2024-08-03 21:23:14 +00:00
|
|
|
# Repository Setup
|
|
|
|
|
|
|
|
Before the one time ceremony, a git repository should be set up which contains
|
|
|
|
several items which will be relevant to the ceremony. Namely the following:
|
|
|
|
|
|
|
|
* PGP public certificates of the Location Keys which will be used for the
|
|
|
|
ceremony. The key ids of these certificates will be verified during the
|
|
|
|
ceremony.
|
|
|
|
|
|
|
|
* `ceremony.sh` a script which imports the PGP public certificates of the
|
|
|
|
location keys, and displays their ids so that Operators can verify that they are
|
|
|
|
the correct ones. This script will also execute the appropriate `keyfork`
|
|
|
|
command with a desired threshold:
|
|
|
|
```
|
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
script_dir="$(dirname "$(realpath "$0")")"
|
|
|
|
|
2024-08-04 23:28:16 +00:00
|
|
|
read -p "Provide the absoute path to PGP certificates which will be used for the ceremony: " directory_path
|
2024-08-03 21:23:14 +00:00
|
|
|
|
|
|
|
if [ ! -d "$directory_path" ]; then
|
2024-08-04 23:28:16 +00:00
|
|
|
echo "Directory does not exist. Please enter a valid directory path."
|
|
|
|
exit 1
|
2024-08-03 21:23:14 +00:00
|
|
|
fi
|
|
|
|
|
|
|
|
for file in "$directory_path"/*; do
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
echo "Processing file: $file"
|
|
|
|
gpg --import --import-options import-show $file
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
|
|
|
|
read -p "Do the PGP key IDs match what you expect? (y/n): " matches_expectation
|
|
|
|
|
|
|
|
if [ $matches_expectation != "y" ]; then
|
|
|
|
echo "Ceasing ceremony as PGP key IDs don't match"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2024-08-04 23:28:16 +00:00
|
|
|
keyfork wizard bottoms-up --threshold 2 --output-cert /dev/null --output-shardfile /dev/null --user-id "Distrust Key Ceremony" public-certificates/
|
2024-08-03 21:23:14 +00:00
|
|
|
```
|
|
|
|
|
|
|
|
* The `airgap.iso` which is to be used during the ceremony
|
|
|
|
|
|
|
|
* Each operator should produce Ceremony Notes which contain:
|
|
|
|
|
|
|
|
* `sha256sum` of `airgap.iso`
|
|
|
|
|
|
|
|
* The AirgapOS commit and date for the version that was used
|
|
|
|
|
|
|
|
* `sha256sum` of `ceremony.sh`
|
|
|
|
|
|
|
|
* Key ID of each PGP Public Certificate located in `public-certificates`
|
|
|
|
in the ceremony repository
|