Compare commits

5 Commits

9ad10d3817 ... 1472b7c608

| Author | SHA1 | Date |
|---|---|---|
|  | 1472b7c608 |  |
|  | 1ece3b4d8d |  |
|  | a41d9d7917 |  |
|  | 2f9dd52d54 |  |
|  | 923828a3b8 |  |
|  | @ -48,10 +48,6 @@ The approver is responsible for verifying a transaction proposed by a [proposer] | ||||||
| 
 | 
 | ||||||
| 1. Plug in the Operator smart card | 1. Plug in the Operator smart card | ||||||
| 
 | 
 | ||||||
| 1. Set a local variable `pgp_key_id` to the smart card OpenPGP key id: |  | ||||||
|      |  | ||||||
|     * `pgp_key_id="$(oct list -i | head -1)"` |  | ||||||
| 
 |  | ||||||
| 1. Copy the git repo locally from the Ceremony SD card | 1. Copy the git repo locally from the Ceremony SD card | ||||||
| 
 | 
 | ||||||
| 	* `cp -r /media/<device_name>/vaults /root/vaults` | 	* `cp -r /media/<device_name>/vaults /root/vaults` | ||||||
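Review bot: with the `pgp_key_id="$(oct list -i | head -1)"` step removed, the retained "Plug in the Operator smart card" step no longer says what the card is for; the only visible consumer of it in this file was the removed `oct` call. Add a short clause stating what the card is needed for in the new flow (if it is what the later `icepick workflow --add-signature-to-file ... --shardfile` step requires, say so), so an approver does not skip the step as obsolete.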
|  | @ -60,31 +56,9 @@ The approver is responsible for verifying a transaction proposed by a [proposer] | ||||||
| 
 | 
 | ||||||
| 	* `cd /root/vaults` | 	* `cd /root/vaults` | ||||||
| 
 | 
 | ||||||
| 1. Verify the detached signature for the payload | 1. Verify the existing signatures and add your own signature: | ||||||
| 
 | 
 | ||||||
| 	* `gpg --verify <payload>.<num>.json <payload>.<num>.<key_id>.sig` | 	* `icepick workflow --add-signature-to-file <namespace>/ceremonies/<date>/payload_<num>.json --shardfile <shardfile>.asc` | ||||||
| 
 |  | ||||||
| 	* The filename will be of format: `/<namespace>/ceremonies/<date>/payloads/payload_<number>.json` |  | ||||||
| 
 |  | ||||||
| 1. Verify the key is authenticated: |  | ||||||
| 
 |  | ||||||
| 	* `sq-wot --gpg list "<their@email.co>"` |  | ||||||
| 
 |  | ||||||
| 	* Ensure the output of the command includes "fully authenticated" |  | ||||||
| 
 |  | ||||||
| 1. Sign the transaction payload: |  | ||||||
| 
 |  | ||||||
|     * `gpg --detach-sign <namespace>/ceremonies/<date>/payloads/payload_<num>.json > <namespace>/ceremonies/<date>/payloads/payload_<num>_$pgp_key_id.sig` |  | ||||||
| 
 |  | ||||||
| 	* e.g `gpg --detach-sign solana-01/ceremonies/2025-01-01/payloads/payload_1.json > solana-01/ceremonies/2025-01-01/payloads/payload_1_F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D.sig` |  | ||||||
| 
 |  | ||||||
| 1. Stage the modified file: |  | ||||||
| 
 |  | ||||||
|     * `git add <namespace>/ceremonies/<date>/payloads/payload_<num>_$pgp_key_id.sig` |  | ||||||
| 
 |  | ||||||
| 1. Create a signed git commit: |  | ||||||
| 
 |  | ||||||
| 	* `git commit -S -m "add payload signature for payload_<num>.json using $pgp_key_id"` |  | ||||||
| 
 | 
 | ||||||
| 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | ||||||
| 
 | 
 | ||||||
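Review bot: the new command's path `<namespace>/ceremonies/<date>/payload_<num>.json` drops the `payloads/` directory that every other path in this document uses (the removed format note `/<namespace>/ceremonies/<date>/payloads/payload_<number>.json` and the `git add <namespace>/ceremonies/<date>/payloads/*` step in the next hunk), so an approver following it literally gets a file-not-found. Correct it to `<namespace>/ceremonies/<date>/payloads/payload_<num>.json`. Separately, this hunk removes the explicit acceptance criterion (output of `sq-wot --gpg list` must include "fully authenticated") without giving a new one: state what `icepick workflow --add-signature-to-file` reports when the existing signatures do not verify, and that the approver must stop rather than add a signature in that case.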
|  | @ -106,6 +80,14 @@ The approver is responsible for verifying a transaction proposed by a [proposer] | ||||||
| 
 | 
 | ||||||
| 	* `cd ~/vaults` | 	* `cd ~/vaults` | ||||||
| 
 | 
 | ||||||
|  | 1. Stage the modified file: | ||||||
|  | 
 | ||||||
|  |     * `git add <namespace>/ceremonies/<date>/payloads/*` | ||||||
|  | 
 | ||||||
|  | 1. Create a signed git commit: | ||||||
|  | 
 | ||||||
|  | 	* `git commit -S -m "add payload signature for payload_<num>.json"` | ||||||
|  | 
 | ||||||
| 1. Push the latest commit to the repository | 1. Push the latest commit to the repository | ||||||
| 	 | 	 | ||||||
| 	* `git push origin main` | 	* `git push origin main` | ||||||
|  |  | ||||||
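Review bot: `git add <namespace>/ceremonies/<date>/payloads/*` stages every file in the directory, while the step heading says "Stage the modified file"; on a shared ceremony SD card that can sweep unrelated or stray files into the signed commit. Stage the one file this procedure changed (the `payload_<num>.json` that `--add-signature-to-file` wrote to), or at least say that `git status` should show only that file before committing.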
|  | @ -50,30 +50,6 @@ | ||||||
| 
 | 
 | ||||||
| 1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine  | 1. Retrieve Ceremony SD card from High Visibility Storage and plug it into the air-gapped machine  | ||||||
| 
 | 
 | ||||||
| 1. Verify keyring data from the Ceremony SD card: |  | ||||||
| 
 |  | ||||||
| 	1. Import keys into the system |  | ||||||
| 
 |  | ||||||
| 		* `gpg --import keys/all/*.asc` |  | ||||||
| 
 |  | ||||||
| 	1. Plug in the operator's smartcard, and ensure it is loaded: |  | ||||||
| 
 |  | ||||||
| 		* `gpg --card-status` |  | ||||||
| 
 |  | ||||||
| 	1. Print the list of trusted keys: |  | ||||||
| 
 |  | ||||||
| 		* `sq-wot --gpg list` |  | ||||||
| 
 |  | ||||||
| 	1. Repeat for every operator, ensuring all keys are cross-trusted. |  | ||||||
| 
 |  | ||||||
| 	1. Terminate `gpg-agent`: `killall gpg-agent` |  | ||||||
| 
 |  | ||||||
| 1. Verify all signatures for the workflow data: |  | ||||||
| 
 |  | ||||||
| 	* `for file in <payload.json>.*.sig; do echo "Verifying: $file"; gpg --verify "${file}" "<payload.json>"; done` |  | ||||||
| 
 |  | ||||||
| 	* Ensure that the script doesn't output any "WARNING" messages to the console. If it does, abort the ceremony and initiate incident response. |  | ||||||
| 
 |  | ||||||
| 1. Start Keyfork using the relevant Shardfile: | 1. Start Keyfork using the relevant Shardfile: | ||||||
| 
 | 
 | ||||||
| 	* `keyfork recover shard --daemon /media/external/shard.asc` | 	* `keyfork recover shard --daemon /media/external/shard.asc` | ||||||
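Review bot: the removed block carried the only abort condition in this procedure ("If it does, abort the ceremony and initiate incident response") together with the key import (`gpg --import keys/all/*.asc`), the cross-trust check (`sq-wot --gpg list`) and the per-signature `gpg --verify` loop, and nothing in the new text between "Retrieve Ceremony SD card" and "Start Keyfork" replaces them. If `icepick workflow --run-quorum` now performs the signature and quorum checks, say so here and restate what the operator must do when it reports a failure; otherwise the verification steps should stay.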
|  | @ -84,7 +60,7 @@ | ||||||
| 
 | 
 | ||||||
| 1. Run the `icepick` command with the transaction payload | 1. Run the `icepick` command with the transaction payload | ||||||
| 
 | 
 | ||||||
| 	* `icepick workflow sol transfer-token --input-file=<(jq .values <payload.json>)`  | 	* `icepick workflow --run-quorum <payload>.json --shardfile /media/external/shard.asc` | ||||||
| 
 | 
 | ||||||
| 	* Follow on screen prompts | 	* Follow on screen prompts | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
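Review bot: `icepick workflow --run-quorum <payload>.json --shardfile /media/external/shard.asc` passes the same shardfile that the preceding `keyfork recover shard --daemon /media/external/shard.asc` step already loads into the daemon; if both are needed, a sentence explaining why (or which one is actually read) would stop operators from dropping one of them. The new command also no longer names the chain and workflow on the command line (the old one had `sol transfer-token`), so "Follow on screen prompts" should say that the operator must confirm the workflow and values shown match the proposal before approving.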
|  | @ -74,10 +74,6 @@ The proposer must combine these values into a JSON file, such as: | ||||||
| 
 | 
 | ||||||
| 1. Plug in the Operator smart card | 1. Plug in the Operator smart card | ||||||
| 
 | 
 | ||||||
| 1. Set a local variable `smart_card_id` to the smart card OpenPGP key id: |  | ||||||
| 	 |  | ||||||
| 	* `smart_card_id="$(oct list -i | head -1)"` |  | ||||||
| 
 |  | ||||||
| 1. Copy the git repo locally from the Ceremony SD card | 1. Copy the git repo locally from the Ceremony SD card | ||||||
| 
 | 
 | ||||||
| 	* `cp -r /media/<device_name>/vaults /root/vaults` | 	* `cp -r /media/<device_name>/vaults /root/vaults` | ||||||
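Review bot: removing `smart_card_id="$(oct list -i | head -1)"` is consistent with the later hunk that drops the `gpg --detach-sign ... $smart_card_id.sig` and `git commit ... using $smart_card_id` lines, but please check the rest of the proposer document for `$smart_card_id` outside the shown hunks; as in the approver document, the retained "Plug in the Operator smart card" step should also say what the card is now used for.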
|  | @ -92,58 +88,13 @@ The proposer must combine these values into a JSON file, such as: | ||||||
| 
 | 
 | ||||||
| 	* e.g `mkdir -p solana-01/ceremonies/2025-01-01/payloads` | 	* e.g `mkdir -p solana-01/ceremonies/2025-01-01/payloads` | ||||||
| 
 | 
 | ||||||
| 1. Create a new file `payload_<num>.json`, for example `payload_1.json` | 1. Use `icepick workflow --help` to list the available workflows and options | ||||||
| 
 | 
 | ||||||
| 	* `touch <namespace>/ceremonies/<date>/payloads/payload_<num>.json` | 1. Use icepick to generate and sign the payload: | ||||||
| 
 | 
 | ||||||
| 	* e.g `touch solana-01/ceremonies/2025-01-01/payloads/payload_1.json` | 	* `icepick workflow <chain> <workflow> <--option value> <--option value> --export-for-quorum --sign > <output_file>` | ||||||
| 
 | 
 | ||||||
| 1. Collect data for the transaction being sent, and structure it according to the template below, replacing values with valid ones. The values have to come from a organization approved list of values, for each field, except for `datetime` which is just the current date and time. | 	* e.g `icepick workflow cosmos withdraw-rewards --delegate-address kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer --validator-address kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh --chain-name korellia --export-for-quorum --sign > <namespace>/ceremonies/<date>/payloads/payload_<num>.json` | ||||||
| 
 |  | ||||||
| 	* Write the data to the file: `vim <namespace>/ceremonies/<date>/payloads/payload_<num>.json` |  | ||||||
| 
 |  | ||||||
| 	```json |  | ||||||
| 	{ |  | ||||||
| 		"workflow": ["<workflow_namespace>", "<workflow_name>"], |  | ||||||
| 		"values": { |  | ||||||
| 			"<workflow_field>": "<workflow_value>" |  | ||||||
| 		}, |  | ||||||
| 		"proposal_datetime": "<datetime>" |  | ||||||
| 	} |  | ||||||
| 	``` |  | ||||||
| 
 |  | ||||||
| 	Example data object: |  | ||||||
| 
 |  | ||||||
| 	```json |  | ||||||
| 	{ |  | ||||||
| 		"workflow": ["cosmos", "withdraw"], |  | ||||||
| 		"values": { |  | ||||||
| 			"delegate_address": "kyve1q9w3nar74up6mxnwd428wpr5nffcw3360tkxer", |  | ||||||
| 			"validator_address": "kyvevaloper1ghpmzfuggm7vcruyhfzrczl4aczy8gas8guslh", |  | ||||||
| 			"asset_name": "KYVE", |  | ||||||
| 			"asset_amount": "0.4", |  | ||||||
| 			"chain_name": "korellia" |  | ||||||
| 		}, |  | ||||||
| 		"proposal_datetime": "2025-01-28T18:18:00" |  | ||||||
| 	} |  | ||||||
| 	``` |  | ||||||
| 1. Import the keys relevant to the ceremony: |  | ||||||
| 
 |  | ||||||
| 	* `gpg --import <namespace>/keyring.asc` |  | ||||||
| 
 |  | ||||||
| 1. Sign the data in the CLI using `gpg` or another OpenPGP implementation: |  | ||||||
| 
 |  | ||||||
| 	* `gpg --detach-sign <namespace>/ceremonies/<date>/payloads/<payload>_<num>.json > <namespace>/ceremonies/<date>/payloads/payload_<num>_$smart_card_id.sig` |  | ||||||
| 
 |  | ||||||
| 	* e.g `gpg --detach-sign solana-01/ceremonies/2025-01-01/payloads/payload_1.json > solana-01/ceremonies/2025-01-01/payloads/payload_1_F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D.sig` |  | ||||||
| 
 |  | ||||||
| 1. Stage the new file: |  | ||||||
| 
 |  | ||||||
| 	* `git add <namespace>/ceremonies/<date>/payloads/<payload>.<num>.$smart_card_id.sig` |  | ||||||
| 
 |  | ||||||
| 1. Create a signed git commit: |  | ||||||
| 
 |  | ||||||
| 	* `git commit -S -m "add payload signature for payload_<num>.sig using $smart_card_id"` |  | ||||||
| 
 | 
 | ||||||
| 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | 1. {{ #include ../../../../component-documents/finding-device-name.md:content }} | ||||||
| 
 | 
 | ||||||
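Review bot: the requirement that "The values have to come from a organization approved list of values, for each field" is removed together with the JSON template, but it is a policy constraint on the proposer, not a property of the tooling; keep that sentence next to the new `icepick workflow <chain> <workflow> ...` step. Also, the example writes the signed payload with a shell redirect (`> <namespace>/ceremonies/<date>/payloads/payload_<num>.json`), so a command that fails after the shell has opened the file leaves an empty or partial `payload_<num>.json` that the later `git add .../payloads/*` will stage; say that the proposer must confirm the command succeeded and the file is non-empty, well-formed JSON before staging.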
|  | @ -165,6 +116,14 @@ The proposer must combine these values into a JSON file, such as: | ||||||
| 
 | 
 | ||||||
| 	* `cd ~/vaults` | 	* `cd ~/vaults` | ||||||
| 
 | 
 | ||||||
|  | 1. Stage the modified file: | ||||||
|  | 
 | ||||||
|  |     * `git add <namespace>/ceremonies/<date>/payloads/*` | ||||||
|  | 
 | ||||||
|  | 1. Create a signed git commit: | ||||||
|  | 
 | ||||||
|  | 	* `git commit -S -m "add payload signature for payload_<num>.json"` | ||||||
|  | 
 | ||||||
| 1. Push the latest commit to the repository | 1. Push the latest commit to the repository | ||||||
| 	 | 	 | ||||||
| 	* `git push origin main` | 	* `git push origin main` | ||||||
|  |  | ||||||
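Review bot: the commit message `add payload signature for payload_<num>.json` is copied from the approver document, but in this procedure the commit adds the payload that `icepick workflow ... --export-for-quorum --sign` generated, not an approver's additional signature; use a message that says so (for example `add payload_<num>.json`). As with the approver document, `git add <namespace>/ceremonies/<date>/payloads/*` stages everything in the directory rather than "the modified file" named in the heading; prefer the single generated file.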