From d3a4ae7bf458d4b81b225192b1fc4a5f4f3b9c7b Mon Sep 17 00:00:00 2001 From: Anton Livaja Date: Tue, 11 Feb 2025 00:59:54 -0500 Subject: [PATCH] cleanup based on ryan's feedback --- .../component-documents/finding-device-name.md | 2 +- .../src/component-documents/openpgp-setup.md | 6 +++--- .../all-levels/pgp-key-provisioning.md | 2 ++ .../approver/approve-transaction.md | 12 ++++++------ .../operator/ceremony-sd-card-provisioning.md | 2 +- .../operator/coins/sol/transfer-token.md | 6 +++--- .../operator/decrypt-namespace-secret.md | 6 +----- .../operator/export-namespace-mnemonic.md | 4 +--- .../operator/namespace-entropy-ceremony.md | 12 ++++++++---- .../operator/quorum-entropy-ceremony.md | 12 ++++++++---- .../proposer/create-transaction-payload.md | 15 ++++++--------- .../provisioner/provision-airgapos.md | 2 -- 12 files changed, 40 insertions(+), 41 deletions(-) diff --git a/quorum-vault-system/src/component-documents/finding-device-name.md b/quorum-vault-system/src/component-documents/finding-device-name.md index f0e62d2..a7bd2b4 100644 --- a/quorum-vault-system/src/component-documents/finding-device-name.md +++ b/quorum-vault-system/src/component-documents/finding-device-name.md @@ -1,6 +1,6 @@ /* ANCHOR: all */ // ANCHOR: content Look for your SD card device name (``) in the output of the `lsblk` command. It will typically be listed as `/dev/sdX` or `/dev/mmcblk`, where X is a letter (e.g., `/dev/sdb`, `/dev/sdc`). You can identify it by its size or by checking if it has a partition (like `/dev/sdX1`) - * You may mount the device using: `sudo mount /dev/ media/` + * You may mount the device using: `sudo mount /dev/ /media` // ANCHOR_END: content /* ANCHOR_END: all */ \ No newline at end of file diff --git a/quorum-vault-system/src/component-documents/openpgp-setup.md b/quorum-vault-system/src/component-documents/openpgp-setup.md index 61da571..1fb8eeb 100644 --- a/quorum-vault-system/src/component-documents/openpgp-setup.md 
+++ b/quorum-vault-system/src/component-documents/openpgp-setup.md @@ -25,6 +25,8 @@ as such need to be set up in a manner that minimizes exposure risks. * `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"` + * The PIN can't use sequential numbers, characters or repeated patterns. + 1. If additional smart cards are required, recover the Keyfork key from the encrypted mnemonic: * `gpg --import cert.asc` @@ -39,9 +41,7 @@ as such need to be set up in a manner that minimizes exposure risks. 1. Insert an SD card to contain the public certificate and the encrypted mnemonic. - * {{ #include finding-device-name.md:content}} - - * `cp cert.asc encrypted-mnemonic.asc /media//` + * `cp cert.asc encrypted-mnemonic.asc /media` // ANCHOR_END: steps-keyfork diff --git a/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md b/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md index 5440de5..3e867fa 100644 --- a/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md +++ b/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md @@ -31,6 +31,8 @@ ## Adding a OpenPGP Public Certificate to the Ceremony Repository +1. Switch to online machine + 1. Ensure you are on the correct branch: * `git checkout main` diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md index 74592c0..5779ed7 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md 
@@ -46,25 +46,25 @@ The approver is responsible for verifying a transaction proposed by a [proposer] 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} -1. Plug in the Operator smart card - 1. Copy the git repo locally from the Ceremony SD card - * `cp -r /media//vaults /root/vaults` + * `cp -r /media/vaults /root/vaults` 1. Change directory to vaults * `cd /root/vaults` +1. Plug in the Operator smart card + 1. Verify the existing signatures and add your own signature: - * `icepick workflow --add-signature-to-file /ceremonies//payload_.json --shardfile .asc` + * `icepick workflow --add-signature-to-quorum /ceremonies//payload_.json --shardfile .asc` 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} 1. Copy the updated vaults repo to the SD card - * `cp -r /root/vaults /media//vaults` + * `cp -r /root/vaults /media` 1. Unplug the SD card from the air-gapped machine @@ -74,7 +74,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] 1. Copy the updated repository locally: - * `cp -r /media//vaults ~/` + * `cp -r /media/vaults ~/` 1. Change into locally copied directory diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md index 10ab8d2..dc79bdc 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/ceremony-sd-card-provisioning.md @@ -24,7 +24,7 @@ 1. Write the ceremony repo data to the SD card: - `cp -r vaults/ /media//` + `cp -r vaults/ /media` 1. Unplug the SD card 
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md index 3ea24f8..9330278 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md @@ -52,15 +52,15 @@ 1. Start Keyfork using the relevant Shardfile: - * `keyfork recover shard --daemon /media/external/shard.asc` + * `keyfork recover shard --daemon /media/vaults//shardfile.asc` - * The Shardfile may be named something else. Use `find /media/external -type f -name '*shard*.asc'` to list all files. + * The Shardfile may be named something else. Use `find /media/vaults -type f -name '*shardfile*.asc'` to list all files. 1. Follow on screen prompts 1. Run the `icepick` command with the transaction payload - * `icepick workflow --run-quorum .json --shardfile /media/external/shard.asc` + * `icepick workflow --run-quorum .json --shardfile /media/vaults//shardfile.asc` * Follow on screen prompts diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md index 6c25753..7748563 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md @@ -16,11 +16,7 @@ 1. Copy the Ceremony SD Card contents to machine - * {{ #include ../../../../component-documents/finding-device-name.md:content }} - - * Copy the contents of the card to machine: - - * `cp -r /media//vaults /root/` + * `cp -r /media/vaults /root/` 1. Start `keyfork` using the relevant Shardfile: 
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md index 4db0e00..bb72019 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md @@ -34,9 +34,7 @@ 1. Recover the mnemonic from an existing shardfile - * {{ #include ../../../../component-documents/finding-device-name.md:content }} - - * `keyfork shard combine /media//shard.asc | keyfork-mnemonic-from-seed > mnemonic.txt` + * `keyfork shard combine /media/vaults//shardfile.asc | keyfork-mnemonic-from-seed > mnemonic.txt` 1. Follow on screen prompts diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md index db5ab54..bc40e61 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/namespace-entropy-ceremony.md 
@@ -32,17 +32,21 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor 1. Back up the newly generated artifacts to any desired number of SD cards, and label each "Shardfile [unique_name] [date]" - 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} + 1. Plug in fresh SD card + + 1. If the namespace doesn't exist: + + `mkdir -p /media/vaults/` 1. Back up the output shardfile: - * `cp shardfile.new.asc /media//` + * `cp shardfile.new.asc /media/vaults//` + * `cp keyring.new.asc /media/vaults//keyring.asc` 1. Back up the root PGP certificate: - * `cp root_pgp_cert.asc /media//` + * `cp root_pgp_cert.asc /media/vaults//` 1. Each backup should be placed into High Visibility Storage after it's made diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md index 4279a6a..cbaf0f9 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/operator/quorum-entropy-ceremony.md @@ -31,19 +31,23 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key 1. Plug in SD cards one at a time and use following steps to back up ceremony artifacts - 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} + 1. Plug in fresh SD card + + 1. If the namepsace doesn't exist: + + * `mkdir -p /media/vaults/` 1. Back up the root OpenPGP certificate - * `cp encryption_cert.asc /media//` + * `cp encryption_cert.asc /media/vaults//` 1. Back up the `shardfile.asc` - * `cp shardfile.asc /media//` + * `cp shardfile.asc /media/vaults//` 1. Back up the `keyring.asc` - * `cp keyring.asc /media//` + * `cp keyring.asc /media/vaults/` 1. Unplug the SD card and place it in High Visibility Storage 
diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md index d540180..df44b67 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/proposer/create-transaction-payload.md @@ -56,7 +56,7 @@ The proposer must combine these values into a JSON file, such as: 1. Save the `vaults` repo to the SD card, referred to as the Ceremony SD card - * `cp -r ~/vaults/ /media//` + * `cp -r ~/vaults/ /media` 1. Unplug the Ceremony SD card @@ -70,13 +70,10 @@ The proposer must combine these values into a JSON file, such as: 1. Plug in the Ceremony SD card -1. {{ #include ../../../../component-documents/finding-device-name.md:content }} - -1. Plug in the Operator smart card 1. Copy the git repo locally from the Ceremony SD card - * `cp -r /media//vaults /root/vaults` + * `cp -r /media/vaults /root` 1. Change into the vaults directory: @@ -90,17 +87,17 @@ The proposer must combine these values into a JSON file, such as: 1. Use `icepick workflow --help` to list the available workflows and options +1. Plug in the Operator smart card + 1. Use icepick to generate and sign the payload: * `icepick workflow <--option value> <--option value> --export-for-quorum --sign > ` * e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > /ceremonies//payloads/payload_.json` -1. {{ #include ../../../../component-documents/finding-device-name.md:content }} - 1. Copy the updated ceremonies repo to the SD card - * `cp -r /root/vaults /media//vaults` + * `cp -r /root/vaults /media` 1. Unplug the SD card from the air-gapped machine 
@@ -110,7 +107,7 @@ The proposer must combine these values into a JSON file, such as: 1. Copy the updated repository locally: - * `cp -r /media//vaults ~/` + * `cp -r /media/vaults ~/` 1. Change into locally copied directory diff --git a/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md b/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md index c91d0a0..efb53b7 100644 --- a/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md +++ b/quorum-vault-system/src/generated-documents/level-2/fixed-location/provisioner/provision-airgapos.md @@ -42,8 +42,6 @@ 1. Once booted, the card needs to be locked using `sdtool` which is available in `AirgapOS`: - * {{ #include ../../../../component-documents/finding-device-name.md:content }} - * Note: the device will not mount as a proper block device on QubesOS so a different OS has to be used where the device appears as /dev/mmcblk 1. `./sdtool /dev/ permlock`
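Review bot: in openpgp-setup.md the SD card step now goes from "Insert an SD card" straight to `cp cert.asc encrypted-mnemonic.asc /media`, and the finding-device-name include that carried the only mount instruction is removed, so nothing in the step mounts the card at `/media`. If the card is not mounted there, the copy lands on the machine's own filesystem and the card stays empty. Keep an explicit mount step before the `cp`, or keep the include. The same gap appears wherever this patch replaces the include with "Plug in fresh SD card". Separately, the new PIN bullet should say which PIN it means, since it sits under a command that provisions an OpenPGP card.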
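Review bot: in approve-transaction.md the copy from the Ceremony SD card is written `cp -r /media/vaults /root/vaults`, while the same step in create-transaction-payload.md is `cp -r /media/vaults /root` and in decrypt-namespace-secret.md is `cp -r /media/vaults /root/`. The three behave the same only when `/root/vaults` does not exist yet. If it does, the approve-transaction form creates `/root/vaults/vaults` and the following `cd /root/vaults` works on the old copy. Use one form in all three documents, preferably `cp -r /media/vaults /root/`.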
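Review bot: in transfer-token.md the fallback `find /media/vaults -type f -name '*shardfile*.asc'` is narrower than the `'*shard*.asc'` pattern it replaces, yet the sentence in front of it still says the Shardfile "may be named something else". A card written with the previous name `shard.asc` is no longer matched. Keep the broader `'*shard*.asc'` pattern and change only the search root.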
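Review bot: in namespace-entropy-ceremony.md the backup line `cp shardfile.new.asc /media/vaults//` keeps the file name `shardfile.new.asc` on the card, but transfer-token.md and export-namespace-mnemonic.md in this same patch read `/media/vaults//shardfile.asc`. The keyring line next to it already renames on copy (`keyring.new.asc` to `keyring.asc`), so do the same for the shardfile and give the destination as `.../shardfile.asc`. Style: the `mkdir -p /media/vaults/` line here has no `*` bullet, unlike the matching line in quorum-entropy-ceremony.md.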
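Review bot: in quorum-entropy-ceremony.md the keyring backup `cp keyring.asc /media/vaults/` writes to the top of `vaults`, while the certificate and shardfile lines in the same hunk write to `/media/vaults//`, and namespace-entropy-ceremony.md puts its keyring at `/media/vaults//keyring.asc`. Point the keyring copy at the same subdirectory as the other two artifacts. The added line "If the namepsace doesn't exist:" also has a typo ("namespace").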
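Review bot: in provision-airgapos.md the finding-device-name include is removed from the `sdtool` step, but the next command `./sdtool /dev/ permlock` still takes a device path, and the only remaining hint is the note that the device appears as /dev/mmcblk. Because this step locks the card, the operator should confirm which device they are locking before running it. Keep the include here, or inline a short `lsblk` check ahead of the `permlock` command.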