From 923828a3b86e9f0ee7c3540edfe59782527674c2 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Mon, 3 Feb 2025 00:26:25 -0500 Subject: [PATCH 1/4] use mini quorum commands for proposals and approvals --- .../approver/approve-transaction.md | 20 ++------- .../proposer/create-transaction-payload.md | 43 +++---------------- 2 files changed, 9 insertions(+), 54 deletions(-) diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md index 7f71f10..82711fa 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md @@ -60,27 +60,13 @@ The approver is responsible for verifying a transaction proposed by a [proposer] * `cd /root/vaults` -1. Verify the detached signature for the payload +1. Verify the existing signatures and add your own signature: - * `gpg --verify ..json ...sig` - - * The filename will be of format: `//ceremonies//payloads/payload_.json` - -1. Verify the key is authenticated: - - * `sq-wot --gpg list ""` - - * Ensure the output of the command includes "fully authenticated" - -1. Sign the transaction payload: - - * `gpg --detach-sign /ceremonies//payloads/payload_.json > /ceremonies//payloads/payload__$pgp_key_id.sig` - - * e.g `gpg --detach-sign solana-01/ceremonies/2025-01-01/payloads/payload_1.json > solana-01/ceremonies/2025-01-01/payloads/payload_1_F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D.sig` + * `icepick workflow --add-signature-to-file /ceremonies//payload_.json --keyring /keyring.asc` 1. Stage the modified file: - * `git add /ceremonies//payloads/payload__$pgp_key_id.sig` + * `git add /ceremonies//payloads/*` 1. Create a signed git commit: 
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index 22b249f..868b03e 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md 
@@ -98,52 +98,21 @@ The proposer must combine these values into a JSON file, such as: * e.g `touch solana-01/ceremonies/2025-01-01/payloads/payload_1.json` -1. Collect data for the transaction being sent, and structure it according to the template below, replacing values with valid ones. The values have to come from a organization approved list of values, for each field, except for `datetime` which is just the current date and time. - - * Write the data to the file: `vim /ceremonies//payloads/payload_.json` - - ```json - { - "workflow": ["", ""], - "values": { - "": "" - }, - "proposal_datetime": "" - } - ``` - - Example data object: - - ```json - { - "workflow": ["cosmos", "withdraw"], - "values": { - "delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer", - "validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh", - "asset_name": "KYVE", - "asset_amount": "0.4", - "chain_name": "korellia" - }, - "proposal_datetime": "2025-01-28T18:18:00" - } - ``` 1. Import the keys relevant to the ceremony: * `gpg --import /keyring.asc` -1. Sign the data in the CLI using `gpg` or another OpenPGP implementation: +1. Use `icepick workflow --help` to list the available workflows and options - * `gpg --detach-sign /ceremonies//payloads/_.json > /ceremonies//payloads/payload__$smart_card_id.sig` +1. Use icepick to generate and sign the payload: - * e.g `gpg --detach-sign solana-01/ceremonies/2025-01-01/payloads/payload_1.json > solana-01/ceremonies/2025-01-01/payloads/payload_1_F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D.sig` + * `icepick workflow <--option value> <--option value> --export-for-quorum --sign > ` -1. 
Stage the new file: + * e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > /ceremonies//payloads/payload_.json` - * `git add /ceremonies//payloads/..$smart_card_id.sig` +1. Stage the new files: -1. Create a signed git commit: - - * `git commit -S -m "add payload signature for payload_.sig using $smart_card_id"` + * `git add /ceremonies//payloads/*` 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} From 2f9dd52d54fffb3b7330fb5b2ffa629c8d901c5c Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Mon, 3 Feb 2025 20:30:30 -0500 Subject: [PATCH 2/4] Remove unnecessary commands from approver and proposer docs --- .../fixed-location/approver/approve-transaction.md | 6 +----- .../proposer/create-transaction-payload.md | 10 ---------- 2 files changed, 1 insertion(+), 15 deletions(-) diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md index 82711fa..c598fe8 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md @@ -48,10 +48,6 @@ The approver is responsible for verifying a transaction proposed by a [proposer] 1. Plug in the Operator smart card -1. Set a local variable `pgp_key_id` to the smart card OpenPGP key id: - - * `pgp_key_id="$(oct list -i | head -1)"` - 1. Copy the git repo locally from the Ceremony SD card * `cp -r /media//vaults /root/vaults` 
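Review bot: in PATCH 1's approve-transaction.md hunk the path passed to `icepick workflow --add-signature-to-file /ceremonies//payload_.json` omits the `payloads/` directory that both the removed `gpg --detach-sign` lines and the new `git add /ceremonies//payloads/*` line use, so the approver will be pointed at a file that does not exist; make it `/ceremonies//payloads/payload_.json`. Two smaller points on the same hunk: `git add .../payloads/*` stages whatever happens to be in that directory rather than the one file just signed, so name the file explicitly as the old line did; and the rewritten step "Verify the existing signatures and add your own signature" drops the success criterion the old `sq-wot` step carried ("fully authenticated") without replacing it, so say what a failed verification looks like in the icepick output and that the approver must stop there rather than sign.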
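Review bot: in PATCH 1's create-transaction-payload.md hunk the "Create a signed git commit" step is deleted but "Stage the new files" is kept, so the proposer now copies a working tree with staged, uncommitted changes onto the SD card and nothing in this patch commits them; either keep the `git commit -S` on the air-gapped machine or drop the staging step as well and do both on the online side (PATCH 4 in this series takes the second route, which is the right fix, but as a standalone commit this one leaves the procedure incomplete).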
@@ -70,7 +66,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] 1. Create a signed git commit: - * `git commit -S -m "add payload signature for payload_.json using $pgp_key_id"` + * `git commit -S -m "add payload signature for payload_.json"` 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index 868b03e..e3e0146 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md @@ -92,16 +92,6 @@ The proposer must combine these values into a JSON file, such as: * e.g `mkdir -p solana-01/ceremonies/2025-01-01/payloads` -1. Create a new file `payload_.json`, for example `payload_1.json` - - * `touch /ceremonies//payloads/payload_.json` - - * e.g `touch solana-01/ceremonies/2025-01-01/payloads/payload_1.json` - -1. Import the keys relevant to the ceremony: - - * `gpg --import /keyring.asc` - 1. Use `icepick workflow --help` to list the available workflows and options 1. Use icepick to generate and sign the payload: From a41d9d7917391a0a1fff9657efdb0cb89d3d4a4d Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Mon, 3 Feb 2025 20:32:55 -0500 Subject: [PATCH 3/4] remove old commands which are replaced by mini-quorum --- .../operator/coins/sol/transfer-token.md | 24 ------------------- 1 file changed, 24 deletions(-) diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md index 378b270..77e44e2 100644 
--- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md @@ -50,30 +50,6 @@ 1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine -1. Verify keyring data from the Ceremony SD card: - - 1. Import keys into the system - - * `gpg --import keys/all/*.asc` - - 1. Plug in the operator's smartcard, and ensure it is loaded: - - * `gpg --card-status` - - 1. Print the list of trusted keys: - - * `sq-wot --gpg list` - - 1. Repeat for every operator, ensuring all keys are cross-trusted. - - 1. Terminate `gpg-agent`: `killall gpg-agent` - -1. Verify all signatures for the workflow data: - - * `for file in .*.sig; do echo "Verifying: $file"; gpg --verify "${file}" ""; done` - - * Ensure that the script doesn't output any "WARNING" messages to the console. If it does, abort the ceremony and initiate incident response. - 1. Start Keyfork using the relevant Shardfile: * `keyfork recover shard --daemon /media/external/shard.asc` From 1ece3b4d8d45d13df92237502127cffdc7c91343 Mon Sep 17 00:00:00 2001 From: ryan Date: Wed, 5 Feb 2025 04:14:27 -0500 Subject: [PATCH 4/4] add --shardfile, use git only on online systems, remove smart_card_id --- .../approver/approve-transaction.md | 18 +++++++++--------- .../operator/coins/sol/transfer-token.md | 2 +- .../proposer/create-transaction-payload.md | 16 ++++++++-------- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md index c598fe8..74592c0 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md 
+++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md @@ -58,15 +58,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] 1. Verify the existing signatures and add your own signature: - * `icepick workflow --add-signature-to-file /ceremonies//payload_.json --keyring /keyring.asc` - -1. Stage the modified file: - - * `git add /ceremonies//payloads/*` - -1. Create a signed git commit: - - * `git commit -S -m "add payload signature for payload_.json"` + * `icepick workflow --add-signature-to-file /ceremonies//payload_.json --shardfile .asc` 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} @@ -88,6 +80,14 @@ The approver is responsible for verifying a transaction proposed by a [proposer] * `cd ~/vaults` +1. Stage the modified file: + + * `git add /ceremonies//payloads/*` + +1. Create a signed git commit: + + * `git commit -S -m "add payload signature for payload_.json"` + 1. Push the latest commit to the repository * `git push origin main` diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md index 77e44e2..3ea24f8 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md @@ -60,7 +60,7 @@ 1. Run the `icepick` command with the transaction payload - * `icepick workflow sol transfer-token --input-file=<(jq .values )` + * `icepick workflow --run-quorum .json --shardfile /media/external/shard.asc` * Follow on screen prompts 
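Review bot: PATCH 3's transfer-token.md hunk removes the keyring cross-trust check, the `gpg --verify` loop over the `.sig` files and the "abort the ceremony and initiate incident response" instruction, but the command it leaves in place, `icepick workflow sol transfer-token --input-file=<(jq .values )`, performs no signature verification at all; the `--run-quorum` replacement only arrives in PATCH 4's hunk at `@@ -60,7 +60,7 @@`. Squash PATCH 3 into PATCH 4 so that no commit in the series documents the operator signing unverified payloads, and carry the abort instruction over into the `--run-quorum` step so the operator knows that a failed quorum check means stop and escalate, not retry.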
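Review bot: in PATCH 4's approve-transaction.md hunk at `@@ -58,15 +58,7 @@` the `--keyring /keyring.asc` argument is replaced by `--shardfile .asc`, but nothing in the approver procedure says where that Shardfile comes from or which card it belongs to, whereas the operator hunk in the same patch gives a concrete `/media/external/shard.asc`; add the corresponding step for the approver. The same hunk also keeps the `/ceremonies//payload_.json` path without the `payloads/` segment that the staging command at `@@ -88,6 +80,14 @@` uses (`git add /ceremonies//payloads/*`), so the two halves of the approver flow still disagree about where the payload lives.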
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index e3e0146..d540180 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md @@ -74,10 +74,6 @@ The proposer must combine these values into a JSON file, such as: 1. Plug in the Operator smart card -1. Set a local variable `smart_card_id` to the smart card OpenPGP key id: - - * `smart_card_id="$(oct list -i | head -1)"` - 1. Copy the git repo locally from the Ceremony SD card * `cp -r /media//vaults /root/vaults` @@ -100,10 +96,6 @@ The proposer must combine these values into a JSON file, such as: * e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > /ceremonies//payloads/payload_.json` -1. Stage the new files: - - * `git add /ceremonies//payloads/*` - 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} 1. Copy the updated ceremonies repo to the SD card @@ -124,6 +116,14 @@ The proposer must combine these values into a JSON file, such as: * `cd ~/vaults` +1. Stage the modified file: + + * `git add /ceremonies//payloads/*` + +1. Create a signed git commit: + + * `git commit -S -m "add payload signature for payload_.json"` + 1. Push the latest commit to the repository * `git push origin main`
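Review bot: in PATCH 4's create-transaction-payload.md hunk at `@@ -124,6 +116,14 @@` the step is titled "Stage the modified file" although the proposer is adding a new file (PATCH 1 called this step "Stage the new files"), and the commit message `add payload signature for payload_.json` is now word-for-word the same as the approver's, so the git history no longer distinguishes a proposal from an approval now that the `$smart_card_id` suffix has been removed; use something like `add proposal payload_.json` here and keep the signature wording for the approver. Since this commit is now made with `git commit -S` on the online system after `cd ~/vaults`, the procedure should also say that the Operator smart card has to be plugged into that machine, as the earlier "Plug in the Operator smart card" step only covers the air-gapped host.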