From 636af370b7a877876eaec564f69d06b039e19b76 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Sun, 2 Feb 2025 10:18:12 -0500 Subject: [PATCH] add command to require touch on smart card --- .../src/component-documents/openpgp-setup.md | 15 +++++++++++---- .../proposer/create-transaction-payload.md | 10 +++++----- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/quorum-vault-system/src/component-documents/openpgp-setup.md b/quorum-vault-system/src/component-documents/openpgp-setup.md index 0fcbc2e..7218412 100644 --- a/quorum-vault-system/src/component-documents/openpgp-setup.md +++ b/quorum-vault-system/src/component-documents/openpgp-setup.md @@ -10,11 +10,18 @@ as such need to be set up in a manner that minimizes exposure risks. 1. Insert a smartcard into the system, and get its ID: - * `identifier="$(oct list -i | head -1)"` + * `smart_card_id="$(oct list -i | head -1)"` + +1. Set the smart card to require touch for all operations: + + * `oct admin --card $smart_card_id touch --key SIG --policy On` + * `oct admin --card $smart_card_id touch --key DEC --policy On` + * `oct admin --card $smart_card_id touch --key AUT --policy On` + * `oct admin --card $smart_card_id touch --key ATT --policy On` 1. Generate a mnemonic, encrypting to a newly-generated key: - * `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$identifier"` + * `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"` 1. If additional keys are required, recover the Keyfork key from the encrypted mnemonic: 
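Review bot: the four new `oct admin --card $smart_card_id touch ...` lines leave `$smart_card_id` unquoted, while the `keyfork mnemonic generate ... identifier="$smart_card_id"` line in the same hunk (and the `keyfork provision openpgp-card --identifier "$smart_card_id"` line later in the patch) quote it; quote it consistently, e.g. `oct admin --card "$smart_card_id" touch --key SIG --policy On`. Also, the step is titled "require touch for all operations" but sets `--policy On`; if the intent is that the requirement cannot be switched off again after the card is provisioned, say so in the step text or choose the fixed variant of the policy, otherwise a one-line note that `On` is deliberately reversible would help the operator reading this later.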
@@ -25,9 +32,9 @@ as such need to be set up in a manner that minimizes exposure risks. * Remove your previous key, and plug in the new key. - * `identifier="$(oct list -i | head -1)"` + * `smart_card_id="$(oct list -i | head -1)"` - * `keyfork provision openpgp-card --identifier "$identifier" --account-id 0` + * `keyfork provision openpgp-card --identifier "$smart_card_id" --account-id 0` 1. Insert an SD card to contain the public certificate and the encrypted mnemonic. diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index fb0688f..afdc17a 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md @@ -76,9 +76,9 @@ The proposer must combine these values into a JSON file, such as: 1. Plug in the Operator smart card -1. Set a local variable `pgp_key_id` to the smart card OpenPGP key id: +1. Set a local variable `smart_card_id` to the smart card OpenPGP key id: - * `pgp_key_id="$(oct list -i | head -1)"` + * `smart_card_id="$(oct list -i | head -1)"` 1. Copy the git repo locally from the Ceremony SD card 
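Review bot: the additional-card path (`Remove your previous key, and plug in the new key`, then `smart_card_id="$(oct list -i | head -1)"` and `keyfork provision openpgp-card --identifier "$smart_card_id" --account-id 0`) never applies the touch policy to the second card; the four `oct admin ... touch` commands introduced in the first hunk run only against the first card. Either repeat those commands here before `keyfork provision`, or turn the touch-policy step into a shared sub-step that both paths reference, so every provisioned card ends up with the same policy.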
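Review bot: in the `create-transaction-payload.md` hunk the step text still reads "Set a local variable `smart_card_id` to the smart card OpenPGP key id", but the value comes from `oct list -i | head -1`, which is the card identifier, not an OpenPGP key ID. The rename from `pgp_key_id` makes the variable name and its description disagree; update the description to "smart card identifier" (or keep deriving an OpenPGP key ID if that is what the signature file names are meant to carry, see the next hunk).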
@@ -135,17 +135,17 @@ The proposer must combine these values into a JSON file, such as: 1. Sign the data in the CLI using `gpg` or another OpenPGP implementation: - * `gpg --detach-sign /ceremonies//payloads/_.json > /ceremonies//payloads/payload__$pgp_key_id.sig` + * `gpg --detach-sign /ceremonies//payloads/_.json > /ceremonies//payloads/payload__$smart_card_id.sig` * e.g `gpg --detach-sign solana-01/ceremonies/2025-01-01/payloads/payload_1.json > solana-01/ceremonies/2025-01-01/payloads/payload_1_F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D.sig` 1. Stage the new file: - * `git add /ceremonies//payloads/..$pgp_key_id.sig` + * `git add /ceremonies//payloads/..$smart_card_id.sig` 1. Create a signed git commit: - * `git commit -S -m "add payload signature for payload_.sig using $pgp_key_id"` + * `git commit -S -m "add payload signature for payload_.sig using $smart_card_id"` 1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
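Review bot: the worked example on the unchanged line, `payload_1_F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D.sig`, uses a 40-hex-digit OpenPGP fingerprint as the suffix, whereas the command above it now builds the suffix from `$smart_card_id`, i.e. `oct list -i` output; one of the two needs to change so the example matches what the command produces. The `git add` path template (`..$smart_card_id.sig`) also does not match the signature output path on the sign step (`payload__$smart_card_id.sig`), so the staged file name should be checked against the file actually written. Finally, this file's variable rename is unrelated to the commit subject "add command to require touch on smart card"; consider splitting it into its own commit.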