2024-08-03 21:23:14 +00:00
# Repository Setup

Before the one time ceremony, a git repository should be set up which contains several items relevant to the ceremony, namely the following:

* PGP public certificates of the Location Keys which will be used for the ceremony. The key IDs of these certificates will be verified by the Operators during the ceremony.

* `ceremony.sh`, a script which imports the PGP public certificates of the Location Keys and displays their key IDs so that Operators can verify that they are the correct ones. The script then executes the appropriate `keyfork` command with the desired threshold:

```
#!/bin/sh
set -eu

# Gather keyboard interrupt entropy before any key material is generated.
# The typed text itself is not used and is discarded.
printf '%s' "Generate hardware interrupt entropy by typing randomly on keyboard, then press Enter: "
read -r entropy
unset entropy

# Show the currently mounted filesystems so the Operator can confirm that the
# media holding the ceremony repository is present before continuing.
mount

printf '%s' "Provide the absolute path to the ceremony repository (certificates are read from its keys/ directory): "
read -r absolute_path

if [ ! -d "$absolute_path" ]; then
    echo "Directory does not exist. Please enter a valid absolute path."
    exit 1
fi

# Import every Location Key certificate and print its fingerprint and key ID
# so the Operators can compare them against their Ceremony Notes.
for file in "$absolute_path"/keys/*; do
    if [ -f "$file" ]; then
        echo "Processing file: $file"
        gpg --import --import-options import-show "$file"
    fi
done

printf '%s' "Do the PGP key IDs match what you expect? (y/n): "
read -r matches_expectation

if [ "$matches_expectation" != "y" ]; then
    echo "Ceasing ceremony as PGP key IDs don't match"
    exit 1
fi

# Generate the root key and shard it to the imported Location Key certificates
# with a threshold of 2, writing the certificate and shardfile into the repository.
keyfork wizard bottoms-up --threshold 2 \
    --output-cert "$absolute_path"/cert \
    --output-shardfile "$absolute_path"/shardfile \
    --user-id "QKM Ceremony" \
    "$absolute_path"/keys
```

* The `airgap.iso` which is to be used during the ceremony

* Each Operator should produce Ceremony Notes which contain:
    * `sha256sum` of `airgap.iso`
    * The AirgapOS commit and date for the version that was used
    * `sha256sum` of `ceremony.sh`
    * Key ID of each PGP Public Certificate located in `public-certificates` in the ceremony repository

These values let each Operator independently confirm that the same image, script and certificates were used, and give the Operators a reference to compare against the key IDs printed by `ceremony.sh` during the ceremony.
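The values listed for the Ceremony Notes can be collected with a small script before the ceremony. The following is an added example written for this page; it is not part of the QKM repository or of `ceremony.sh`. It assumes the layout that `ceremony.sh` reads, with the Location Key certificates under `keys/` in the repository, plus `airgap.iso` and `ceremony.sh` at the repository root, and it assumes an AirgapOS checkout at `airgap-os/` inside the repository (a hypothetical path) for the commit and date. `gpg`, `sha256sum` and `git` are assumed to be installed. Certificates are inspected with `gpg --show-keys`, which prints their fingerprints without importing them into the local keyring.

```shell
#!/bin/sh
# Added example, not part of the QKM repository: assemble the Ceremony Notes
# checklist from a ceremony repository checkout.
set -eu

# Print the SHA-256 digest of one file.
file_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Reduce gpg's machine-readable (--with-colons) listing to one line per
# certificate: "<40-hex fingerprint> <16-hex long key ID>". Field 10 of an
# "fpr" record is the fingerprint; the long key ID is its final 16 hex digits.
# Only the primary key's fingerprint (the first fpr after each pub) is kept;
# subkey fingerprints are skipped.
key_ids_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1 }
        $1 == "fpr" && want { print $10, substr($10, length($10) - 15); want = 0 }
    '
}

# Inspect a certificate file without importing it into the local keyring.
cert_key_ids() {
    gpg --with-colons --show-keys "$1" | key_ids_from_colons
}

# Emit the notes for a repository checkout given as the first argument.
ceremony_notes() {
    repo=$1
    echo "airgap.iso sha256:  $(file_digest "$repo/airgap.iso")"
    echo "ceremony.sh sha256: $(file_digest "$repo/ceremony.sh")"
    # Hypothetical path for the AirgapOS checkout; record its commit and date.
    if [ -d "$repo/airgap-os/.git" ]; then
        echo "AirgapOS commit:    $(git -C "$repo/airgap-os" log -1 --format='%H %cI')"
    fi
    for cert in "$repo"/keys/*; do
        [ -f "$cert" ] || continue
        cert_key_ids "$cert" | while read -r fpr keyid; do
            echo "Location Key $(basename "$cert"): fingerprint $fpr key ID $keyid"
        done
    done
}

# Usage: ./ceremony-notes.sh /path/to/ceremony-repo
if [ $# -eq 1 ]; then
    ceremony_notes "$1"
fi
```

Each Operator runs this against their own checkout and compares the output line by line with the other Operators' notes; a differing digest or key ID means the ceremony should not proceed.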