%}
-						{%- endfor -%}
-					</ul>
-					{%- case edition.link_type -%}
-						{%- when 'pricing_page' -%}
-							<a class='btn pricing' href='/product/pricing'>Buy now</a>
-							<a class='btn trial' href='{{- site.data.hosts.app[site.target_environment] -}}/Web/Subscription/StartFreeTrial'>Start free trial
-							</a>
-						{%- when 'sales_email' -%}
-							<a class='btn' href='mailto:sales@signpath.io?Subject={{- edition.name | urlencode -}}%20subscription'>Contact sales</a>
-							<a class='btn' href='mailto:sales@signpath.io?Subject=Request%20trial%20for%20{{- edition.name | urlencode -}}%20subscription'>Request free trial 
-							</a>
-						{%- when 'support_email' -%}
-							<a class='btn' href='mailto:support@signpath.io?Subject={{- edition.name | urlencode -}}%20subscription'>Contact support</a>
-					{%- endcase -%}
-				</div>
-			{%- endfor -%}
-		</div>
-		<div class='info'>
-	    	<p>
-				<strong>
-					{% include info.svg %}
-					Free trials:
-				</strong>
-				download and install your own <strong>test certificate</strong>. See <a href='/code-signing/test-certificates'>managing test certificates</a> for instructions.
-	      	</p>
-	    </div>
-	</div>
-</section>
-
-{%- include footer.html -%}
diff --git a/docs/product/features.html b/docs/product/features.html
deleted file mode 100644
index 226e05f..0000000
--- a/docs/product/features.html
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: Features
-description: SignPath product features described
----
-
-{% include header.html %}
-
-<section class='bg-blue font-white top-section product-start bg-image'>
-  <div>
-		<h1>The preferred code signing solution</h1>
-		<h3>
-			Empowers development teams<br>
-			and fulfills InfoSec standards<br>
-		</h3>
-	</div>
-</section>
-
-<section class='bg-grey'>
-	<div>
-		<div class='columns'>
-			<div>
-				<h3>Code Signing in the cloud</h3>
-				<p>
-					SignPath provides your organization with a simple and secure code signing process. Development teams can define workflows that integrate well with their existing software development lifecycle. Responsibilities, tasks, alerts and inventories of your private keys and certificates are well documented and transparent for the InfoSec teams.
-				</p>
-			</div>
-			<div>
-				<h3>Security matters</h3>
-				<p>
-					Code Signing is a cornerstone of anti-malware protection. Operating systems, app stores, add-ins, systems and management software rely on the validity of signatures and certificates. That’s why code signing keys and processes are under constant attack. SignPath turns code signing into a controlled and repeatable process that aligns the needs of both development teams and InfoSec experts. SignPath fulfills the recommendations of the <a href='https://casecurity.org/wp-content/uploads/2016/12/CASC-Code-Signing.pdf' target='_blank'>CA Security Council</a>. 
-				</p>
-			</div>
-		</div>
-	</div>
-</section>
-
-<section class='feature'>
-	<div class='img'><div><img src='/assets/img/product/features/certificate-management.png' title='Certificate management' /></div></div>
-	<div class='description'>
-		<h2>Certificate management</h2>
-		<h3>Don't hassle with USB tokens or HSM setups</h3>
-		<p>
-			In SignPath all your organization's code signing certificates are centrally managed. The InfoSec teams have full control over what code is signed and which certificate was used. They can view the entire history in case of an incident and define clear policies to restrict how each certificate may be used. SignPath allows you to import your own certificates or create a certificate signing request (CSR) for your certificate authority (CA). You are also notified on time before your certificate expires.
-		</p>
-	</div>
-</section>
-
-<section class='feature right'>
-	<div class='img'><div><img src='/assets/img/product/features/policy-enforcement.png' title='Policy enforcement' /></div></div>
-	<div class='description'>
-		<h2>Policy enforcement</h2>
-		<h3>Take control over your code signing process</h3>
-		<p>
-			SignPath enables development teams to stay agile by allowing them to automate the code signing process as long as they stay within the boundaries of their organization's policies. Administrators can define which kind of software may be signed, who is allowed to submit a signing request and how many approvers must authorize it before it is signed. Additionally, SignPath offers origin verification, which ensures that a software artifact was built from a specific commit in your source code repository.
-		</p>
-	</div>
-</section>
-
-<section class='feature'>
-	<div class='img'><div><img src='/assets/img/product/features/deep-signing.png' title='Deep signing' /></div></div>
-	<div class='description'>
-		<h2>Deep signing of nested files</h2>
-		<h3>Sign executables and libraries within your installers and packages</h3>
-		<p>
-			Signing the installer or library package alone means that the software installed on your customer's systems is not digitally secured any more once the shipped installer has been unpacked and disposed. In order to continously ensure the authenticity and integrity of your software components, SignPath signs all files within the installation package and then automatically repackages the installer and signs the entire package.
-		</p>
-	</div>
-</section>
-
-
-<section class='feature right'>
-	<div class='img'><div><img src='/assets/img/product/features/build-integration.png' title='Build integration' /></div></div>
-	<div class='description'>
-		<h2>Build integration</h2>
-		<h3>Automate your code signing process</h3>
-		<p>
-			Software development processes are increasingly automated to cope with the demand for more agility and frequent releases. SignPath allows code signing to be part of the build pipeline by providing a modern API, third party integrations and tools for seamless CI integration.
-		</p>
-	</div>
-</section>
-
-<section class='feature'>
-	<div class='img'><div><img src='/assets/img/product/features/malware-scanning.png' title='Malware scanning' /></div></div>
-	<div class='description'>
-		<h2>Malware scanning of artifacts</h2>
-		<h3 class='subtitle'>Know that there's another layer of security</h3>
-		<p>
-			All artifacts you upload to SignPath are checked for malware. Even if your build server is infected, SignPath adds an additional barrier to prevent shipping viruses to your users and customers.
-		</p>
-	</div>
-</section>
-
-<section class='feature right'>
-	<div class='img'><div class='no-shadow'><img src='/assets/img/product/features/secure-private-keys.png' title='Secure private keys' /></div></div>
-	<div class='description'>
-		<h2>Secure storage of private keys</h2>
-		<h3 class='subtitle'>Rest assured that your private keys can never be compromised</h3>
-		<p>
-			SignPath provides a FIPS-certified Hardware Security Module (HSM) to generate and store the private keys for your certificates. The HSM is located in a physically secured data center. Every signing operation takes place on the HSM ensuring that the private key is never exposed. The key infrastructure of SignPath fulfills all requirements for Extended Validation (EV) certificates without having to deal with USB tokens or spending money on dedicated hardware.
-		</p>
-	</div>
-</section>
-
-<section class='feature'>
-	<div class='img'><div class='no-shadow'><img src='/assets/img/product/features/origin-verification.jpg' title='Secure private keys' /></div></div>
-	<div class='description'>
-		<h2>Origin verification</h2>
-		<h3 class='subtitle'>Trace every binary back to its source code</h3>
-		<p>
-			SignPath integrates with build servers and allows you to securely track the origin of your binary artifacts. The signed software releases can be linked to a specific commit in your source code repository, allowing you to reliably and securely pin down which code was shipped and who made changes to it.
-		</p>
-	</div>
-</section>
-
-{% include footer.html %}
\ No newline at end of file
diff --git a/docs/product/index.md b/docs/product/index.md
deleted file mode 100644
index 735e874..0000000
--- a/docs/product/index.md
+++ /dev/null
@@ -1,3 +0,0 @@
----
-redirect_to: "/product/features"
----
\ No newline at end of file
diff --git a/docs/product/infosec.html b/docs/product/infosec.html
deleted file mode 100644
index bb9bfb0..0000000
--- a/docs/product/infosec.html
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title:  SignPath for InfoSec
-description: Using SignPath to secure your internal supply chain
----
-
-{% include header.html %}
-
-<section class="bg-image font-white top-section" style='background-image:url(/assets/img/infosec.jpg);'>
-  <div>
-    <h1>{{ page.title }}</h1>
-  </div>
-</section>
-
-<section class="bg-grey infosec-section">
-  <div>
-    <h2>SignPath makes Code Signing secure</h2>
-    <p>How secure are your private keys? Who has access to them and how is their usage regulated? Stolen or misused code signing certificates are a severe threat to ISPs and their customers. The only way to prevent breaches and reduce the risks of successful attacks is to protect your private keys and to estabalish a secure, transparent process.</p>
-    <p><a class='btn btn-primary' href='/product/casc'>CA Security Council best practices</a></p>
-  </div>
-</section>
-
-<section class='feature infosec-section'>
-  <div class='img'><div class='no-shadow'>{% include chain.svg %}</div></div>
-  <div class='description'>
-    <h2>Chain attacks</h2>
-    <h3>Don't be the weakest link</h3>
-    <p>
-      A stolen code signing certificate does not only put your organization at risk, but also all your customers. ISPs are increasingly becoming a target with the sole purpose of attacking one or several of their customers. IT organizations are reacting and demand their suppliers not only to sign their code, but to establish secure code signing processes.
-    </p>
-    <p class='center'><a class='btn btn-secondary' href='/code-signing/media-coverage'>Read about media coverage</a></p>
-  </div>
-</section>
-
-<section class='feature right infosec-section'>
-  <div class='img'><div class='no-shadow'>{% include devops.svg %}</div></div>
-  <div class='description'>
-    <h2>Agility and Security</h2>
-    <h3>Allow your developers to move fast</h3>
-    <p>
-      Define clear policies on how code signing certificates may be used - give your development teams the freedom to implement them for their processes. SignPath provides a clear separation of duties, where security teams stay on top of private key access and policy enforcement and development teams can focus on delivering software.
-    </p>
-    <p><a class='btn btn-secondary' href='/product/devops'>See our DevOps integration</a></p>
-  </div>
-</section>
-
-<section class='feature infosec-section'>
-  <div class='img'><div class='no-shadow'>{% include incident-management.svg %}</div></div>
-  <div class='description'>
-    <h2>Incident management</h2>
-    <h3>Be prepared and take informed decisions</h3>
-    <p>
-      SignPath allows you to lock down the code signing process and define multiple gates to ensure only malware-free, approved software from trusted build systems is signed. Every usage of your private key is logged, making it possible to trace any misuse.
-    </p>
-    <p><a class='btn btn-secondary' href='/code-signing/theory#certificate-revocation'>Read about certificate revocation</a></p>
-  </div>
-</section>
-
-<section class='feature right'>
-  <div class='img'><div class='no-shadow'><img src='/assets/img/product/features/secure-private-keys.png' title='Secure private keys' /></div></div>
-  <div class='description'>
-    <h2>Secure storage of private keys</h2>
-    <h3 class='subtitle'>Rest assured that your private keys can never be compromised</h3>
-    <p>
-      SignPath provides a FIPS-certified Hardware Security Module (HSM) to generate and store the private keys for your certificates. The HSM is located in a physically secured data center. Every signing operation takes place on the HSM ensuring that the private key is never exposed. The key infrastructure of SignPath fulfills all requirements for Extended Validation (EV) certificates without having to deal with USB tokens or spending money on dedicated hardware.
-    </p>
-    <p>
-      For customers who prefer direct control over their key material, SignPath offers <a href='/product/thales-dpod'>dedicated Thales DPoD Cloud HSM instances</a>. Use this option for local key backups, importing and exporting options, and to guarantee key availability independently from your SignPath subscription. (Export and backup options require cloning domains or key wrapping.)
-    </p>
-    <p><a class='btn btn-secondary' href='/code-signing/private-keys'>Read about storage options for private keys</a></p>
-  </div>
-</section>
-
-
-
-{% include footer.html %}
\ No newline at end of file
diff --git a/docs/product/office-macros.md b/docs/product/office-macros.md
deleted file mode 100644
index fd96935..0000000
--- a/docs/product/office-macros.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-header: Microsoft Office Macro Signing
-layout: resources
-toc: true
-description: Protecting from malicious Office macros through policy restrictions and signing
-hide_nav: true
----
-
-## The Threat of Office Macros
-
-While many organizations depend on **Microsoft Office macros for business-critical processes**, they pose a **high risk for IT security**. Macros are programs within Office documents that **execute with the same permissions as the user** opening the document. Not to speak of macros that use other exploits to elevate their privileges even beyond that. That makes Office macros a preferred way for hackers to get into organizations, with attacks ranging from **ransomware** to **spear phishing**.
-
-Unlike normal programs, Office documents are often opened by users without thinking twice. Enabling macro execution is then just a click away, which is especially easy to achieve via **social engineering** by including instructions in an email or even the document itself. 
-
-Also unlike normal programs, administrators find it **almost impossible to provide policy settings** that define which macros may be executed. Policy frameworks such as **application control/whitelisting don't work for macros**. And malware scanners will always miss some malevolent macros.
-
-## Implement Macro Signing to Create Secure End User Policies
-
-**Digitally signing your organization's macros will unlock the policy capabilities of Microsoft Office:**
-
-* Use group policies to allow execution only for macros signed with trusted certificates
-* Assign trusted certificates to users and groups
-
-![Supported applications: Excel, PowerPoint, Project, Publisher, Visio, Word](/assets/img/product/office-macros/office-supported-apps.png){:width=800}
-
-**Using SignPath, you can keep your signing keys safe and easily create well-defined signing processes for each of these certificates.**
-
-## Inadequacy of Existing Approaches
-
-This table shows how readily available policies provide **inadequate security** and/or **impact the business** to an unacceptable degree:
-
-| Method                                                       | Security level  | Implementation  | Business impact | Remarks
-|--------------------------------------------------------------|-----------------|-----------------|-----------------|----------------------------------------
-| Enable macro execution                                       | 🔴             | 🟢              | 🟢             | This should never be enabled
-| Let users decide whether to execute macros                   | 🟠             | 🟢              | 🟢             | You cannot rely on users _always_ making the right decision
-| Disable macro execution except for digitally signed macros   | 🟡             | 🟠              | 🟢             | Digital signing in Office is a manual activity and requires private key access for macro authors from their development PCs
-| Disable macro execution except for users who require them    | 🟡             | 🔴              | 🟠             | Each of these users still poses a risk, and they often add up
-| Disable macro execution except for certain storage locations | 🟡             | 🟡              | 🟡             | This will mitigate direct internet/email attacks, but still any user can drop a malicious document in a trusted location
-| Disable macro execution for everyone                         | 🟢             | 🟢              | 🔴             | Very safe but often unrealistic 
-| **Using SignPath:** <br> Disable macro execution except for digitally signed macros   | 🟢 | 🟢 | 🟢             | Provide a secure process that aligns signing authorization and approval policies with macro execution policies.
-
-## End-to-End Security for Office Macros
-
-Macros signing is easy to set up using the policy framework provided by SignPath:
-
-* VBA developers create and edit macros in office documents and document templates 
-* Macros are signed manually or automatically using SignPath
-* Administrators set up signing permissions and approval rules
-
-For approved macros, this process has no impact on business units using Office documents:
-
-* Users can create new documents and view, edit and save data in existing documents without affecting signed macros
-* Documents can be stored in any location and shared via email
-
-![Macro signing process](/assets/img/product/office-macros/macro-signing-process.png){:width=800}
-
-## Certificate scopes: global vs. departmental execution permissions
-
-Once you have set up a signing policy for your organization, you can disable execution of unsigned macros via Microsoft Office group policies.
-
-### Fine-tune signing and execution permissions
-
-Some organizations need more fine-grained control over macro execution. In this case you can assign **specific macro signing certificates** to departments.
-
-| Department       | Trusted certificates
-|------------------|---------------------------------------------------------
-| Finance          | Global, Finance
-| Legal            | Legal
-| Engineering      | Global, Engineering, some subcontractors
-| Restricted users | none
-| Everyone else    | Global
-
-Adjust your signing policies accordingly, e.g. provide signing permissions for the _Finance_ certificate only to macro authors supposed to create Office macros for the finance departement.
-
-### Business partners and customers 
-
-For documents that are used outside of your organization, you can use your EV code signing certificate. External users, such as business partners or customers, will be informed that macros have been signed by your organizations. They can then decide to trust these macros on a per-user basis or through their own policy framework.
\ No newline at end of file
diff --git a/docs/product/open-source.html b/docs/product/open-source.html
deleted file mode 100644
index cdc0824..0000000
--- a/docs/product/open-source.html
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: SignPath for Open Source projects
-description: Using SignPath to sign free and open source projects - for free
----
-
-{% include header.html %}
-
-<section class="bg-image font-white top-section" style='background-image:url(/assets/img/opensource.jpg);'>
-  <div>
-    <h1>{{ page.title }}</h1>
-  </div>
-</section>
-
-<section class='bg-grey'>
-  <div>
-    <div class='columns'>
-      <div>
-        <h2>Open Source is ubiquituous</h2>
-        <p>
-          Open source software has become one of the pillars upon which modern software development builds. Without the thousands of high-quality open source libraries and tools, developed and maintained by contributors from all around the world, many of today's popular services and applications would be unthinkable. Due to the enormous success, open source projects enjoy the advantages of free resources for hosting, building and deploying their content.
-        </p>
-      </div>
-      <div>
-        <h2>Challenges of code signing</h2>
-        <p>
-           When it comes to code signing, community-driven projects still face a number of burdens: As they constitute no legal entity, certificate authorities (CAs) refuse to grant a code signing certificate to open source projects (only to individual contributors) and their services are also not yet provided for free. This is where the SignPath Foundation comes into play. Under the umbrella of the SignPath Foundation, open source projects can apply for a free code signing certificate. In order to use the free certificate, the build process has to be fully automated and integrated with SignPath.io, to ensure that the resulting binary results directly from the source code checked into the repository.    
-        </p>
-      </div>
-    </div>
-    <p class='center'><a class='btn btn-primary' href='mailto:{{ site.email_oss }}'>Contact us</a>
-  </div>
-</section>
-
-<section class='bg-blue font-white oss-section'>
-  <div>
-    <h2>Transparency matters</h2>
-    <div>
-      <i class="icon-origin-verification"></i>
-      <p>
-        One of the many advantages of open source software is the transparency it provides in respect to which code is executed on your system. However, for compiled programs, this only holds true if the build process is also transparent and reproducible. SignPath tightly integrates with online build systems to ensure that the library or program that is code signed was built only from code checked into the repository.
-      </p>
-    </div>
-  </div>
-</section>
-
-<section>
-  <div>
-    <h2>You're in good company</h2>
-    <div class='accordion'>
-      <a href='https://github.com/gitextensions/gitextensions' target='_blank'>
-        <div>
-          <img src='/assets/img/opensource/gitextensions.svg' title='GitExtensions' />
-          <h3>Git Extensions</h3>
-          <p>Git Extensions is a graphical user interface for Git that allows you to control Git without using the commandline</p>
-        </div>
-      </a>
-      <a href='https://github.com/vim/vim-win32-installer' target='_blank'>
-        <div>
-          <img src='/assets/img/opensource/vim.gif' title='Vim' />
-          <h3>Vim for Windows</h3>
-          <p>Vim is a highly configurable text editor for efficiently creating and changing any kind of text.</p>
-        </div>
-      </a>
-      <a href='https://github.com/KirillOsenkov/MSBuildStructuredLog' target='_blank'>
-        <div>
-          <img src='/assets/img/opensource/msbuildstructuredlog.png' title='MSBuildStructuredLog' />
-          <h3>MSBuildStructured Log</h3>
-          <p>A logger for MSBuild that records a structured representation of executed targets, tasks, property and item values.</p>
-        </div>
-      </a>
-    </div>
-  </div>
-</section>
-
-{% include footer.html %}
diff --git a/docs/product/pkic-best-practices.md b/docs/product/pkic-best-practices.md
deleted file mode 100644
index 8cb0756..0000000
--- a/docs/product/pkic-best-practices.md
+++ /dev/null
@@ -1,131 +0,0 @@
----
-header: PKI Consortium Best Practices for Code Signing
-layout: resources
-toc: true
-description: Mapping SignPath features to the code signing recommendations of the PKI Consortium
-hide_nav: true
----
-
-The [PKI Consortium](https://pkic.org/) (PKIC, formerly known as CA Security Council) is a consortium of several [PKI](https://en.wikipedia.org/wiki/Public_key_infrastructure)-related organizations. One of its goals is to advance code signing practices in the industry. The PKI Consortium has released a [white paper](https://pkic.org/uploads/2016/12/CASC-Code-Signing.pdf) that contains several best practices for code signing.
-
-This is good and valuable advice, and SignPath.io supports these recommendations. However, it can be quite difficult and expensive to set up and repeatedly execute a code signing process that meets these criteria. If you use SignPath, it will take care of these recommendations for you. (SignPath organization administrators will be able to opt out of some security practices.)
-
-This page outlines how SignPath ensures that these recommendations are fulfilled.
-
-## Overview
-
-| PKIC recommendation                                                   | SignPath compliance |
-|-----------------------------------------------------------------------|---------------------|
-| 1. Minimize access to private keys                                    | **[Automatic][1]**  |
-| 2. Protect private keys with cryptographic hardware products          | **[Automatic][2]**  |
-| 3. Time-stamp code                                                    | **[Automatic][3]**  |
-| 4. Understand the difference between test-signing and release-signing | **[Automatic][4]**  |
-| 5. Authenticate code to be signed                                     | **[Automatic][5]**  |
-| 6. Virus scan code before signing                                     | **[Automatic][6]**  |
-| 7. Do not over-use any one key                                        | **[Optional][7]**   |
-
-## Detailed recommendations
-
-[1]: #1-minimize-access-to-private-keys
-
-### 1. Minimize access to private keys
-
-**Automatically fulfilled when using SignPath.**
-
-> SignPath stores keys on hardware security modules (HSMs) and strictly limits access to those based on authentication, rules, permissions and approvals.
-
-| PKIC recommendation details                                         | Compliance    | Remarks |
-|---------------------------------------------------------------------|---------------|---------|
-| Allow minimal connections to computers with keys                    | **Automatic** | No computers (including SignPath.io servers) can read HSM-based keys. Authorized build agents are authenticated before submitting signing requests.
-| Minimize the number of users who have key access                    | **Automatic** | No users (including SignPath.io administrators) can read HSM-based keys. Authorized users are authenticated before submitting signing requests.
-| Use physical security controls to reduce access to keys             | **Automatic** | Access to HSMs is restricted to dedicated SignPath.io servers that execute fully authorized signing requests.
-
-[2]: #2-protect-private-keys-with-cryptographic-hardware-products
-
-### 2. Protect private keys with cryptographic hardware products
-
-**Automatically fulfilled when using SignPath.**
-
-> Keys for release signing are stored on a hardware security module (HSM) by default.
-
-| PKIC recommendation details                                                                              | Compliance    | Remarks |
-|----------------------------------------------------------------------------------------------------------|---------------|---------|
-| Cryptographic hardware does not allow export of the private key to software where it could be attacked   | **Automatic** | SignPath always creates HSM-based keys as *non-exportable*.
-| Use a FIPS 140 Level 2-certified product (or better)                                                     | **Automatic** | SignPath.io uses SafeNet Luna Network HSMs [validated][luna fips] for FIPS 140-1 and FIPS 140-2 Level 3, and certified for Common Criteria (ISO/IEC15408).
-| Use an EV code signing certificate which requires the private key to be generated and stored in hardware | **Automatic** | SignPath will create a certificate signing request (CSR) from your HSM key. Use this CSR to purchase a certificate from any Certificate Authority. While this is required only for EV certificates, SignPath ensures the same security for normal (OV) certificates.
-
-[3]: #3-time-stamp-code
-
-### 3. Time-stamp code
-
-**Automatically fulfilled when using SignPath.**
-
-> All signatures will be counter-signed with SHA256 time stamps by a reliable time stamping server.
-
-| PKIC recommendation details                                                                | Compliance    | Remarks |
-|--------------------------------------------------------------------------------------------|---------------|---------|
-| Time-stamping allows code to be verified after the certificate has expired or been revoked | **n/a**       | *(informational)*
-
-[4]: #4-understand-the-difference-between-test-signing-and-release-signing
-
-### 4. Understand the difference between test-signing and release-signing
-
-**Automatically fulfilled when using SignPath.**
-
-> This is what SignPath [signing policies](/documentation/projects#signing-policies) are all about. While projects contain all information required for signing a specific artifact, only signing configurations will allow your projects to be signed using any given certificate.
->
-> SignPath advises you to create at least one signing policy for test-signing and one for release-signing.
-
-| PKIC recommendation details                                                                             | Compliance    | Remarks |
-|---------------------------------------------------------------------------------------------------------|---------------|---------|
-| Test-signing private keys and certificates requires less security access controls than production code signing private keys and certificates | **Automatic** | Signing policies for test-signing and release-signing have different permissions and approval requirements.
-| Test-signing certificates can be self-signed or come from an internal test CA                           | **Guidance**  | Create a self-signed certificate from the setup wizard, or create a CSR for an in-house CA.
-| Establish a separate test code signing infrastructure to test-sign pre-release builds of software       | **Guidance**  | SignPath.io allows you to use dedicated credentials and build agents for each signing policy. We recommend to share the essential build configuration in order to avoid confusion and configuration errors.
-
-[5]: #5-authenticate-code-to-be-signed
-
-### 5. Authenticate code to be signed
-
-**Automatically fulfilled when using SignPath.**
-
-> Signing requires a signing policy and authenticated signing requests. Release-signing additionally requires authenticated approvals.
-
-| PKIC recommendation details                                                                                     | Compliance    | Remarks |
-|-----------------------------------------------------------------------------------------------------------------|---------------|---------|
-| Any code that is submitted for signing should be strongly authenticated before it is signed and released        | **Automatic** | Signing request must be submitted from authenticated users or build agents.
-| Implement a code signing submission and approval process to prevent the signing of unapproved or malicious code | **Automatic** | Define submission and approval permissions per signing configuration.
-| Log all code signing activities for auditing and/or incident-response purposes                                  | **Automatic** | All activities including submission and approval (or denial) are logged and easily accessible from the user interface. Also, submitted and signed code is retained for later use including auditing, incident response, forensics, and re-signing. (Retention period depends on subscription type.)
-
-[6]: #6-virus-scan-code-before-signing
-
-### 6. Virus scan code before signing
-
-**Automatically fulfilled when using SignPath.**
-
-> Every signing request will be scanned for malware first.
-
-| PKIC recommendation details                                               | Compliance    | Remarks |
-|---------------------------------------------------------------------------|---------------|---------|
-| Code Signing does not confirm the safety or quality of the code; it confirms the publisher and whether or not the code has been changed | **n/a** | *(informational)*
-| Implement virus-scanning to help improve the quality of the released code | **Automatic** | *See above*
-
-[7]: #7-do-not-over-use-any-one-key-distribute-risk-with-multiple-certificates
-
-### 7. Do not over-use any one key (distribute risk with multiple certificates)
-
-**Using multiple release certificates is optional with SignPath.**
-
-> SignPath allows you to configure any number of certificates at any given time. (Available HSM key storage capacity depends on your subscription type.)
-
-{:.panel.tip}
-> **Do a cost/benefit analysis**
->
-> Buying multiple EV certificates can be costly. On the other hand, non-EV certificates will always start with zero [SmartScreen](https://en.wikipedia.org/wiki/Microsoft_SmartScreen) reputation.
-> 
-> We recommend that you consider buying separate certificates for major product lines, teams or customers. However, you can have a perfectly secure code signing process with a single release certificate.
-
-| PKIC recommendation details | Remarks |
-|-----------------------------|---------|
-| If code is found with a security flaw, then publishers may want to prompt a User Account Control dialog box to appear when the code is installed in the future; this can be done by revoking the code signing certificate so a revoked prompt will occur | SignPath puts you in a good position in case you have to revoke a certificate: All signatures have a valid time stamp, so only signatures from *after* the revocation date will be invalid.
-| If the code with the security flaw was issued before more good code was issued, then revoking the certificate will impact the good code as well | SignPath lets you re-sign individual releases that were involuntarily affected by revocations.
-| Changing keys and certificates often will help to avoid this conflict | This is true, but it will only reduce the problem in some situations. If you discover a security flaw shortly after the incident, chances are that you will still be using the same key and certificate.
diff --git a/docs/product/pricing.html b/docs/product/pricing.html
deleted file mode 100644
index 37f7295..0000000
--- a/docs/product/pricing.html
+++ /dev/null
@@ -1,209 +0,0 @@
----
-title:
-description: SignPath product pricing described
-datasource: pricing
----
-
-{% include header.html %}
-
-<section class='bg-blue font-white pricing-start top-section bg-image'>
-	<div>
-		<h1>Security does not have to be expensive</h1>
-		<h3>Subscription models for different needs</h3>
-	</div>
-</section>
-
-<section class='bg-grey pricing'>
-	<div>
-		<div class='header'>
-			<div class='calculator'>
-				<div class='main'>
-					<div class='column'>
-						<div class='row'>
-							<span class='label'>Projects</span>
-							<div class='number-select'>
-								{% include minus.svg %}
-								<input id='num-projects-input' max='100' min='1' oninput="this.value = Math.abs(this.value)" type='number'
-									   value='1'/>
-								{% include plus.svg %}
-							</div>
-						</div>
-						<div class='row'>
-							<span class='label'>Users</span>
-							<div class='number-select'>
-								{% include minus.svg %}
-								<input id='num-users-input' max='100' min='1' oninput="this.value = Math.abs(this.value)" type='number'
-									   value='1'/>
-								{% include plus.svg %}
-							</div>
-						</div>
-					</div>
-					<div class='column'>
-						<div class='row'>
-							<span class='label'>Duration</span>
-							<div class='toggle'>
-								<label>
-									<input type='checkbox' id='duration-toggle'>
-									<span></span>
-									<div data-before='1 year' data-after='3 years'></div>
-								</label>
-							</div>
-						</div>
-						<div class='row'>
-							<span class='label'>Currency</span>
-							<div class='toggle'>
-								<label>
-									<input type='checkbox' id='currency-toggle'>
-									<span></span>
-									<div data-before='$ USD' data-after='EUR €'></div>
-								</label>
-							</div>
-						</div>
-					</div>
-				</div>
-				<div class='link'>
-					<a href='/product/editions'>Compare editions</a>
-				</div>
-			</div>
-			<div class='ev-included'>
-				{% include badge.svg %}
-				<span>EV certificate included</span>
-			</div>
-		</div>
-
-		{% assign quotas = site.data.featuregroups | where: 'name', 'quotas' | first %}
-		{% assign projects = quotas.features | where: 'name', 'projects' | first %}
-		{% assign users = quotas.features | where: 'name', 'users' | first %}
-		{% assign signing_requests = quotas.features | where: 'name', 'signing_requests' | first %}
-
-		<div class='column-layout'>
-			<div class='features col'>
-				<ul>
-					<li class='head f'>Quotas</li>
-					<li class='f include-sub'>
-						<a href="editions-explained#projects">Projects</a>
-						<span aria-label='{{ projects.hint }}'
-							  class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-					<li class='f include-sub'>
-						<a href="editions-explained#users">Users</a>
-						<span aria-label='{{ users.hint }}'
-							  class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-					<li class='sub-head f'>
-						<a href="editions-explained#signing-requests">Signing requests</a>
-						<span aria-label='{{ signing_requests.hint }} (See individual signatures quota below.)'
-							  class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-					<li class='sub f include-sub'>release-signing
-						<span aria-label='Signing requests using your EV certificate'
-							  class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-					<li class='sub f include-sub'>test-signing
-						<span aria-label='Signing request using a test certificate that must be installed on target machines (e.g. testing the signing configuration, signing internal builds, release candidates etc.)'
-							  class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-					<li class='sub-head f'>
-						Artifact retention
-						<span aria-label='Articafts will be deleted after the specified retention time'
-							  class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-					<li class='sub f'>release-signing</li>
-					<li class='sub f'>test-signing</li>
-					<li class='f'>
-						Artifact volume
-						<span aria-label='Annual upload quota' class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-					<li class='f'>
-						<a href="editions-explained#individual-signatures">Individual signatures</a>
-						<span aria-label='Fair-use annual quota of individual files signed as part of signing requests (see signing request quota above).'
-							  class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-					<li class='f'>
-						<a href="editions-explained#ci-pipelines">CI pipelines</a>
-						<span aria-label='Limits the number of parallel signing requests'
-							  class='hint--top-right hint--medium'>
-						{% include info.svg %}
-						</span></li>
-				</ul>
-			</div>
-			{% for product in site.data.pricing %}
-				<div class='content col'>
-					<div class='product-header'>
-						<h2>{{ product.name }}</h2>
-						<h3>
-							<span class='price' data-base_price='{{ product.base_price }}'>
-								${{ product.base_price }}
-							</span>
-							<span class='price-sub'>per year</span>
-						</h3>
-					</div>
-					<ul>
-						<!-- TODO what are data-* values for? they should probably be removed or updated from javascript too -->
-						<li class='first-after-header first-after-main-header'>
-							<span class='num-projects' data-num_projects_included='{{ product.num_projects_included }}' data-num_projects_max='{{ product.num_projects_max }}' data-price_per_project='{{ product.price_per_project }}'>{{ product.num_projects_included }}</span>
-							<span class='sub'><span class='currency-amount' data-value='{{ product.price_per_project }}'>${{ product.price_per_project }}</span> per additional project ({{ product.num_projects_max }} max)</span>
-						</li>
-						<li>
-							<span class='num-users' data-num_users_included='{{ product.num_users_included }}' data-num_users_max='{{ product.num_users_max }}' data-price_per_user='{{ product.price_per_user }}'>{{ product.num_users_included }}</span>
-							<span class='sub'><span class='currency-amount' data-value='{{ product.price_per_user }}'>${{ product.price_per_user }}</span> per additional user ({{ product.num_users_max }} max)</span>
-						</li>
-						<li class='first-after-header'>
-							<span class='num-release-signings' data-value='{{ product.num_release_signings_per_project }}'>{{ product.num_release_signings_per_project | times: product.num_projects_included }}</span><span class='sub'>per year</span>
-						</li>
-						<li>
-							<span class='num-test-signings' data-value='{{ product.num_test_signings_per_project }}'>{{ product.num_test_signings_per_project | times: product.num_projects_included }}</span><span class='sub'>per year</span>
-						</li>
-						<li class='first-after-header'>
-							<span>{{ product.release_signing_retention }}</span>
-						</li>
-						<li>
-							<span>{{ product.test_signing_retention }}</span>
-						</li>
-						<li><span class='num-gb-per-project' data-value='{{ product.num_gb_per_project }}'>
-							{{ product.num_gb_per_project | times: product.num_projects_included }} </span> GB</li>
-						<li><span class='num-individual-signatures-per-project' data-value='{{ product.num_release_signings_per_project | plus: product.num_test_signings_per_project | times: product.num_projects_included | times: 100 }}'>
-							{{ product.num_release_signings_per_project | plus: product.num_test_signings_per_project | times: product.num_projects_included | times: 100}}</span></li>
-						<li><span class='num-ci-pipelines' data-value='{{ product.num_ci_pipelines }}' data-ci_pipelines_per_project='{{ product.ci_pipelines_per_project }}'>
-							{{ product.num_ci_pipelines | times: product.num_projects_included }}</span></li>
-					</ul>
-					<a class='btn btn-primary footer buy' href='https://secure.2checkout.com/order/checkout.php?PRODS={{ product.product_id.one_year[site.target_environment] }}&QTY=1&CART=1&CARD=1&CLEAN_CART=1&CURRENCY=USD&DCURRENCY=USD' data-productid_one_year='{{ product.product_id.one_year[site.target_environment] }}' data-productid_three_years='{{ product.product_id.three_years[site.target_environment] }}'>Buy</a>				</div>
-			{% endfor %}
-			<div class='editions-dialog'>
-				<div>
-					<span>Contact us for information about other available editions.</span>
-					<div>
-						<a class='btn btn-primary' href='mailto:sales@signpath.io?Subject=Enterprise%20subscription'>Contact us</a>
-					</div>
-				</div>
-			</div>
-		</div>
-		<div class='info'>
-			<h3>Certificates</h3>
-			<ul>
-				<li> <strong>EV certificates</strong> provided by <a href="https://shop.globalsign.com/en/code-signing">GlobalSign</a>.</li>
-				<li> <strong>GlobalSign code signing certificates can be issued in the name of a legally registered organization only.</strong> </li>
-				<li> Your authority to get an EV certificate on behalf of your organization will be verified by GlobalSign. This might take a few days. </li>
-				<li> You can immediately <strong>install and use your test certificate</strong>. See <a href='/code-signing/test-certificates'>managing test certificates</a> for instructions.</li>
-			</ul>
-			<h3>Billing</h3>
-			<ul>
-				<li> All plans are <strong>billed up-front</strong> for the entire period. </li>
-				<li> <strong>Prices are without taxes.</strong> If local taxes are added when you click buy, switch <em>billing information</em> to <em>company</em> and enter your <em>VAT ID</em></i>. (For some regions, sales tax may still be charged.) </li>
-			</ul>
-			<p>
-				{% include info.svg %}
-				For special inquiries or more information, please <strong><a href='mailto:sales@signpath.io'>contact us</a></strong>.
-			</p>
-	</div>
-</section>
-
-{% include footer.html %}
diff --git a/docs/product/thales-dpod.md b/docs/product/thales-dpod.md
deleted file mode 100644
index 319182b..0000000
--- a/docs/product/thales-dpod.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-header: SignPath with Thales DPoD Cloud HSM
-layout: resources
-toc: true
-description: Keep your keys on a dedicated Thales Data Protection on Demand (DPoD) Cloud HSM
-hide_nav: true
----
-
-## Hybrid deployment models with DPoD Cloud HSM
-
-At the core of every SignPath deployment, a [Hardware Security Module (HSM)](/code-signing/windows-platform/#hsm) keeps your keys safe.
-
-With [Thales Data Protection on Demand][DPoD] (DPoD), you can get your own dedicated Cloud HSM instances to store and manage your keys.
-
-Between the pure managed SaaS environment and a fully self-hosted environment with a dedicated HSM, SignPath offers two **hybrid deployment options**:
-
-* Use SignPath in the Cloud with your own dedicated DPoD Cloud HSM
-* Deploy SignPath in a self-hosted environment, but use a DPoD Cloud HSM instead of hosting a dedicated HSM
-
-## SignPath and DPoD in the Cloud
-
-By default, your keys are stored in a shared HSM cluster operated by SignPath. This is a convenient option for simple code signing situations, especially if you need few key pairs, and your keys can easily be replaced. For customers who need to have more control over their key material, we offer dedicated Cloud HSM instances as an option.
-
-Advantages of using DPoD Cloud HSM with SignPath Cloud:
-
-* **Control your key material:** implement your own **security policies** for key management, **backup and restore** keys, and **transfer** them between (Cloud) HSM instances
-* **Control your key lifetime:** while keys in the shared SaaS HSM cluster are bound to your SignPath subscription, a DPoD Cloud HSM can be held and used independently
-
-![Hybrid SaaS deployment model](/assets/img/product/thales-dpod/deployment-hybrid-saas.png)
-
-## Self-hosted SignPath with DPoD Cloud HSM
-
-If you are **deploying SignPath in a Private Cloud** environment, it is obvious that you would also use a Cloud-based HSM. Thales DPoD provides just that.
-
-![Private Cloud deployment model](/assets/img/product/thales-dpod/deployment-private-cloud.png)
-
-When **deploying SignPath on-premises**, the obvious option would seem to be using a dedicated HSM such as the Thales Luna Network HSM series. However, a Cloud HSM might be in fact be a better fit:
-
-* DPoD can be readily deployed, without **procurement, installation, configuration and training** blocking the deployment
-* The *total cost of ownership* is considerably lower than with on-premises HSMs
-* There is **less room for errors** that could lead to security breaches or key loss
-* DPoD Cloud HSMs come with **high availability** and **disaster recovery** by default
-
-![Hybrid on-premises deployment model](/assets/img/product/thales-dpod/deployment-hybrid-onprem.png)
-
-It might seem counter-intuitive to use a Cloud HSM when you have already decided to host your own instance SignPath. In fact though, there are some good arguments for this hybrid solution, depending on the reasons you opted for hosting SingPath on-premises in the first place:
-
-* **Network traffic volume:** Traffic between your CI/CD environments and SignPath can be considerable, but data exchange between SignPath and the Cloud HSM is limited to small hash digests and signature blocks.
-* **Confidentiality:** Your policies may not allow sending (compiled) code files to the Cloud. However, SignPath will send only small hash digests to the Cloud HSM, from which no information about the actual file contents can be derived.
-
-## Classic deployment models
-
-For easier comparison, this sections shows the pure SaaS and on-premises deployments.
-
-![Full SaaS deployment model](/assets/img/product/thales-dpod/deployment-full-saas.png)
-
-![Full on-premises deployment model](/assets/img/product/thales-dpod/deployment-full-onprem.png)
-
-## Getting DPoD Cloud HSM for SignPath
-
-DPoD Cloud HSM can be procured with SignPath, or you can bring an existing DPoD instance. In either case we recommend using one or more dedicated Cloud HSM instances for code signing.
-
-Please [contact our sales team](mailto:sales@signpath.io?subject=Using SignPath with DPoD) for more information.
-
-[DPoD]: https://cpl.thalesgroup.com/encryption/data-protection-on-demand
diff --git a/docs/documentation/projects.md b/docs/projects.md
similarity index 93%
rename from docs/documentation/projects.md
rename to docs/projects.md
index 4d14bd2..83adcc7 100644
--- a/docs/documentation/projects.md
+++ b/docs/projects.md
@@ -3,7 +3,7 @@ header: Setting up Projects
 layout: resources
 toc: true
 show_toc: 3
-redirect_from: /documentation/key-concepts#projects
+redirect_from: /key-concepts#projects
 description: How to set up development projects for repeated signing with SignPath
 ---
 
@@ -54,7 +54,7 @@ Both types of policies may alternatively use certificates that are issued by an
 | Property        | Value |
 |-----------------|-------|
 | **Certificate** | Select the certificate that will be used to sign the artifact |
-| **Submitters**  | Select the users that are allowed to submit an artifact (may be regular or [CI users](/documentation/users#ci-users)) |
+| **Submitters**  | Select the users that are allowed to submit an artifact (may be regular or [CI users](/users#ci-users)) |
 
 ### Approval process
 
@@ -77,7 +77,7 @@ When trusted build system verification is enabled, interactive users cannot be d
 
 {% include editions.md feature="pipeline_integrity.origin_verification" value="optional" %}
 
-Select **Verify origin** if you want to accept only signing requests with positive [origin verification](/documentation/origin-verification).
+Select **Verify origin** if you want to accept only signing requests with positive [origin verification](/origin-verification).
 
 [Trusted build system verification](#signing-policy-trusted-build-system) must be enabled for origin verfication.
 
@@ -144,7 +144,7 @@ Create multiple artifact configurations for
 * projects that create different artifacts at different times, but you want to use the same signing policies
 * artifact configurations that change significantly over time (versioning)
 
-Versioning ensures that your SignPath setup will still work for old versions of your artifacts, e.g. if you rebuild or re-sign an old version. Explicit versioning is only required if the structure of the artifact changes. If you just add files to a package, you might as well just [make them optional](/documentation/artifact-configuration/syntax#number-of-matches) (`min-matches="0"`).
+Versioning ensures that your SignPath setup will still work for old versions of your artifacts, e.g. if you rebuild or re-sign an old version. Explicit versioning is only required if the structure of the artifact changes. If you just add files to a package, you might as well just [make them optional](/artifact-configuration/syntax#number-of-matches) (`min-matches="0"`).
 
 If you want to use versioned artifact configurations with CI
 
@@ -157,13 +157,13 @@ You can create an artifact configuration by selecting one of the **predefined te
 
 In the latter case, you need to manually review the resulting artifact configuration and exclude all 3rd party libraries that you don't want to be signed with your certificate.
 
-For details on how to create, generate or edit an artifact configuration, see [artifact configuration](/documentation/artifact-configuration).
+For details on how to create, generate or edit an artifact configuration, see [artifact configuration](/artifact-configuration).
 
 ## Trusted build systems {#trusted-build-systems}
 
 {% include editions.md feature="pipeline_integrity.trusted_build_systems" value="optional" %}
 
-Define which [trusted build systems](/documentation/trusted-build-systems) may be used for this project. From your project configuration, you can link any trusted build system that your SignPath administrator has defined.
+Define which [trusted build systems](/trusted-build-systems) may be used for this project. From your project configuration, you can link any trusted build system that your SignPath administrator has defined.
 
 Using a trusted build systems is required for signing policies that have the [_trusted build system verification_](#signing-policy-trusted-build-system) option enabled.
 
@@ -171,4 +171,4 @@ Trusted build systems are used to make sure that only builds from reliable sourc
 
 ## Webhooks
 
-Configure Webhooks to notify other systems in your build chain about completed signing requests. See [Webhook notifications](/documentation/build-system-integration#webhook-notifications).
+Configure Webhooks to notify other systems in your build chain about completed signing requests. See [Webhook notifications](/build-system-integration#webhook-notifications).
diff --git a/docs/redirects/about-us.md b/docs/redirects/about-us.md
deleted file mode 100644
index dea9680..0000000
--- a/docs/redirects/about-us.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-permalink: /about-us
-redirect_to: /company
----
\ No newline at end of file
diff --git a/docs/redirects/app/ArtifactConfigurationDocumentationLink.md b/docs/redirects/app/ArtifactConfigurationDocumentationLink.md
deleted file mode 100644
index a973256..0000000
--- a/docs/redirects/app/ArtifactConfigurationDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on the EditXml page of artifact configurations for the "View documentation" link
-redirect_to: /documentation/artifact-configuration
----
\ No newline at end of file
diff --git a/docs/redirects/app/ArtifactConfigurationSupportedFileElementsDocumentationLink.md b/docs/redirects/app/ArtifactConfigurationSupportedFileElementsDocumentationLink.md
deleted file mode 100644
index 2f13509..0000000
--- a/docs/redirects/app/ArtifactConfigurationSupportedFileElementsDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used in error messages to point to the supported list of file-elements
-redirect_to: /documentation/artifact-configuration/reference#file-elements
----
\ No newline at end of file
diff --git a/docs/redirects/app/BuildSystemIntegrationDocumentationLink.md b/docs/redirects/app/BuildSystemIntegrationDocumentationLink.md
deleted file mode 100644
index c5d5871..0000000
--- a/docs/redirects/app/BuildSystemIntegrationDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on Signing Policy Detail Page in the CI integration panel for the "View documentation" link 
-redirect_to: /documentation/build-system-integration
----
\ No newline at end of file
diff --git a/docs/redirects/app/ClickOnceSignDocumentationLink.md b/docs/redirects/app/ClickOnceSignDocumentationLink.md
deleted file mode 100644
index 0b2a8ef..0000000
--- a/docs/redirects/app/ClickOnceSignDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used for error messages during artifact configuration xml generation when a clickonce manifest is found on the root level
-redirect_to: /documentation/artifact-configuration/reference#clickonce-sign
----
\ No newline at end of file
diff --git a/docs/redirects/app/DockerSigningDocumentationLink.md b/docs/redirects/app/DockerSigningDocumentationLink.md
deleted file mode 100644
index d6fcf17..0000000
--- a/docs/redirects/app/DockerSigningDocumentationLink.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# Used on the add Docker repository page in the "here" link and
-# on the Signing Policy Edit page if a Docker Repository has been linked in the "the documentation" link
-redirect_to: /documentation/signing-containers/docker-content-trust#setup-overview
----
\ No newline at end of file
diff --git a/docs/redirects/app/OktaSignUpCallbackWithoutCookieRedirectLink.md b/docs/redirects/app/OktaSignUpCallbackWithoutCookieRedirectLink.md
deleted file mode 100644
index 75417c1..0000000
--- a/docs/redirects/app/OktaSignUpCallbackWithoutCookieRedirectLink.md
+++ /dev/null
@@ -1,3 +0,0 @@
----
-redirect_to: /sign-up-successful
----
diff --git a/docs/redirects/app/ProductSelectionPageLink.md b/docs/redirects/app/ProductSelectionPageLink.md
deleted file mode 100644
index e306b62..0000000
--- a/docs/redirects/app/ProductSelectionPageLink.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# Used on the subscription detail page
----
-{% include redirect_with_url_params.html target="/product/pricing" %}
-
diff --git a/docs/redirects/app/ProjectsDocumentationLink.md b/docs/redirects/app/ProjectsDocumentationLink.md
deleted file mode 100644
index c68acde..0000000
--- a/docs/redirects/app/ProjectsDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on the create and edit project pages in the "Read more" link
-redirect_to: /documentation/projects
----
\ No newline at end of file
diff --git a/docs/redirects/app/SigningPoliciesDocumentationLink.md b/docs/redirects/app/SigningPoliciesDocumentationLink.md
deleted file mode 100644
index 227883d..0000000
--- a/docs/redirects/app/SigningPoliciesDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on the Add signing policy page in the "Read more" link
-redirect_to: /documentation/projects#signing-policies
----
\ No newline at end of file
diff --git a/docs/redirects/app/Support.md b/docs/redirects/app/Support.md
deleted file mode 100644
index bef6286..0000000
--- a/docs/redirects/app/Support.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on swagger
-redirect_to: /support
----
diff --git a/docs/redirects/app/TermsOfServiceLink.md b/docs/redirects/app/TermsOfServiceLink.md
deleted file mode 100644
index 5b51659..0000000
--- a/docs/redirects/app/TermsOfServiceLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on the accept invitation and start free trial pages
-redirect_to: /terms-of-service
----
\ No newline at end of file
diff --git a/docs/redirects/app/TrustedBuildSystemLinksDocumentationLink.md b/docs/redirects/app/TrustedBuildSystemLinksDocumentationLink.md
deleted file mode 100644
index 245ffae..0000000
--- a/docs/redirects/app/TrustedBuildSystemLinksDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on the Project page in the Trusted Build Sytems panel for the "View documentation" link
-redirect_to: /documentation/trusted-build-systems
----
\ No newline at end of file
diff --git a/docs/redirects/app/TrustedBuildSystemsDocumentationLink.md b/docs/redirects/app/TrustedBuildSystemsDocumentationLink.md
deleted file mode 100644
index a99b899..0000000
--- a/docs/redirects/app/TrustedBuildSystemsDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on the add and edit trusted build system pages in the "Read more" link
-redirect_to: /documentation/trusted-build-systems
----
\ No newline at end of file
diff --git a/docs/redirects/app/WebhooksDocumentationLink.md b/docs/redirects/app/WebhooksDocumentationLink.md
deleted file mode 100644
index 2ce15b2..0000000
--- a/docs/redirects/app/WebhooksDocumentationLink.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on the project details page in the Webhooks panel for the "View documentation" link
-redirect_to: /documentation/build-system-integration#webhook-notifications
----
\ No newline at end of file
diff --git a/docs/redirects/artifact-configuration_v1.md b/docs/redirects/artifact-configuration_v1.md
deleted file mode 100644
index 17d80c4..0000000
--- a/docs/redirects/artifact-configuration_v1.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-permalink: /artifact-configuration/v1
-redirect_to: 'https://app.signpath.io/Web/artifact-configuration/v1.xsd'
----
\ No newline at end of file
diff --git a/docs/redirects/casc.md b/docs/redirects/casc.md
deleted file mode 100644
index 4a69ce1..0000000
--- a/docs/redirects/casc.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-permalink: product/casc
-redirect_to: /product/pkic-best-practices
----
\ No newline at end of file
diff --git a/docs/redirects/connectors/api-token.md b/docs/redirects/connectors/api-token.md
deleted file mode 100644
index bdbd737..0000000
--- a/docs/redirects/connectors/api-token.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# Used for
-# * the README in the https://github.com/SignPath/github-action-submit-signing-request action
-redirect_to: /documentation/build-system-integration#authentication
----
\ No newline at end of file
diff --git a/docs/redirects/connectors/github-branch-rule-restriction-history.md b/docs/redirects/connectors/github-branch-rule-restriction-history.md
deleted file mode 100644
index 83a0e0c..0000000
--- a/docs/redirects/connectors/github-branch-rule-restriction-history.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used in the error messages of the GitHub connector
-redirect_to: /documentation/trusted-build-systems/github#branch_rulesets
----
\ No newline at end of file
diff --git a/docs/redirects/connectors/trusted-build-system-configuration.md b/docs/redirects/connectors/trusted-build-system-configuration.md
deleted file mode 100644
index b34a35c..0000000
--- a/docs/redirects/connectors/trusted-build-system-configuration.md
+++ /dev/null
@@ -1,5 +0,0 @@
----
-# Used for
-# * the README in the https://github.com/SignPath/github-action-submit-signing-request action
-redirect_to: /documentation/trusted-build-systems#configuration
----
\ No newline at end of file
diff --git a/docs/redirects/cryptoproviders/configuration.md b/docs/redirects/cryptoproviders/configuration.md
deleted file mode 100644
index b9e1afb..0000000
--- a/docs/redirects/cryptoproviders/configuration.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used in a comment in the sample cryptoprovider configuration file
-redirect_to: /documentation/crypto-providers/#crypto-provider-configuration
----
\ No newline at end of file
diff --git a/docs/redirects/cryptoproviders/post-msi-installation.md b/docs/redirects/cryptoproviders/post-msi-installation.md
deleted file mode 100644
index bfe1286..0000000
--- a/docs/redirects/cryptoproviders/post-msi-installation.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# Used on the last page of the MSI installer to view configuration steps
-redirect_to: /documentation/crypto-providers#crypto-provider-configuration
----
\ No newline at end of file
diff --git a/docs/redirects/jobs.md b/docs/redirects/jobs.md
deleted file mode 100644
index 557b35e..0000000
--- a/docs/redirects/jobs.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-permalink: /jobs
-redirect_to: https://signpath.jobs.personio.com
----
diff --git a/docs/sign-up-successful.html b/docs/sign-up-successful.html
deleted file mode 100644
index 786b47e..0000000
--- a/docs/sign-up-successful.html
+++ /dev/null
@@ -1,17 +0,0 @@
----
-title: Sign up successful
-header: Sign up successful
-layout: thankyou
-description: Sign-up success confirmation
-sitemap: false
----
-
-<h2>You successfully signed up</h2>
-
-<p>If you signed up after receiving an invitation link via email, please click the invitation link again to accept the invitation.</p>
-<p>&nbsp;</p>
-<p>&nbsp;</p>
-<div>
-	<a href='{{ site.data.hosts.app[site.target_environment] }}/Web/Home/Login' class='btn btn-primary'>Login</a>
-	<a href='{{ site.data.hosts.app[site.target_environment] }}/Web/Subscription/StartFreeTrial' class='btn btn-flat trial'>Start free Trial</a>
-</div>
diff --git a/docs/documentation/signing-code.md b/docs/signing-code.md
similarity index 86%
rename from docs/documentation/signing-code.md
rename to docs/signing-code.md
index b82682d..abca4d7 100644
--- a/docs/documentation/signing-code.md
+++ b/docs/signing-code.md
@@ -26,7 +26,7 @@ We recommend that you integrate SignPath in your automatic CI pipeline. This has
 * Automatic propagation of metadata, such as version numbers, source code version and build
 * Origin verification ensures that the signed binary conforms to a specific source code version
 
-SignPath provides multiple ways to be integrated into your pipeline. See the [documentation](/documentation/build-system-integration) for details including information about origin verification.
+SignPath provides multiple ways to be integrated into your pipeline. See the [documentation](/build-system-integration) for details including information about origin verification.
 
 ## Resubmitting an existing signing request {#resubmit}
 
@@ -37,7 +37,7 @@ You can resubmit an existing signing request and specify a different signing pol
 When compared to just submitting the same artifact again, the new resubmit feature has the following advantages:
 
 * The exact same artifact is being signed that was used for testing
-* Any verified [origin information](/documentation/build-system-integration#ci-integrations-with-origin-verification) is still available 
+* Any verified [origin information](/build-system-integration#ci-integrations-with-origin-verification) is still available 
 * The original signing request is referenced
 
 ### Resubmit via user interface
@@ -48,7 +48,7 @@ Required permissions: This button is only visible for users with permission to s
 
 ### Resubmit via API
 
-This feature is available via the [REST API](/documentation/build-system-integration#resubmit-a-signing-request) and [PowerShell module](/documentation/powershell/Submit-SigningRequest#resubmit).
+This feature is available via the [REST API](/build-system-integration#resubmit-a-signing-request) and [PowerShell module](/powershell/Submit-SigningRequest#resubmit).
 
 ### Parameters
 
@@ -67,13 +67,15 @@ This ensures that the integrity of the signing request and artifact are preserve
 
 ### Usage scenario
 
+<!-- TODO: "trusting the test certificates" should link to /code-signing/test-certificates
+
 A typical release scenarios would look like this:
 
 | Step | Actor                              | Condition              | Action
 |-----:|------------------------------------|------------------------|---------------------------------------------------------
 |    1 | CI system                          |                        | A release candidate is built and submitted for test-signing.
 |    2 | SignPath                           | test-signing policy    | The release candidate is signed using the test certificate.
-|    3 | CI system or test tool             |                        | The release candidate is tested. Consider [trusting the test certificate](/code-signing/test-certificates) on test systems.
+|    3 | CI system or test tool             |                        | The release candidate is tested. Consider trusting the test certificate on test systems.
 |    4 | CI system or test tool             | tests passing          | A resubmit request is created for release-signing.
 |    5 | SignPath                           | release-signing policy | Project manager is notified about pending approval.
 |    6 | Project manager                    | arbitrary              | Approves or denies based on test results and verified origin data from step 2.
diff --git a/docs/documentation/signing-containers/cosign.md b/docs/signing-containers/cosign.md
similarity index 94%
rename from docs/documentation/signing-containers/cosign.md
rename to docs/signing-containers/cosign.md
index 90f79fc..e682f84 100644
--- a/docs/documentation/signing-containers/cosign.md
+++ b/docs/signing-containers/cosign.md
@@ -53,7 +53,7 @@ SignPath will offer advanced verification and information features in the near f
 
 ## How to use Cosign with SignPath
 
-When Cosign is used directly, it creates the metadata, signs it, and upload the signature. You can use Cosign with SignPath's [Cryptoki provider](/documentation/crypto-providers/cryptoki).
+When Cosign is used directly, it creates the metadata, signs it, and upload the signature. You can use Cosign with SignPath's [Cryptoki provider](/crypto-providers/cryptoki).
 
 When SignPath is used to sign Cosign metadata files, you need to perform each step separately:
 
@@ -98,7 +98,7 @@ zip payload.json.zip payload.json
 
 ### Step 2: create a signature for the metadata
 
-Upload the `payload.json.zip` file to SignPath for signing. Use the artifact configuration "Detached raw signatures" for a single container image or extend it according to your needs. See [detached raw signatures](/documentation/artifact-configuration/reference#create-raw-signature) for more details. The following step expects the signed artifact to be stored as `payload.json.signed.zip`.
+Upload the `payload.json.zip` file to SignPath for signing. Use the artifact configuration "Detached raw signatures" for a single container image or extend it according to your needs. See [detached raw signatures](/artifact-configuration/reference#create-raw-signature) for more details. The following step expects the signed artifact to be stored as `payload.json.signed.zip`.
 
 ### Step 3: attach the signature to the image
 
diff --git a/docs/documentation/signing-containers/docker-content-trust.md b/docs/signing-containers/docker-content-trust.md
similarity index 99%
rename from docs/documentation/signing-containers/docker-content-trust.md
rename to docs/signing-containers/docker-content-trust.md
index b93517e..1ea7ce1 100644
--- a/docs/documentation/signing-containers/docker-content-trust.md
+++ b/docs/signing-containers/docker-content-trust.md
@@ -268,7 +268,7 @@ Push-SignedDockerSigningData -Repository $FQN -InputArtifactPath $ZIP_FILE `
 > |--------------------------------------------------------------------|-----------------|
 > | `Repository`                                                       | The FQN provided when creating the Docker repository in SignPath
 > | `Tags`                                                             | A comma-separated list of Docker tags that you want to sign (e.g. `v1,1.2.17`)
-> | `ApiToken`                                                         | The API token of the CI user (see [build system integration](/documentation/build-system-integration#authentication))
+> | `ApiToken`                                                         | The API token of the CI user (see [build system integration](/build-system-integration#authentication))
 > | `OrganizationId`                                                   | ID of your SignPath organization
 > | `ProjectSlug`, `SigningPolicySlug` and `ArtifactConfigurationSlug` | The respective project, signing policy and artifact configuration for your signing request
 > | `Description`                                                      | Optional description for your signing request (e.g. version number)
@@ -290,4 +290,4 @@ Push-SignedDockerSigningData -Repository $FQN -InputArtifactPath $ZIP_FILE `
 > 
 > **WaitForCompletion option**
 > 
-> Instead of calling `Get-SignedArtifact` separately, you may call `Submit-SigningRequest` with the  `-WaitForCompletion` parameter. The `Submit-SigningRequest` command is described in  [build system integration](/documentation/build-system-integration#powershell).
\ No newline at end of file
+> Instead of calling `Get-SignedArtifact` separately, you may call `Submit-SigningRequest` with the  `-WaitForCompletion` parameter. The `Submit-SigningRequest` command is described in  [build system integration](/build-system-integration#powershell).
\ No newline at end of file
diff --git a/docs/documentation/signing-containers/index.md b/docs/signing-containers/index.md
similarity index 88%
rename from docs/documentation/signing-containers/index.md
rename to docs/signing-containers/index.md
index dcc3bcc..716bbbb 100644
--- a/docs/documentation/signing-containers/index.md
+++ b/docs/signing-containers/index.md
@@ -4,7 +4,7 @@ layout: resources
 toc: true
 show_toc: 2
 description: Documentation for signing container images with SignPath
-redirect_from: /documentation/docker-signing
+redirect_from: /docker-signing
 datasource: tables/signing-containers
 ---
 
@@ -14,8 +14,8 @@ datasource: tables/signing-containers
 
 SignPath supports these technologies for signing container images:
 
-* **[Sigstore Cosign](/documentation/signing-containers/cosign)**: Sign containers using Cosign by Sigstore (a Linux foundation project)
-* **[Docker Content Trust (DCT)](/documentation/signing-containers/docker-content-trust)**: Sign containers using DCT, directly supported by the Docker CLI and Mirantis 
+* **[Sigstore Cosign](/signing-containers/cosign)**: Sign containers using Cosign by Sigstore (a Linux foundation project)
+* **[Docker Content Trust (DCT)](/signing-containers/docker-content-trust)**: Sign containers using DCT, directly supported by the Docker CLI and Mirantis 
 
 ## Comparing Cosign and DCT
 
diff --git a/docs/status.md b/docs/status.md
index a893563..c7aebc8 100644
--- a/docs/status.md
+++ b/docs/status.md
@@ -63,7 +63,7 @@ layout: status
 		</ul>
 		<p>
 			Note that system updates and SignPath software updates are not listed here unless they may result in more than 5 minutes of downtime.
-			We recommend that you set a retry limit for <i>unavailable service</i> errors of 10 minutes. This is also the default for our <a href="/documentation/build-system-integration#powershell">PowerShell scripts</a>.
+			We recommend that you set a retry limit for <i>unavailable service</i> errors of 10 minutes. This is also the default for our <a href="/build-system-integration#powershell">PowerShell scripts</a>.
 		</p>
 	</div>
 </section>
diff --git a/docs/support.md b/docs/support.md
deleted file mode 100644
index da7db0a..0000000
--- a/docs/support.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Support
-header: Contact our support team
-layout: default
-description: Contact our support team
----
-
-There are two ways to contact our support team:
-
-* **Per Email** at [support@signpath.io](mailto:support@signpath.io):
-  * Use for first interactions or single requests
-* On our **[support portal](https://support.signpath.io)**:
-  * Requires signing up
-  * All open and previous tickets and their status can be tracked
-  * Individual employees can be granted permissions to view all tickets of their company
-
-<div class="columns">
-	<a href='mailto:support@signpath.io' class='btn btn-secondary'>
-		<div>{% include mail.svg %}</div>
-		Email us
-	</a>
-	<a href='https://support.signpath.io' class='btn btn-secondary'>
-		<div>{% include rectangle-list.svg %}</div>
-		Support portal
-	</a>
-</div>
-
-{:.panel.info}
-> **Sharing operational secrets**
->
-> In case you need to share operational secrets with us, please encrypt them using this [GPG public key](/assets/other/signpath_ops_gpg_public_key.asc). If you don't have GPG tooling installed, you can use the [keybase.io](https://keybase.io/encrypt#signpath_ops) service (encryption is performed on the client).
-
diff --git a/docs/team.md b/docs/team.md
deleted file mode 100644
index b45b92e..0000000
--- a/docs/team.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Team
-header: Our Team
-layout: default
-description: About SignPath GmbH
----
-
-<div class='columns'>
-
-<div markdown="1">
-{% include image.html url="/assets/img/team/stefan.jpg" description="**Stefan Wenig** <br/>CEO / Chief Executive Officer" %}
-
-Stefan founded SignPath in 2017 out of RUBICON IT, where he had served as head of R&D since 2001. Stefan developed the vision for SignPath based on the need for secure code signing integrated with a secure software build and release process for security-sensitive customers.
-</div>
-
-<div markdown="1">
-{% include image.html url="/assets/img/team/stephan-b.jpg" description="**Stephan Brack** <br/>CSO / Chief Sales Officer" %}
-
-Stephan has wide-ranging experience in positioning and selling security products with his own company Protected Networks (now a part of SolarWinds). He studied Telecommunications at the Karlsruhe Institute of Technology (KIT) and at the University of Essex. He joined SignPath in 2023, where he has worked as Chief Sales Officer since January 2024.
-</div>
-
-<div markdown="1">
-{% include image.html url="/assets/img/team/paul.jpg" description="**Paul Savoie** <br/>CPO / Chief Product Officer" %}
-
-Paul has a Master’s degree in Computer Science and Business Administration. He has worked as a software engineer and product designer as well as researcher in the IT industry. In 2016 he founded the mobile learning game “Balduin” before joining SignPath in 2018. Paul first worked as a Product Manager and since January 2024 as Chief Product Officer at SignPath.
-</div>
-
-</div>
-
-<div class="columns">
-<div markdown="1">
-{% include image.html url="/assets/img/team/dmitrii.jpg" description="**Dmitrii Lomakin** <br/>Director of Sales & Business Development" %}
-</div>
-
-<div markdown="1">
-{% include image.html url="/assets/img/team/ulrich.jpg" description="**Ulrich Buchgraber** <br/>Head of Support" %}
-</div>
-</div>
\ No newline at end of file
diff --git a/docs/terms-of-service.md b/docs/terms-of-service.md
deleted file mode 100644
index 9faac2b..0000000
--- a/docs/terms-of-service.md
+++ /dev/null
@@ -1,209 +0,0 @@
----
-title: Terms of Service
-header: Terms of Service
-layout: default
-redirect_from: /terms-of-services
-description: SignPath SaaS application legal terms of service
----
-
-Effective date: 2 April 2019
-
-## 1. Definitions
-
-* **Agreement** refers, collectively, to all the terms, conditions, notices contained or referenced in this document (the “Terms of Service” or the "Terms") and all other operating rules, policies (including the SignPath Privacy Policy, available at [https://about.signpath.io/privacy-policy/](https://about.signpath.io/privacy-policy)) and procedures that we may publish from time to time on the Website. 
-* **Service** refers to the applications, software, products, and services provided by SignPath.
-* **Website** refers to the SignPath website located at www.signpath.io, and all services, and products provided by SignPath at or through the Website. It also refers to SignPath-owned subdomains of signpath.io.
-* **SignPath, We, and Us** refer to SignPath GmbH, Gonzagagasse 11/23, 1010 Vienna, Austria, as well as its affiliates, directors, subsidiaries, contractors, licensors, officers, agents, and employees.
-* **The User, You, and Your** refer to the individual person, company, or organization that has visited or is using the Website or Service; that accesses or uses any part of the Account; or that directs the use of the Account in the performance of its functions. An "Account" represents your legal relationship with SignPath. A “User Account” represents an individual User’s authorization to log in to and use the Service and serves as a User’s identity on SignPath. 
-* **Organizations** refers to shared workspaces that may be associated with a single entity or with one or more Users where multiple Users can collaborate across many projects at once. A User Account can be a member of any number of Organizations.
-* **Administrator** refers to the owner of an Organization who has ultimate administrative control over that Organization and the Content within it.
-* **Content** refers to software artifacts, certificates, private keys, audit logs, system configuration settings within an Organization.
-
-## 2. Account Terms
-
-### 2.1 Account Controls
-
-* You retain ultimate administrative control over your Account.
-* The Administrator of an Organization has ultimate administrative control over that Organization and the Content within it. Within the Service, the Administrator can manage User access to the Organization’s Content. An Organization may have multiple Administrators. If you are the Administrator of an Organization, we consider you responsible for the actions that are performed on or through that Organization.
-
-### 2.2 Required Information
-
-* You must provide a valid email address in order to complete the sign up process. Any other information requested, such as your real name, is optional, unless you opt for a paid subscription, in which case additional information will be necessary for billing purposes.
-
-### 2.3 Account Requirements
-
-* We have a few simple rules for User Accounts on our Service:
-	* You must be a human to create an Account. Accounts registered by "bots" or other automated methods are not permitted. 
-	* One person or legal entity may maintain no more than one free Account. 
-	* Your login may only be used by one person — i.e., a single login may not be shared by multiple people. A paid Organization may only provide access to as many User Accounts as your subscription allows.
-
-### 2.4 Account Security
-
-* You are responsible for keeping your Account secure while you use our Service.
-* You are responsible for all activity that occurs under your Account.
-* You are responsible for maintaining the security of your Account and password. SignPath cannot and will not be liable for any loss or damage from your failure to comply with this security obligation.
-
-### 2.5 Responsibility for Your Content
-
-* You are solely responsible for the Content you upload and processed through the Service. Depending on your subscription plan, we may scan your Content for malware and refuse to process and store them. However, we do not take any responsibility for the correctness or the completeness of this scan. You are still solely responsible for any harm resulting from any Content that you upload, process or make available via the Service, regardless of the form of that Content.
-
-### 2.6 Confidentiality
-
-* SignPath considers the Content of the Organization to be confidential to the Users within the Organization. SignPath will protect the Content of the Organization from unauthorized use, access, or disclosure in the same manner that we would use to protect our own confidential information of a similar nature and in no event with less than a reasonable degree of care.
-
-### 2.7 Access
-
-* SignPath employees may only access your Content in the following situations:
-	* With your consent and knowledge, for support reasons. If SignPath accesses the Content of your Organization for support reasons, we will only do so with the Administrator’s consent and knowledge.
-	* When access is required for security reasons, including when access is required to maintain ongoing confidentiality, integrity, availability and resilience of SignPath's systems and Service.
-
-## 3. Acceptable Use
-
-### 3.1 Compliance with laws and regulations
-
-* Your use of the Website and Service must not violate any applicable laws, including copyright or trademark laws, export control laws, or other laws in your jurisdiction. You are responsible for making sure that your use of the Service is in compliance with laws and any applicable regulations.
-
-### 3.2 Content Restrictions
-
-* You agree that you will not under any circumstances upload or process any Content that:
-	* is unlawful or promotes unlawful activities;
-	* is libelous, defamatory, or fraudulent;
-	* is discriminatory or abusive toward any individual or group;
-	* contains or installs any active malware or exploits, or uses our platform for exploit delivery (such as part of a command and control system); or
-	* infringes on any proprietary right of any party, including patent, trademark, trade secret, copyright, right of publicity, or other rights.
-
-### 3.3 Conduct Restrictions
-
-* While using SignPath, you agree that you will not under any circumstances:
-	* harass, abuse, threaten, or incite violence towards any individual or group, including SignPath employees, officers, and agents, or other SignPath Users;
-	* use our servers for any form of excessive automated bulk activity (for example, spamming), or relay any other form of unsolicited advertising or solicitation through our servers, such as get-rich-quick schemes;
-	* attempt to disrupt or tamper with SignPath servers in ways that could harm our Website or Service, to place undue burden on SignPath's servers through automated means, or to access SignPath’s Service in ways that exceed your authorization;
-	* impersonate any person or entity, including any of our employees or representatives, including through false association with SignPath, or by fraudulently misrepresenting your identity or site's purpose; or
-	* violate the privacy of any third party, such as by posting another person's personal information without consent.
-
-### 3.4 Services Usage Limits
-
-* You agree not to reproduce, duplicate, copy, sell, resell or exploit any portion of the Service, use of the Service, or access to the Service without SignPath’s express written permission.
-* You agree to use the Service solely for its intended purpose – i.e. signing software artifacts.
-
-### 3.5 Scraping
-
-* You may not scrape the Website or the Service. Scraping refers to extracting data from our Website via an automated process, such as a bot or webcrawler. It does not refer to the collection of information through our API. Please see Section 4 for our API Terms. 
-
-### 3.6 Excessive Service Use
-
-* If we determine your use of the Service to be significantly excessive in relation to other SignPath customers, we reserve the right to suspend your Account or temporarily throttle your access to the Service.
-
-## 4. API Terms
-
-* Abuse or excessively frequent requests to SignPath via the API may result in the temporary or permanent suspension of your Account's access to the API. We, in our sole discretion, will determine abuse or excessive usage of the API. We will make a reasonable attempt to warn you via email prior to suspension.
-* All use of the SignPath API is subject to these Terms of Service.
-
-## 5. Payment
-
-### 5.1 Pricing
-
-* Our pricing and payment terms are available at [https://about.signpath.io/product/pricing/](https://about.signpath.io/product/pricing). If you agree to a subscription price, that will remain your price for the duration of the payment term; however, prices are subject to change at the end of a payment term.
-
-### 5.2 Billing and Changes
-
-* The Service is billed in advance on basis of your subscription period and is non-refundable. 
-* We will immediately bill you when you upgrade from the free plan to any paying plan.
-* If you upgrade to a higher level of service, we will bill you for the upgraded plan immediately.
-* You may change your subscription plan at any time in your Organization settings menu.
-
-### 5.3 Authorization
-
-* By agreeing to these Terms, you are giving us permission to charge your on-file credit card, PayPal account, or other approved methods of payment for fees that you authorize for SignPath.
-
-### 5.4 Responsibility for Payment
-
-* You are responsible for all fees, including taxes, associated with your use of the Service. By using the Service, you agree to pay SignPath any charge incurred in connection with your use of the Service. You are responsible for providing us with a valid means of payment for paid Accounts. Free Accounts are not required to provide payment information.
-
-## 6. Deletion and Termination
-
-### 6.1 Organization Deletion
-
-* It is your responsibility to properly delete your Organization. You can delete your Organization and all of its Content at any time by going into your Organization Settings in the global navigation bar at the top of the screen. 
-
-### 6.2 Upon Deletion
-
-* We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring legal requirements, we will delete the Content of your Organization within 30 days of deletion or termination (though some information may remain in encrypted backups). This information cannot be recovered once your Organization is deleted.
-
-### 6.3 Termination
-
-* We reserve the right, at our sole discretion, to suspend or terminate your access to the Website, your Account or your Organization in case of your violation of these Terms.
-
-### 6.4 Survival
-
-* All provisions of this Agreement which by their nature should survive termination will survive termination, including, without limitation, ownership provisions, warranty disclaimers, indemnity, and limitations of liability.
-
-## 7. Intellectual Property
-* SignPath and our licensors, vendors, agents, and/or our content providers retain ownership of all intellectual property rights of any kind related to the Website and Service. We reserve all rights that are not expressly granted to you under this Agreement or by law. 
-* The text of this Agreement is licensed under the [Creative Commons Zero license](https://creativecommons.org/share-your-work/public-domain/cc0/). 
-<!-- The Creative Commons Zero license requires no attribution, however, we would like to thank GitHub for sharing their licenses and policies with everyone. -->
-
-## 8. Communication
-
-### 8.1 Electronic Communication Required
-
-* For contractual purposes, you 
-	* consent to receive communications from us in an electronic form via the email address you have submitted or via the Service; and 
-	* agree that all Terms of Service, agreements, notices, disclosures, and other communications that we provide to you electronically satisfy any legal requirement that those communications would satisfy if they were on paper.
-* This section does not affect your non-waivable rights.
-
-### 8.2 Legal Notice to SignPath Must Be in Writing
-
-* Communications made through email will not constitute legal notice to SignPath or any of its officers, employees, agents or representatives in any situation where notice to SignPath is required by contract or any law or regulation. Legal notice to SignPath must be in writing and sent to SignPath GmbH, Gonzagagasse 11/23, 1010, Vienna, Austria.
-
-## 9. Disclaimer of Warranties
-
-* SignPath provides the Website and the Service “as is” and “as available,” without warranty of any kind. Without limiting this, we expressly disclaim all warranties, whether express, implied or statutory, regarding the Website and the Service including without limitation any warranty of merchantability, fitness for a particular purpose, title, security, accuracy and non-infringement.
-* SignPath does not warrant that the Service will meet your requirements; that the Service will be uninterrupted, timely, secure, or error-free; that the information provided through the Service is accurate, reliable or correct; that any defects or errors will be corrected; that the Service will be available at any particular time or location; or that the Service is free of viruses or other harmful components. 
-
-## 10. Limitation of Liability
-
-* You understand and agree that we will not be liable to you or any third party for any loss of profits, use, goodwill, or data, or for any incidental, indirect, special, consequential or exemplary damages, however arising, that result from
-	* your use or inability to use the Service;
-	* any modification, price change, suspension or discontinuance of the Service;
-	* the Service generally or the software or systems that make the Service available;
-	* unauthorized access to or alterations of your transmissions or data;
-	* statements or conduct of any third party on the Service;
-	* any other user interactions that you input or receive through your use of the Service; or
-	* any other matter relating to the Service.
-* Our liability is limited whether or not we have been informed of the possibility of such damages, and even if a remedy set forth in this Agreement is found to have failed of its essential purpose. We will have no liability for any failure or delay due to matters beyond our reasonable control.
-
-## 11. Release and Indemnification
-
-* If you have a dispute with one or more Users, you agree to release SignPath from any and all claims, demands and damages (actual and consequential) of every kind and nature, known and unknown, arising out of or in any way connected with such disputes.
-* You agree to indemnify us, defend us, and hold us harmless from and against any and all claims, liabilities, and expenses, including attorneys’ fees, arising out of your use of the Website and the Service, including but not limited to your violation of this Agreement, provided that SignPath
-	* promptly gives you written notice of the claim, demand, suit or proceeding;
-	* gives you sole control of the defense and settlement of the claim, demand, suit or proceeding (provided that you may not settle any claim, demand, suit or proceeding unless the settlement unconditionally releases SignPath of all liability); and 
-	* provides to you all reasonable assistance, at your expense.
-
-## 12. Changes to These Terms
-
-* We reserve the right, at our sole discretion, to amend these Terms of Service at any time and will update these Terms of Service in the event of any such amendments. We will notify our Users of material changes to this Agreement, such as price changes, at least 30 days prior to the change taking effect by posting a notice on our Website. For non-material modifications, your continued use of the Website constitutes agreement to our revisions of these Terms of Service. You can view all changes to these Terms in our Site Policy repository.
-* We reserve the right at any time and from time to time to modify or discontinue, temporarily or permanently, the Website (or any part of it) with or without notice.
-
-## 13. Miscellaneous
-
-### 13.1 Governing Law
-
-* This Agreement between you and SignPath and any access to or use of the Website or the Service are governed by the laws of Austria, without regard to conflict of laws provisions. You and SignPath agree to submit to the exclusive jurisdiction and venue of the courts located in Vienna, Austria.
-
-### 13.2 Non-Assignability
-
-* SignPath may assign or delegate these Terms of Service, in whole or in part, to any person or entity at any time with or without your consent. You may not assign or delegate any rights or obligations under the Terms of Service or Privacy Statement without our prior written consent, and any unauthorized assignment and delegation by you is void.
-
-### 13.3 Severability, No Waiver, and Survival
-
-* If any part of this Agreement is held invalid or unenforceable, that portion of the Agreement will be construed to reflect the parties’ original intent. The remaining portions will remain in full force and effect. Any failure on the part of SignPath to enforce any provision of this Agreement will not be considered a waiver of our right to enforce such provision. Our rights under this Agreement will survive any termination of this Agreement.
-
-### 13.4 Amendments
-
-* This Agreement may only be modified by a written amendment signed by an authorized representative of SignPath, or by the posting by SignPath of a revised version in accordance with Section 12. Changes to These Terms. These Terms of Service represent the complete and exclusive statement of the agreement between you and us. This Agreement supersedes any proposal or prior agreement oral or written, and any other communications between you and SignPath relating to the subject matter of these terms including any confidentiality or nondisclosure agreements.
-
-## Changes
-
-* 1 February 2024: company address updated
\ No newline at end of file
diff --git a/docs/documentation/trusted-build-systems/appveyor.md b/docs/trusted-build-systems/appveyor.md
similarity index 96%
rename from docs/documentation/trusted-build-systems/appveyor.md
rename to docs/trusted-build-systems/appveyor.md
index 52fae39..ef7bd45 100644
--- a/docs/documentation/trusted-build-systems/appveyor.md
+++ b/docs/trusted-build-systems/appveyor.md
@@ -38,7 +38,7 @@ These checks are performed to ensure that the binary artifacts result purely fro
 
 ## Setup
 This figure shows the secrets that must be shared between AppVeyor.com and SignPath.io:
-![AppVeyor Setup flow](/assets/img/resources/documentation/build-integration_appveyor.png)
+![AppVeyor Setup flow](/assets/img/resources/build-integration_appveyor.png)
 
 {%- include render-table.html table=site.data.tables.trusted-build-systems.appveyor-setup -%}
 
diff --git a/docs/documentation/trusted-build-systems/azure-devops.md b/docs/trusted-build-systems/azure-devops.md
similarity index 100%
rename from docs/documentation/trusted-build-systems/azure-devops.md
rename to docs/trusted-build-systems/azure-devops.md
diff --git a/docs/documentation/trusted-build-systems/double-authentication-proxy.md b/docs/trusted-build-systems/double-authentication-proxy.md
similarity index 89%
rename from docs/documentation/trusted-build-systems/double-authentication-proxy.md
rename to docs/trusted-build-systems/double-authentication-proxy.md
index 1b9866c..1ee7b38 100644
--- a/docs/documentation/trusted-build-systems/double-authentication-proxy.md
+++ b/docs/trusted-build-systems/double-authentication-proxy.md
@@ -27,11 +27,11 @@ You may configure the system to accept certificates based on
 > * Use Microsoft Certificate Server to assign computer certificates to this group (we recommend using short-lived certificates, i.e. days or weeks, for security critical groups)
 > * Specify the template ID in the Double Authentication Proxy configuration
 > * Register the Double Authentication Proxy as trusted build system (see [configuration](#configuration))
-> * Submit signing requests using mTLS, e.g. using the [PowerShell cmdlet](/documentation/powershell/Submit-SigningRequest). Use the template ID to select the correct certificate client certificate.
+> * Submit signing requests using mTLS, e.g. using the [PowerShell cmdlet](/powershell/Submit-SigningRequest). Use the template ID to select the correct certificate client certificate.
 
 This diagram shows how machine certificates, Double Authentication Proxy and SignPath work together:
 
-![Double Authentication Proxy architecture diagram](/assets/img/resources/documentation/double-authentication-proxy.png){:width="500px"}
+![Double Authentication Proxy architecture diagram](/assets/img/resources/double-authentication-proxy.png){:width="500px"}
 
 Contact [our support team](/support) for installable container images and documentation.
 
diff --git a/docs/documentation/trusted-build-systems/github.md b/docs/trusted-build-systems/github.md
similarity index 96%
rename from docs/documentation/trusted-build-systems/github.md
rename to docs/trusted-build-systems/github.md
index 1ff96c9..75679c1 100644
--- a/docs/documentation/trusted-build-systems/github.md
+++ b/docs/trusted-build-systems/github.md
@@ -8,10 +8,10 @@ description: GitHub
 
 ## Prerequisites
 
-* Use the predefined Trusted Build System _GitHub.com_ (see [configuration](/documentation/trusted-build-systems#configuration))
+* Use the predefined Trusted Build System _GitHub.com_ (see [configuration](/trusted-build-systems#configuration))
   *  add it to the Organization
   *  link it to each SignPath Project for GitHub
-* Specify `<zip-file>` as root element of your [Artifact Configurations](/documentation/artifact-configuration) (GitHub packages all artifacts as ZIP archives)
+* Specify `<zip-file>` as root element of your [Artifact Configurations](/artifact-configuration) (GitHub packages all artifacts as ZIP archives)
 * Required for [source code and build policies](#define-policies-for-source-code-and-builds): Install the [SignPath GitHub App](https://github.com/apps/signpath) and allow access to the code repositories.
 
 {:.panel.info}
@@ -24,7 +24,7 @@ description: GitHub
 The GitHub connector performs the following checks:
 
 * A build was actually performed by a GitHub workflow, not by some other entity in possession of the API token
-* [Origin metadata](/documentation/origin-verification) is provided by GitHub, not the build script, and can therefore not be forged
+* [Origin metadata](/origin-verification) is provided by GitHub, not the build script, and can therefore not be forged
 * The artifact is stored as a GitHub workflow artifact before it is submitted for signing
 * For OSS projects: All jobs of the GitHub worfklow leading up to the signing request were executed on GitHub-hosted agents
 
@@ -81,7 +81,7 @@ steps:
 
 [token-auth]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
 [actions/upload-artifact]: https://github.com/actions/upload-artifact
-[user-defined parameters]: /documentation/artifact-configuration/syntax#parameters
+[user-defined parameters]: /artifact-configuration/syntax#parameters
 
 ### Action output parameters
 
diff --git a/docs/documentation/trusted-build-systems/index.md b/docs/trusted-build-systems/index.md
similarity index 83%
rename from docs/documentation/trusted-build-systems/index.md
rename to docs/trusted-build-systems/index.md
index a196de9..41fff50 100644
--- a/docs/documentation/trusted-build-systems/index.md
+++ b/docs/trusted-build-systems/index.md
@@ -16,7 +16,7 @@ Trusted build systems create a trust relationship between SignPath and certain s
 
 The primary function of trusted build systems is to serve as the foundation of origin verifcation. This feature allows build systems to provide reliable origin metadata with your signing requests, so that SignPath can execute advanced policies based on trusted information. 
 
-See [origin verifcation](/documentation/origin-verification) for details.
+See [origin verifcation](/origin-verification) for details.
 
 ### Direct use {#abstract-direct-use}
 
@@ -28,12 +28,12 @@ See [below](#direct-use) for details.
 
 The following build systems are currently supported by SignPath:
 
-* [GitHub](/documentation/trusted-build-systems/github)
-* [Jenkins](/documentation/trusted-build-systems/jenkins)
-* [Azure DevOps](/documentation/trusted-build-systems/azure-devops)
-* [AppVeyor](/documentation/trusted-build-systems/appveyor)
+* [GitHub](/trusted-build-systems/github)
+* [Jenkins](/trusted-build-systems/jenkins)
+* [Azure DevOps](/trusted-build-systems/azure-devops)
+* [AppVeyor](/trusted-build-systems/appveyor)
 
-Generic support for any build system is available with the [Double Authentication Proxy](/documentation/trusted-build-systems/double-authentication-proxy).
+Generic support for any build system is available with the [Double Authentication Proxy](/trusted-build-systems/double-authentication-proxy).
 
 ## Configuration
 
@@ -64,4 +64,4 @@ Possible policies include:
 * Restrict user access: don't let development teams connect to the build agent, with or without administrative permissions (if you need build nodes with wider permission sets, consider separating the process of compilation and packaging from other steps such as running tests)
 * Require current security policies: avoid misuse of recently restored or otherwise not up-to-date build agents
 
-See the [Double Authentication Proxy](/documentation/trusted-build-systems/double-authentication-proxy) for a simple way to achieve this using machine certificate enrollment. 
+See the [Double Authentication Proxy](/trusted-build-systems/double-authentication-proxy) for a simple way to achieve this using machine certificate enrollment. 
diff --git a/docs/documentation/trusted-build-systems/jenkins.md b/docs/trusted-build-systems/jenkins.md
similarity index 95%
rename from docs/documentation/trusted-build-systems/jenkins.md
rename to docs/trusted-build-systems/jenkins.md
index bb05c0c..401e742 100644
--- a/docs/documentation/trusted-build-systems/jenkins.md
+++ b/docs/trusted-build-systems/jenkins.md
@@ -9,7 +9,7 @@ description: Jenkins Plugin
 ## Prerequisites
 
 * The Jenkins plugin has been installed on the respective Jenkins instance (Jenkins 2.359 or higher are supported).
-* The plugin has been registered as a _custom_ Trusted Build System within SignPath and linked to the respective project (see the [configuration](/documentation/trusted-build-systems#configuration) section).
+* The plugin has been registered as a _custom_ Trusted Build System within SignPath and linked to the respective project (see the [configuration](/trusted-build-systems#configuration) section).
 * The following plugins are installed on the Jenkins server: 
   * [Credentials binding](https://plugins.jenkins.io/credentials-binding/)
   * [Git](https://plugins.jenkins.io/git/)
@@ -19,7 +19,7 @@ description: Jenkins Plugin
 
 The plugin ensures that 
 * A build was actually performed by a specific Jenkins CI instance, not by some other entity in possession of the API token
-* [Origin metadata](/documentation/origin-verification) is provided by Jenkins CI, not the build script, and can therefore not be forged
+* [Origin metadata](/origin-verification) is provided by Jenkins CI, not the build script, and can therefore not be forged
 * The artifact is stored as an immutable Jenkins artifact before it is submitted for signing
 
 ## Installation
@@ -71,7 +71,7 @@ Include the `submitSigningRequest` and optionally, the `getSignedArtifact` steps
 | `inputArtifactPath`          | (mandatory)                               | The relative path of the artifact to be signed
 | `outputArtifactPath`         |                                           | The relative path where the signed artifact is stored after signing
 | `waitForCompletion`          | (mandatory)                               | Set to `true` for synchronous and `false` for asynchronous signing requests
-| `parameters`                 |                                           | A `Map<String, String>` with key/value pairs that map to [user-defined parameters](/documentation/artifact-configuration/syntax#parameters) in the Artifact Configuration.
+| `parameters`                 |                                           | A `Map<String, String>` with key/value pairs that map to [user-defined parameters](/artifact-configuration/syntax#parameters) in the Artifact Configuration.
 
 #### Parameters for the `getSignedArtifact` step
 
diff --git a/docs/documentation/users.md b/docs/users.md
similarity index 97%
rename from docs/documentation/users.md
rename to docs/users.md
index d62ee7e..cc55b8c 100644
--- a/docs/documentation/users.md
+++ b/docs/users.md
@@ -55,7 +55,7 @@ Accepting invitations:
 
 SignPath provides synchronization with Microsoft Entra ID/Azure Active Directory via SCIM. This allows you to perform user management in your organization's directory and use existing users and groups.
 
-See [directory synchronization](/documentation/directory-synchronization). 
+See [directory synchronization](/directory-synchronization). 
 
 ### API tokens {#interactive-api-token}
 
@@ -91,7 +91,7 @@ CI users can only authenticate with an API token.
 > 
 > We recommend using a dedicated CI user per project, but you may opt to share CI users for all projects in a team.
 > 
-> If you don't use [origin verification](/documentation/origin-verification), you should create a CI user per signing policy and strongly restrict access to the user's API token through your CI systems _secrets_ configuration.
+> If you don't use [origin verification](/origin-verification), you should create a CI user per signing policy and strongly restrict access to the user's API token through your CI systems _secrets_ configuration.
 > 
 > Example: Assume _Team 1_ has two projects _A_ and _B_, each with _test-signing_ and _release-signing_ signing policies. Consider creating CI users as follows:
 >