From 17bc691cf6569bc8ba3ea86a6ad013d9da85129d Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Wed, 15 Jan 2025 14:17:38 -0500 Subject: [PATCH] more refactoring --- quorum-key-management/src/SUMMARY.md | 3 +- ...on-pgp-signing-keys-on-board-smart-card.md | 2 +- .../coins/pyth-spl/sign-transaction.md | 20 ++----------- .../operator/pgp-key-provisioning.md | 30 +++++++++++++++++-- .../operator/root-entropy-generation.md | 3 +- .../level-2/fixed-location/procurer/index.md | 2 +- .../level-2/operator-requirements.md | 6 ++-- quorum-key-management/src/key-types.md | 2 ++ 8 files changed, 42 insertions(+), 26 deletions(-) rename quorum-key-management/src/generated-documents/{level-2/fixed-location/procurer => all-levels}/provision-pgp-signing-keys-on-board-smart-card.md (60%) diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index bac9780..70b6c8e 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md @@ -8,11 +8,12 @@ * [Location](locations.md) * [Glossary](glossary.md) * [Generated Documents]() + * [All Levels]() + * [Provision Personal PGP Signing Keys On-Board Smart Card](generated-documents/all-levels/provision-pgp-signing-keys-on-board-smart-card.md) * [Level 2]() * [Fixed-Location]() * [Procurer](generated-documents/level-2/fixed-location/procurer/index.md) * [Procure Facility](generated-documents/level-2/fixed-location/procurer/procure-facility.md) - * [Provision PGP Signing Keys On-Board Smart Card](generated-documents/level-2/fixed-location/procurer/provision-pgp-signing-keys-on-board-smart-card.md) * [Procure Tamper Proofing Equipment](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.md) * [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md) * [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md) diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/provision-pgp-signing-keys-on-board-smart-card.md b/quorum-key-management/src/generated-documents/all-levels/provision-pgp-signing-keys-on-board-smart-card.md similarity index 60% rename from quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/provision-pgp-signing-keys-on-board-smart-card.md rename to quorum-key-management/src/generated-documents/all-levels/provision-pgp-signing-keys-on-board-smart-card.md index b211839..fb8578b 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/provision-pgp-signing-keys-on-board-smart-card.md +++ b/quorum-key-management/src/generated-documents/all-levels/provision-pgp-signing-keys-on-board-smart-card.md @@ -8,4 +8,4 @@ ## Procedure -{{ #include ../../../../component-documents/openpgp-setup.md:steps-on-key-gen }} +{{ #include ../../component-documents/openpgp-setup.md:steps-on-key-gen }} diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md index bff0444..2f17b0d 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md @@ -2,28 +2,12 @@ ## Requirements -* 2 Operators +* [Operator PGP key pairs](../../key-types.md#operator-pgp-keypair) -* Ensure both primary operators have their [Shard-Bearer Keys](../../pgp-key-provisioning.md) - -* Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object. - - * The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys (found in ceremonies repo) - -* Shardfile on SD card - -* Keychain SD card +{{ #include ../../../../operator-requirements.md:requirements }} * Air-gapped bundle -* Tamper proofing equipment - -* Ceremony notes - - * AirgapOS hash - - * Trusted PGP key fingeprints IDs - ## Procedure 1. Verify all transactions for the ceremony in the `ceremonies` repository, ensuring that all the transactions are properly signed by the proposer and the approver using PGP keys which have been checked into ceremonies repository. diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/pgp-key-provisioning.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/pgp-key-provisioning.md index f0047ce..a262a7d 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/pgp-key-provisioning.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/pgp-key-provisioning.md @@ -2,7 +2,17 @@ ## Requirements -{{ #include ../../operator-requirements.md:requirements }} +* 2 Operators + +* [Personal PGP key pairs](../../key-types.md#personal-pgp-keypair) + +* Air-gapped bundle + +* Tamper-proofing equipment + +* Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object. + + * The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo * For each new key to be provisioned: @@ -18,4 +28,20 @@ 1. Unseal the Air-Gapped bundle consisting of a air-gapped laptop, "AirgapOS" SD card and "Keychain" SD card -{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}} \ No newline at end of file +{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork}} + +#### Sealing + +1. Gather all the original items that were in the air-gapped bundle: + + * Air-gapped computer + + * AirgapOS SD card + + * Shardfile SD card + + * Keychain SD card + +{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} + + diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/root-entropy-generation.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/root-entropy-generation.md index 6032abb..e776ac6 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/root-entropy-generation.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/operator/root-entropy-generation.md @@ -4,8 +4,9 @@ This is a ceremony for generating root entropy. ## Requirements -{{ #include ../../operator-requirements.md:requirements }} +* [Operator PGP key pairs](../../key-types.md#operator-pgp-keypair) +{{ #include ../../operator-requirements.md:requirements }} * Each member needs to bring their: diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/index.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/index.md index 4d3f3f8..f20bf59 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/index.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/index.md @@ -18,7 +18,7 @@ The procurer is responsible for: ## Order of Operations -1. Provisioning [Signing PGP Keys](./provision-pgp-signing-keys-on-board-smart-card.md) +1. Provisioning [Personal PGP Keys](./provision-pgp-signing-keys-on-board-smart-card.md) 1. Procuring a [facility](./procure-facility.md) diff --git a/quorum-key-management/src/generated-documents/level-2/operator-requirements.md b/quorum-key-management/src/generated-documents/level-2/operator-requirements.md index 8e5525c..b7a17f4 100644 --- a/quorum-key-management/src/generated-documents/level-2/operator-requirements.md +++ b/quorum-key-management/src/generated-documents/level-2/operator-requirements.md @@ -4,9 +4,11 @@ ## For Quorum Based Operations // ANCHOR: requirements -* Adequate quorum (M individuals of a M of N quorum) +* [Personal PGP key pairs](../../key-types.md#personal-pgp-keypair) -* [Operator PGP key pairs](../../key-types.md#operator-pgp-keypair) +* Air-gapped bundle + +* Adequate quorum (M individuals of a M of N quorum) * Tamper-proofing equipment diff --git a/quorum-key-management/src/key-types.md b/quorum-key-management/src/key-types.md index 44f1faf..56ae9b8 100644 --- a/quorum-key-management/src/key-types.md +++ b/quorum-key-management/src/key-types.md @@ -4,6 +4,8 @@ Used for day to day operations such as signing keys being added to keychain, signing tamper evidence, signing transaction requests and approvals etc. +When bootstrapping a system, the initial PGP keys can be generated on-board a smart card using [this guide](./generated-documents/all-levels/provision-pgp-signing-keys-on-board-smart-card.md). + ### Requirements * MUST not be transferred