add content and related docs for proposer role

This commit is contained in:
Anton Livaja 2024-12-20 12:12:31 -05:00
parent 3816a0dac6
commit c4ca2d3555
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
13 changed files with 212 additions and 15 deletions

View File

@ -63,6 +63,7 @@
* [Fixed-Location]() * [Fixed-Location]()
* [Provisioner](system-roles.md) * [Provisioner](system-roles.md)
* [Procure Equipment & Location](generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md) * [Procure Equipment & Location](generated-documents/level-2/fixed-location/provisioner/procure-equipment-and-location.md)
* [Ceremony Repository](generated-documents/level-2/fixed-location/provisioner/ceremonies-repository.md)
* [Proposer](system-roles.md) * [Proposer](system-roles.md)
* [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md) * [Propose Transaction](generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md)
* [Approver](system-roles.md) * [Approver](system-roles.md)
@ -71,3 +72,8 @@
* [PYTH-SLN - Sign Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md) * [PYTH-SLN - Sign Transaction](generated-documents/level-2/fixed-location/operator/coins/pyth-spl/sign-transaction.md)
* [Level 3]() * [Level 3]()
* [Level 4]() * [Level 4]()
* [Document Components]()
* [Git Commit Signing](./component-documents/git-commit-signing.md)
* [GUI Git Commit](./component-documents/gui-git-commit.md)
* [OpenPGP Setup](./component-documents/openpgp-setup.md)

View File

@ -0,0 +1,38 @@
/* ANCHOR: all */
# Ceremony Repository
// ANCHOR: content
This repository holds data pertaining to ceremonies. The primary data consists of:
* Transaction proposals
* Transaction approvals
* Tamper proofing evidence
* Policies (such as spending rules)
* Participants
## Directives
* MUST be private
* MUST be write protected, requiring approval from at least 1 individual other than one who opened the PR for merging
* MUST require signed commits
## Repository Structure
```
ceremonies/
/<date>
audit_log.txt
tamper_evidence/
transactions/
<tx_name>.tx.json
policies/
spending-policy.json
```
// ANCHOR_END: content
/* ANCHOR_END: all */

View File

@ -0,0 +1,35 @@
/* ANCHOR: all */
# Git Commit Signing
// ANCHOR: steps
1. Retrieve the value of your PGP key ID by using:
`gpg --list-keys`
1. Set up local `.gitconfig` file with desired PGP key:
```
[user]
name = <name>
email = <email>
signingKey = <pgp_key_id>
[commit]
gpgsign = true
merge = true
[core]
editor = "code --wait"
```
1. Set up environment variables for using smart cards
Open the `~/.bashrc` file and add the following content at the end:
```bash
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi
GPG_TTY=$(tty)
export GPG_TTY
```
// ANCHOR_END: steps
/* ANCHOR: all */

View File

@ -0,0 +1,55 @@
/* ANCHOR: all */
# Committing Using Git Graphical User Interface
The GitKraken tool can be used to produce commits with data.
# GitKraken Guide: Create a File, Edit in VS Code, and Commit
// ANCHOR: steps
1. Clone the Repository
* Launch the GitKraken application.
* Clone the ceremony repository:
* Click on the **"Clone"** button on the left sidebar.
* Enter the repository URL you want to clone.
* Choose a local directory where you want to save the repository.
* Click **"Clone the repo"**.
1. Create a new file
* **Navigate to the repository**: Make sure you are in the cloned repository in GitKraken.
* **Create a new file**:
* Right-click on the folder where you want to create the file in the left sidebar.
* Select **"New File"**.
* Name your file (e.g., `<file_name>`).
1. Open the File in Visual Studio Code
* **Open Visual Studio Code**:
* Right-click on the newly created file
* Select **"Open in External Editor"** (this should open the file in Visual Studio Code)
1. Add content to the file
* In Visual Studio Code, type a simple JSON blob. For example:
```json
{
"name": "Sample",
"version": "1.0.0",
"description": "This is a sample JSON blob."
}
```
* Save the file: Press `Ctrl + S` (or `Cmd + S` on Mac) to save the changes.
1. Stage the changes
* **Return to GitKraken**: Go back to GitKraken.
* **Stage the File**:
* In the left sidebar, you will see the file you just created under the **"Unstaged Files"** section.
* Click the checkbox next to `<file_name>` to stage the file.
1. Commit the Changes
* **Commit the Changes**:
* In the commit message box at the bottom, type a commit message (e.g., "Add <file_name> with sample JSON blob").
* Click the **"Commit changes"** button.
1. Push the Changes (if needed)
* Push to remote repository:
* If you want to push your changes to the remote repository, click the **"Push"** button in the top toolbar.
// ANCHOR_END: steps
/* ANCHOR_END: all */

View File

@ -0,0 +1 @@
# Keychain Repository

View File

@ -0,0 +1,16 @@
/* ANCHOR: all */
# OpenPGP Setup
Setting up a PGP key pair is necessary for a number of different aspects of QVS. The keys are a fundamental building block, and as such need to be set up in a manner that minimizes exposure risks.
## Procedure
// ANCHOR: steps
1. Secure an airgapped machine set up with AirgapOS
1. Use keyfork to generate a key and provision a card
1. Encrypt the mnemonic to the generated key
1. [OPTIONAL]: The operator key can be encrypted to the organization [Disaster Recovery Public Certificate](TODO).
// ANCHOR_END: steps
/* ANCHOR_END: all */

View File

@ -1,4 +1,5 @@
# Procure Hardware # Procure Hardware
- [ ] TODO update this doc so it listes a bunch of models that support pureboot, not just purism
1. Select a librem 14 laptop from https://puri.sm, and ensure: 1. Select a librem 14 laptop from https://puri.sm, and ensure:

View File

@ -5,15 +5,16 @@
## Requirements ## Requirements
* Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key) * Ensure both primary operators have their [Operator Keys](../../../../../../glossary.md#operator-key)
- [ ] TODO define guide for setting up operator keys
* Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object. * Both operators should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
* The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys * The operators should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys
* TODO: where do we refer to permitted PGP keys - [ ] TODO: where do we refer to permitted PGP keys
* Each operator should hash the `keychain` repository * Each operator should hash the `keychain` repository
- [ ] TODO define keychain repository setup
* `sha256sum keychain/` * `sha256sum keychain/`

View File

@ -4,7 +4,7 @@ The proposer is a fiduciary whose responsibility is to make sound financial deci
The proposer MUST clearly define, at a minimum: The proposer MUST clearly define, at a minimum:
* Token Name (SOL, PYTH-SPL, ETH, BTC etc.) * Token Name (SOL, PYTH-SPL, ETH, ETH-PYTH, BTC etc.)
* FROM address * FROM address
@ -12,17 +12,54 @@ The proposer MUST clearly define, at a minimum:
* Amount * Amount
* Date + Time
The proposer must combine these values into a single message, which can be a simple JSON file, and sign it using a well known PGP key. The proposer must combine these values into a single message, which can be a simple JSON file, and sign it using a well known PGP key.
## Requirements
* If necessary, provision a PGP key pair to a smart card using the guied in the [Appendix: Provisioning PGP Smart Card](#provisioning-pgp-smart-card)
* Ensure that the computer is configured to sign commits with the desired key. Refer to the [Appendix: Git Commit Signing Configuration](#git-commit-signing-configuration)
* Clone the [Ceremonies Repository](../../../../component-documents/ceremony-repository.md) for your organization to the machine
## Procedure
1. Define a new file "<date:time>-<currency>.tx.json", for example "16:40-PYTH-SPL.tx.json"
1. Create a new directory in the `ceremonies` repository for the date on which the ceremony for the transaction will take place if it doesn't already exist, for example `2024-01-01/`
1. Collect data for the transaction being sent, and structure it according to the template below, replacing values with valid ones. The values have to come from a organization approved list of values, for each field, except for `datetime` which is just the current date and time.
```json ```json
{ {
"token-name": "<name>",
"token-amount": "<amount>",
"from-address": "<address>", "from-address": "<address>",
"to-address": "<address>", "to-address": "<address>",
"token-name": "<name>", "datetime": "<date:time>"
"token-amount": "<amount>"
} }
``` ```
To sign use the command: Example data object:
```json
{
"token-name": "PYTH-SLN",
"token-amount": "42",
"from_address": "2Z72E62atYfpatQeqPvHZMaabmuz664xq5MRWv9xM5NX",
"to_address": "BNQr6T2UAuEPux1fuiygM6chrT5GkHKaMWeTTaRLmR7g",
"datetime": "<date:time>"
}
```
`gpg --clearsign <filename>` {{ #include ../../../../component-documents/gui-git-commit.md:steps}}
6. Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool(TODO).
## Appendix
### Git Commit Signing Configuration
{{ #include ../../../../component-documents/git-commit-signing.md:steps }}
### Provisioning PGP Smart Card

View File

@ -0,0 +1,3 @@
# Ceremonies Repository
{{ #include ../../../../component-documents/ceremony-repository.md:content }}

View File

@ -0,0 +1,2 @@
# Trusted Keys Repository
todo

View File

@ -9,7 +9,7 @@ All steps of the provisioning process need to be completed under the supervision
The following steps must all be completed under the continued supervision and with the involvement of all parties present. It is instrumental that there is not a single moment where the device is left unsupervised, or under the supervision of only 1 individual. The following steps must all be completed under the continued supervision and with the involvement of all parties present. It is instrumental that there is not a single moment where the device is left unsupervised, or under the supervision of only 1 individual.
## Provisioning Hardware ## Provisioning Equipment
// ANCHOR: steps // ANCHOR: steps
1. Selecting a Purchase Location 1. Selecting a Purchase Location

View File

@ -1,5 +1,7 @@
# PureBoot Setup # PureBoot Setup
- [ ] TODO: fix this doc to use a different smart card for pureboot as the librem key, as the librem key doesn't have a physical switch
This guide walks the user through setting up a machine which relies on This guide walks the user through setting up a machine which relies on
[PureBoot](https://source.puri.sm/firmware/pureboot) to verify the authenticity [PureBoot](https://source.puri.sm/firmware/pureboot) to verify the authenticity
of the `.iso` image which is being booted, as well to ensure that firmware of of the `.iso` image which is being booted, as well to ensure that firmware of