add command to require touch on smart card

This commit is contained in:
Anton Livaja 2025-02-02 10:18:12 -05:00
parent bb7fcd3861
commit 636af370b7
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
2 changed files with 16 additions and 9 deletions


@ -10,11 +10,18 @@ as such need to be set up in a manner that minimizes exposure risks.
1. Insert a smartcard into the system, and get its ID:
* `identifier="$(oct list -i | head -1)"`
* `smart_card_id="$(oct list -i | head -1)"`
1. Set the smart card to require touch for all operations:
* `oct admin --card $smart_card_id touch --key SIG --policy On`
* `oct admin --card $smart_card_id touch --key DEC --policy On`
* `oct admin --card $smart_card_id touch --key AUT --policy On`
* `oct admin --card $smart_card_id touch --key ATT --policy On`
1. Generate a mnemonic, encrypting to a newly-generated key:
* `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$identifier"`
* `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"`
1. If additional keys are required, recover the Keyfork key from the encrypted
mnemonic:
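Review bot: the new touch step (the four `oct admin --card $smart_card_id touch --key ... --policy On` lines) gives the operator no way to confirm the change took effect; add a sentence on what to expect (the admin PIN prompt, and that every later signing, decryption, authentication or attestation operation will block until the card is touched) and a short verification step before moving on to `keyfork mnemonic generate`. Ordering is right as written, since the policy is applied before the card is provisioned.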
@ -25,9 +32,9 @@ as such need to be set up in a manner that minimizes exposure risks.
* Remove your previous key, and plug in the new key.
* `identifier="$(oct list -i | head -1)"`
* `smart_card_id="$(oct list -i | head -1)"`
* `keyfork provision openpgp-card --identifier "$identifier" --account-id 0`
* `keyfork provision openpgp-card --identifier "$smart_card_id" --account-id 0`
1. Insert an SD card to contain the public certificate and the encrypted mnemonic.
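Review bot: this hunk only renames `identifier` to `smart_card_id` on the "plug in the new key" path, so additional cards provisioned via `keyfork provision openpgp-card --identifier "$smart_card_id" --account-id 0` never get the touch requirement that the first hunk adds for the initial card. Either repeat the four `oct admin ... touch --key ... --policy On` lines here, or factor the touch step into a shared sub-step that both paths reference, so every provisioned card ends up with the same policy.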


@ -76,9 +76,9 @@ The proposer must combine these values into a JSON file, such as:
1. Plug in the Operator smart card
1. Set a local variable `pgp_key_id` to the smart card OpenPGP key id:
1. Set a local variable `smart_card_id` to the smart card OpenPGP key id:
* `pgp_key_id="$(oct list -i | head -1)"`
* `smart_card_id="$(oct list -i | head -1)"`
1. Copy the git repo locally from the Ceremony SD card
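Review bot: after the rename the step text still reads "Set a local variable `smart_card_id` to the smart card OpenPGP key id", so the variable name and its description now disagree, and the example further down (`payload_1_F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D.sig`) shows a fingerprint-length value rather than a short key id. State what `oct list -i | head -1` actually returns and which value is meant to appear in the signature filename, so the two documents stay consistent.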
@ -135,17 +135,17 @@ The proposer must combine these values into a JSON file, such as:
1. Sign the data in the CLI using `gpg` or another OpenPGP implementation:
* `gpg --detach-sign <namespace>/ceremonies/<date>/payloads/<payload>_<num>.json > <namespace>/ceremonies/<date>/payloads/payload_<num>_$pgp_key_id.sig`
* `gpg --detach-sign <namespace>/ceremonies/<date>/payloads/<payload>_<num>.json > <namespace>/ceremonies/<date>/payloads/payload_<num>_$smart_card_id.sig`
* e.g `gpg --detach-sign solana-01/ceremonies/2025-01-01/payloads/payload_1.json > solana-01/ceremonies/2025-01-01/payloads/payload_1_F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D.sig`
1. Stage the new file:
* `git add <namespace>/ceremonies/<date>/payloads/<payload>.<num>.$pgp_key_id.sig`
* `git add <namespace>/ceremonies/<date>/payloads/<payload>.<num>.$smart_card_id.sig`
1. Create a signed git commit:
* `git commit -S -m "add payload signature for payload_<num>.sig using $pgp_key_id"`
* `git commit -S -m "add payload signature for payload_<num>.sig using $smart_card_id"`
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
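Review bot: the filenames in this hunk do not line up: the sign step writes `payloads/payload_<num>_$smart_card_id.sig`, the `git add` step stages `payloads/<payload>.<num>.$smart_card_id.sig` (dot separators and a `<payload>` placeholder), and the commit message refers to `payload_<num>.sig`; followed literally, `git add` would stage a file that was never created. Since the rename touches all three lines, unify them on the one pattern shown in the `e.g.` example (`payload_<num>_$smart_card_id.sig`).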