Workflow 2: Build An Author-Only Registry

Acme Inc. does not need a full macro package registry for this governance story. It only needs one reviewed trust source that says which board members are trusted signers and which public keys belong to them.

The registry

The board secretariat maintains one internal registry whose only real job is trust lookup for approved signers.

Bootstrap the key pair first

Before the registry can publish trusted signers, each signer needs a private key for signing and a public key for verification.

mkdir -p "./keys"
# Generate the private key, then export the matching public key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "./keys/jane-director-private.pem"
openssl rsa -pubout -in "./keys/jane-director-private.pem" -out "./keys/jane-director-public.pem"

The private key stays with Jane Director. The exported public key is what the board secretariat copies into the registry JSON.

{
  "version": 1,
  "name": "acme-board-authors",
  "authors": [
    {
      "name": "Jane Director",
      "trust": "trusted",
      "keys": [
        {
          "id": "board-chair-2026",
          "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
        }
      ]
    },
    {
      "name": "Martin Director",
      "trust": "trusted",
      "keys": [
        {
          "id": "board-member-2026",
          "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
        }
      ]
    }
  ],
  "packages": []
}

This is still a valid ProtoML registry. It is simply author-focused rather than package-focused.
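
A pre-publication check for the registry above, as an added example that is not ProtoML's own tooling: it assumes only the field names shown in the sample JSON, flags any key entry that is not a single PUBLIC KEY PEM block (including a private key pasted in by mistake, or a body left as "..."), and returns a SHA-256 fingerprint of each key's decoded DER bytes for confirmation with the signer. The names `lint_registry` and `_pem` and the sample data are constructed for illustration.

```python
import base64, hashlib, json, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n([A-Za-z0-9+/=\n]+)\n-----END \1-----\s*")

def lint_registry(text):
    """Return (problems, fingerprints) for an author-only registry JSON string."""
    problems, fingerprints, seen_ids = [], {}, set()
    for author in json.loads(text).get("authors", []):
        name = author.get("name", "<unnamed>")
        if not author.get("keys"):
            problems.append(f"{name}: no keys listed")
        for key in author.get("keys", []):
            kid = key.get("id", "<no id>")
            if kid in seen_ids:
                problems.append(f"{name}/{kid}: duplicate key id")
            seen_ids.add(kid)
            m = PEM_RE.fullmatch(key.get("public_key", ""))
            if not m:
                problems.append(f"{name}/{kid}: not a well-formed PEM block")
            elif m.group(1) != "PUBLIC KEY":
                # Catches a private key pasted into the registry by mistake.
                problems.append(f"{name}/{kid}: label {m.group(1)!r}, expected 'PUBLIC KEY'")
            else:
                try:
                    der = base64.b64decode(m.group(2).replace("\n", ""), validate=True)
                except ValueError:
                    problems.append(f"{name}/{kid}: body is not valid base64")
                    continue
                # SHA-256 over the decoded DER bytes, for out-of-band comparison.
                fingerprints[kid] = hashlib.sha256(der).hexdigest()
    return problems, fingerprints

def _pem(label, raw):
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample: the PEM bodies are arbitrary bytes, not real keys.
SAMPLE = json.dumps({"version": 1, "name": "acme-board-authors", "packages": [], "authors": [
    {"name": "Jane Director", "trust": "trusted", "keys": [
        {"id": "board-chair-2026", "public_key": _pem("PUBLIC KEY", b"constructed-jane")}]},
    {"name": "Martin Director", "trust": "trusted", "keys": [
        {"id": "board-member-2026", "public_key": _pem("PRIVATE KEY", b"constructed-martin")},
        {"id": "board-chair-2026", "public_key": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"}]},
]})

if __name__ == "__main__":
    problems, fingerprints = lint_registry(SAMPLE)
    print("\n".join(problems), fingerprints, sep="\n")
```

For a real key, the signer can produce the same fingerprint with `openssl pkey -pubin -in ./keys/jane-director-public.pem -outform DER | openssl dgst -sha256` and read it back to the secretariat before the entry is merged.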

Why this works

Company hosting choices

Acme Inc. can publish this registry in two equally simple ways:

In both cases the content is still just static JSON. The difference is only how employees reach it.

Continue with

Once the trusted author registry exists, the board chair signs the final ProtoML file in Workflow 3: Sign And Publish The Governance Document.