zamokctl
Installation
SKILL.md
zamokctl — Zamok offline signing CLI
zamokctl (Swift, target in apps/macapp) and the ZamokApp GUI are two thin interfaces over
one shared ZamokSigning core. They share the same root key in the macOS Keychain and the same
/draft → confirm → verbatim-sign → /publish flow. There is no bun/TS signing CLI (removed).
Trust model (read once)
- Root key = offline trust anchor. Private lives ONLY locally (macOS Keychain, service
app.bshk.zamok.root-key, one item perkid); the server never holds it and cannot sign. - Per-product roots. A product's keyset is verified only against that product's roots, listed
(public keys) in the committed
packages/signing-keys/trusted-roots.json({ "<slug>": [{kid,pem}] }). Adding/rotating a root = edit that file → PR → deploy (audited; not env, not admin-mutable). - Keychain is
ThisDeviceOnly→ does NOT survive a wiped/new Mac. Always escrow the exported.age+.identityto a vault (e.g. 1Passwordop document create). Escrow = recovery. - The CLI is ad-hoc-signed/unentitled → uses the file/login keychain; no per-use biometric prompt (a future hardening needs a keychain-access-group entitlement + data-protection keychain).
- JWS:
alg=EdDSA, headerkid, payload = the verbatim/draftpayloadJsonbytes.kid = "root_" + base64url(sha256(spkiDer))[:16].