zamokctl

Installation
SKILL.md

zamokctl — Zamok offline signing CLI

zamokctl (Swift, target in apps/macapp) and the ZamokApp GUI are two thin interfaces over one shared ZamokSigning core. They share the same root key in the macOS Keychain and the same /draft → confirm → verbatim-sign → /publish flow. There is no bun/TS signing CLI (removed).

Trust model (read once)

  • Root key = offline trust anchor. Private lives ONLY locally (macOS Keychain, service app.bshk.zamok.root-key, one item per kid); the server never holds it and cannot sign.
  • Per-product roots. A product's keyset is verified only against that product's roots, listed (public keys) in the committed packages/signing-keys/trusted-roots.json ({ "<slug>": [{kid,pem}] }). Adding/rotating a root = edit that file → PR → deploy (audited; not env, not admin-mutable).
  • Keychain is ThisDeviceOnly → does NOT survive a wiped/new Mac. Always escrow the exported .age + .identity to a vault (e.g. 1Password op document create). Escrow = recovery.
  • The CLI is ad-hoc-signed/unentitled → uses the file/login keychain; no per-use biometric prompt (a future hardening needs a keychain-access-group entitlement + data-protection keychain).
  • JWS: alg=EdDSA, header kid, payload = the verbatim /draft payloadJson bytes. kid = "root_" + base64url(sha256(spkiDer))[:16].
Installs
1
GitHub Stars
3
First Seen
Jun 12, 2026
zamokctl — beshkenadze/claude-skills-marketplace