qvs: update docs prior to meeting

Ryan Heywood 2025-01-28 20:01:24 -05:00
parent 695421bdbe
commit bd3cc8c118
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
8 changed files with 108 additions and 90 deletions

View File

@ -9,6 +9,7 @@
* [Glossary](glossary.md) * [Glossary](glossary.md)
* [Generated Documents]() * [Generated Documents]()
* [All Levels]() * [All Levels]()
* [Create Ceremony Repository](generated-documents/all-levels/create-ceremonies-repository.md)
* [Personal PGP Key Provisioning](generated-documents/all-levels/pgp-key-provisioning.md) * [Personal PGP Key Provisioning](generated-documents/all-levels/pgp-key-provisioning.md)
* [Level 2]() * [Level 2]()
* [Fixed-Location]() * [Fixed-Location]()
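Review bot: the new entry's label and target disagree in number (`Create Ceremony Repository` vs `create-ceremonies-repository.md`); the level-2 entry removed in the next hunk carried the same mismatch (`Provision Ceremony Repository` → `provision-ceremonies-repository.md`), so if the page is being created fresh here, settle on one form now. Also confirm that `generated-documents/all-levels/create-ceremonies-repository.md` is the path of the three-line file added later in this commit, otherwise mdBook builds with a dangling sidebar link.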
@ -18,7 +19,6 @@
* [Procure SD Card Pack](generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md) * [Procure SD Card Pack](generated-documents/level-2/fixed-location/procurer/procure-sd-card-pack.md)
* [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md) * [Procure Hardware](generated-documents/level-2/fixed-location/procurer/procure-hardware.md)
* [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md) * [Provisioner](generated-documents/level-2/fixed-location/provisioner/index.md)
* [Provision Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md)
* [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md) * [Provision Computer](generated-documents/level-2/fixed-location/provisioner/provision-computer.md)
* [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md) * [Provision AirgapOS](generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md)
* [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md) * [Provision Air-Gapped Bundle](generated-documents/level-2/fixed-location/provisioner/air-gapped-bundle.md)
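Review bot: dropping the sidebar entry does not remove the page; unless `generated-documents/level-2/fixed-location/provisioner/provision-ceremonies-repository.md` is deleted in one of the other changed files, mdBook keeps building it as an orphan reachable by its old URL, and any link to it from `provisioner/index.md` (the context line above) goes stale. Delete the file in the same commit, or note where its content moved.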

View File

@ -49,54 +49,6 @@ keys/
{{ #include ./git-repository-initialization.md:procedure}} {{ #include ./git-repository-initialization.md:procedure}}
## Procedure: Adding a OpenPGP Public Certificate
1. Ensure you are on the correct branch:
* `git checkout main`
1. Pull the latest ceremony repo changes
* `git pull origin main`
1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html):
1. Obtain the fingerprint for the certificate:
* `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"`
2. Copy the certificate to a name based on the keyring:
* `cp cert.asc "${fingerprint}.asc"`
1. If exporting a certificate from GnuPG:
1. Find your key fingerprint:
* `gpg --list-keys`
1. Export your OpenPGP public certificate:
* `gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc`
1. Place the file in `keys/all/<key_fingerprint>.asc`
1. Create signed git commit:
* `git commit -S -m "add <name> pgp key"`
1. Push to the commit:
* `git push origin main`
1. Communicate your new key fingerprint to all other participants:
* Preferred: In person
* Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)
1. Get confirmation they have used `gpg --import <your_key_id>.asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo
// ANCHOR_END: content // ANCHOR_END: content
/* ANCHOR_END: all */ /* ANCHOR_END: all */
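Review bot: removing the certificate-adding procedure from between the include and `// ANCHOR_END: content` changes what every consumer of `ceremony-repository.md:content` receives, including the new `Create Ceremony Repository` page added in this commit, which now ends right after the git-initialization include. If a participant creating the repository is also expected to add their own certificate, that page needs a pointer to the relocated steps in `pgp-key-provisioning`. Separately, `// ANCHOR_END: content` and `/* ANCHOR_END: all */` are stripped by mdBook only when the file is pulled in via `#include`; if this component document is ever rendered directly they appear as literal text, so HTML-comment anchors would be safer.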

View File

@ -0,0 +1,3 @@
# Create Ceremony Repository
{{ #include ../../component-documents/ceremony-repository.md:content }}
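Review bot: the included `ceremony-repository.md:content` region no longer contains the certificate-adding steps after this commit, so the page stops at repository initialization; add a one-line link to `pgp-key-provisioning.md` so the reader knows where the next step lives. Also reconcile the `# Create Ceremony Repository` title with the `create-ceremonies-repository.md` file name referenced from SUMMARY.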

View File

@ -10,7 +10,7 @@
* 2+ SD cards * 2+ SD cards
## Procedure ## Generate OpenPGP Key
1. Insert AirgapOS SD card into computer 1. Insert AirgapOS SD card into computer
@ -21,3 +21,51 @@
* [Disabling secure boot](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html) may be necessary * [Disabling secure boot](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html) may be necessary
{{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}} {{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}
## Adding a OpenPGP Public Certificate to the Ceremony Repository
1. Ensure you are on the correct branch:
* `git checkout main`
1. Pull the latest ceremony repo changes
* `git pull origin main`
1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html):
1. Obtain the fingerprint for the certificate:
* `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"`
2. Copy the certificate to a name based on the keyring:
* `cp cert.asc "${fingerprint}.asc"`
1. If exporting a certificate from GnuPG:
1. Find your key fingerprint:
* `gpg --list-keys`
1. Export your OpenPGP public certificate:
* `gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc`
1. Place the file in `keys/all/<key_fingerprint>.asc`
1. Create signed git commit:
* `git commit -S -m "add <name> pgp key"`
1. Push to the commit:
* `git push origin main`
1. Communicate your new key fingerprint to all other participants:
* Preferred: In person
* Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)
1. Get confirmation they have used `gpg --import <your_key_id>.asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo
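Review bot: the final step imports `<your_key_id>.asc` while the file committed in the earlier step is `keys/all/<key_fingerprint>.asc`; use one placeholder and the repository path (`gpg --import keys/all/<key_fingerprint>.asc`) so the import reads from the cloned repo as the sentence says. The confirmation step should also have the other participants compare the imported key's fingerprint (`gpg --fingerprint <key_fingerprint>`) against the value received in person or over the two channels; importing alone does not establish that the file in git matches what was communicated out of band, which is the whole point of the fingerprint exchange. Smaller points: `sq keyring cert.asc` appears to be missing a subcommand (the listing form I know is `sq keyring list cert.asc`; verify that the second awk field is the fingerprint for whichever form is used), 'Push to the commit' should read 'Push the commit', and the heading should read 'an OpenPGP'.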

View File

@ -1,4 +1,4 @@
# Operator - Sign PYTH-SPL Transaction # Operator - SPL Token Transfer
## Requirements ## Requirements
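Review bot: the renamed heading does not appear in the SUMMARY hunks of this commit; if the sidebar label or file name still says `Sign PYTH-SPL Transaction`, update them together so the rendered sidebar and the page heading agree.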
@ -70,7 +70,7 @@
1. Verify all signatures for the workflow data: 1. Verify all signatures for the workflow data:
* `for file in <payload.json>.*.sig; do echo "Verifying: $file"; gpg --verify "${file}.json" "$file"; done` * `for file in <payload.json>.*.sig; do echo "Verifying: $file"; gpg --verify "${file}" "<payload.json>"; done`
* Ensure that the script doesn't output any "WARNING" messages to the console. If it does, abort the ceremony and initiate incident response. * Ensure that the script doesn't output any "WARNING" messages to the console. If it does, abort the ceremony and initiate incident response.
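Review bot: the corrected argument order (signature file first, then the data file) is right for a detached signature, but the check on the following line relies on the word "WARNING" appearing, and the gpg outcomes that matter most ("BAD signature", "Can't check signature: No public key") do not contain it. Check the exit status instead, e.g. `gpg --verify "$file" "<payload.json>" || { echo "verification failed: $file"; exit 1; }`, and keep the WARNING check for the trust warnings gpg prints on an otherwise good signature. The loop should also count the `.sig` files it verified against the expected quorum: with no matching files the glob iterates once over the literal pattern (or zero times under `nullglob`) and nothing alarming is printed.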
@ -82,14 +82,14 @@
1. Follow on screen prompts 1. Follow on screen prompts
1. Unplug the Shard SD card and place it in High Visibility Storage
1. Run the `icepick` command with the transaction payload 1. Run the `icepick` command with the transaction payload
* `icepick workflow sol transfer-token --input-file=<(jq .values <payload.json>)` * `icepick workflow sol transfer-token --input-file=<(jq .values <payload.json>)`
* Follow on screen prompts * Follow on screen prompts
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Broadcast Transaction: Online Machine ### Broadcast Transaction: Online Machine
1. Retrieve Ceremony SD from High Visibility Storage and plug it into online machine 1. Retrieve Ceremony SD from High Visibility Storage and plug it into online machine
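Review bot: removing "Unplug the Ceremony SD card and place it in High Visibility Storage" from the end of the offline section leaves the card in the air-gapped machine, yet the next section's first step (context line "Retrieve Ceremony SD from High Visibility Storage and plug it into online machine") still expects to fetch it from storage. Either keep an unplug step here or reword the retrieval step to move the card directly from the air-gapped machine. The new Shard SD unplug before `icepick` is a good change, since the shard card is no longer mounted while the transaction is signed; confirm that the `keyfork` daemon started in the preceding steps keeps the recovered key in memory after the card is removed, otherwise the `icepick` step fails.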
@ -98,6 +98,8 @@
1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository 1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository
1. Unplug the Ceremony SD card and place it in High Visibility Storage
### Repeat ### Repeat
1. You may repeat previous steps as many times as necessary to process all workflow payloads 1. You may repeat previous steps as many times as necessary to process all workflow payloads

View File

@ -32,7 +32,7 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile: 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile:
* `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shard_name>` * `keyfork mnemonic generate --size 256 --shard-to <path_to_input_shard>,output=<output_shardfile>`
1. Unseal an SD card pack 1. Unseal an SD card pack
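Review bot: apply the `<output_shardfile>` placeholder consistently; the commented-out autorun step later in this file still uses `<shard_file_name>` for what is presumably the same file. One vocabulary per placeholder keeps the generated documents readable.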
@ -48,9 +48,15 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor
1. Each backup should be placed into High Visibility Storage after it's made 1. Each backup should be placed into High Visibility Storage after it's made
<!--
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command: 1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
* `keyfork recover shard --daemon /media/external/<shard_file_name>` * `keyfork recover shard --daemon /media/external/<shard_file_name>`
-->
1. Unplug the SD card and place it in High Visibility Storage
1. Label the SD card "Shardfile \[date\] \[namespace\]"
1. Gather all the original items that were in the air-gapped bundle: 1. Gather all the original items that were in the air-gapped bundle:
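Review bot: prefer deleting the disabled `autorun.sh` step over wrapping it in an HTML comment; git history preserves it, while a commented-out item inside a numbered list is invisible to readers and rots (its `<shard_file_name>` placeholder already differs from the `<output_shardfile>` introduced above). If it is kept because daemon autostart is planned, say so inside the comment. The added unplug and label steps read well; `Shardfile \[date\] \[namespace\]` is escaped correctly so the brackets render literally.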

View File

@ -52,9 +52,11 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key
* `cp keyring.asc /media/<media_name>` * `cp keyring.asc /media/<media_name>`
<!--
1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command: 1. Optionally write an `autorun.sh` file to the Shardfile SD card containing the following command:
* `echo -e '#!/bin/bash\nkeyfork recover shard --daemon' > /media/<media_name>/autorun.sh` * `echo -e '#!/bin/bash\nkeyfork recover shard --daemon' > /media/<media_name>/autorun.sh`
-->
1. Unplug the SD card and place it in High Visibility Storage 1. Unplug the SD card and place it in High Visibility Storage

View File

@ -8,14 +8,14 @@ The proposer must combine these values into a JSON file, such as:
```json ```json
{ {
"workflow": ["cosmos", "withdraw"], "workflow": ["cosmos", "withdraw"],
"values": { "values": {
"delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer", "delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer",
"validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh", "validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh",
"asset_name": "KYVE", "asset_name": "KYVE",
"asset_amount": "0.4", "asset_amount": "0.4",
"chain_name": "korellia" "chain_name": "korellia"
}, },
"proposal_datetime": "2025-01-28T18:18:00" "proposal_datetime": "2025-01-28T18:18:00"
} }
``` ```
@ -75,39 +75,40 @@ The proposer must combine these values into a JSON file, such as:
1. Collect data for the transaction being sent, and structure it according to the template below, replacing values with valid ones. The values have to come from a organization approved list of values, for each field, except for `datetime` which is just the current date and time. 1. Collect data for the transaction being sent, and structure it according to the template below, replacing values with valid ones. The values have to come from a organization approved list of values, for each field, except for `datetime` which is just the current date and time.
```json ```json
{ {
"workflow": ["<workflow_namespace>", "<workflow_name>"], "workflow": ["<workflow_namespace>", "<workflow_name>"],
"values": { "values": {
"<workflow_field>": "<workflow_value>" "<workflow_field>": "<workflow_value>"
}, },
"proposal_datetime": "<datetime>" "proposal_datetime": "<datetime>"
} }
``` ```
Example data object: Example data object:
```json
{ ```json
"workflow": ["cosmos", "withdraw"], {
"values": { "workflow": ["cosmos", "withdraw"],
"delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer", "values": {
"validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh", "delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer",
"asset_name": "KYVE", "validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh",
"asset_amount": "0.4", "asset_name": "KYVE",
"chain_name": "korellia" "asset_amount": "0.4",
}, "chain_name": "korellia"
"proposal_datetime": "2025-01-28T18:18:00" },
} "proposal_datetime": "2025-01-28T18:18:00"
``` }
```
1. Import the keys relevant to the ceremony:
* `gpg --import keys/all/*.asc`
1. Sign the data in the CLI using `gpg` or another OpenPGP implementation: 1. Sign the data in the CLI using `gpg` or another OpenPGP implementation:
* `gpg --detach-sign <file> <file>.1.sig` * `gpg --detach-sign <file> <file>.1.sig`
1. Create a signed git commit:
* `git commit -S -m "add <name> pgp key"`
1. Copy the updated ceremonies repo to the SD card 1. Copy the updated ceremonies repo to the SD card
* `cp -r . /media/external/ceremonies` * `cp -r . /media/external/ceremonies`
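Review bot: the signing line (unchanged context) does not produce the file the step names: `gpg --detach-sign <file> <file>.1.sig` treats both arguments as input files to be signed together and fails when the second does not exist. Use `gpg --output <file>.1.sig --detach-sign <file>`; the numbered name is what the operator's verify loop globs for. The added `gpg --import keys/all/*.asc` step is useful for later verification but is not needed to sign, since signing uses the proposer's own secret key; it belongs where the signatures are checked. In the context line, `except for datetime` should name `proposal_datetime`, the field actually used in the template, and "a organization approved" should read "an organization-approved".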
@ -116,6 +117,10 @@ The proposer must combine these values into a JSON file, such as:
1. Plug in the SD card into the online machine 1. Plug in the SD card into the online machine
1. Create a signed git commit:
* `git commit -S -m "add <name> pgp key"`
1. Push the latest commit to the repository 1. Push the latest commit to the repository
1. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool. 1. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.
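Review bot: moving `git commit -S` to the online machine means the commit signature is produced with whichever key is present on that host rather than on the air-gapped machine where the payload was signed; state which key is expected (the proposer's personal key from `pgp-key-provisioning` is the obvious candidate) and make clear that reviewers rely on the detached `<file>.1.sig`, so the commit signature is not mistaken for the payload signature. The message `add <name> pgp key` is copied from the key-provisioning document; something like `add <workflow_namespace>/<workflow_name> proposal` describes this commit. There is also no step between plugging in the SD card and committing that changes into `/media/external/ceremonies`, the path the preceding hunk copies to, so `git commit` runs in whatever directory the operator happens to be in.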