public
/
docs
5
0
Fork 0
Code Issues 14 Pull Requests 1 Packages Projects Releases Wiki Activity

update proposer and approver docs

This commit is contained in:
Anton Livaja 2025-01-28 10:07:47 -05:00
parent af202a9826
commit c44a75e26a
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
3 changed files with 93 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
quorum-key-management/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md
View File

@ -6,32 +6,70 @@ The approver is responsible for verifying a transaction proposed by a [proposer]
* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
* [Online Machine](TODO)
* [SD Card Pack](../provisioner/provision-sd-card.md)
* [Air-Gapped Bundle](../provisioner/air-gapped-bundle.md)
* The approver should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
* The approver should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
* Clone the [Ceremonies Repository](../provisioner/provision-ceremonies-repository.md) for your organization to the machine
## Procedure
1. Turn on online machine
1. Pull the latest changes from the `ceremonies` repository
1. Verify the PGP key of the Proposer is valid
1. Unseal the SD Card Pack
1. Verify that the commit with the tx data is properly signed by the key that was verified in the previous step
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Verify that the transaction is according to the defined policy, for the time being ensuring it's signed by safe-listed PGP keys (TODO: update this with a proper policy post-MVP)
1. Plug a fresh SD card into the online machine
1. Save the ceremonies repo to the SD card, referred to as the Ceremony SD card
1. Unplug the Ceremony SD card
1. Unseal the tamper proofed bundle
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Insert the AirgapOS SD card into the airgapped machine and turn it on
1. Once booted, unplug the AirgapOS SD card
1. Plug in the Ceremony SD card
1. Copy the git repo locally from the Ceremony SD card
1. Verify the PGP key of the Proposer is valid
1. Verify the detached sig for the payload
1. To sign the transaction payload and produce a detached signature use:
* `gpg --detach-sig <filename>`
1. Commit the detached signature alongside the tx
1. Copy the updated ceremonies repo to the SD card
1. Unplug the SD card from the air-gapped machine
1. Plug in the SD card into the online machine
1. Push the latest commit to the repository
1. Tamper proof the AirgapOS and Air-gapped laptop
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
## Appendix
### Git Commit Signing Configuration
{{ #include ../../../../component-documents/git-commit-signing.md:steps }}
### Generating PGP Keypair & Provisioning Smart Card
{{ #include ../../../../component-documents/openpgp-setup.md:steps-keyfork }}

6
quorum-key-management/src/generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md
View File

@ -22,15 +22,10 @@
1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage
### Unsealing Tamper Proofing
{{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Place all contents except for the laptop into High Visibility Storage
### Ceremony
#### Prepare Transaction: Online Machine
1. Turn on online machine
1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer
@ -43,7 +38,6 @@
* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine
#### Sign Transaction: Air-Gapped Machine
1. Retrieve AirgapOS SD card and plug it into the air-gapped machine
1. Boot the computer

47
quorum-key-management/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md
View File

@ -20,12 +20,46 @@ The proposer must combine these values into a single message, which can be a sim
* [Quorum PGP Key](../operator/quorum-entropy-ceremony.md)
* [Air-Gapped Bundle](../provisioner/air-gapped-bundle.md)
* The proposer should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
* The proposer should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo
* [Online Machine](TODO)
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
* Clone the [Ceremonies Repository](../provisioner/provision-ceremonies-repository.md) for your organization to the machine
## Procedure
1. Turn on online machine
1. Pull the latest changes from the `ceremonies` repository
1. Unseal the SD Card Pack
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Plug a fresh SD card into the online machine
1. Save the ceremonies repo to the SD card, referred to as the Ceremony SD card
1. Unplug the Ceremony SD card
1. Unseal the tamper proofed bundle
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}
1. Insert the AirgapOS SD card into the airgapped machine and turn it on
1. Once booted, unplug the AirgapOS SD card
1. Plug in the Ceremony SD card
1. Copy the git repo locally from the Ceremony SD card
1. Define a new file `payload_<num>.json`, for example `payload_1.json`
1. Create a new directory in the `ceremonies` repository for the date on which the ceremony for the transaction will take place if it doesn't already exist, for example `2024-01-01/`
@ -56,8 +90,21 @@ The proposer must combine these values into a single message, which can be a sim
* `gpg --detach-sig <file>`
1. Copy the updated ceremonies repo to the SD card
1. Unplug the SD card from the air-gapped machine
1. Plug in the SD card into the online machine
1. Push the latest commit to the repository
1. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.
1. Tamper proof the AirgapOS and Air-gapped laptop
{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}
## Appendix
### Git Commit Signing Configuration