From bd3cc8c11818c5d6dd5e87790f2fe1a7a3718661 Mon Sep 17 00:00:00 2001
From: ryan
Date: Tue, 28 Jan 2025 20:01:24 -0500
Subject: [PATCH] qvs: update docs prior to meeting

---
 quorum-vault-system/src/SUMMARY.md | 2 +-
 .../ceremony-repository.md | 48 ------------
 .../create-ceremonies-repository.md | 3 +
 .../all-levels/pgp-key-provisioning.md | 50 ++++++++++++-
 .../operator/coins/sol/transfer-token.md | 10 ++-
 .../operator/namespace-entropy-ceremony.md | 8 +-
 .../operator/quorum-entropy-ceremony.md | 2 +
 .../proposer/create-transaction-payload.md | 75 ++++++++++---------
 8 files changed, 108 insertions(+), 90 deletions(-)
 create mode 100644 quorum-vault-system/src/generated-documents/all-levels/create-ceremonies-repository.md

diff --git a/quorum-vault-system/src/SUMMARY.md b/quorum-vault-system/src/SUMMARY.md
index a8a8500..190640f 100644
--- a/quorum-vault-system/src/SUMMARY.md
+++ b/quorum-vault-system/src/SUMMARY.md
@@ -9,6 +9,7 @@
 * [Glossary](glossary.md)
 * [Generated Documents]()
 * [All Levels]()
+ * [Create Ceremony Repository](generated-documents/all-levels/create-ceremonies-repository.md)
 * [Personal PGP Key Provisioning](generated-documents/all-levels/pgp-key-provisioning.md)
 * [Level 2]()
 * [Fixed-Location]()
@@ -18,7 +19,6 @@
 * [Procure SD Card Pack](generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md)
 * [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md)
 * [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
- * [Provision Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md)
 * [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
 * [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
 * [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
diff --git a/quorum-vault-system/src/component-documents/ceremony-repository.md b/quorum-vault-system/src/component-documents/ceremony-repository.md index a3b7650..3cec977 100644 --- a/quorum-vault-system/src/component-documents/ceremony-repository.md +++ b/quorum-vault-system/src/component-documents/ceremony-repository.md @@ -49,54 +49,6 @@ keys/ {{ #include ./git-repository-initialization.md:procedure}} -## Procedure: Adding a OpenPGP Public Certificate - -1. Ensure you are on the correct branch: - - * `git checkout main` - -1. Pull the latest ceremony repo changes - - * `git pull origin main` - -1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html): - - 1. Obtain the fingerprint for the certificate: - - * `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"` - - 2. Copy the certificate to a name based on the keyring: - - * `cp cert.asc "${fingerprint}.asc"` - -1. If exporting a certificate from GnuPG: - - 1. Find your key fingerprint: - - * `gpg --list-keys` - - 1. Export your OpenPGP public certificate: - - * `gpg --export --armor > .asc` - -1. Place the file in `keys/all/.asc` - -1. Create signed git commit: - - * `git commit -S -m "add pgp key"` - -1. Push to the commit: - - * `git push origin main` - -1. Communicate your new key fingerprint to all other participants: - - * Preferred: In person - - * Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call) - -1. Get confirmation they have used `gpg --import .asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo - // ANCHOR_END: content /* ANCHOR_END: all */ diff --git a/quorum-vault-system/src/generated-documents/all-levels/create-ceremonies-repository.md b/quorum-vault-system/src/generated-documents/all-levels/create-ceremonies-repository.md new file mode 100644 index 0000000..750bdd5 --- /dev/null 
+++ b/quorum-vault-system/src/generated-documents/all-levels/create-ceremonies-repository.md @@ -0,0 +1,3 @@ +# Create Ceremony Repository + +{{ #include ../../component-documents/ceremony-repository.md:content }} diff --git a/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md b/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md index b4bafe9..e748523 100644 --- a/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md +++ b/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md @@ -10,7 +10,7 @@ * 2+ SD cards -## Procedure +## Generate OpenPGP Key 1. Insert AirgapOS SD card into computer 
@@ -21,3 +21,51 @@ * [Disabling secure boot](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html) may be necessary {{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}} + +## Adding a OpenPGP Public Certificate to the Ceremony Repository + +1. Ensure you are on the correct branch: + + * `git checkout main` + +1. Pull the latest ceremony repo changes + + * `git pull origin main` + +1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html): + + 1. Obtain the fingerprint for the certificate: + + * `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"` + + 2. Copy the certificate to a name based on the keyring: + + * `cp cert.asc "${fingerprint}.asc"` + +1. If exporting a certificate from GnuPG: + + 1. Find your key fingerprint: + + * `gpg --list-keys` + + 1. Export your OpenPGP public certificate: + + * `gpg --export --armor > .asc` + +1. Place the file in `keys/all/.asc` + +1. Create signed git commit: + + * `git commit -S -m "add pgp key"` + +1. Push to the commit: + + * `git push origin main` + +1. Communicate your new key fingerprint to all other participants: + + * Preferred: In person + + * Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call) + +1. Get confirmation they have used `gpg --import .asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md index f17daf7..2128208 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md 
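Review bot: The last step of the new "Adding a OpenPGP Public Certificate" section has the other participants confirm they ran `gpg --import`, but nothing asks them to compare the fingerprint of the key they imported with the one you communicated in person or over two channels, which is the only thing that makes the out-of-band step meaningful. Add a step along the lines of: each participant runs `gpg --fingerprint <fingerprint>` on the imported key and confirms it matches the fingerprint communicated out of band, aborting and treating a mismatch as an incident. Because the certificates are fetched over git, the `git pull origin main` step would also benefit from `git log --show-signature -1` (or `git verify-commit HEAD`) before anything already in `keys/all/` is trusted. The placeholders in `gpg --export --armor > .asc` and `keys/all/.asc` appear to have been lost in extraction; worth confirming the rendered page names the key to export, since a bare `gpg --export --armor` exports every public key in the keyring.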
@@ -1,4 +1,4 @@ -# Operator - Sign PYTH-SPL Transaction +# Operator - SPL Token Transfer ## Requirements @@ -70,7 +70,7 @@ 1. Verify all signatures for the workflow data: - * `for file in .*.sig; do echo "Verifying: $file"; gpg --verify "${file}.json" "$file"; done` + * `for file in .*.sig; do echo "Verifying: $file"; gpg --verify "${file}" ""; done` * Ensure that the script doesn't output any "WARNING" messages to the console. If it does, abort the ceremony and initiate incident response. @@ -82,14 +82,14 @@ 1. Follow on screen prompts -1. Unplug the Shard SD card and place it in High Visibility Storage - 1. Run the `icepick` command with the transaction payload * `icepick workflow sol transfer-token --input-file=<(jq .values )` * Follow on screen prompts +1. Unplug the Ceremony SD card and place it in High Visibility Storage + ### Broadcast Transaction: Online Machine 1. Retrieve Ceremony SD from High Visibility Storage and plug it into online machine @@ -98,6 +98,8 @@ 1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository +1. Unplug the Ceremony SD card and place it in High Visibility Storage + ### Repeat 1. You may repeat previous steps as many times as necessary to process all workflow payloads diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md index d6b728a..7782035 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md 
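Review bot: In the signature-verification step the only abort criterion is the absence of `WARNING` output, but `gpg --verify` reports `Good signature` for any certificate present in the operator's keyring, so a payload signed by a key that was imported but is not an approved proposer would pass this check unnoticed. The step should additionally require that every `Good signature from` line names a fingerprint on the organization's approved proposer list, and that any `BAD signature`, `Can't check signature`, or payload without a matching `.sig` aborts the ceremony; `gpg --status-fd 1 --verify` and matching the `VALIDSIG` fingerprint against that list is one concrete way to do it. The second argument of the new `gpg --verify "${file}" ""` renders here as an empty string, which looks like a placeholder for the payload filename dropped in extraction rather than the intended command, so please confirm the rendered page shows the payload path.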
@@ -32,7 +32,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile: - * `keyfork mnemonic generate --size 256 --shard-to ,output=` + * `keyfork mnemonic generate --size 256 --shard-to ,output=` 1. Unseal an SD card pack @@ -48,9 +48,15 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor 1. Each backup should be placed into High Visibility Storage after it's made + + +1. Unplug the SD card and place it in High Visibility Storage + +1. Label the SD card "Shardfile \[date\] \[namespace\]" 1. Gather all the original items that were in the air-gapped bundle: diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md index dd9262e..caa3ba0 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md @@ -52,9 +52,11 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key * `cp keyring.asc /media/` + 1. Unplug the SD card and place it in High Visibility Storage diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index a84ed52..0ee0e4c 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md 
@@ -8,14 +8,14 @@ The proposer must combine these values into a JSON file, such as: ```json { - "workflow": ["cosmos", "withdraw"], - "values": { - "delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer", - "validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh", - "asset_name": "KYVE", - "asset_amount": "0.4", - "chain_name": "korellia" - }, + "workflow": ["cosmos", "withdraw"], + "values": { + "delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer", + "validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh", + "asset_name": "KYVE", + "asset_amount": "0.4", + "chain_name": "korellia" + }, "proposal_datetime": "2025-01-28T18:18:00" } ``` 
@@ -75,39 +75,40 @@ The proposer must combine these values into a JSON file, such as: 1. Collect data for the transaction being sent, and structure it according to the template below, replacing values with valid ones. The values have to come from a organization approved list of values, for each field, except for `datetime` which is just the current date and time. - ```json - { - "workflow": ["", ""], - "values": { - "": "" - }, - "proposal_datetime": "" - } - ``` + ```json + { + "workflow": ["", ""], + "values": { + "": "" + }, + "proposal_datetime": "" + } + ``` - Example data object: - ```json - { - "workflow": ["cosmos", "withdraw"], - "values": { - "delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer", - "validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh", - "asset_name": "KYVE", - "asset_amount": "0.4", - "chain_name": "korellia" - }, - "proposal_datetime": "2025-01-28T18:18:00" - } - ``` + Example data object: + + ```json + { + "workflow": ["cosmos", "withdraw"], + "values": { + "delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer", + "validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh", + "asset_name": "KYVE", + "asset_amount": "0.4", + "chain_name": "korellia" + }, + "proposal_datetime": "2025-01-28T18:18:00" + } + ``` + +1. Import the keys relevant to the ceremony: + + * `gpg --import keys/all/*.asc` 1. Sign the data in the CLI using `gpg` or another OpenPGP implementation: * `gpg --detach-sign .1.sig` -1. Create a signed git commit: - - * `git commit -S -m "add pgp key"` - 1. Copy the updated ceremonies repo to the SD card * `cp -r . /media/external/ceremonies` 
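Review bot: The new `gpg --import keys/all/*.asc` step loads every certificate in the repository into the proposer's keyring without first checking that the checked-out commit is one a participant signed, and this keyring is what later `gpg --verify` steps will trust. It should be preceded by `git verify-commit HEAD` (or `git log --show-signature -1`) with an abort on an unsigned commit or an unexpected signer. The signing step `gpg --detach-sign` also does not pin which key signs; once the keyring holds several certificates it is worth adding `--local-user <your fingerprint>` so the payload is signed with the proposer's provisioned key rather than gpg's default. The payload filename in `.1.sig` appears to have been lost in extraction, so I have not assumed the exact invocation.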
@@ -116,6 +117,10 @@ The proposer must combine these values into a JSON file, such as: 1. Plug in the SD card into the online machine +1. Create a signed git commit: + + * `git commit -S -m "add pgp key"` + 1. Push the latest commit to the repository 1. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.
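Review bot: The signed-commit step that now sits in the online-machine section keeps the message `add pgp key`, which was copied from the key-provisioning procedure; for a transaction payload it should describe what is being committed, e.g. `git commit -S -m "add transaction payload <name>"`, so the ceremony repository history distinguishes payload proposals from key additions. Moving `git commit -S` from the air-gapped machine to the online machine also means the proposer's signing key must now be usable on the online host; if that key lives on a smartcard this is fine, but the procedure should state the expectation explicitly, since it changes where the proposer's private key is exposed.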