diff --git a/bluebuild/recipe.yml b/bluebuild/recipe.yml
index 8fe3550..b91c498 100644
--- a/bluebuild/recipe.yml
+++ b/bluebuild/recipe.yml
@@ -149,8 +149,9 @@ modules:
         - veilor-postinstall.service
         - veilor-doctor.timer
 
-  # ── 10. signing config ──────────────────────────────────────────
-  # bluebuild emits cosign.pub at root; CI uses the pinned key
-  # generated for veilor-org. signed-by reference for bootc upgrade
-  # signature verification.
-  - type: signing
\ No newline at end of file
+  # ── 10. signing — DEFERRED ──────────────────────────────────────
+  # The BlueBuild `type: signing` module expects a cosign.pub +
+  # cosign.key pair next to the recipe. Generate + ship those in a
+  # follow-up commit once the operator has rotated the key offline
+  # and stashed cosign.key as a Forgejo Actions secret. Skip for the
+  # first green build.
\ No newline at end of file