5 changed files with 132 additions and 115 deletions
--- a/2
+++ b/2
@ -16,7 +16,7 @@ out/qvs/index.json: out Containerfile.qvs $(shell find quorum-vault-system -type
 		. \
 	| tar -C out/qvs -mx
-.PHONY: serve-qvs
+.PHONY: serve
 serve-qvs: build-qvs
 	tar -C out/qvs -cf - . | docker load
 	docker run -p $(PORT):8080 git.distrust.co/public/docs-qvs
--- a/quorum-vault-system/src/component-documents/git-commit-signing.md
+++ b/quorum-vault-system/src/component-documents/git-commit-signing.md
@ -1,27 +1,35 @@
 /* ANCHOR: all */
 # Git Commit Signing
 // ANCHOR: steps
-1. Retrieve the value of your PGP key ID from smartcard
+1. Retrieve the value of your PGP key ID by using:
    * `gpg --list-keys`
 1. Set up local `.gitconfig` file with desired PGP key:
    ```
-    gpg --card-status
+    [user]
        name = <name>
        email = <email>
        signingKey = <pgp_key_id> 
    [commit]
        gpgsign = true
        merge = true
    [core]
        editor = "code --wait"
    ```
-1. Configure git to sign commits with smartcard
+1. Set up environment variables for using smart cards
    ```
    $ git config --global user.name <name>
    $ git config --global user.email <email>
    $ git config --global user.signingKey <pgp_key_id>
    $ git config --global commit.gpgsign = true
    $ git config --global commit.merge = true
    ```
-1. Configure ssh to authenticate with smartcard
+    Open the `~/.bashrc` file and add the following content at the end:
    ```bash
    if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
        export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    fi
    GPG_TTY=$(tty)
    export GPG_TTY
    ```
    $ echo 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' > ~/.bashrc
    $ source ~/.bashrc
    ```
    Note: If you use another shell such as zsh, adjust acccordingly
 // ANCHOR_END: steps
 /* ANCHOR: all */
--- a/quorum-vault-system/src/component-documents/openpgp-setup.md
+++ b/quorum-vault-system/src/component-documents/openpgp-setup.md
@ -8,59 +8,40 @@ as such need to be set up in a manner that minimizes exposure risks.
 ## Generating Keys using `keyfork` and `oct`
 // ANCHOR: steps-keyfork
 1. Insert an SD card into the system
 1. Change working directory to SD card mount location
    ```
    $ cd /media/TRANSFER
    ```
 1. Insert a smartcard into the system, and get its ID:
-	a. Set variable with card ID
+	* `smart_card_id="$(oct list -i | head -1)"`
    ```
    $ card_id="$(oct list -i | head -1)"`
    ```
 	b. Test the variable was set correctly
    ```
    $ echo $card_id` 
    ```
-1. Set the smart card to require touch for all operations
+	* You may test the variable was set correctly using `echo $smart_card_id` (tapping tab for auto-completion is helpful here)
-    ```
+1. Set the smart card to require touch for all operations (defau admin PIN is 12345678):
-    $ oct admin --card $card_id touch --key SIG --policy On
+
-    $ oct admin --card $card_id touch --key DEC --policy On
+	* `oct admin --card $smart_card_id touch --key SIG --policy On`
-    $ oct admin --card $card_id touch --key AUT --policy On
+	* `oct admin --card $smart_card_id touch --key DEC --policy On`
-    $ oct admin --card $card_id touch --key ATT --policy On
+	* `oct admin --card $smart_card_id touch --key AUT --policy On`
-    ```
+	* `oct admin --card $smart_card_id touch --key ATT --policy On`
    Note: default admin PIN is 12345678
 1. Generate a mnemonic, encrypting to a newly-generated key:
-	  ```
+	* `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"`
    $ keyfork mnemonic generate --encrypt-to-self public.asc,output=private.asc --provision openpgp-card,identifier="$card_id"
    ```
-	  Note: The PIN can't use sequential numbers, characters or repeated patterns.
+	* The PIN can't use sequential numbers, characters or repeated patterns. 
-1. Rename output to use key fingerprint:
+1. If additional smart cards are required, recover the Keyfork key from the encrypted mnemonic:
-    ```
+	* `gpg --import cert.asc`
    $ fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"
    $ mv public.asc "${fingerprint}.pub.asc"
    $ mv private.asc "${fingerprint}.prv.asc"
    ```
-1. Optional: Create duplicate smartcards.
+	* `gpg --decrypt encrypted-mnemonic.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon`
-    You can insert new smartcards and perform the following steps as needed:
+	* Remove your previous key, and plug in the new key.
-    ```
+	* `smart_card_id="$(oct list -i | head -1)"`
-    $ gpg --import *.pub.asc
+
-    $ gpg --decrypt *.prv.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon
+	* `keyfork provision openpgp-card --identifier "$smart_card_id" --account-id 0`
-    $ keyfork provision openpgp-card --identifier "$(oct list -i | head -1)" --account-id 0
+
-    ```
+1. Insert an SD card to contain the public certificate and the encrypted mnemonic.
 	* `cp cert.asc encrypted-mnemonic.asc /media`
 // ANCHOR_END: steps-keyfork
--- a/quorum-vault-system/src/component-documents/tamper-evidence-methods.md
+++ b/quorum-vault-system/src/component-documents/tamper-evidence-methods.md
@ -131,11 +131,15 @@ Sealing bags of standard size objects which need to be protected can fit in. The
 #### Unsealing
 // ANCHOR: vsbwf-procedure-unsealing
-    a. Retrieve digital/physical photographs of both sides of sealed bundle
+1. Retrieve photographs of the top and the bottom of the object which were taken of the sealed object
-    b. Compare all photographs to object for differences
+1. Compare printed photographs of object to the sealed object
-    c. Proceed with unsealing the object if no differences are detected
+1. (IF polaroid photographs are available): Compare polaroid to the current state of the sealed object
 1. (IF polaroid photographs are available): Compare polaroid to printed photographs
 1. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process according to organization's policies.
 // ANCHOR_END: vsbwf-procedure-unsealing
--- a/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md
+++ b/quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md
@ -2,73 +2,95 @@
 ## Requirements
 * Computer
    * Preferred: [AirGapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
    * Alternative: Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
 * [AirgapOS SD card](../level-2/fixed-location/provisioner/provision-airgapos.md)
  * Provided by [AirGapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
  * Alternative: Create your own from documentation in [AirgapOS Repository](https://git.distrust.co/public/airgap)
-* AirgapOS Laptop
+* 2+ new smart cards
  * Provided by [AirGapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
  * Alternative: Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
-* Linux Workstation
+* 2+ SD cards
  * Any internet connected Linux shell will suffice
-* 1 New Smart Card
+##  Generate OpenPGP Key
  * Nitrokey Pro 3+ or Yubikey 5+
-* 1 Transfer SD card
+1. If using AirGapped Bundle unseal first, otherwise proceed to step where AirgapOS SD card is inserted into computer
  * Document will assume volume label is TRANSFER
  * Brand and size does not matter
 ##  Process
 **Note: Most steps will simplified to a single command in a future iteration**
 **See: [keyfork#73](https://git.distrust.co/public/keyfork/issues/73), [keyfork#74](https://git.distrust.co/public/keyfork/issues/74), [keyfork#76](https://git.distrust.co/public/keyfork/issues/76), [keyfork#77](https://git.distrust.co/public/keyfork/issues/77), [keyfork#78](https://git.distrust.co/public/keyfork/issues/78)**
 1. If using pre-sealed Cold Bundle unseal as follows:
 {{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
-1. Boot AirgapOS Laptop
+1. Insert AirgapOS SD card into computer
 1. Boot to AirgapOS
    * Boot from the SD card by modifying the Boot Menu
    * [Disabling secure boot](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html) may be necessary
 {{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}
-1. Power down AirgapOS Laptop
+## Adding a OpenPGP Public Certificate to the Ceremony Repository
-1. Switch to Linux Workstation
+1. Switch to online machine
-1. Attach SD card from AirgapOS machine
+1. Open a terminal and navigate to the `vaults` repository or clone it:
-1. Attach smartcard provisioned with AirgapOS machine
+    * If already cloned: `cd ~/vaults`
-1. Import newly generated public key into local keychain
+    * If not, clone using: `cd ~ && git clone <vaults_repository_url>`
-    ```
+1. Ensure you are on the correct branch:
    $ gpg --import /media/transport/*.pub.asc
    ```
-{{ #include ../../component-documents/git-commit-signing.md:steps }}
+    * `git checkout main`
-1. Push new key material to Vaults repository
+1. Pull the latest ceremony repo changes
-	a. Clone repository (if not done previously)
+    * `git pull origin main`
-    ```
+
-    $ git clone <vaults_repository_url> ~/vaults
+1. Ensure you have the certificate copied locally. If on an SD card, plug in the SD card and use the following steps to copy certificate to online machine:
-    ```
+
-	b. Checkout main branch
+    * To copy from SD card:
-    ```
+
-    $ cd ~/vaults
+        {{ #include ../../component-documents/finding-device-name.md:content }}
-    $ git checkout main
+
-    $ git pull origin main
+    * `cp /media/cert.asc ~/vaults`
-    ```
+
-	b. Commit and push modifications
+1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html):
-    ```
+
-    $ cp /media/TRANSFER/*.asc keys/all
+
-    $ git add .
+	1. Obtain the fingerprint for the certificate:
-    $ git commit -S -m "add <name> pgp key"
+
-    $ git push origin main
+		* `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"`
-    ```
+
 	1. Copy the certificate to a name based on the keyring:
 		* `cp cert.asc "${fingerprint}.asc"`
 1. If exporting a certificate from GnuPG:
 	1. Find your key fingerprint:
 		* `gpg --list-keys`
 	1. Export your OpenPGP public certificate:
 		* `gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc`
 1. Place the file in `keys/all/<key_fingerprint>.asc`
    * `mv <key_fingerprint>.asc keys/all/`
 1. Stage the modified file:
    * `git add keys/all/<key_fingerprint>.asc`
 1. Create signed git commit:
    * `git commit -S -m "add <name> pgp key"`
 1. Push to the commit:
    * `git push origin main`
 1. Communicate your new key fingerprint to all other participants:
@ -76,7 +98,9 @@
    * Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)
-1. Get confirmation they have imported your key to their keychains
+1. Get confirmation they have used `gpg --import <your_key_id>.asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo
-    * e.g. `gpg --import <your_key_id>.asc` 
+## Local Configurations for OpenPGP
-    * Confirm this is done for keyrings on workstations used to interact with the Vaults repository
+This configuration enables the use of smart cards for OpenPGP operations, and enforces git commit signing.
 {{ #include ../../component-documents/git-commit-signing.md:steps }}