Workflow 3: Sign And Publish The Governance Document
The board chair now signs the final approval file so employees can later verify both integrity and authorship.
If the signer key does not exist yet
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "./keys/jane-director-private.pem"
openssl rsa -pubout -in "./keys/jane-director-private.pem" -out "./keys/jane-director-public.pem"
The public key should already be published in the board author registry before employees start validating released files.
Sign the file
protoparser sign pml "./governance/board-release-approval.pml" "./keys/jane-director-private.pem" "Jane Director" board-chair-2026
This creates a detached board-release-approval.pml.sig.json file next to the document.
What gets distributed internally
- the governance document file
- its matching *.sig.json sidecar
- the author-only registry file or its internal URL
If the document does not depend on external macro packs, employees do not need any macro package registry to validate this story.
Operational note
The detached signature does not replace @signatures or @approvals inside the ProtoML content. It complements them by protecting the file as a file.
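What "protecting the file as a file" means in practice, shown as an added example with plain openssl rather than protoparser. It is not the project's own code and does not reproduce the .sig.json sidecar format; the throwaway paths, file contents and function names are constructed for illustration.

```shell
# Constructed sample: throwaway directory, signer key and document.
demo_dir=$(mktemp -d)
umask 077   # keep the private key unreadable to group and others

make_signer_key() {      # $1 = private key path, $2 = public key path
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$1" 2>/dev/null &&
  openssl pkey -in "$1" -pubout -out "$2"
}

pubkey_fingerprint() {   # SHA-256 over the DER-encoded public key in $1
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

sign_detached() {        # $1 = file, $2 = private key; writes $1.sig beside the file
  openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

verify_detached() {      # $1 = file, $2 = public key; exit status 0 only if valid
  openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

priv="$demo_dir/signer-private.pem"
pub="$demo_dir/signer-public.pem"
doc="$demo_dir/approval.pml"

make_signer_key "$priv" "$pub"
printf 'constructed governance text\n' > "$doc"
sign_detached "$doc" "$priv"

# The value a registry entry could carry so validators can pin the signer key.
registry_fp=$(pubkey_fingerprint "$pub")
echo "public key fingerprint: $registry_fp"

verify_detached "$doc" "$pub" && echo "unchanged file: signature valid"

# Any byte-level change to the file invalidates the detached signature.
printf 'appended after signing\n' >> "$doc"
verify_detached "$doc" "$pub" || echo "modified file: signature rejected"
```

Comparing the fingerprint of the key used for verification against the published registry entry is what ties a valid signature to the expected author rather than to whoever supplied the key.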
Continue with
Now the document reaches Release Operations. Lea validates it in Workflow 4: Employee Validation And Trust Decision.