Compare commits

2 Commits: 2237d0cd21 ... 2437eac516

| Author | SHA1 | Date |
|---|---|---|
|  | 2437eac516 | |
|  | 9b2eb36cbe | |
|  | @ -16,3 +16,4 @@ indent_size = 4 | ||||||
| [*] | [*] | ||||||
| end_of_line = lf | end_of_line = lf | ||||||
| insert_final_newline = true | insert_final_newline = true | ||||||
|  | trim_trailing_whitespace = true | ||||||
|  |  | ||||||
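Review bot: `trim_trailing_whitespace = true` is added under the global `[*]` section, so it also strips the two trailing spaces that Markdown uses for hard line breaks; as nearly every other file in this commit is `.md`, add a `[*.md]` section with `trim_trailing_whitespace = false`, or confirm none of the docs rely on that syntax before editors start silently rewriting them.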
|  | @ -35,6 +35,10 @@ | ||||||
|                     * [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md) |                     * [Decrypt Namespace Secret](generated-documents/level-2/fixed-location/operator/decrypt-namespace-secret.md) | ||||||
|                     * [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md) |                     * [Encrypt Wallet To Namespace PGP Key](generated-documents/level-2/fixed-location/operator/encrypt-wallet-to-namespace-key.md) | ||||||
|                     * [Export Namespace Mnemonic](generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md) |                     * [Export Namespace Mnemonic](generated-documents/level-2/fixed-location/operator/export-namespace-mnemonic.md) | ||||||
|                 * [Coins - SOL]() |                 * [Coins]() | ||||||
|                     * [SOL - Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md) |                     * [Solana]() | ||||||
|                     * [SOL - Transfer Token](generated-documents/level-2/fixed-location/operator/coins/sol/transfer-token.md) |                         * [Generate Address](generated-documents/level-2/fixed-location/operator/coins/sol/generate-address.md) | ||||||
|  |                         * [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/sol/sign-and-broadcast-transaction.md) | ||||||
|  |                     * [Cosmos]() | ||||||
|  |                         * [Generate Address](generated-documents/level-2/fixed-location/operator/coins/cosmos/generate-address.md) | ||||||
|  |                         * [Sign and Broadcast Transaction](generated-documents/level-2/fixed-location/operator/coins/cosmos/sign-and-broadcast-transaction.md) | ||||||
|  |  | ||||||
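Review bot: the removed entry `[SOL - Transfer Token](.../coins/sol/transfer-token.md)` is replaced by a link to `.../coins/sol/sign-and-broadcast-transaction.md`, but the Solana hunk later in this diff only shows the H1 being retitled; confirm the file was actually renamed, otherwise the new link is dead. The `[Coins]()`, `[Solana]()` and `[Cosmos]()` entries with empty targets render as draft chapters in mdBook, which is acceptable for grouping, but note that the previous `[Coins - SOL]()` grouping is gone, so any external links into the old nesting break.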
|  | @ -1,12 +1,12 @@ | ||||||
| /* ANCHOR: all */ | /* ANCHOR: all */ | ||||||
| // ANCHOR: content | // ANCHOR: content | ||||||
| 1. Connect SD card to online machine | 1. Connect SD card to online linux workstation | ||||||
| 
 | 
 | ||||||
| 1. {{ #include finding-device-name.md:content }} | 1. {{ #include finding-device-name.md:content }} | ||||||
| 
 | 
 | ||||||
| 1. If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step | 1. If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step | ||||||
| 
 | 
 | ||||||
| 1. Copy the repository with updated files to an online machine, sign, commit and push to the `vaults` repository: | 1. Copy the repository with updated files to an online linux workstation, sign, commit and push to the `vaults` repository: | ||||||
|     ``` |     ``` | ||||||
|     $ cp -r /media/vaults ~/vaults/ |     $ cp -r /media/vaults ~/vaults/ | ||||||
|     $ cd ~/vaults |     $ cd ~/vaults | ||||||
|  |  | ||||||
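Review bot: the unchanged step `If the ~/vaults/ repository already exists ... remove it using sudo rm -rf ~/vaults before re-running the previous step` now sits before the copy it guards, so "the previous step" points at the device-name lookup rather than at `cp -r /media/vaults ~/vaults/`, which only appears in the next step; move the check after the copy or reword it as "before running the next step". Separately, `sudo rm -rf ~/vaults` should not need root for a directory under the user's home; if it does, the earlier copy ran as root and the ownership is the real defect. Minor: "linux workstation" should read "Linux workstation" (proper noun) in both replaced lines.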
|  | @ -114,7 +114,7 @@ Sealing bags of standard size objects which need to be protected can fit in. The | ||||||
| #### Sealing | #### Sealing | ||||||
| // ANCHOR: vsbwf-procedure-sealing | // ANCHOR: vsbwf-procedure-sealing | ||||||
| 
 | 
 | ||||||
| 1. Insert object(s) into plastic bag | 1. Insert object(s) into plastic sealing bag | ||||||
| 
 | 
 | ||||||
| 1. Fill bag with enough plastic beads that most of the object is surrounded | 1. Fill bag with enough plastic beads that most of the object is surrounded | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -6,7 +6,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] | ||||||
| 
 | 
 | ||||||
| * [Quorum PGP Key](../operator/quorum-entropy-ceremony.md) | * [Quorum PGP Key](../operator/quorum-entropy-ceremony.md) | ||||||
| 
 | 
 | ||||||
| * [Online Machine](TODO) | {{ #include ../../../../component-documents/linux-workstation.md:content }} | ||||||
| 
 | 
 | ||||||
| * [SD Card Pack](../provisioner/provision-sd-card.md) | * [SD Card Pack](../provisioner/provision-sd-card.md) | ||||||
| 
 | 
 | ||||||
|  | @ -20,7 +20,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] | ||||||
| 
 | 
 | ||||||
| ## Procedure | ## Procedure | ||||||
| 
 | 
 | ||||||
| 1. Turn on online machine  | 1. Turn on online linux workstation | ||||||
| 
 | 
 | ||||||
| 1. Pull the latest changes from the `vaults` repository | 1. Pull the latest changes from the `vaults` repository | ||||||
| 
 | 
 | ||||||
|  | @ -28,7 +28,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] | ||||||
| 
 | 
 | ||||||
| {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} | {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} | ||||||
| 
 | 
 | ||||||
| 1. Plug a fresh SD card into the online machine | 1. Plug a fresh SD card into the online linux workstation | ||||||
| 
 | 
 | ||||||
| 1. Save the `vaults` repository to the SD card, referred to as the Ceremony SD card | 1. Save the `vaults` repository to the SD card, referred to as the Ceremony SD card | ||||||
| 
 | 
 | ||||||
|  | @ -65,7 +65,7 @@ The approver is responsible for verifying a transaction proposed by a [proposer] | ||||||
| 
 | 
 | ||||||
| 1. Unplug the SD card from the air-gapped machine | 1. Unplug the SD card from the air-gapped machine | ||||||
| 
 | 
 | ||||||
| 1. Plug in the SD card into the online machine | 1. Plug in the SD card into the online linux workstation | ||||||
| 
 | 
 | ||||||
| 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
|  | @ -0,0 +1,43 @@ | ||||||
|  | # Cosmos: Generate Address | ||||||
|  | 
 | ||||||
|  | ## Requirements | ||||||
|  | 
 | ||||||
|  | {{ #include ../../../../operator-requirements.md:requirements }} | ||||||
|  | 
 | ||||||
|  | {{ #include ../../../../../../component-documents/linux-workstation.md:content }} | ||||||
|  | 
 | ||||||
|  | * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. | ||||||
|  | 
 | ||||||
|  | * [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair) | ||||||
|  | 
 | ||||||
|  | * [Ceremony SD card](../../../ceremony-sd-card-provisioning.md) | ||||||
|  | 
 | ||||||
|  | ## Procedure | ||||||
|  | 
 | ||||||
|  | 1. Enter the designated location with the quorum of operators and all required equipment | ||||||
|  | 
 | ||||||
|  | 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony | ||||||
|  | 
 | ||||||
|  | 1. Place Ceremony SD card in High Visibility Storage | ||||||
|  | 
 | ||||||
|  | 1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage | ||||||
|  | 
 | ||||||
|  | {{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} | ||||||
|  | 
 | ||||||
|  | 1. Place all contents except for the laptop into High Visibility Storage | ||||||
|  | 
 | ||||||
|  | ### Offline Machine: Generate Address | ||||||
|  | 
 | ||||||
|  | {{ #include ../template-gen-address-0.md:content }} | ||||||
|  | 
 | ||||||
|  | 1. Generate a new address: | ||||||
|  | 
 | ||||||
|  |     * `icepick workflow cosmos generate-address --account $account_id > $account_id.json` | ||||||
|  | 
 | ||||||
|  | {{ #include ../template-gen-address-1.md:content }} | ||||||
|  | 
 | ||||||
|  | ### Online Machine: Updating Vaults Repository | ||||||
|  | 
 | ||||||
|  | 1. Turn on online linux workstation | ||||||
|  | 
 | ||||||
|  | {{ #include ../../../../../../component-documents/git-basics.md:content }} | ||||||
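Review bot: `icepick workflow cosmos generate-address --account $account_id > $account_id.json` writes the new address as `$account_id.json`, but the included `template-gen-address-1.md` then runs `gpg --detach-sign $account_id.txt`, a file this procedure never creates, so the signing step fails with "No such file"; either emit the `.txt` as well or change the template to sign the `.json`. Also, the Requirements list the Linux workstation via the include, while the step `Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop` still says "online laptop"; use one term throughout.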
|  | @ -0,0 +1,101 @@ | ||||||
|  | # Solana: Sign and Broadcast Transaction | ||||||
|  | 
 | ||||||
|  | ## Requirements | ||||||
|  | 
 | ||||||
|  | {{ #include ../../../../operator-requirements.md:requirements }} | ||||||
|  | 
 | ||||||
|  | {{ #include ../../../../../../component-documents/linux-workstation.md:content }} | ||||||
|  | 
 | ||||||
|  | * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. | ||||||
|  | 
 | ||||||
|  | * [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair) | ||||||
|  | 
 | ||||||
|  | * [Ceremony SD card](../../../ceremony-sd-card-provisioning.md) | ||||||
|  | 
 | ||||||
|  | ## Procedure | ||||||
|  | 
 | ||||||
|  | 1. Enter the designated location with the quorum of operators and all required equipment | ||||||
|  | 
 | ||||||
|  | 1. Lock access to the location - there should be no inflow or outflow of people during the ceremony | ||||||
|  | 
 | ||||||
|  | 1. Place Ceremony SD card in High Visibility Storage | ||||||
|  | 
 | ||||||
|  | 1. Retrieve sealed Air-Gapped bundle, polaroid of tamper evidence, and online laptop from locked storage | ||||||
|  | 
 | ||||||
|  | {{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} | ||||||
|  | 
 | ||||||
|  | 1. Place all contents except for the laptop into High Visibility Storage | ||||||
|  | 
 | ||||||
|  | ### Offline Machine: Create and Sign Transaction | ||||||
|  | 
 | ||||||
|  | 1. Retrieve AirgapOS SD card and plug it into the air-gapped machine | ||||||
|  | 
 | ||||||
|  | 1. Boot the computer | ||||||
|  | 
 | ||||||
|  | 1. Unplug the AirgapOS SD card and place it in High Visibility Storage | ||||||
|  | 
 | ||||||
|  | 1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine | ||||||
|  | 
 | ||||||
|  | 1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }} | ||||||
|  | 
 | ||||||
|  | 1. Start Keyfork using the relevant Shardfile: | ||||||
|  | 	``` | ||||||
|  | 	$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc | ||||||
|  | 	``` | ||||||
|  | 	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files. | ||||||
|  | 
 | ||||||
|  | 1. Follow on screen prompts | ||||||
|  | 
 | ||||||
|  | 1. Set `ICEPICK_DATA_DIRECTORY`: | ||||||
|  | 	``` | ||||||
|  | 	$ export ICEPICK_DATA_DIRECTORY=/media/<device_name> | ||||||
|  | 	``` | ||||||
|  | 1. Run the `icepick` command with the transaction payload | ||||||
|  | 
 | ||||||
|  | 	* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...) | ||||||
|  | 	``` | ||||||
|  | 	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc | ||||||
|  | 	``` | ||||||
|  | 	* Follow on screen prompts | ||||||
|  | 
 | ||||||
|  | 1. Unplug the Ceremony SD card and place it in High Visibility Storage | ||||||
|  | 
 | ||||||
|  | ### Broadcast Transaction: Online Machine | ||||||
|  | 
 | ||||||
|  | 1. Power on linux workstation | ||||||
|  | 
 | ||||||
|  | 1. Retrieve Ceremony SD from High Visibility Storage and plug it into linux workstation | ||||||
|  | 
 | ||||||
|  | 1. Run the broadcast command: | ||||||
|  | 	``` | ||||||
|  | 	$ keyfork workflow cosmos broadcast --input-file <payload.json> --nonce-address=<nonce_address> | ||||||
|  | 	``` | ||||||
|  | 	* The `<nonce_address>` is the principal or primary address | ||||||
|  | 
 | ||||||
|  | 1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository | ||||||
|  | 
 | ||||||
|  | 1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY` | ||||||
|  | 	``` | ||||||
|  | 	$ rm $ICEPICK_DATA_DIRECTORY/transaction.json | ||||||
|  | 	``` | ||||||
|  | 1. Unplug the Ceremony SD card and place it in High Visibility Storage | ||||||
|  | 
 | ||||||
|  | ### Repeat | ||||||
|  | 
 | ||||||
|  | 1. You may repeat previous steps as many times as necessary to process all workflow payloads | ||||||
|  | 
 | ||||||
|  | ## Finalization | ||||||
|  | 
 | ||||||
|  | 1. Shut down online linux workstation | ||||||
|  | 
 | ||||||
|  | 1. Shut down the air gapped machine | ||||||
|  | 
 | ||||||
|  | ### Sealing | ||||||
|  | 
 | ||||||
|  | 1. Gather all the original items that were in the air-gapped bundle: | ||||||
|  | 
 | ||||||
|  |     * Air-gapped computer | ||||||
|  | 
 | ||||||
|  |     * AirgapOS SD card | ||||||
|  | 
 | ||||||
|  | {{ #include ../../../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}} | ||||||
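Review bot: the title `# Solana: Sign and Broadcast Transaction` is wrong for this file: it sits between the Cosmos and Solana Generate Address files in the diff and its broadcast command is `... cosmos broadcast`, so it should read `# Cosmos: Sign and Broadcast Transaction` (as written, the book gets two chapters with the same H1). In the Broadcast section, `keyfork workflow cosmos broadcast --input-file <payload.json> --nonce-address=<nonce_address>` calls `keyfork`, but `workflow` is an `icepick` subcommand everywhere else on this page (`icepick workflow --run-quorum ...`, `icepick workflow sol broadcast ...`); and `--nonce-address` is the flag the Solana broadcast uses with its nonce account, so the note `The <nonce_address> is the principal or primary address` needs to say what a Cosmos broadcast actually takes. Finally, `rm $ICEPICK_DATA_DIRECTORY/transaction.json` runs on the online workstation where `ICEPICK_DATA_DIRECTORY` was never exported (it is only set on the air-gapped machine), so it expands to `/transaction.json`; add the `export ICEPICK_DATA_DIRECTORY=...` and `ICEPICK_CONFIG_FILE` steps the Solana broadcast section has.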
|  | @ -1,4 +1,4 @@ | ||||||
| # SOL - Generate Address | # Solana: Generate Address | ||||||
| 
 | 
 | ||||||
| ## Requirements | ## Requirements | ||||||
| 
 | 
 | ||||||
|  | @ -8,9 +8,9 @@ | ||||||
| 
 | 
 | ||||||
| * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. | * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. | ||||||
| 
 | 
 | ||||||
| * [Quorum PGP key pairs](../../key-types.md#quorum-pgp-keypair)  | * [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair) | ||||||
| 
 | 
 | ||||||
| * [Ceremony SD card](../../ceremony-sd-card-provisioning.md) | * [Ceremony SD card](../../../ceremony-sd-card-provisioning.md) | ||||||
| 
 | 
 | ||||||
| ## Procedure | ## Procedure | ||||||
| 
 | 
 | ||||||
|  | @ -28,87 +28,27 @@ | ||||||
| 
 | 
 | ||||||
| ### Offline Machine: Generate Address | ### Offline Machine: Generate Address | ||||||
| 
 | 
 | ||||||
| 1. Retrieve AirgapOS SD card and plug it into the air-gapped machine | {{ #include ../template-gen-address-0.md:content }} | ||||||
| 
 |  | ||||||
| 1. Turn on air-gapped machine |  | ||||||
| 
 |  | ||||||
| 1. Unplug the AirgapOS SD card and place it in High Visibility Storage |  | ||||||
| 
 |  | ||||||
| 1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine  |  | ||||||
| 
 |  | ||||||
| 1. Copy the `vaults` repository to the machine and switch to it |  | ||||||
|     ``` |  | ||||||
| 	$ cp -r /media/vaults /root/ |  | ||||||
| 	$ cd /root/vaults |  | ||||||
|     ``` |  | ||||||
| 
 |  | ||||||
| 1. Start Keyfork using the relevant Shardfile: |  | ||||||
| 
 |  | ||||||
| 	1. `keyfork recover shard --daemon <namespace>/shardfile.asc` |  | ||||||
| 
 |  | ||||||
|     1. Follow on screen prompts |  | ||||||
| 
 |  | ||||||
| 1. If the desired `<coin>` directory doesn't exist for the namespace, create it: |  | ||||||
| 
 |  | ||||||
|     * `mkdir -p <namespace>/<coin>` |  | ||||||
| 
 |  | ||||||
|     * e.g `mkdir -p vault_1/sol/` |  | ||||||
| 
 |  | ||||||
| 1. Connect to the appropriate coin directory: |  | ||||||
| 
 |  | ||||||
|     * `cd <namespace>/<coin>/` |  | ||||||
| 
 |  | ||||||
| 1. Check what the latest address account is: |  | ||||||
| 
 |  | ||||||
| 	* `ls -la .` |  | ||||||
| 
 |  | ||||||
| 1. Find what the latest number for the address is, and add 1 to it. This will be the new address account. |  | ||||||
| 
 |  | ||||||
| 	* For example if the latest address file is 42, the new account_id would be 43. The addresses should start at `0` |  | ||||||
| 
 |  | ||||||
| 	* Set an environment variable with the new account_id: |  | ||||||
| 
 |  | ||||||
| 		* `account_id=<num>`, e.g `account_id=43` |  | ||||||
| 
 | 
 | ||||||
| 1. Generate a new address: | 1. Generate a new address: | ||||||
|  | 	``` | ||||||
|  |     $ icepick workflow sol generate-address --account $account_id > $account_id.json | ||||||
|  | 	``` | ||||||
| 
 | 
 | ||||||
|     * `icepick workflow sol generate-address --account $account_id | jq -r .pubkey > $account_id.txt` | {{ #include ../template-gen-address-1.md:content }} | ||||||
|         * [38 removes need to use jq](https://git.distrust.co/public/icepick/issues/38) |  | ||||||
| 
 |  | ||||||
| 1. Sign the file using: |  | ||||||
| 
 |  | ||||||
|     * Import OpenPGP keys: |  | ||||||
| 
 |  | ||||||
|         * `gpg --import /media/<device_name>/vaults/keys/all/*.asc` |  | ||||||
| 
 |  | ||||||
|     * `gpg --detach-sign $account_id.txt` |  | ||||||
| 
 |  | ||||||
| 1. You may repeat the previous steps, starting at the step where the `account_id` is set. |  | ||||||
| 
 |  | ||||||
| 1. Once finished, copy the updated repository back to the Ceremony SD card: |  | ||||||
| 
 |  | ||||||
|     * `cp -rf /root/vaults /media/` |  | ||||||
| 
 |  | ||||||
| 1. Shut down the air gapped machine |  | ||||||
| 
 |  | ||||||
| 1. Unplug the Ceremony SD card and place it into High Visibility Storage |  | ||||||
| 
 | 
 | ||||||
| ### Online Machine: Generate Nonce Account | ### Online Machine: Generate Nonce Account | ||||||
| 
 | 
 | ||||||
| 1. Turn on online machine | 1. Turn on online machine | ||||||
| 
 | 
 | ||||||
| 1. Make sure `jq` is installed: |  | ||||||
| 
 |  | ||||||
|     * `sudo apt install jq` |  | ||||||
| 
 |  | ||||||
| 1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer | 1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer | ||||||
| 
 | 
 | ||||||
| 1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }} | 1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }} | ||||||
| 
 | 
 | ||||||
| 1. Copy the `vaults` repository from the Ceremony SD card: | 1. Copy the `vaults` repository from the Ceremony SD card: | ||||||
| 
 | 	``` | ||||||
|     * `cp -r /media/vaults ~/` |     $ cp -r /media/vaults ~/ | ||||||
| 
 | 	``` | ||||||
|     * If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step |     * If the `~/vaults/` repository already exists, ensure it doesn't have any changes that haven't been committed, then remove it using `sudo rm -rf ~/vaults` before re-running the previous step | ||||||
| 
 | 
 | ||||||
| 1. Ensure `keyfork` is available on the system: | 1. Ensure `keyfork` is available on the system: | ||||||
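Review bot: the new generate step redirects the whole output to `$account_id.json`, but the `template-gen-address-1.md` include that replaces the removed signing steps still runs `gpg --detach-sign $account_id.txt`, and the nonce step in the next hunk still reads `"$(cat $account_id.txt)"`; with the `.txt` no longer written, both fail. Keep one artifact (`.json`) and update the template and the nonce command to match. Also, `1. Turn on online machine` in the Online Machine section was not updated to "online Linux workstation" as in the other hunks, and the new fence under `Generate a new address` opens with a tab while its command is indented with four spaces; pick one, since the `.editorconfig` in this same commit sets `indent_size = 4`.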
|  | @ -120,36 +60,37 @@ | ||||||
|     * Follow steps from [installation guide](TODO) |     * Follow steps from [installation guide](TODO) | ||||||
| 
 | 
 | ||||||
| 1. Set unsafe `keyfork` usage variable: | 1. Set unsafe `keyfork` usage variable: | ||||||
| 
 | 	``` | ||||||
|     * `export SHOOT_SELF_IN_FOOT=1` |     $ export INSECURE_HARDWARE_ALLOWED=1 | ||||||
| 
 | 	``` | ||||||
|  | 	* [Bug: user shouldn't have to set this insecure config. Issue #34 fixes this.](https://git.distrust.co/public/icepick/issues/34) | ||||||
| 1. Generate throwaway mnemonic to generate address which will be used for funding the creation of nonce account: | 1. Generate throwaway mnemonic to generate address which will be used for funding the creation of nonce account: | ||||||
| 
 | 	``` | ||||||
|     * `keyfork mnemonic generate | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon` |     $ keyfork mnemonic generate | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon | ||||||
| 
 | 	``` | ||||||
| 1. Change directory into the desired \<namespace>/\<coin> directory: | 1. Change directory into the desired \<namespace>/\<coin> directory: | ||||||
| 
 | 	``` | ||||||
|     * `cd ~/vaults/<namespace>/<coin>` |     $ cd ~/vaults/<namespace>/<coin> | ||||||
| 
 | 	``` | ||||||
| 1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory: | 1. Select which account you are creating the delegate address by viewing the appropriate \<namespace>/\<coin>/ directory: | ||||||
| 
 | 	``` | ||||||
|     * `ls -la .` |     $ ls -la . | ||||||
| 
 | 	``` | ||||||
| 1. Once you have selected the appropriate account, set the account_id variable: | 1. Once you have selected the appropriate account, set the account_id variable: | ||||||
| 
 | 	``` | ||||||
|     * `account_id=<num>` |     $ account_id=<num> | ||||||
| 
 | 	``` | ||||||
| 1. Use `icepick` to generate nonce account: | 1. Use `icepick` to generate nonce account: | ||||||
| 
 | 
 | ||||||
|     * The following command will need to be updated to use the appropriate \<cluster>, which can be `devnet`, `testnet` or `mainnet-beta` |     * The following command will need to be updated to use the appropriate \<cluster>, which can be `devnet`, `testnet` or `mainnet-beta` | ||||||
| 
 | 
 | ||||||
|     * Set `icepick` config file: |     * Set `icepick` config file: | ||||||
| 
 | 	``` | ||||||
|         * `export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml` |     $ export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml` | ||||||
| 
 | 	``` | ||||||
|     * `icepick workflow sol generate-nonce-account  --authorization-address "$(cat $account_id.txt)" | jq -r .nonce_account > $account_id-na.txt` | 	``` | ||||||
|         * [38 removes he need to use jq and cat](https://git.distrust.co/public/icepick/issues/38) |     $ icepick workflow sol generate-nonce-account --authorization-address "$(cat $account_id.txt)" --input-file $account_id.json > $account_id-na.json | ||||||
| 
 | 	``` | ||||||
|     * Repeat command if returned message is "The transaction was possibly not received by the cluster." |     * Repeat command if returned message is "The transaction was possibly not received by the cluster." | ||||||
| 
 | 
 | ||||||
| 1. Airdrop the wallet displayed on-screen with 0.01 SOL | 1. Airdrop the wallet displayed on-screen with 0.01 SOL | ||||||
|  |  | ||||||
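Review bot: `export ICEPICK_CONFIG_FILE=<path_to_icepick_repositry>/icepick.toml\`` carries a stray trailing backtick left over from the inline-code form; the shell rejects the unterminated backtick, so drop it (and fix "repositry"). The nonce command `icepick workflow sol generate-nonce-account --authorization-address "$(cat $account_id.txt)" --input-file $account_id.json > $account_id-na.json` passes the address twice, once from a `.txt` the offline step no longer produces and once via `--input-file`; keep only `--input-file`. Its output is now `$account_id-na.json`, while the Sign and Broadcast doc later in this commit still reads `<account_id>-na.txt`, so the two files must agree. And since the cluster note lists `mainnet-beta` as a valid target, `Airdrop the wallet displayed on-screen with 0.01 SOL` only works on devnet/testnet; say that on mainnet-beta the wallet has to be funded by a normal transfer.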
|  | @ -1,16 +1,16 @@ | ||||||
| # Operator - SPL Token Transfer | # Solana: Sign and Broadcast Transaction | ||||||
| 
 | 
 | ||||||
| ## Requirements | ## Requirements | ||||||
| 
 | 
 | ||||||
| {{ #include ../../../../operator-requirements.md:requirements }} | {{ #include ../../../../operator-requirements.md:requirements }} | ||||||
| 
 | 
 | ||||||
| * Online machine | {{ #include ../../../../../../component-documents/linux-workstation.md:content }} | ||||||
| 
 | 
 | ||||||
| * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. | * [High Visibility Storage](TODO): plastic container or bag that's used to keep items while not in use in a visible location like the middle of a desk. | ||||||
| 
 | 
 | ||||||
| * [Quorum PGP key pairs](../../key-types.md#quorum-pgp-keypair)  | * [Quorum PGP key pairs](../../../key-types.md#quorum-pgp-keypair) | ||||||
| 
 | 
 | ||||||
| * [Ceremony SD card](../../ceremony-sd-card-provisioning.md) | * [Ceremony SD card](../../../ceremony-sd-card-provisioning.md) | ||||||
| 
 | 
 | ||||||
| ## Procedure | ## Procedure | ||||||
| 
 | 
 | ||||||
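Review bot: retitling `# Operator - SPL Token Transfer` to `# Solana: Sign and Broadcast Transaction` makes this H1 identical to the new Cosmos file's title earlier in this diff; the Cosmos one is the mistitled file, but fix it in the same commit so the book does not ship two chapters with the same name. Also confirm the file itself was moved to `sign-and-broadcast-transaction.md`, since SUMMARY.md now links that path instead of `transfer-token.md`.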
|  | @ -28,7 +28,7 @@ | ||||||
| 
 | 
 | ||||||
| ### Online Machine: Acquire Nonce | ### Online Machine: Acquire Nonce | ||||||
| 
 | 
 | ||||||
| 1. Turn on online machine | 1. Turn on online linux workstation | ||||||
| 
 | 
 | ||||||
| 1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer | 1. Retrieve the Ceremony SD card from High Visibility Storage and plug it into the computer | ||||||
| 
 | 
 | ||||||
|  | @ -37,21 +37,24 @@ | ||||||
| 	* e.g `vaults/<namespace>/<coin>/0-na.txt` | 	* e.g `vaults/<namespace>/<coin>/0-na.txt` | ||||||
| 
 | 
 | ||||||
| 	* Set the nonce address variable: | 	* Set the nonce address variable: | ||||||
| 
 | 	``` | ||||||
| 		* `nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"` | 	$ nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)" | ||||||
| 
 | 	``` | ||||||
| 1. Set `ICEPICK_DATA_DIRECTORY`: | 1. Set `ICEPICK_DATA_DIRECTORY`: | ||||||
| 
 | 
 | ||||||
| 	{{ #include ../../../../../../component-documents/finding-device-name.md:content }} | 	{{ #include ../../../../../../component-documents/finding-device-name.md:content }} | ||||||
| 
 | 	``` | ||||||
| 	* `export ICEPICK_DATA_DIRECTORY=/media/external/` | 	$ export ICEPICK_DATA_DIRECTORY=/media/external/ | ||||||
|  | 	``` | ||||||
| 
 | 
 | ||||||
| 1. set `ICEPICK_CONFIG_FILE` | 1. set `ICEPICK_CONFIG_FILE` | ||||||
| 
 | 	``` | ||||||
| 	* `export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml` | 	$ export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml` | ||||||
| 
 | 	``` | ||||||
| 1. Run the command: `icepick workflow sol broadcast --nonce-address=$nonce_address` | 1. Run the command: | ||||||
| 
 | 	``` | ||||||
|  | 	$ icepick workflow sol broadcast --nonce-address=$nonce_address | ||||||
|  | 	``` | ||||||
| 	* Await completion message before removing Ceremony SD card | 	* Await completion message before removing Ceremony SD card | ||||||
| 
 | 
 | ||||||
| 	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine | 	* This command will set the computer into "awaiting mode", which will broadcast the signed transaction from the SD card once it's plugged back in after the workflow payloads are signed on the offline machine | ||||||
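Review bot: `nonce_address="$(cat vaults/<namespace>/<coin>/<account_id>-na.txt)"` reads a `.txt` nonce file, but the Generate Address doc in this commit now writes `$account_id-na.json`; either keep writing the `.txt` there or read the JSON here. `export ICEPICK_DATA_DIRECTORY=/media/external/` hardcodes a mount point immediately after the device-name include that tells the operator to look it up, and the offline section uses `/media/<device_name>`; use the placeholder here too. `export ICEPICK_CONFIG_FILE=<path_to_icepick_repo>/icepick.toml\`` has the same stray trailing backtick as the Generate Address doc and will be rejected by the shell.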
|  | @ -69,21 +72,24 @@ | ||||||
| 1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }} | 1. {{ #include ../../../../../../component-documents/finding-device-name.md:content }} | ||||||
| 
 | 
 | ||||||
| 1. Start Keyfork using the relevant Shardfile: | 1. Start Keyfork using the relevant Shardfile: | ||||||
| 
 | 	``` | ||||||
| 	* `keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc` | 	$ keyfork recover shard --daemon /media/<device_name>/vaults/<namespace>/shardfile.asc | ||||||
|  | 	``` | ||||||
| 
 | 
 | ||||||
| 	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files. | 	* The Shardfile may be named something else. Use `find /media/<device_name>/vaults -type f -name '*shardfile*.asc'` to list all files. | ||||||
| 
 | 
 | ||||||
| 1. Follow on screen prompts | 1. Follow on screen prompts | ||||||
| 
 | 
 | ||||||
| 1. Set `ICEPICK_DATA_DIRECTORY`: | 1. Set `ICEPICK_DATA_DIRECTORY`: | ||||||
| 
 | 	``` | ||||||
| 	* `export ICEPICK_DATA_DIRECTORY=/media/<device_name>` | 	$ export ICEPICK_DATA_DIRECTORY=/media/<device_name> | ||||||
| 
 | 	``` | ||||||
| 1. Run the `icepick` command with the transaction payload | 1. Run the `icepick` command with the transaction payload | ||||||
| 
 | 
 | ||||||
| 	* `icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc` | 	* The payload is located in the appropriate vault location (e.g /media/<device_name>/vaults/<namespace>/ceremonies/<date>...) | ||||||
| 
 | 	``` | ||||||
|  | 	$ icepick workflow --run-quorum <payload>.json --shardfile /media/<device_name>/vaults/<namespace>/shardfile.asc | ||||||
|  | 	``` | ||||||
| 	* Follow on screen prompts | 	* Follow on screen prompts | ||||||
| 
 | 
 | ||||||
| 1. Unplug the Ceremony SD card and place it in High Visibility Storage | 1. Unplug the Ceremony SD card and place it in High Visibility Storage | ||||||
|  | @ -97,10 +103,10 @@ | ||||||
| 1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository | 1. The url that's found in the response after a successful broadcast should be reviewed and committed to the ceremony repository | ||||||
| 
 | 
 | ||||||
| 1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY` | 1. Remove the transaction files in `ICEPICK_DATA_DIRECTORY` | ||||||
| 
 | 	``` | ||||||
|   * `rm $ICEPICK_DATA_DIRECTORY/transaction.json` | 	$ rm $ICEPICK_DATA_DIRECTORY/transaction.json | ||||||
| 
 | 	$ rm $ICEPICK_DATA_DIRECTORY/nonce.json | ||||||
|   * `rm $ICEPICK_DATA_DIRECTORY/nonce.json` | 	``` | ||||||
| 
 | 
 | ||||||
| 1. Unplug the Ceremony SD card and place it in High Visibility Storage | 1. Unplug the Ceremony SD card and place it in High Visibility Storage | ||||||
| 
 | 
 | ||||||
|  | @ -0,0 +1,42 @@ | ||||||
|  | /* ANCHOR: all */ | ||||||
|  | // ANCHOR: content | ||||||
|  | 1. Retrieve AirgapOS SD card and plug it into the air-gapped machine | ||||||
|  | 
 | ||||||
|  | 1. Turn on air-gapped machine | ||||||
|  | 
 | ||||||
|  | 1. Unplug the AirgapOS SD card and place it in High Visibility Storage | ||||||
|  | 
 | ||||||
|  | 1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine | ||||||
|  | 
 | ||||||
|  | 1. Copy the `vaults` repository to the machine and switch to it | ||||||
|  |     ``` | ||||||
|  | 	$ cp -r /media/vaults /root/ | ||||||
|  | 	$ cd /root/vaults | ||||||
|  |     ``` | ||||||
|  | 1. Start Keyfork using the relevant Shardfile: | ||||||
|  | 	``` | ||||||
|  | 	$ keyfork recover shard --daemon <namespace>/shardfile.asc | ||||||
|  | 	``` | ||||||
|  |     * Follow on screen prompts | ||||||
|  | 1. If the desired `<coin>` directory doesn't exist for the namespace, create it: | ||||||
|  | 	``` | ||||||
|  |     $ mkdir -p <namespace>/<coin> | ||||||
|  | 	``` | ||||||
|  | 1. Connect to the appropriate coin directory: | ||||||
|  | 	``` | ||||||
|  |     $ cd <namespace>/<coin>/ | ||||||
|  | 	``` | ||||||
|  | 1. Check what the latest address account is: | ||||||
|  | 	``` | ||||||
|  | 	$ ls -la . | ||||||
|  | 	``` | ||||||
|  | 1. Find what the latest number for the address is, and add 1 to it. This will be the new address account. | ||||||
|  | 
 | ||||||
|  | 	* For example if the latest address file is 42, the new account_id would be 43. The addresses should start at `0` | ||||||
|  | 
 | ||||||
|  | 	* Set an environment variable with the new account_id: | ||||||
|  | 		``` | ||||||
|  | 		$ account_id=<num> | ||||||
|  | 		``` | ||||||
|  | // ANCHOR_END: content | ||||||
|  | /* ANCHOR_END: all */ | ||||||
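Review bot: `cp -r /media/vaults /root/` assumes the Ceremony SD card is mounted at `/media/vaults`, while every other procedure on this page locates it through the `finding-device-name.md` include and uses `/media/<device_name>/vaults` (the signing template that follows even imports keys from `/media/<device_name>/vaults/keys/all/`); add the device-name step before the copy and use the placeholder. Fence indentation alternates between four spaces (around `cp -r /media/vaults /root/`) and a tab (around `keyfork recover shard` and `mkdir -p`), with the opposite style inside; since this file is included into numbered lists, keep one indent so every fence stays attached to its item. Lastly, `ls -la .` followed by "find the latest number and add 1" is ambiguous once a directory holds `N.json`, `N.txt.sig` and `N-na.json` files for the same account; say which suffix to count.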
|  | @ -0,0 +1,22 @@ | ||||||
|  | 
 | ||||||
|  | /* ANCHOR: all */ | ||||||
|  | // ANCHOR: content | ||||||
|  | 1. Sign the file using: | ||||||
|  | 
 | ||||||
|  |     * Import OpenPGP keys: | ||||||
|  | 
 | ||||||
|  |         * `gpg --import /media/<device_name>/vaults/keys/all/*.asc` | ||||||
|  | 
 | ||||||
|  |     * `gpg --detach-sign $account_id.txt` | ||||||
|  | 
 | ||||||
|  | 1. You may repeat the previous steps, starting at the step where the `account_id` is set. | ||||||
|  | 
 | ||||||
|  | 1. Once finished, copy the updated repository back to the Ceremony SD card: | ||||||
|  | 
 | ||||||
|  |     * `cp -rf /root/vaults /media/` | ||||||
|  | 
 | ||||||
|  | 1. Shut down the air gapped machine | ||||||
|  | 
 | ||||||
|  | 1. Unplug the Ceremony SD card and place it into High Visibility Storage | ||||||
|  | // ANCHOR_END: content | ||||||
|  | /* ANCHOR_END: all */ | ||||||
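Review bot: `gpg --detach-sign $account_id.txt` signs a `.txt`, but both callers of this template (the Solana and Cosmos Generate Address docs in this commit) now write `$account_id.json`, so the step fails with no such file; sign `$account_id.json`, or whichever artifact is kept. `gpg --import /media/<device_name>/vaults/keys/all/*.asc` reads from the SD card even though `template-gen-address-0.md` has already copied the repository to `/root/vaults`; importing from `/root/vaults/keys/all/` avoids depending on the card still being mounted. The step also never says which key does the signing; name the Quorum PGP key pair listed in Requirements so the operator knows what to plug in before `--detach-sign`.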
|  | @ -19,15 +19,15 @@ | ||||||
|     * `cp -r /media/vaults /root/` |     * `cp -r /media/vaults /root/` | ||||||
| 
 | 
 | ||||||
| 1. Start `keyfork` using the relevant Shardfile: | 1. Start `keyfork` using the relevant Shardfile: | ||||||
| 
 | 	``` | ||||||
| 	* `keyfork recover shard --daemon /root/vaults/<namespace>/shardfile.asc` | 	$ keyfork recover shard --daemon /root/vaults/<namespace>/shardfile.asc | ||||||
| 
 | 	``` | ||||||
|     * Follow on screen prompts |     * Follow on screen prompts | ||||||
| 
 | 
 | ||||||
| 1. Derive the OpenPGP root certificate: | 1. Derive the OpenPGP root certificate: | ||||||
| 
 | 	``` | ||||||
|     * `keyfork derive openpgp > secret_key.asc` |     $ keyfork derive openpgp > secret_key.asc | ||||||
| 
 | 	``` | ||||||
| 1. Decrypt the secret material: | 1. Decrypt the secret material: | ||||||
| 
 | 
 | ||||||
|     * `sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted` |     * `sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted` | ||||||
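Review bot: the decrypt step at the end of this hunk (`sq decrypt --recipient-file secret_key.asc < encrypted.asc --output decrypted`) is left as an inline-code bullet while the two steps above it are converted to fenced `$` blocks; convert it the same way. Also the new fences are tab-indented while the `* Follow on screen prompts` bullet under the same list item uses four spaces; mixed indentation inside one list item can make CommonMark close the item early, so indent the fence and the bullet the same way.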
|  |  | ||||||
|  | @ -21,8 +21,9 @@ This is a ceremony for generating and sharding entropy to a set of existing Quor | ||||||
| 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile: | 1. Run the command to generate new entropy and shard it to quorum of public certificates of the input shardfile: | ||||||
| 
 | 
 | ||||||
|     * Replace the values: <path_to_input_shard>, <pgp_user_id> |     * Replace the values: <path_to_input_shard>, <pgp_user_id> | ||||||
| 
 | 	``` | ||||||
|     * `keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc' |     $ keyfork mnemonic generate --shard-to <path_to_input_shard>,output=shardfile.asc --derive=openpgp --public "<pgp_user_id>" --output certificate.asc | ||||||
|  | 	``` | ||||||
| 
 | 
 | ||||||
| 1. Unseal an SD card pack | 1. Unseal an SD card pack | ||||||
| 
 | 
 | ||||||
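Review bot: the `keyfork mnemonic generate` line drops the single quotes around the `--derive` value, turning `--derive='openpgp --public "<pgp_user_id>" --output certificate.asc'` (one argument to `--derive`) into `--derive=openpgp --public "<pgp_user_id>" --output certificate.asc`, where `--public` and `--output` become separate arguments to `keyfork mnemonic generate` itself; confirm that keyfork's parser forwards these trailing arguments to the openpgp derivation in this form, otherwise the certificate output path will not reach the derive step and the ceremony will not produce `certificate.asc`. The old line also had an unclosed backtick at its end, which moving it into a fence fixes.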
|  |  | ||||||
|  | @ -21,8 +21,9 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key | ||||||
| 1. Run the relevant keyfork operation to perform the ceremony: | 1. Run the relevant keyfork operation to perform the ceremony: | ||||||
| 
 | 
 | ||||||
|     * Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with appropriate values |     * Replace the following values: \<M>, \<N>, <number_of_smart_cards_per_operator>, <pgp_user_id> with appropriate values | ||||||
| 
 | 	``` | ||||||
| 	* `keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive='openpgp --public "<pgp_user_id>" --output certificate.asc'` | 	$ keyfork mnemonic generate --shard-to-self shardfile.asc,threshold=<M>,max=<N>,cards_per_shard=<number_of_smartcards_per_operator>,cert_output=keyring.asc --derive=openpgp --public "<pgp_user_id>" --output certificate.asc | ||||||
|  | 	``` | ||||||
| 
 | 
 | ||||||
| 1. Unseal an SD card pack by following tamper proofing steps: | 1. Unseal an SD card pack by following tamper proofing steps: | ||||||
| 
 | 
 | ||||||
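Review bot: the placeholder list says `<number_of_smart_cards_per_operator>` but the command uses `cards_per_shard=<number_of_smartcards_per_operator>`; make the two names identical so an operator substituting values does not miss one. The single quotes around the `--derive` value are removed here too, so `--public "<pgp_user_id>" --output certificate.asc` now sits at the `mnemonic generate` level rather than inside the derive argument; verify that keyfork accepts this form before the documented command is used in a ceremony.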
|  | @ -54,7 +55,7 @@ This is a ceremony for generating entropy which is used to derive Quorum PGP key | ||||||
| 
 | 
 | ||||||
| 1. Power down the air-gapped machine | 1. Power down the air-gapped machine | ||||||
| 
 | 
 | ||||||
| 1. Transfer the ceremony artifacts to an online machine using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card  | 1. Transfer the ceremony artifacts to online linux workstation using one of the SD cards and commit the changes made to the `vaults` repository that's on the Ceremony SD card | ||||||
| 
 | 
 | ||||||
| {{ #include ../../../../component-documents/git-basics.md:content }} | {{ #include ../../../../component-documents/git-basics.md:content }} | ||||||
| 
 | 
 | ||||||
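Review bot: the reworded step `Transfer the ceremony artifacts to online linux workstation` is missing an article and lowercases a proper noun; write `to an online Linux workstation`. Removing the trailing space from the old line is fine.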
|  |  | ||||||
|  | @ -36,7 +36,7 @@ The proposer must combine these values into a JSON file, such as: | ||||||
| 
 | 
 | ||||||
| ## Procedure | ## Procedure | ||||||
| 
 | 
 | ||||||
| 1. Turn on online machine  | 1. Turn on online linux workstation | ||||||
| 
 | 
 | ||||||
| 1. Clone the `vaults` repository if it's not available locally and get the latest changes: | 1. Clone the `vaults` repository if it's not available locally and get the latest changes: | ||||||
| 	``` | 	``` | ||||||
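Review bot: `Turn on online linux workstation` reads awkwardly; write `Turn on the online Linux workstation` (add the article, capitalize Linux), and use that exact phrase in every step that was renamed from `online machine` so the term is consistent across the documents.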
|  | @ -47,14 +47,14 @@ The proposer must combine these values into a JSON file, such as: | ||||||
| 
 | 
 | ||||||
| {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} | {{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}} | ||||||
| 
 | 
 | ||||||
| 1. Plug a fresh SD card into the online machine | 1. Plug a fresh SD card into the online linux workstation | ||||||
| 
 | 
 | ||||||
| 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | ||||||
| 
 | 
 | ||||||
| 1. Save the `vaults` repo to the SD card, referred to as the Ceremony SD card | 1. Save the `vaults` repo to the SD card, referred to as the Ceremony SD card | ||||||
| 
 | 	``` | ||||||
| 	* `cp -r ~/vaults/ /media` | 	$ cp -r ~/vaults/ /media | ||||||
| 
 | 	``` | ||||||
| 1. Unplug the Ceremony SD card | 1. Unplug the Ceremony SD card | ||||||
| 
 | 
 | ||||||
| 1. Unseal the tamper proofed bundle | 1. Unseal the tamper proofed bundle | ||||||
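Review bot: `cp -r ~/vaults/ /media` in the `Save the vaults repo to the SD card` step copies to `/media` itself, even though the step immediately before it is the `finding-device-name` include whose purpose is to locate the card's mount point; write the target as `/media/<device_name>/` so the repository lands on the Ceremony SD card rather than on the workstation's root filesystem. Also, `Plug a fresh SD card into the online linux workstation` should read `online Linux workstation`.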
|  | @ -83,17 +83,17 @@ The proposer must combine these values into a JSON file, such as: | ||||||
| 1. Plug in the Operator smart card | 1. Plug in the Operator smart card | ||||||
| 
 | 
 | ||||||
| 1. Use icepick to generate and sign the payload: | 1. Use icepick to generate and sign the payload: | ||||||
|  | 	``` | ||||||
|  | 	$ icepick workflow <chain> <workflow> <--option value> <--option value> --export-for-quorum --sign > <output_file> | ||||||
|  | 	``` | ||||||
|  | 	* e.g `$ icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json` | ||||||
| 
 | 
 | ||||||
| 	* `icepick workflow <chain> <workflow> <--option value> <--option value> --export-for-quorum --sign > <output_file>` | 	* e.g `$ icepick workflow sol transfer --from-address "$(cat <namespace>/<coin>/0.txt)" --to-address "$(cat to_address.txt)" --amount <amount> --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json` | ||||||
| 
 |  | ||||||
| 	* e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json` |  | ||||||
| 
 |  | ||||||
| 	* e.g `icepick workflow sol transfer --from-address "$(cat <namespace>/<coin>/0.txt)" --to-address "$(cat to_address.txt)" --amount <amount> --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json` |  | ||||||
| 
 | 
 | ||||||
| 1. Copy the updated ceremonies repo to the SD card | 1. Copy the updated ceremonies repo to the SD card | ||||||
| 
 | 	``` | ||||||
| 	* `cp -r /root/vaults /media` | 	$ cp -r /root/vaults /media | ||||||
| 
 | 	``` | ||||||
| 1. Transfer the SD card from the air-gapped machine to the online machine | 1. Transfer the SD card from the air-gapped machine to the online machine | ||||||
| 
 | 
 | ||||||
| 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | ||||||
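Review bot: the two `e.g` examples carry real-looking addresses (`kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer`, `kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh`, `--chain-name korellia`) in a command that ends in `--sign`; since this is the step that produces a signed payload, replace them with placeholders in the same style as `<amount>` and `<namespace>` on those lines so a copy-paste does not sign a transaction against values taken from the docs. Minor: the fenced generic command already shows the `$` prompt, so the inline examples need not repeat `$ ` inside the backticks; `e.g` should be `e.g.`; and `Transfer the SD card from the air-gapped machine to the online machine` still uses the old term while the other files in this range were renamed to the online Linux workstation.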
|  |  | ||||||