fix personal pgp key structure in ceremony repo

Anton Livaja 2025-01-28 05:47:04 -05:00
parent 175e4d1dd5
commit af202a9826
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
4 changed files with 38 additions and 13 deletions

@ -27,11 +27,13 @@ This repository holds data pertaining to ceremonies. The primary data consists o
## Repository Structure
```
<namespace>
<ceremonies/>
keys/
all/
fingerprint.asc
<namespace>/
ceremonies/
<date>/
log.txt
- [ ] TODO: write a layout for the log
payloads/
payload_<num>.json
payload_<num>.json.sig
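Review bot: The new `keys/all/` entry is written as a literal `fingerprint.asc`, while every other variable path component in the tree uses angle brackets (`<namespace>/`, `<date>/`, `payload_<num>.json`) and the procedure further down names the file `keys/all/<key_fingerprint>.asc`. Use `<key_fingerprint>.asc` here so the layout and the procedure agree. The `- [ ] TODO: write a layout for the log` line under `log.txt` is still open and sits inside the fenced tree, where it reads like a file entry; track it outside the tree.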
@ -40,7 +42,6 @@ This repository holds data pertaining to ceremonies. The primary data consists o
policies/
spending-policy.json [NOT IMPLEMENTED]
keyring.asc
TODO figure out if we are doing detached sigs
shardfile.asc
```
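Review bot: The README no longer records any decision on detached signatures once `TODO figure out if we are doing detached sigs` is dropped from under `keyring.asc`. The tree still lists `payload_<num>.json.sig`, so state next to that entry whether it is a detached signature and which key produces it, instead of only removing the TODO.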
@ -50,17 +51,39 @@ This repository holds data pertaining to ceremonies. The primary data consists o
## Procedure: Adding a OpenPGP Public Certificate
1. Open a PR submitting the public key to the repository
1. Ensure you are on the correct branch:
* MUST be via commit signed by the PGP key being submitted to the repository
* `git checkout main`
1. One other individual should review the PR and verify that the key belongs to the individual using an out of band channel
1. Pull the latest ceremony repo changes
1. If validates successfully the reviewer should create a detached signature of the key using:
* `git pull origin main`
* `gpg --detach-sign <file_name>`
1. Find your key fingerprint:
1. The detached signature should be added to the PR and then the PR should be merged
`gpg --list-keys`
1. Export your OpenPGP public certificate:
* `gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc
1. Place the file in `keys/all/<key_fingerprint>.asc`
1. Create signed git commit:
* `git commit -m "add <name> pgp key"`
1. Push to the commit:
* `git push origin main`
1. Communicate your new key fingerprint to all other participants:
* Preferred: In person
* Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)
1. Get confirmation they have used `gpg --import <your_key_id>.asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo
// ANCHOR_END: content
/* ANCHOR_END: all */
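Review bot: The new steps commit and `git push origin main` directly, so a key lands on `main` before anyone has checked it, whereas the PR steps they replace had a second person verify ownership out of band before merge; in the new flow the fingerprint is only communicated after the push. Either keep a review gate before the push, or state explicitly that a file in `keys/all/` is untrusted until the other participants have confirmed the fingerprint. In the "Create signed git commit" step, `git commit -m "add <name> pgp key"` has no preceding `git add` and no `-S`, so the commit is only signed if signing is already configured; link the Git Commit Signing Configuration appendix or add the flag. Smaller points: the export line is missing its closing backtick, `gpg --list-keys` lacks the `*` bullet the other commands use, the last step says `<your_key_id>.asc` where the file was named `<key_fingerprint>.asc`, "Push to the commit" should read "Push the commit", and the heading should read "an OpenPGP".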

@ -4,7 +4,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
## Requirements
* If necessary, provision a PGP key pair to a smart card using the guide in the [Appendix: Generating PGP Keypair & Provisioning Smart Card](#generating-pgp-keypair--provisioning-smart-card)
* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)

@ -8,10 +8,12 @@
* {{ #include ../../../../component-documents/hardware-models.md:sealable-plastic-bags }}
## Procedure
## Procedure: Local Procurement
{{ #include ../../../../component-documents/hardware-procurement-and-chain-of-custody.md:steps}}
## Procedure: Online Procurement
## Tamper Proofing
All hardware:
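Review bot: `## Procedure: Online Procurement` is followed immediately by `## Tamper Proofing`, so the new section has no steps, unlike `## Procedure: Local Procurement`, which pulls in `hardware-procurement-and-chain-of-custody.md:steps`. Add the include or the steps for online procurement, or mark the section as not yet written so an empty heading is not read as "no additional requirements". Also check that a bare `## Procedure` heading does not remain directly above `## Procedure: Local Procurement`.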

@ -18,7 +18,7 @@ The proposer must combine these values into a single message, which can be a sim
## Requirements
* [Personal PGP Key](../operator/pgp-key-provisioning.md) or [On-Board PGP Key](../../../all-levels/provision-pgp-signing-keys-on-board-smart-card.md)
* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)