more updates across level 2 processes

2024-12-27 13:50:02 -05:00 · 2024-12-27 13:50:02 -05:00 · 364ca8d06f
parent 22fa2404e5
commit 364ca8d06f
6 changed files with 63 additions and 34 deletions
--- a/quorum-key-management/src/SUMMARY.md
+++ b/quorum-key-management/src/SUMMARY.md
@ -6,12 +6,10 @@
    * [Software](software.md)
    * [Hardware](hardware.md)
    * [Glossary](glossary.md)
-
 * [Preparations]()
    * [Verifying Signatures](verifying-signatures.md)
    * [Tamper Evidence Methods](tamper-evidence-methods.md)
    * [Online Machine](online-machine-provisioning.md)
-
    * [Fixed Location Reusable Laptop]()
        * [Location](locations.md)
        * [Procure Hardware](fixed-location-reusable-hardware-procurement.md)
@ -21,49 +19,38 @@
            * [Change Smart Card PINs](setting-smart-card-pins.md)
            * [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
            * [PureBoot Boot Sequence](secure-boot-sequence.md)
-
        * [AirgapOS Setup]()
            * [AirgapOS Setup](repeat-use-airgapos.md)
            * [`autorun.sh` Setup](autorun-sh-setup.md)
-
    * [One Time Use / Portable Use]()
        * [Location](one-time-use-locations.md)
        * [Procure Hardware](hardware-procurement-and-chain-of-custody.md)
        * [AirgapOS Setup](one-time-use-airgapos.md)
        * [Repository Setup](one-time-repository-setup.md)
        * [Selecting Locations](one-time-use-locations.md)
-
-* [Root Entropy Ceremonies]()
-    * [Ceremony Log Template](ceremony-log-template.md)
-    * [Root Entropy Ceremonies](root-entropy-ceremonies.md)
-        * [Local Key Provisioning](local-key-provisioning.md)
-        * [Hybrid Key Provisioning](hybrid-key-provisioning.md)
-        * [Remote Key Provisioning](remote-key-provisioning.md)
-
-    * [Additional Key Ceremonies]()
-        * [Operator Key Provisioning](operator-key-provisioning.md)
-        * [Location Key Provisioning](location-key-provisioning.md)
-
-    * [Post Ceremony]()
-        * [Online Artifact Storage](public-ceremony-artifact-storage.md)
-        * [Physical Artifact Storage](physical-artifact-storage.md)
-
-* [Ceremonies]()
-    * [One Time Use Laptop Ceremony](one-time-use-laptop-coin-ceremony.md)
-    * [Portable Reusable Laptop Ceremony](portable-reusable-laptop-ceremony.md)
-    * [Fixed Location Reusable Laptop Ceremony](fixed-location-reusable-laptop-ceremony.md)
-
+* [Post Ceremony]()
+    * [Online Artifact Storage](public-ceremony-artifact-storage.md)
+    * [Physical Artifact Storage](physical-artifact-storage.md)
 * [Lifecycle Management]()
    * [Destroying Hardware](hardware-destruction.md)
    * [Storage Device Management](storage-device-management.md)
-
 * [Generated Documents]()
+    * [Root Entropy Generation]()
+        * [Ceremony Log Template](ceremony-log-template.md)
+        * [Root Entropy Ceremonies](root-entropy-ceremonies.md)
+            * [Local Key Provisioning](local-key-provisioning.md)
+            * [Hybrid Key Provisioning](hybrid-key-provisioning.md)
+            * [Remote Key Provisioning](remote-key-provisioning.md)
+        * [Additional Key Ceremonies]()
+            * [Operator Key Provisioning](operator-key-provisioning.md)
+            * [Location Key Provisioning](location-key-provisioning.md)
    * [Level 1]()
    * [Level 2]()
        * [Fixed-Location]()
            * [Provisioner](system-roles.md)
                * [Procure Equipment & Location](generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md)
                * [Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.md)
+                * [Keychain Repository](generated-documents/level-2/fixed-location/provisioner/keychain-repository.md)
            * [Proposer](system-roles.md)
                * [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md)
            * [Approver](system-roles.md)
@ -72,8 +59,7 @@
                * [PYTH-SLN - Sign Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md)
    * [Level 3]()
    * [Level 4]()
-
 * [Document Components]()
    * [Git Commit Signing](./component-documents/git-commit-signing.md)
    * [GUI Git Commit](./component-documents/gui-git-commit.md)
-    * [OpenPGP Setup](./component-documents/openpgp-setup.md)
+    * [OpenPGP Setup](./component-documents/openpgp-setup.md)
--- a/quorum-key-management/src/component-documents/ceremony-repository.md
+++ b/quorum-key-management/src/component-documents/ceremony-repository.md
@ -37,5 +37,10 @@ ceremonies/
 policies/
    spending-policy.json
 ```
+
+## Procedure: Setting up Repository
+
+{{ #include ./git-repository-initialization.md:procedure}}
 // ANCHOR_END: content
-/* ANCHOR_END: all */
+/* ANCHOR_END: all */
+
--- a/quorum-key-management/src/component-documents/git-repository-initialization.md
+++ b/quorum-key-management/src/component-documents/git-repository-initialization.md
@ -0,0 +1,25 @@
+/* ANCHOR: all */
+# Git Repository Initialization
+
+This document explains how a git repository should be set up in order to guarantee authenticity and non-repudiation of data.
+
+Git is used because it permits cryptographic singing of commits using PGP, as well as historical changes to a set of data.
+
+## Procedure: Setting up Repository
+// ANCHOR: procedure
+1. Create a git repository using a git system such as Forjego, GitLab, GitHub etc.
+
+1. Set appropriate permissions to limit who can write to the repository.
+
+    * `main` branch should be write protected so that merges to that branch can only be done if at least 2 approvals are present
+
+        * The organization may choose to require more approvals based on risk tolerance and operational capacity
+
+    * The merges should be done via CLI signed commits
+
+    * Require that all commits are signed using well known PGP keys which are from the organization's [keychain repository](TODO) 
+
+1. Optionally set up a chron job that periodically pulls the data from the repository as a backup.
+// ANCHOR_END: procedure
+/* ANCHOR_END: all */
+
--- a/quorum-key-management/src/component-documents/keychain-repository.md
+++ b/quorum-key-management/src/component-documents/keychain-repository.md
@ -10,7 +10,7 @@ This repository contains the trusted keys for the organization.
 * MUST require signed commits

 ## Repository Structure
-
+```
 trusted-keys/
    proposers/
        <key_id>/
@ -19,6 +19,11 @@ trusted-keys/
            sig_2.asc
    approvers/
    operators/
+```
+
+## Procedure: Setting up Repository
+
+{{ #include ./git-repository-initialization.md:procedure }}

 ## Procedure: Adding OpenPGP Keys 

@ -32,4 +37,4 @@ trusted-keys/

 1. The PR should be merged using a signed commit via the git CLI
 // ANCHOR_END: content
-/* ANCHOR_END: all */
+/* ANCHOR_END: all */
--- a/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md
+++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md
@ -8,7 +8,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]

 * Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)

-* Clone the [Ceremonies Repository](../../../../component-documents/ceremony-repository.md) for your organization to the machine
+* Clone the [Ceremonies Repository](/generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.html) for your organization to the machine

 ## Procedure

@ -25,3 +25,11 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
    * `gpg --armor --output <approver.sig> --detach-sig <filename>`

 1. Commit the detached signature alongside the tx  
+
+## Appendix
+
+### Git Commit Signing Configuration
+{{ #include ../../../../component-documents/git-commit-signing.md:steps }}
+
+### Generating PGP Keypair & Provisioning Smart Card
+{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork }}
--- a/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md
+++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md
@ -22,7 +22,7 @@ The proposer must combine these values into a single message, which can be a sim

 * Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)

-* Clone the [Ceremonies Repository](../../../../component-documents/ceremony-repository.md) for your organization to the machine
+* Clone the [Ceremonies Repository](/generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.html) for your organization to the machine

 ## Procedure

@ -63,4 +63,4 @@ The proposer must combine these values into a single message, which can be a sim
 {{ #include ../../../../component-documents/git-commit-signing.md:steps }}

 ### Generating PGP Keypair & Provisioning Smart Card
-{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork }}
+{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork }}