From af202a9826eb61f3e2d4bbfd0bb4755665d024c7 Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Tue, 28 Jan 2025 05:47:04 -0500 Subject: [PATCH] fix personal pgp key structure in ceremony repo --- .../ceremony-repository.md | 43 ++++++++++++++----- .../approver/approve-transaction.md | 2 +- .../procurer/procure-hardware.md | 4 +- .../proposer/create-transaction-payload.md | 2 +- 4 files changed, 38 insertions(+), 13 deletions(-) diff --git a/quorum-key-management/src/component-documents/ceremony-repository.md b/quorum-key-management/src/component-documents/ceremony-repository.md index 4a3c650..ee6a4c0 100644 --- a/quorum-key-management/src/component-documents/ceremony-repository.md +++ b/quorum-key-management/src/component-documents/ceremony-repository.md @@ -27,11 +27,13 @@ This repository holds data pertaining to ceremonies. The primary data consists o ## Repository Structure ``` - - +keys/ + all/ + fingerprint.asc +/ + ceremonies/ / log.txt - - [ ] TODO: write a layout for the log payloads/ payload_.json payload_.json.sig @@ -40,7 +42,6 @@ This repository holds data pertaining to ceremonies. The primary data consists o policies/ spending-policy.json [NOT IMPLEMENTED] keyring.asc - TODO figure out if we are doing detached sigs shardfile.asc ``` @@ -50,17 +51,39 @@ This repository holds data pertaining to ceremonies. The primary data consists o ## Procedure: Adding a OpenPGP Public Certificate -1. Open a PR submitting the public key to the repository +1. Ensure you are on the correct branch: - * MUST be via commit signed by the PGP key being submitted to the repository + * `git checkout main` -1. One other individual should review the PR and verify that the key belongs to the individual using an out of band channel +1. Pull the latest ceremony repo changes -1. If validates successfully the reviewer should create a detached signature of the key using: + * `git pull origin main` - * `gpg --detach-sign ` +1. Find your key fingerprint: -1. The detached signature should be added to the PR and then the PR should be merged + `gpg --list-keys` + +1. Export your OpenPGP public certificate: + + * `gpg --export --armor > .asc + +1. Place the file in `keys/all/.asc` + +1. Create signed git commit: + + * `git commit -m "add pgp key"` + +1. Push to the commit: + + * `git push origin main` + +1. Communicate your new key fingerprint to all other participants: + + * Preferred: In person + + * Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call) + +1. Get confirmation they have used `gpg --import .asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo // ANCHOR_END: content /* ANCHOR_END: all */ diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md index b1a454c..d99ec0e 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md @@ -4,7 +4,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] ## Requirements -* If necessary, provision a PGP key pair to a smart card using the guide in the [Appendix: Generating PGP Keypair & Provisioning Smart Card](#generating-pgp-keypair--provisioning-smart-card) +* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md) * Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration) diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/procure-hardware.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/procure-hardware.md index 606ac55..59f757e 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/procure-hardware.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/procurer/procure-hardware.md @@ -8,10 +8,12 @@ * {{ #include ../../../../component-documents/hardware-models.md:sealable-plastic-bags }} -## Procedure +## Procedure: Local Procurement {{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps}} +## Procedure: Online Procurement + ## Tamper Proofing All hardware: diff --git a/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index 1d2105a..33e43b0 100644 --- a/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md @@ -18,7 +18,7 @@ The proposer must combine these values into a single message, which can be a sim ## Requirements -* [Personal PGP Key](../operator/pgp-key-provisioning.md) or [On-Board PGP Key](../../../all-levels/provision-pgp-signing-keys-on-board-smart-card.md) +* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md) * Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)