diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 861b04eaab1..aa8a894bfd2 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -3174,9 +3174,27 @@ system and gives an overview of their function and contents.
       class will sign the kernel, dtb and ramdisk images individually in addition
       to signing the FIT image itself. This could be useful if you are
       intending to verify signatures in another context than booting via
-      U-Boot.
+      U-Boot. This variable is set to "0" by default.
 
-      This variable is set to "0" by default.
+      If :term:`UBOOT_SIGN_ENABLE` is set to "1" and :term:`FIT_SIGN_INDIVIDUAL`
+      is left at its default value of "0", only the configurations are signed.
+      However, the configuration signatures include the hashes of the referenced
+      nodes. This means that the integrity of the entire FIT image is ensured
+      because each hash is compared against a runtime-computed hash for each
+      node.
+      Further information can be found in the U-Boot documentation:
+      `U-Boot fit signature <https://docs.u-boot.org/en/latest/usage/fit/signature.html>`__
+      and more specifically at:
+      `U-Boot signed configurations <https://docs.u-boot.org/en/latest/usage/fit/signature.html#signed-configurations>`__.
+
+      If :term:`UBOOT_SIGN_ENABLE` is set to "1" and :term:`FIT_SIGN_INDIVIDUAL`
+      is set to "1", then the FIT image is signed twice, which is redundant.
+      As this leads to additional complexity without providing any obvious
+      advantage, this feature will likely be removed in a future version.
+
+      Signing only the image nodes is intentionally not implemented by
+      :term:`OpenEmbedded-Core (OE-Core)`, as it is vulnerable to mix-and-match
+      attacks.
 
    :term:`FIT_SIGN_NUMBITS`
       Size of the private key used in the FIT image, in number of bits.