From 364ca8d06f7ca95739a128842616247ed6d0a832 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Fri, 27 Dec 2024 13:50:02 -0500 Subject: [PATCH] more updates across level 2 processes --- quorum-key-management/src/SUMMARY.md | 42 +++++++------------ .../ceremony-repository.md | 7 +++- .../git-repository-initialization.md | 25 +++++++++++ .../keychain-repository.md | 9 +++- .../approver/approve-transaction.md | 10 ++++- .../proposer/create-transaction-payload.md | 4 +- 6 files changed, 63 insertions(+), 34 deletions(-) create mode 100644 quorum-key-management/src/component-documents/git-repository-initialization.md diff --git a/quorum-key-management/src/SUMMARY.md b/quorum-key-management/src/SUMMARY.md index f93cf1d..3a6f59c 100644 --- a/quorum-key-management/src/SUMMARY.md +++ b/quorum-key-management/src/SUMMARY.md @@ -6,12 +6,10 @@ * [Software](software.md) * [Hardware](hardware.md) * [Glossary](glossary.md) - * [Preparations]() * [Verifying Signatures](verifying-signatures.md) * [Tamper Evidence Methods](tamper-evidence-methods.md) * [Online Machine](online-machine-provisioning.md) - * [Fixed Location Reusable Laptop]() * [Location](locations.md) * [Procure Hardware](fixed-location-reusable-hardware-procurement.md) 
@@ -21,49 +19,38 @@ * [Change Smart Card PINs](setting-smart-card-pins.md) * [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md) * [PureBoot Boot Sequence](secure-boot-sequence.md) - * [AirgapOS Setup]() * [AirgapOS Setup](repeat-use-airgapos.md) * [`autorun.sh` Setup](autorun-sh-setup.md) - * [One Time Use / Portable Use]() * [Location](one-time-use-locations.md) * [Procure Hardware](hardware-procurement-and-chain-of-custody.md) * [AirgapOS Setup](one-time-use-airgapos.md) * [Repository Setup](one-time-repository-setup.md) * [Selecting Locations](one-time-use-locations.md) - -* [Root Entropy Ceremonies]() - * [Ceremony Log Template](ceremony-log-template.md) - * [Root Entropy Ceremonies](root-entropy-ceremonies.md) - * [Local Key Provisioning](local-key-provisioning.md) - * [Hybrid Key Provisioning](hybrid-key-provisioning.md) - * [Remote Key Provisioning](remote-key-provisioning.md) - - * [Additional Key Ceremonies]() - * [Operator Key Provisioning](operator-key-provisioning.md) - * [Location Key Provisioning](location-key-provisioning.md) - - * [Post Ceremony]() - * [Online Artifact Storage](public-ceremony-artifact-storage.md) - * [Physical Artifact Storage](physical-artifact-storage.md) - -* [Ceremonies]() - * [One Time Use Laptop Ceremony](one-time-use-laptop-coin-ceremony.md) - * [Portable Reusable Laptop Ceremony](portable-reusable-laptop-ceremony.md) - * [Fixed Location Reusable Laptop Ceremony](fixed-location-reusable-laptop-ceremony.md) - +* [Post Ceremony]() + * [Online Artifact Storage](public-ceremony-artifact-storage.md) + * [Physical Artifact Storage](physical-artifact-storage.md) * [Lifecycle Management]() * [Destroying Hardware](hardware-destruction.md) * [Storage Device Management](storage-device-management.md) - * [Generated Documents]() + * [Root Entropy Generation]() + * [Ceremony Log Template](ceremony-log-template.md) + * [Root Entropy Ceremonies](root-entropy-ceremonies.md) + * [Local Key Provisioning](local-key-provisioning.md) 
+ * [Hybrid Key Provisioning](hybrid-key-provisioning.md) + * [Remote Key Provisioning](remote-key-provisioning.md) + * [Additional Key Ceremonies]() + * [Operator Key Provisioning](operator-key-provisioning.md) + * [Location Key Provisioning](location-key-provisioning.md) * [Level 1]() * [Level 2]() * [Fixed-Location]() * [Provisioner](system-roles.md) * [Procure Equipment & Location](generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md) * [Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.md) + * [Keychain Repository](generated-documents/level-2/fixed-location/provisioner/keychain-repository.md) * [Proposer](system-roles.md) * [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md) * [Approver](system-roles.md) @@ -72,8 +59,7 @@ * [PYTH-SLN - Sign Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md) * [Level 3]() * [Level 4]() - * [Document Components]() * [Git Commit Signing](./component-documents/git-commit-signing.md) * [GUI Git Commit](./component-documents/gui-git-commit.md) - * [OpenPGP Setup](./component-documents/openpgp-setup.md) \ No newline at end of file + * [OpenPGP Setup](./component-documents/openpgp-setup.md) diff --git a/quorum-key-management/src/component-documents/ceremony-repository.md b/quorum-key-management/src/component-documents/ceremony-repository.md index ed9d115..8b65514 100644 --- a/quorum-key-management/src/component-documents/ceremony-repository.md +++ b/quorum-key-management/src/component-documents/ceremony-repository.md @@ -37,5 +37,10 @@ ceremonies/ policies/ spending-policy.json ``` + +## Procedure: Setting up Repository + +{{ #include ./git-repository-initialization.md:procedure}} // ANCHOR_END: content -/* ANCHOR_END: all */ \ No newline at end of file +/* ANCHOR_END: all */ + 
diff --git a/quorum-key-management/src/component-documents/git-repository-initialization.md b/quorum-key-management/src/component-documents/git-repository-initialization.md new file mode 100644 index 0000000..d45c14f --- /dev/null +++ b/quorum-key-management/src/component-documents/git-repository-initialization.md @@ -0,0 +1,25 @@ +/* ANCHOR: all */ +# Git Repository Initialization + +This document explains how a git repository should be set up in order to guarantee authenticity and non-repudiation of data. + +Git is used because it permits cryptographic singing of commits using PGP, as well as historical changes to a set of data. + +## Procedure: Setting up Repository +// ANCHOR: procedure +1. Create a git repository using a git system such as Forjego, GitLab, GitHub etc. + +1. Set appropriate permissions to limit who can write to the repository. + + * `main` branch should be write protected so that merges to that branch can only be done if at least 2 approvals are present + + * The organization may choose to require more approvals based on risk tolerance and operational capacity + + * The merges should be done via CLI signed commits + + * Require that all commits are signed using well known PGP keys which are from the organization's [keychain repository](TODO) + +1. Optionally set up a chron job that periodically pulls the data from the repository as a backup. +// ANCHOR_END: procedure +/* ANCHOR_END: all */ + diff --git a/quorum-key-management/src/component-documents/keychain-repository.md b/quorum-key-management/src/component-documents/keychain-repository.md index 39f19f0..4ac20f2 100644 --- a/quorum-key-management/src/component-documents/keychain-repository.md +++ b/quorum-key-management/src/component-documents/keychain-repository.md @@ -10,7 +10,7 @@ This repository contains the trusted keys for the organization. * MUST require signed commits ## Repository Structure - +``` trusted-keys/ proposers/ / 
@@ -19,6 +19,11 @@ trusted-keys/ sig_2.asc approvers/ operators/ +``` + +## Procedure: Setting up Repository + +{{ #include ./git-repository-initialization.md:procedure }} ## Procedure: Adding OpenPGP Keys @@ -32,4 +37,4 @@ trusted-keys/ 1. The PR should be merged using a signed commit via the git CLI // ANCHOR_END: content -/* ANCHOR_END: all */ \ No newline at end of file +/* ANCHOR_END: all */ diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md index 25c03ed..8ff3e9c 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md @@ -8,7 +8,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] * Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration) -* Clone the [Ceremonies Repository](../../../../component-documents/ceremony-repository.md) for your organization to the machine +* Clone the [Ceremonies Repository](/generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.html) for your organization to the machine ## Procedure @@ -25,3 +25,11 @@ The approver is responsible for verifying a transaction proposed by a [proposer] * `gpg --armor --output --detach-sig ` 1. Commit the detached signature alongside the tx + +## Appendix + +### Git Commit Signing Configuration +{{ #include ../../../../component-documents/git-commit-signing.md:steps }} + +### Generating PGP Keypair & Provisioning Smart Card +{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork }} 
diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index c7fbb9a..adea54e 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md @@ -22,7 +22,7 @@ The proposer must combine these values into a single message, which can be a sim * Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration) -* Clone the [Ceremonies Repository](../../../../component-documents/ceremony-repository.md) for your organization to the machine +* Clone the [Ceremonies Repository](/generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.html) for your organization to the machine ## Procedure @@ -63,4 +63,4 @@ The proposer must combine these values into a single message, which can be a sim {{ #include ../../../../component-documents/git-commit-signing.md:steps }} ### Generating PGP Keypair & Provisioning Smart Card -{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork }} \ No newline at end of file +{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork }}
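Review bot: In `SUMMARY.md`, the second hunk removes the whole `Ceremonies` section (`one-time-use-laptop-coin-ceremony.md`, `portable-reusable-laptop-ceremony.md`, `fixed-location-reusable-laptop-ceremony.md`), but the patch neither deletes those files nor links them from anywhere else. mdBook only builds pages listed in `SUMMARY.md`, so the three ceremony documents would silently drop out of the published book. Either keep entries for them or remove the files in the same change. Separately, the new `Keychain Repository` entry points at `generated-documents/level-2/fixed-location/provisioner/keychain-repository.md`, while the only keychain file touched here is `component-documents/keychain-repository.md`; please confirm the generated page exists.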
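Review bot: In `ceremony-repository.md`, the new `## Procedure: Setting up Repository` heading and its include sit above `// ANCHOR_END: content`, so every document that includes `ceremony-repository.md:content` now also pulls in the repository setup procedure. If that is intended, fine; if the generated provisioner page should be the only place that shows it, move the include below the anchor end. The include is also written `:procedure}}` without the space used in `keychain-repository.md` (`:procedure }}`); pick one form.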
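Review bot: The new `git-repository-initialization.md` has three typos in text that operators will follow literally: "cryptographic singing" should be "signing", "Forjego" should be "Forgejo", and "chron job" should be "cron job". The link `[keychain repository](TODO)` is a placeholder and will render as a broken link; point it at `./keychain-repository.md`. On substance, the step "Require that all commits are signed using well known PGP keys" does not say how the requirement is enforced or checked, and the optional backup step pulls data without saying whether signatures are verified on the pulled copy. Since the document's stated goal is authenticity and non-repudiation, name the control (the hosting platform's branch protection, a verification step run by a reviewer, or both) and state that the backup job should verify commit signatures against the keychain before the copy is trusted.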
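Review bot: In `keychain-repository.md`, including `git-repository-initialization.md:procedure` creates a circular requirement: the included procedure says all commits must be signed with keys "from the organization's keychain repository", yet this is the procedure for creating that repository, when it holds no keys. Add a sentence before `## Procedure: Adding OpenPGP Keys` that says how the first keys are trusted (for example, which out-of-band verification the initial committers go through), or exclude that bullet from the include for this page. The new code fence around the `trusted-keys/` tree is a good fix; consider tagging it as plain text so it is not syntax-highlighted.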
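Review bot: In both `approve-transaction.md` and `create-transaction-payload.md`, the Ceremonies Repository link changes from a relative `.md` path to the absolute `/generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.html`. An absolute path resolves against the site root, so it breaks when the book is served under a sub-path or opened from disk, and a hard-coded `.html` target is not something mdBook can rewrite or check. `SUMMARY.md` already lists the page as `generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.md`, so a relative link such as `../provisioner/ceremonies-repository.md` reaches the same page from both documents.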