docs/quorum-key-management/src/one-time-repository-setup.md


2024-08-03 21:23:14 +00:00
# Repository Setup
Before the one-time ceremony, a git repository should be set up containing
the items the ceremony depends on, namely:
* PGP public certificates of the Location Keys which will be used for the
ceremony. The key ids of these certificates will be verified during the
ceremony.
* `ceremony.sh`, a script which imports the PGP public certificates of the
Location Keys and displays their key IDs so that Operators can verify that they are
the correct ones. The script then executes the appropriate `keyfork`
command with the desired threshold:
```sh
#!/bin/sh
# Prompt for keyboard input so hardware interrupts feed the entropy pool.
printf '%s' "Generate hardware interrupt entropy by typing randomly on keyboard: "
read -r entropy
# Show the currently mounted filesystems.
mount
printf '%s' "Provide the path to PGP certificates which will be used for the ceremony: "
read -r absolute_path
if [ ! -d "$absolute_path" ]; then
    echo "Directory does not exist. Please enter a valid absolute path."
    exit 1
fi
# Import each Location Key certificate and show its key ID for the Operators to verify.
for file in "$absolute_path"/keys/*; do
    if [ -f "$file" ]; then
        echo "Processing file: $file"
        gpg --import --import-options import-show "$file"
    fi
done
printf '%s' "Do the PGP key IDs match what you expect? (y/n): "
read -r matches_expectation
if [ "$matches_expectation" != "y" ]; then
    echo "Ceasing ceremony as PGP key IDs don't match"
    exit 1
fi
# Run the keyfork ceremony with the desired threshold (here 2).
keyfork wizard bottoms-up --threshold 2 \
    --output-cert "$absolute_path"/cert \
    --output-shardfile "$absolute_path"/shardfile \
    --user-id "QKM Ceremony" "$absolute_path"/keys
```
* The `airgap.iso` which is to be used during the ceremony
* Each Operator should produce Ceremony Notes which contain:
  * `sha256sum` of `airgap.iso`
  * The AirgapOS commit and date for the version that was used
  * `sha256sum` of `ceremony.sh`
  * Key ID of each PGP Public Certificate located in `public-certificates`
    in the ceremony repository
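A helper for producing an Operator's Ceremony Notes and re-checking them afterwards, added here as an example rather than code from the repository. It assumes GNU coreutils `sha256sum`, `gpg` 2.2 or later (for `--show-keys`), and the layout described above (`airgap.iso`, `ceremony.sh` and a `public-certificates` directory at the repository root); the notes file format and the AirgapOS commit argument are assumptions.

```sh
#!/bin/sh
# Added example (not the repository's own code).
# Assumes GNU coreutils (sha256sum) and gpg >= 2.2 (--show-keys).

# Print the 16-hex-digit key ID of every certificate in a directory, reading
# the files without importing anything into the Operator's keyring.
list_key_ids() {
    for cert in "$1"/*; do
        [ -f "$cert" ] || continue
        gpg --batch --show-keys --with-colons "$cert" 2>/dev/null \
            | awk -F: '$1 == "fpr" { print substr($10, length($10) - 15) }'
    done | sort -u
}

# Write the notes: SHA-256 of the ISO and script, AirgapOS commit, key IDs.
# $1 = ceremony repository, $2 = AirgapOS commit and date (assumed free text),
# $3 = output file (absolute path).
write_ceremony_notes() {
    (
        cd "$1" || exit 1
        sha256sum airgap.iso ceremony.sh
        echo "airgapos-commit: $2"
        list_key_ids public-certificates | sed 's/^/key-id: /'
    ) > "$3"
}

# Re-check the hash lines of an existing notes file against the files on disk.
# Returns 0 only if every recorded hash still matches.
verify_hashes() {
    grep -E '^[0-9a-f]{64}  ' "$2" | ( cd "$1" && sha256sum -c --quiet - )
}

# Compare the key IDs recorded in the notes with the Operator's expected list
# (one key ID per line). Returns 1 if an ID is missing or an extra one appears.
check_key_ids() {
    recorded=$(sed -n 's/^key-id: //p' "$1" | sort -u)
    expected=$(sort -u "$2")
    [ "$recorded" = "$expected" ]
}
```

Each Operator's notes can then be diffed against the others' before the ceremony proceeds.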