more updates across level 2 processes
This commit is contained in:
parent
22fa2404e5
commit
364ca8d06f
|
@ -6,12 +6,10 @@
|
||||||
* [Software](software.md)
|
* [Software](software.md)
|
||||||
* [Hardware](hardware.md)
|
* [Hardware](hardware.md)
|
||||||
* [Glossary](glossary.md)
|
* [Glossary](glossary.md)
|
||||||
|
|
||||||
* [Preparations]()
|
* [Preparations]()
|
||||||
* [Verifying Signatures](verifying-signatures.md)
|
* [Verifying Signatures](verifying-signatures.md)
|
||||||
* [Tamper Evidence Methods](tamper-evidence-methods.md)
|
* [Tamper Evidence Methods](tamper-evidence-methods.md)
|
||||||
* [Online Machine](online-machine-provisioning.md)
|
* [Online Machine](online-machine-provisioning.md)
|
||||||
|
|
||||||
* [Fixed Location Reusable Laptop]()
|
* [Fixed Location Reusable Laptop]()
|
||||||
* [Location](locations.md)
|
* [Location](locations.md)
|
||||||
* [Procure Hardware](fixed-location-reusable-hardware-procurement.md)
|
* [Procure Hardware](fixed-location-reusable-hardware-procurement.md)
|
||||||
|
@ -21,49 +19,38 @@
|
||||||
* [Change Smart Card PINs](setting-smart-card-pins.md)
|
* [Change Smart Card PINs](setting-smart-card-pins.md)
|
||||||
* [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
|
* [PureBoot Restricted Boot](enable-pure-boot-restricted-boot.md)
|
||||||
* [PureBoot Boot Sequence](secure-boot-sequence.md)
|
* [PureBoot Boot Sequence](secure-boot-sequence.md)
|
||||||
|
|
||||||
* [AirgapOS Setup]()
|
* [AirgapOS Setup]()
|
||||||
* [AirgapOS Setup](repeat-use-airgapos.md)
|
* [AirgapOS Setup](repeat-use-airgapos.md)
|
||||||
* [`autorun.sh` Setup](autorun-sh-setup.md)
|
* [`autorun.sh` Setup](autorun-sh-setup.md)
|
||||||
|
|
||||||
* [One Time Use / Portable Use]()
|
* [One Time Use / Portable Use]()
|
||||||
* [Location](one-time-use-locations.md)
|
* [Location](one-time-use-locations.md)
|
||||||
* [Procure Hardware](hardware-procurement-and-chain-of-custody.md)
|
* [Procure Hardware](hardware-procurement-and-chain-of-custody.md)
|
||||||
* [AirgapOS Setup](one-time-use-airgapos.md)
|
* [AirgapOS Setup](one-time-use-airgapos.md)
|
||||||
* [Repository Setup](one-time-repository-setup.md)
|
* [Repository Setup](one-time-repository-setup.md)
|
||||||
* [Selecting Locations](one-time-use-locations.md)
|
* [Selecting Locations](one-time-use-locations.md)
|
||||||
|
* [Post Ceremony]()
|
||||||
* [Root Entropy Ceremonies]()
|
* [Online Artifact Storage](public-ceremony-artifact-storage.md)
|
||||||
* [Ceremony Log Template](ceremony-log-template.md)
|
* [Physical Artifact Storage](physical-artifact-storage.md)
|
||||||
* [Root Entropy Ceremonies](root-entropy-ceremonies.md)
|
|
||||||
* [Local Key Provisioning](local-key-provisioning.md)
|
|
||||||
* [Hybrid Key Provisioning](hybrid-key-provisioning.md)
|
|
||||||
* [Remote Key Provisioning](remote-key-provisioning.md)
|
|
||||||
|
|
||||||
* [Additional Key Ceremonies]()
|
|
||||||
* [Operator Key Provisioning](operator-key-provisioning.md)
|
|
||||||
* [Location Key Provisioning](location-key-provisioning.md)
|
|
||||||
|
|
||||||
* [Post Ceremony]()
|
|
||||||
* [Online Artifact Storage](public-ceremony-artifact-storage.md)
|
|
||||||
* [Physical Artifact Storage](physical-artifact-storage.md)
|
|
||||||
|
|
||||||
* [Ceremonies]()
|
|
||||||
* [One Time Use Laptop Ceremony](one-time-use-laptop-coin-ceremony.md)
|
|
||||||
* [Portable Reusable Laptop Ceremony](portable-reusable-laptop-ceremony.md)
|
|
||||||
* [Fixed Location Reusable Laptop Ceremony](fixed-location-reusable-laptop-ceremony.md)
|
|
||||||
|
|
||||||
* [Lifecycle Management]()
|
* [Lifecycle Management]()
|
||||||
* [Destroying Hardware](hardware-destruction.md)
|
* [Destroying Hardware](hardware-destruction.md)
|
||||||
* [Storage Device Management](storage-device-management.md)
|
* [Storage Device Management](storage-device-management.md)
|
||||||
|
|
||||||
* [Generated Documents]()
|
* [Generated Documents]()
|
||||||
|
* [Root Entropy Generation]()
|
||||||
|
* [Ceremony Log Template](ceremony-log-template.md)
|
||||||
|
* [Root Entropy Ceremonies](root-entropy-ceremonies.md)
|
||||||
|
* [Local Key Provisioning](local-key-provisioning.md)
|
||||||
|
* [Hybrid Key Provisioning](hybrid-key-provisioning.md)
|
||||||
|
* [Remote Key Provisioning](remote-key-provisioning.md)
|
||||||
|
* [Additional Key Ceremonies]()
|
||||||
|
* [Operator Key Provisioning](operator-key-provisioning.md)
|
||||||
|
* [Location Key Provisioning](location-key-provisioning.md)
|
||||||
* [Level 1]()
|
* [Level 1]()
|
||||||
* [Level 2]()
|
* [Level 2]()
|
||||||
* [Fixed-Location]()
|
* [Fixed-Location]()
|
||||||
* [Provisioner](system-roles.md)
|
* [Provisioner](system-roles.md)
|
||||||
* [Procure Equipment & Location](generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md)
|
* [Procure Equipment & Location](generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md)
|
||||||
* [Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.md)
|
* [Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.md)
|
||||||
|
* [Keychain Repository](generated-documents/level-2/fixed-location/provisioner/keychain-repository.md)
|
||||||
* [Proposer](system-roles.md)
|
* [Proposer](system-roles.md)
|
||||||
* [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md)
|
* [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md)
|
||||||
* [Approver](system-roles.md)
|
* [Approver](system-roles.md)
|
||||||
|
@ -72,7 +59,6 @@
|
||||||
* [PYTH-SLN - Sign Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md)
|
* [PYTH-SLN - Sign Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md)
|
||||||
* [Level 3]()
|
* [Level 3]()
|
||||||
* [Level 4]()
|
* [Level 4]()
|
||||||
|
|
||||||
* [Document Components]()
|
* [Document Components]()
|
||||||
* [Git Commit Signing](./component-documents/git-commit-signing.md)
|
* [Git Commit Signing](./component-documents/git-commit-signing.md)
|
||||||
* [GUI Git Commit](./component-documents/gui-git-commit.md)
|
* [GUI Git Commit](./component-documents/gui-git-commit.md)
|
||||||
|
|
|
@ -37,5 +37,10 @@ ceremonies/
|
||||||
policies/
|
policies/
|
||||||
spending-policy.json
|
spending-policy.json
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Procedure: Setting up Repository
|
||||||
|
|
||||||
|
{{ #include ./git-repository-initialization.md:procedure}}
|
||||||
// ANCHOR_END: content
|
// ANCHOR_END: content
|
||||||
/* ANCHOR_END: all */
|
/* ANCHOR_END: all */
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
/* ANCHOR: all */
|
||||||
|
# Git Repository Initialization
|
||||||
|
|
||||||
|
This document explains how a git repository should be set up in order to guarantee authenticity and non-repudiation of data.
|
||||||
|
|
||||||
|
Git is used because it permits cryptographic singing of commits using PGP, as well as historical changes to a set of data.
|
||||||
|
|
||||||
|
## Procedure: Setting up Repository
|
||||||
|
// ANCHOR: procedure
|
||||||
|
1. Create a git repository using a git system such as Forjego, GitLab, GitHub etc.
|
||||||
|
|
||||||
|
1. Set appropriate permissions to limit who can write to the repository.
|
||||||
|
|
||||||
|
* `main` branch should be write protected so that merges to that branch can only be done if at least 2 approvals are present
|
||||||
|
|
||||||
|
* The organization may choose to require more approvals based on risk tolerance and operational capacity
|
||||||
|
|
||||||
|
* The merges should be done via CLI signed commits
|
||||||
|
|
||||||
|
* Require that all commits are signed using well known PGP keys which are from the organization's [keychain repository](TODO)
|
||||||
|
|
||||||
|
1. Optionally set up a chron job that periodically pulls the data from the repository as a backup.
|
||||||
|
// ANCHOR_END: procedure
|
||||||
|
/* ANCHOR_END: all */
|
||||||
|
|
|
@ -10,7 +10,7 @@ This repository contains the trusted keys for the organization.
|
||||||
* MUST require signed commits
|
* MUST require signed commits
|
||||||
|
|
||||||
## Repository Structure
|
## Repository Structure
|
||||||
|
```
|
||||||
trusted-keys/
|
trusted-keys/
|
||||||
proposers/
|
proposers/
|
||||||
<key_id>/
|
<key_id>/
|
||||||
|
@ -19,6 +19,11 @@ trusted-keys/
|
||||||
sig_2.asc
|
sig_2.asc
|
||||||
approvers/
|
approvers/
|
||||||
operators/
|
operators/
|
||||||
|
```
|
||||||
|
|
||||||
|
## Procedure: Setting up Repository
|
||||||
|
|
||||||
|
{{ #include ./git-repository-initialization.md:procedure }}
|
||||||
|
|
||||||
## Procedure: Adding OpenPGP Keys
|
## Procedure: Adding OpenPGP Keys
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
||||||
|
|
||||||
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
|
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
|
||||||
|
|
||||||
* Clone the [Ceremonies Repository](../../../../component-documents/ceremony-repository.md) for your organization to the machine
|
* Clone the [Ceremonies Repository](/generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.html) for your organization to the machine
|
||||||
|
|
||||||
## Procedure
|
## Procedure
|
||||||
|
|
||||||
|
@ -25,3 +25,11 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
||||||
* `gpg --armor --output <approver.sig> --detach-sig <filename>`
|
* `gpg --armor --output <approver.sig> --detach-sig <filename>`
|
||||||
|
|
||||||
1. Commit the detached signature alongside the tx
|
1. Commit the detached signature alongside the tx
|
||||||
|
|
||||||
|
## Appendix
|
||||||
|
|
||||||
|
### Git Commit Signing Configuration
|
||||||
|
{{ #include ../../../../component-documents/git-commit-signing.md:steps }}
|
||||||
|
|
||||||
|
### Generating PGP Keypair & Provisioning Smart Card
|
||||||
|
{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork }}
|
||||||
|
|
|
@ -22,7 +22,7 @@ The proposer must combine these values into a single message, which can be a sim
|
||||||
|
|
||||||
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
|
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
|
||||||
|
|
||||||
* Clone the [Ceremonies Repository](../../../../component-documents/ceremony-repository.md) for your organization to the machine
|
* Clone the [Ceremonies Repository](/generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.html) for your organization to the machine
|
||||||
|
|
||||||
## Procedure
|
## Procedure
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue