add cosmos docs and clean up
parent
2237d0cd21
commit
9b2eb36cbe
|
@ -16,3 +16,4 @@ indent_size = 4
|
|||
[*]
|
||||
end_of_line = lf
|
||||
insert_final_newline = true
|
||||
trim_trailing_whitespace = true
|
||||
|
|
|
@ -35,6 +35,10 @@
|
|||
* [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md)
|
||||
* [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md)
|
||||
* [Export Namespace Mnemonic](generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md)
|
||||
* [Coins - SOL]()
|
||||
* [SOL - Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md)
|
||||
* [SOL - Transfer Token](generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md)
|
||||
* [Coins]()
|
||||
* [Solana]()
|
||||
* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md)
|
||||
* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/sol/sign-and-broadcast-transaction.md)
|
||||
* [Cosmos]()
|
||||
* [Generate Address](generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md)
|
||||
* [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md)
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
/* ANCHOR: all */
|
||||
// ANCHOR: content
|
||||
1. Connect SD card to online machine
|
||||
1. Connect SD card to online linux workstation
|
||||
|
||||
1. {{ #include finding-device-name.md:content }}
|
||||
|
||||
1. If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
|
||||
|
||||
1. Copy the repository with updated files to an online machine, sign, commit and push to the `vaults` repository:
|
||||
1. Copy the repository with updated files to an online linux workstation, sign, commit and push to the `vaults` repository:
|
||||
```
|
||||
$ cp -r /media/vaults ~/vaults/
|
||||
$ cd ~/vaults
|
||||
|
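Review bot: The step telling the reader to remove `~/vaults` "before re-running the previous step" sits before the copy step it refers to, so there is no previous copy to re-run. Move it under the copy step as a sub-bullet, or reword it to "before running the next step". Also, `cp -r /media/vaults ~/vaults/` nests the repository as `~/vaults/vaults` whenever `~/vaults` already exists, and the following `cd ~/vaults` then lands in the wrong tree. Copying to `~/` would avoid that.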
@ -15,4 +15,4 @@
|
|||
$ git push origin HEAD
|
||||
```
|
||||
// ANCHOR_END: content
|
||||
/* ANCHOR_END: all */
|
||||
/* ANCHOR_END: all */
|
||||
|
|
|
@ -114,7 +114,7 @@ Sealing bags of standard size objects which need to be protected can fit in. The
|
|||
#### Sealing
|
||||
// ANCHOR: vsbwf-procedure-sealing
|
||||
|
||||
1. Insert object(s) into plastic bag
|
||||
1. Insert object(s) into plastic sealing bag
|
||||
|
||||
1. Fill bag with enough plastic beads that most of the object is surrounded
|
||||
|
||||
|
@ -132,11 +132,11 @@ Sealing bags of standard size objects which need to be protected can fit in. The
|
|||
// ANCHOR: vsbwf-procedure-unsealing
|
||||
|
||||
a. Retrieve digital/physical photographs of both sides of sealed bundle
|
||||
|
||||
|
||||
b. Compare all photographs to object for differences
|
||||
|
||||
|
||||
c. Proceed with unsealing the object if no differences are detected
|
||||
|
||||
|
||||
// ANCHOR_END: vsbwf-procedure-unsealing
|
||||
|
||||
// ANCHOR_END: vsbwf-procedure
|
||||
|
|
|
@ -6,7 +6,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
|||
|
||||
* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
|
||||
|
||||
* [Online Machine](TODO)
|
||||
{{ #include ../../../../component-documents/linux-workstation.md:content }}
|
||||
|
||||
* [SD Card Pack](../provisioner/provision-sd-card.md)
|
||||
|
||||
|
@ -20,7 +20,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
|||
|
||||
## Procedure
|
||||
|
||||
1. Turn on online machine
|
||||
1. Turn on online linux workstation
|
||||
|
||||
1. Pull the latest changes from the `vaults` repository
|
||||
|
||||
|
@ -28,7 +28,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
|||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
|
||||
|
||||
1. Plug a fresh SD card into the online machine
|
||||
1. Plug a fresh SD card into the online linux workstation
|
||||
|
||||
1. Save the `vaults` repository to the SD card, referred to as the Ceremony SD card
|
||||
|
||||
|
@ -40,7 +40,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
|||
|
||||
1. Insert the AirgapOS SD card into the airgapped machine and turn it on
|
||||
|
||||
1. Once booted, unplug the AirgapOS SD card
|
||||
1. Once booted, unplug the AirgapOS SD card
|
||||
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
|
@ -65,7 +65,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
|
|||
|
||||
1. Unplug the SD card from the air-gapped machine
|
||||
|
||||
1. Plug in the SD card into the online machine
|
||||
1. Plug in the SD card into the online linux workstation
|
||||
|
||||
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
|
|
|
@ -0,0 +1,44 @@
|
|||
# Cosmos: Generate Address
|
||||
|
||||
## Requirements
|
||||
|
||||
{{ #include ../../../../operator-requirements.md:requirements }}
|
||||
|
||||
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
|
||||
|
||||
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
|
||||
|
||||
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
|
||||
|
||||
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
|
||||
|
||||
## Procedure
|
||||
|
||||
1. Enter the designated location with the quorum of operators and all required equipment
|
||||
|
||||
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
|
||||
|
||||
1. Place Ceremony SD card in High Visibility Storage
|
||||
|
||||
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
|
||||
|
||||
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
|
||||
|
||||
1. Place all contents except for the laptop into High Visibility Storage
|
||||
|
||||
### Offline Machine: Generate Address
|
||||
|
||||
{{ #include ../template-gen-address-0.md:content }}
|
||||
|
||||
1. Generate a new address:
|
||||
|
||||
* `icepick workflow cosmos generate-address --account $account_id | jq -r .pubkey > $account_id.txt`
|
||||
* [38 removes need to use jq](https://git.distrust.co/public/icepick/issues/38)
|
||||
|
||||
{{ #include ../template-gen-address-1.md:content }}
|
||||
|
||||
### Online Machine: Updating Vaults Repository
|
||||
|
||||
1. Turn on online linux workstation
|
||||
|
||||
{{ #include ../../../../../../component-documents/git-basics.md:content }}
|
|
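Review bot: Step 4 of the procedure says "online laptop" while the requirements include and the last section of this new page say "online linux workstation". Use one term so the operator is not left wondering whether these are two devices. The `icepick workflow cosmos generate-address` command is also given as an inline bullet, where the rest of this commit moves commands into fenced `$` blocks.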
@ -0,0 +1,99 @@
|
|||
# Solana: Sign and Broadcast Transaction
|
||||
|
||||
## Requirements
|
||||
|
||||
{{ #include ../../../../operator-requirements.md:requirements }}
|
||||
|
||||
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
|
||||
|
||||
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
|
||||
|
||||
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
|
||||
|
||||
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
|
||||
|
||||
## Procedure
|
||||
|
||||
1. Enter the designated location with the quorum of operators and all required equipment
|
||||
|
||||
1. Lock access to the location - there should be no inflow or outflow of people during the ceremony
|
||||
|
||||
1. Place Ceremony SD card in High Visibility Storage
|
||||
|
||||
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
|
||||
|
||||
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
|
||||
|
||||
1. Place all contents except for the laptop into High Visibility Storage
|
||||
|
||||
### Offline Machine: Create and Sign Transaction
|
||||
|
||||
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
|
||||
|
||||
1. Boot the computer
|
||||
|
||||
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
|
||||
|
||||
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
|
||||
|
||||
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
1. Start Keyfork using the relevant Shardfile:
|
||||
```
|
||||
$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc
|
||||
```
|
||||
* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
|
||||
|
||||
1. Follow on screen prompts
|
||||
|
||||
1. Set `ICEPICK_DATA_DIRECTORY`:
|
||||
```
|
||||
$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
|
||||
```
|
||||
1. Run the `icepick` command with the transaction payload
|
||||
|
||||
* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...)
|
||||
```
|
||||
$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc
|
||||
```
|
||||
* Follow on screen prompts
|
||||
|
||||
1. Unplug the Ceremony SD card and place it in High Visibility Storage
|
||||
|
||||
### Broadcast Transaction: Online Machine
|
||||
|
||||
1. Power on linux workstation
|
||||
|
||||
1. Retrieve Ceremony SD from High Visibility Storage and plug it into linux workstation
|
||||
|
||||
1. Run the broadcast command:
|
||||
```
|
||||
$ keyfork workflow cosmos broadcast --input-file <payload.json>
|
||||
```
|
||||
1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
|
||||
|
||||
1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
|
||||
```
|
||||
$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
|
||||
```
|
||||
1. Unplug the Ceremony SD card and place it in High Visibility Storage
|
||||
|
||||
### Repeat
|
||||
|
||||
1. You may repeat previous steps as many times as necessary to process all workflow payloads
|
||||
|
||||
## Finalization
|
||||
|
||||
1. Shut down online linux workstation
|
||||
|
||||
1. Shut down the air gapped machine
|
||||
|
||||
### Sealing
|
||||
|
||||
1. Gather all the original items that were in the air-gapped bundle:
|
||||
|
||||
* Air-gapped computer
|
||||
|
||||
* AirgapOS SD card
|
||||
|
||||
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
|
|
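Review bot: The title on the first line reads "Solana: Sign and Broadcast Transaction", but the broadcast step runs `keyfork workflow cosmos broadcast` and the SUMMARY entry added in this commit points Cosmos at `coins/cosmos/sign-and-broadcast-transaction.md`, so this looks like the Cosmos page with the Solana heading copied over. The same step calls `keyfork workflow` where every other workflow command in the commit is `icepick workflow`; please confirm which binary is meant. The cleanup step relies on `$ICEPICK_DATA_DIRECTORY`, which this page only exports on the offline machine, so on the workstation `rm $ICEPICK_DATA_DIRECTORY/transaction.json` expands to `rm /transaction.json` unless the export is repeated there.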
@ -1,4 +1,4 @@
|
|||
# SOL - Generate Address
|
||||
# Solana: Generate Address
|
||||
|
||||
## Requirements
|
||||
|
||||
|
@ -8,9 +8,9 @@
|
|||
|
||||
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
|
||||
|
||||
* [Quorum PGP key pairs](../../key-types.md#quorum-pgp-keypair)
|
||||
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
|
||||
|
||||
* [Ceremony SD card](../../ceremony-sd-card-provisioning.md)
|
||||
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
|
||||
|
||||
## Procedure
|
||||
|
||||
|
@ -28,87 +28,33 @@
|
|||
|
||||
### Offline Machine: Generate Address
|
||||
|
||||
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
|
||||
|
||||
1. Turn on air-gapped machine
|
||||
|
||||
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
|
||||
|
||||
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
|
||||
|
||||
1. Copy the `vaults` repository to the machine and switch to it
|
||||
```
|
||||
$ cp -r /media/vaults /root/
|
||||
$ cd /root/vaults
|
||||
```
|
||||
|
||||
1. Start Keyfork using the relevant Shardfile:
|
||||
|
||||
1. `keyfork recover shard --daemon <namespace>/shardfile.asc`
|
||||
|
||||
1. Follow on screen prompts
|
||||
|
||||
1. If the desired `<coin>` directory doesn't exist for the namespace, create it:
|
||||
|
||||
* `mkdir -p <namespace>/<coin>`
|
||||
|
||||
* e.g `mkdir -p vault_1/sol/`
|
||||
|
||||
1. Connect to the appropriate coin directory:
|
||||
|
||||
* `cd <namespace>/<coin>/`
|
||||
|
||||
1. Check what the latest address account is:
|
||||
|
||||
* `ls -la .`
|
||||
|
||||
1. Find what the latest number for the address is, and add 1 to it. This will be the new address account.
|
||||
|
||||
* For example if the latest address file is 42, the new account_id would be 43. The addresses should start at `0`
|
||||
|
||||
* Set an environment variable with the new account_id:
|
||||
|
||||
* `account_id=<num>`, e.g `account_id=43`
|
||||
{{ #include ../template-gen-address-0.md:content }}
|
||||
|
||||
1. Generate a new address:
|
||||
```
|
||||
$ icepick workflow sol generate-address --account $account_id | jq -r .pubkey > $account_id.txt
|
||||
```
|
||||
* [38 removes need to use jq](https://git.distrust.co/public/icepick/issues/38)
|
||||
|
||||
* `icepick workflow sol generate-address --account $account_id | jq -r .pubkey > $account_id.txt`
|
||||
* [38 removes need to use jq](https://git.distrust.co/public/icepick/issues/38)
|
||||
|
||||
1. Sign the file using:
|
||||
|
||||
* Import OpenPGP keys:
|
||||
|
||||
* `gpg --import /media/<device_name>/vaults/keys/all/*.asc`
|
||||
|
||||
* `gpg --detach-sign $account_id.txt`
|
||||
|
||||
1. You may repeat the previous steps, starting at the step where the `account_id` is set.
|
||||
|
||||
1. Once finished, copy the updated repository back to the Ceremony SD card:
|
||||
|
||||
* `cp -rf /root/vaults /media/`
|
||||
|
||||
1. Shut down the air gapped machine
|
||||
|
||||
1. Unplug the Ceremony SD card and place it into High Visibility Storage
|
||||
{{ #include ../template-gen-address-1.md:content }}
|
||||
|
||||
### Online Machine: Generate Nonce Account
|
||||
|
||||
1. Turn on online machine
|
||||
|
||||
1. Make sure `jq` is installed:
|
||||
|
||||
* `sudo apt install jq`
|
||||
```
|
||||
$ sudo apt install jq
|
||||
```
|
||||
|
||||
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
|
||||
|
||||
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
1. Copy the `vaults` repository from the Ceremony SD card:
|
||||
|
||||
* `cp -r /media/vaults ~/`
|
||||
|
||||
```
|
||||
$ cp -r /media/vaults ~/
|
||||
```
|
||||
* If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step
|
||||
|
||||
1. Ensure `keyfork` is available on the system:
|
||||
|
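Review bot: "Turn on online machine" under "Online Machine: Generate Nonce Account" still uses the old wording, while the rest of the commit renames it to "online linux workstation". In the same section, `cp -r /media/vaults ~/` follows the finding-device-name include but does not use the device name, whereas the `gpg --import /media/<device_name>/vaults/keys/all/*.asc` line in this hunk does. Pick one mount path form.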
@ -120,35 +66,37 @@
|
|||
* Follow steps from [installation guide](TODO)
|
||||
|
||||
1. Set unsafe `keyfork` usage variable:
|
||||
|
||||
* `export SHOOT_SELF_IN_FOOT=1`
|
||||
|
||||
1. Generate throwaway mnemonic to generate address which will be used for funding the creation of nonce account:
|
||||
|
||||
* `keyfork mnemonic generate | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon`
|
||||
|
||||
```
|
||||
$ export SHOOT_SELF_IN_FOOT=1
|
||||
```
|
||||
1. Generate throwaway mnemonic to generate address which will be used for funding the creation of nonce account:
|
||||
```
|
||||
$ keyfork mnemonic generate | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon
|
||||
```
|
||||
1. Change directory into the desired \<namespace>/\<coin> directory:
|
||||
|
||||
* `cd ~/vaults/<namespace>/<coin>`
|
||||
|
||||
```
|
||||
$ cd ~/vaults/<namespace>/<coin>
|
||||
```
|
||||
1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory:
|
||||
|
||||
* `ls -la .`
|
||||
|
||||
```
|
||||
$ ls -la .
|
||||
```
|
||||
1. Once you have selected the appropriate account, set the account_id variable:
|
||||
|
||||
* `account_id=<num>`
|
||||
|
||||
```
|
||||
$ account_id=<num>
|
||||
```
|
||||
1. Use `icepick` to generate nonce account:
|
||||
|
||||
* The following command will need to be updated to use the appropriate \<cluster>, which can be `devnet`, `testnet` or `mainnet-beta`
|
||||
* The following command will need to be updated to use the appropriate \<cluster>, which can be `devnet`, `testnet` or `mainnet-beta`
|
||||
|
||||
* Set `icepick` config file:
|
||||
|
||||
* `export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml`
|
||||
|
||||
* `icepick workflow sol generate-nonce-account --authorization-address "$(cat $account_id.txt)" | jq -r .nonce_account > $account_id-na.txt`
|
||||
* [38 removes he need to use jq and cat](https://git.distrust.co/public/icepick/issues/38)
|
||||
```
|
||||
$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml`
|
||||
```
|
||||
```
|
||||
$ icepick workflow sol generate-nonce-account --authorization-address "$(cat $account_id.txt)" | jq -r .nonce_account > $account_id-na.txt
|
||||
```
|
||||
* [38 removes he need to use jq and cat](https://git.distrust.co/public/icepick/issues/38)
|
||||
|
||||
* Repeat command if returned message is "The transaction was possibly not received by the cluster."
|
||||
|
||||
|
|
|
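Review bot: The fenced `export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml` line ends with a stray backtick carried over from the inline-code form; pasted into a shell it opens an unterminated command substitution and leaves the operator at a continuation prompt. Drop the backtick. While there, fix "repositry" in the placeholder and "removes he need" in the issue link text.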
@ -1,16 +1,16 @@
|
|||
# Operator - SPL Token Transfer
|
||||
# Solana: Sign and Broadcast Transaction
|
||||
|
||||
## Requirements
|
||||
|
||||
{{ #include ../../../../operator-requirements.md:requirements }}
|
||||
|
||||
* Online machine
|
||||
{{ #include ../../../../../../component-documents/linux-workstation.md:content }}
|
||||
|
||||
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
|
||||
|
||||
* [Quorum PGP key pairs](../../key-types.md#quorum-pgp-keypair)
|
||||
* [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair)
|
||||
|
||||
* [Ceremony SD card](../../ceremony-sd-card-provisioning.md)
|
||||
* [Ceremony SD card](../../../ceremony-sd-card-provisioning.md)
|
||||
|
||||
## Procedure
|
||||
|
||||
|
@ -28,7 +28,7 @@
|
|||
|
||||
### Online Machine: Acquire Nonce
|
||||
|
||||
1. Turn on online machine
|
||||
1. Turn on online linux workstation
|
||||
|
||||
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
|
||||
|
||||
|
@ -37,21 +37,24 @@
|
|||
* e.g `vaults/<namespace>/<coin>/0-na.txt`
|
||||
|
||||
* Set the nonce address variable:
|
||||
|
||||
* `nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"`
|
||||
|
||||
```
|
||||
$ nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"
|
||||
```
|
||||
1. Set `ICEPICK_DATA_DIRECTORY`:
|
||||
|
||||
{{ #include ../../../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
* `export ICEPICK_DATA_DIRECTORY=/media/external/`
|
||||
```
|
||||
$ export ICEPICK_DATA_DIRECTORY=/media/external/
|
||||
```
|
||||
|
||||
1. set `ICEPICK_CONFIG_FILE`
|
||||
|
||||
* `export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
|
||||
|
||||
1. Run the command: `icepick workflow sol broadcast --nonce-address=$nonce_address`
|
||||
|
||||
```
|
||||
$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml`
|
||||
```
|
||||
1. Run the command:
|
||||
```
|
||||
$ icepick workflow sol broadcast --nonce-address=$nonce_address
|
||||
```
|
||||
* Await completion message before removing Ceremony SD card
|
||||
|
||||
* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
|
||||
|
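Review bot: The fenced `export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml` line keeps a trailing backtick from the old inline form, which leaves the shell waiting on an unterminated command substitution when pasted. Two smaller points in the same hunk: `ICEPICK_DATA_DIRECTORY=/media/external/` is hard-coded directly after the finding-device-name include, while the offline section uses `/media/<device_name>`, and the placeholder here is `<path_to_icepick_repo>` where the generate-address page spells it `<path_to_icepick_repositry>`.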
@ -60,30 +63,33 @@
|
|||
|
||||
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
|
||||
|
||||
1. Boot the computer
|
||||
1. Boot the computer
|
||||
|
||||
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
|
||||
|
||||
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
|
||||
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
|
||||
|
||||
1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
1. Start Keyfork using the relevant Shardfile:
|
||||
|
||||
* `keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc`
|
||||
```
|
||||
$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc
|
||||
```
|
||||
|
||||
* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files.
|
||||
|
||||
1. Follow on screen prompts
|
||||
|
||||
1. Set `ICEPICK_DATA_DIRECTORY`:
|
||||
|
||||
* `export ICEPICK_DATA_DIRECTORY=/media/<device_name>`
|
||||
|
||||
```
|
||||
$ export ICEPICK_DATA_DIRECTORY=/media/<device_name>
|
||||
```
|
||||
1. Run the `icepick` command with the transaction payload
|
||||
|
||||
* `icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc`
|
||||
|
||||
* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...)
|
||||
```
|
||||
$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc
|
||||
```
|
||||
* Follow on screen prompts
|
||||
|
||||
1. Unplug the Ceremony SD card and place it in High Visibility Storage
|
||||
|
@ -97,10 +103,10 @@
|
|||
1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
|
||||
|
||||
1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY`
|
||||
|
||||
* `rm $ICEPICK_DATA_DIRECTORY/transaction.json`
|
||||
|
||||
* `rm $ICEPICK_DATA_DIRECTORY/nonce.json`
|
||||
```
|
||||
$ rm $ICEPICK_DATA_DIRECTORY/transaction.json
|
||||
$ rm $ICEPICK_DATA_DIRECTORY/nonce.json
|
||||
```
|
||||
|
||||
1. Unplug the Ceremony SD card and place it in High Visibility Storage
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
/* ANCHOR: all */
|
||||
// ANCHOR: content
|
||||
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
|
||||
|
||||
1. Turn on air-gapped machine
|
||||
|
||||
1. Unplug the AirgapOS SD card and place it in High Visibility Storage
|
||||
|
||||
1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine
|
||||
|
||||
1. Copy the `vaults` repository to the machine and switch to it
|
||||
```
|
||||
$ cp -r /media/vaults /root/
|
||||
$ cd /root/vaults
|
||||
```
|
||||
1. Start Keyfork using the relevant Shardfile:
|
||||
```
|
||||
$ keyfork recover shard --daemon <namespace>/shardfile.asc
|
||||
```
|
||||
* Follow on screen prompts
|
||||
1. If the desired `<coin>` directory doesn't exist for the namespace, create it:
|
||||
```
|
||||
$ mkdir -p <namespace>/<coin>
|
||||
```
|
||||
1. Connect to the appropriate coin directory:
|
||||
```
|
||||
$ cd <namespace>/<coin>/
|
||||
```
|
||||
1. Check what the latest address account is:
|
||||
```
|
||||
$ ls -la .
|
||||
```
|
||||
1. Find what the latest number for the address is, and add 1 to it. This will be the new address account.
|
||||
|
||||
* For example if the latest address file is 42, the new account_id would be 43. The addresses should start at `0`
|
||||
|
||||
* Set an environment variable with the new account_id:
|
||||
```
|
||||
$ account_id=<num>
|
||||
```
|
||||
// ANCHOR_END: content
|
||||
/* ANCHOR_END: all */
|
|
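Review bot: The `keyfork recover shard --daemon <namespace>/shardfile.asc` step in this template drops the hint that the sign-and-broadcast pages carry ("The Shardfile may be named something else", with the `find ... -name '*shardfile*.asc'` command), so an operator following the generate-address pages has no fallback when the file name differs. Consider including it here too. The last bullet calls `account_id=<num>` an environment variable, but it is a plain shell variable; that is enough for `$account_id.txt` in the same shell, so either reword the bullet or add `export` if a child process is expected to read it.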
@ -0,0 +1,22 @@
|
|||
|
||||
/* ANCHOR: all */
|
||||
// ANCHOR: content
|
||||
1. Sign the file using:
|
||||
|
||||
* Import OpenPGP keys:
|
||||
|
||||
* `gpg --import /media/<device_name>/vaults/keys/all/*.asc`
|
||||
|
||||
* `gpg --detach-sign $account_id.txt`
|
||||
|
||||
1. You may repeat the previous steps, starting at the step where the `account_id` is set.
|
||||
|
||||
1. Once finished, copy the updated repository back to the Ceremony SD card:
|
||||
|
||||
* `cp -rf /root/vaults /media/`
|
||||
|
||||
1. Shut down the air gapped machine
|
||||
|
||||
1. Unplug the Ceremony SD card and place it into High Visibility Storage
|
||||
// ANCHOR_END: content
|
||||
/* ANCHOR_END: all */
|
|
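Review bot: The two paths in this template disagree about where the SD card is mounted: the import reads from `/media/<device_name>/vaults/keys/all/*.asc`, while the copy-back writes with `cp -rf /root/vaults /media/`. If the card is mounted at `/media/<device_name>`, the copy-back lands outside the card and the signed address files never leave the air-gapped machine. Use the same mount path in both steps. These commands are also still inline bullets, where the rest of the commit uses fenced `$` blocks.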
@ -4,7 +4,7 @@
|
|||
|
||||
{{ #include ../../operator-requirements.md:requirements }}
|
||||
|
||||
* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
|
||||
* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
|
||||
|
||||
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
|
||||
|
||||
|
@ -19,20 +19,20 @@
|
|||
* `cp -r /media/vaults /root/`
|
||||
|
||||
1. Start `keyfork` using the relevant Shardfile:
|
||||
|
||||
* `keyfork recover shard --daemon /root/vaults/<namespace>/shardfile.asc`
|
||||
|
||||
```
|
||||
$ keyfork recover shard --daemon /root/vaults/<namespace>/shardfile.asc
|
||||
```
|
||||
* Follow on screen prompts
|
||||
|
||||
1. Derive the OpenPGP root certificate:
|
||||
|
||||
* `keyfork derive openpgp > secret_key.asc`
|
||||
|
||||
```
|
||||
$ keyfork derive openpgp > secret_key.asc
|
||||
```
|
||||
1. Decrypt the secret material:
|
||||
|
||||
* `sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted`
|
||||
|
||||
1. Proceed to transfer the secret (`decrypted`) to desired location such as hardware wallet, power washed chromebook (via SD card) etc.
|
||||
1. Proceed to transfer the secret (`decrypted`) to desired location such as hardware wallet, power washed chromebook (via SD card) etc.
|
||||
|
||||
1. Shut down the air gapped machine
|
||||
|
||||
|
@ -42,4 +42,4 @@
|
|||
|
||||
* AirgapOS SD card
|
||||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
|
||||
|
|
|
@ -8,21 +8,22 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
|
|||
|
||||
* [SD Card Pack](../procurer/procure-sd-card-pack.md)
|
||||
|
||||
* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
|
||||
* [Ceremony SD Card](../operator/ceremony-sd-card-provisioning.md)
|
||||
|
||||
* [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
|
||||
|
||||
## Procedure
|
||||
## Procedure
|
||||
|
||||
{{ #include template-ceremony-setup.md:content }}
|
||||
|
||||
1. Plug the Ceremony SD card into the machine
|
||||
1. Plug the Ceremony SD card into the machine
|
||||
|
||||
1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
|
||||
|
||||
* Replace the values: <path_to_input_shard>, <pgp_user_id>
|
||||
|
||||
* `keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'
|
||||
```
|
||||
$ keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive=openpgp --public "<pgp_user_id>" --output certificate.asc
|
||||
```
|
||||
|
||||
1. Unseal an SD card pack
|
||||
|
||||
|
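Review bot: The fenced `keyfork mnemonic generate` command drops the single quotes that the bullet form has around the `--derive` value (`--derive='openpgp --public "<pgp_user_id>" --output certificate.asc'`). Without them the shell passes `--derive=openpgp`, `--public` and `--output` as separate top-level arguments instead of one `--derive` value. If that change is intended, say so in the commit message; otherwise restore the quotes in the fenced block.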
@ -32,7 +33,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
|
|||
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
1. Back up the files
|
||||
1. Back up the files
|
||||
```
|
||||
$ cp shardfile.asc /media/vaults/<namespace>/
|
||||
$ cp certificate.asc /media/vaults/<namespace>/
|
||||
|
@ -53,7 +54,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
|
|||
|
||||
1. Power down the air-gapped machine
|
||||
|
||||
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
|
||||
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
|
||||
|
||||
{{ #include ../../../../component-documents/git-basics.md:content }}
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Quorum Entropy Ceremony
|
||||
|
||||
This is a ceremony for generating entropy which is used to derive Quorum PGP keys, load them into smart cards and shard entropy to them.
|
||||
This is a ceremony for generating entropy which is used to derive Quorum PGP keys, load them into smart cards and shard entropy to them.
|
||||
|
||||
## Requirements
|
||||
|
||||
|
@ -14,16 +14,17 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
* High Visibility Storage: plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk.
|
||||
|
||||
## Procedure
|
||||
## Procedure
|
||||
|
||||
{{ #include template-ceremony-setup.md:content }}
|
||||
|
||||
1. Run the relevant keyfork operation to perform the ceremony:
|
||||
|
||||
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with appropriate values
|
||||
* Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with appropriate values
|
||||
```
|
||||
$ keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive=openpgp --public "<pgp_user_id>" --output certificate.asc
|
||||
```
|
||||
|
||||
* `keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'`
|
||||
|
||||
1. Unseal an SD card pack by following tamper proofing steps:
|
||||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
|
||||
|
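Review bot: The "Replace the following values" bullet names `<number_of_smart_cards_per_operator>`, but the command uses `<number_of_smartcards_per_operator>`, so a search-and-replace on the documented placeholder will miss it. The fenced command here also loses the single quotes around the `--derive` value that the inline form has, which changes how the shell splits `--public` and `--output`; keep the quoting unless the CLI now expects them as separate arguments.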
@ -32,9 +33,9 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
1. Back up the files
|
||||
1. Back up the files
|
||||
```
|
||||
$ cp shardfile.asc /media/vaults/<namespace>/
|
||||
$ cp shardfile.asc /media/vaults/<namespace>/
|
||||
$ cp keyring.asc /media/vaults/<namespace>/
|
||||
$ cp certificate.asc /media/vaults/<namespace>/
|
||||
$ cp -r /media/vaults /root/
|
||||
|
@ -46,7 +47,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
1. `cp -r /root/vaults /media/`
|
||||
|
||||
1. Unplug the SD card
|
||||
1. Unplug the SD card
|
||||
|
||||
1. Label the SD card "Ceremony [date]"
|
||||
|
||||
|
@ -54,7 +55,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
|
|||
|
||||
1. Power down the air-gapped machine
|
||||
|
||||
1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
|
||||
1. Transfer the ceremony artifacts to online linux workstation using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card
|
||||
|
||||
{{ #include ../../../../component-documents/git-basics.md:content }}
|
||||
|
||||
|
|
|
@ -36,7 +36,7 @@ The proposer must combine these values into a JSON file, such as:
|
|||
|
||||
## Procedure
|
||||
|
||||
1. Turn on online machine
|
||||
1. Turn on online linux workstation
|
||||
|
||||
1. Clone the `vaults` repository if it's not available locally and get the latest changes:
|
||||
```
|
||||
|
@ -47,14 +47,14 @@ The proposer must combine these values into a JSON file, such as:
|
|||
|
||||
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
|
||||
|
||||
1. Plug a fresh SD card into the online machine
|
||||
1. Plug a fresh SD card into the online linux workstation
|
||||
|
||||
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
|
||||
|
||||
1. Save the `vaults` repo to the SD card, referred to as the Ceremony SD card
|
||||
|
||||
* `cp -r ~/vaults/ /media`
|
||||
|
||||
```
|
||||
$ cp -r ~/vaults/ /media
|
||||
```
|
||||
1. Unplug the Ceremony SD card
|
||||
|
||||
1. Unseal the tamper proofed bundle
|
||||
|
@ -63,7 +63,7 @@ The proposer must combine these values into a JSON file, such as:
|
|||
|
||||
1. Insert the AirgapOS SD card into the airgapped machine and turn it on
|
||||
|
||||
1. Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage
|
||||
1. Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage
|
||||
|
||||
1. Plug in the Ceremony SD card
|
||||
|
||||
|
@ -83,17 +83,17 @@ The proposer must combine these values into a JSON file, such as:
|
|||
1. Plug in the Operator smart card
|
||||
|
||||
1. Use icepick to generate and sign the payload:
|
||||
```
|
||||
$ icepick workflow <chain> <workflow> <--option value> <--option value> --export-for-quorum --sign > <output_file>
|
||||
```
|
||||
* e.g `$ icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json`
|
||||
|
||||
* `icepick workflow <chain> <workflow> <--option value> <--option value> --export-for-quorum --sign > <output_file>`
|
||||
|
||||
* e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json`
|
||||
|
||||
* e.g `icepick workflow sol transfer --from-address "$(cat <namespace>/<coin>/0.txt)" --to-address "$(cat to_address.txt)" --amount <amount> --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json`
|
||||
* e.g `$ icepick workflow sol transfer --from-address "$(cat <namespace>/<coin>/0.txt)" --to-address "$(cat to_address.txt)" --amount <amount> --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json`
|
||||
|
||||
1. Copy the updated ceremonies repo to the SD card
|
||||
|
||||
* `cp -r /root/vaults /media`
|
||||
|
||||
```
|
||||
$ cp -r /root/vaults /media
|
||||
```
|
||||
1. Transfer the SD card from the air-gapped machine to the online machine
|
||||
|
||||
1. {{ #include ../../../../component-documents/finding-device-name.md:content }}
|
||||
|
|
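Review bot: The "e.g" bullets carry a `$` prompt inside the inline code (`$ icepick workflow cosmos withdraw-rewards ...`), so copying the inline span copies the prompt with it. Either drop the `$` there or move the examples into fenced blocks like the generic command above them. "Transfer the SD card from the air-gapped machine to the online machine" at the end of the hunk also still uses the wording the commit replaces elsewhere.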