feat: make Zero secure by default; before it's too late#67

Open
txbm wants to merge 10 commits into vercel-labs:main from txbm:zero-keys
Conversation

@txbm txbm commented May 18, 2026

What

Add first class support for trusted signing keys to Zero packages.

zero-keys.mp4

Why

To head off the terrifying timeline where the language for agents is vulnerable to supply chain attacks.

A generational opportunity to secure the agentic future.

How

A trusted key ledger is distributed and mirrored. Root keys stored in secret vaults of sponsoring orgs.

The binary signature is verified during installation, and root keys are fetched and verified.

Creating a package signs it with a default developer key and includes a ledger to add as many publisher keys to a package as needed.

Running the ship command signs the package with your developer key. Any developer can then verify a package signature given any publisher key or via the global trust chain.

Developers who wish to publish globally trusted packages can submit a PR with their public keys for inclusion into the trusted key chain. Trusted key refresh can happen anytime.

Compromised keys get revoked or rotated; signing and verification against compromised keys then fail.

Outcome

All Zero package installation becomes verifiable against either a chain of trust or P2P direct public key exchange.

Important because it reserves optionality to the installing party how to define their trust posture.

Lays foundation for enabling trusted agent identities and securing future package registries and CI.

Implementation

  • Ed25519 signatures over SHA-256 hashes
  • Verification scripts check against OpenSSL
  • Signed ledgers are part of package artifacts to enable P2P verification without chain
  • Included misc correctness fixes needed during implementation

Transcends future infrastructure. Best to bake in now.
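A constructed walk-through of the flow the description outlines: an Ed25519 signature over the SHA-256 digest of the artifact, a publisher-key ledger carried with the package, and revocation causing verification to fail. This is an added example, not code from this PR or the Zero project; the `Ledger` type, its fields and the revoke-by-hex-key lookup are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)
// Ledger is the hypothetical publisher-key list shipped inside a package artifact.
type Ledger struct {
	Publishers []ed25519.PublicKey
	Revoked    map[string]bool // hex-encoded public key -> revoked
}
// SignArtifact signs the SHA-256 digest of the package bytes, not the raw bytes.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(priv, digest[:])
}
// VerifyArtifact accepts the artifact if any non-revoked ledger key verifies it.
func VerifyArtifact(l Ledger, artifact, sig []byte) error {
	digest := sha256.Sum256(artifact)
	for _, pub := range l.Publishers {
		if l.Revoked[hex.EncodeToString(pub)] {
			continue // signatures by a compromised key are rejected outright
		}
		if ed25519.Verify(pub, digest[:], sig) {
			return nil
		}
	}
	return errors.New("no trusted publisher key verifies this artifact")
}

// Demo walks sign -> verify -> tamper -> revoke and reports each outcome.
func Demo() (okOriginal, okTampered, okAfterRevoke bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ledger := Ledger{Publishers: []ed25519.PublicKey{pub}, Revoked: map[string]bool{}}
	artifact := []byte("constructed sample package bytes") // constructed input
	sig := SignArtifact(priv, artifact)
	okOriginal = VerifyArtifact(ledger, artifact, sig) == nil
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1 // flip one bit: digest changes, signature must fail
	okTampered = VerifyArtifact(ledger, tampered, sig) == nil
	ledger.Revoked[hex.EncodeToString(pub)] = true // key compromised: revoke it
	okAfterRevoke = VerifyArtifact(ledger, artifact, sig) == nil
	return
}

func main() { fmt.Println(Demo()) } // prints: true false false
```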

vercel Bot commented May 18, 2026

@txbm is attempting to deploy a commit to the Vercel Labs Team on Vercel.

A member of the Team first needs to authorize it.
