Makefile

@@ -16,7 +16,7 @@ out/qvs/index.json: out Containerfile.qvs $(shell find quorum-vault-system -type
 		. \
 	| tar -C out/qvs -mx
 
-.PHONY: serve-qvs
+.PHONY: serve
 serve-qvs: build-qvs
 	tar -C out/qvs -cf - . | docker load
 	docker run -p $(PORT):8080 git.distrust.co/public/docs-qvs

quorum-vault-system/src/component-documents/git-commit-signing.md

@@ -1,27 +1,35 @@
 /* ANCHOR: all */
 # Git Commit Signing
 // ANCHOR: steps
-1. Retrieve the value of your PGP key ID from smartcard
+1. Retrieve the value of your PGP key ID by using:
 
+    * `gpg --list-keys`
+
+1. Set up local `.gitconfig` file with desired PGP key:
     ```
-    gpg --card-status
+    [user]
+        name = <name>
+        email = <email>
+        signingKey = <pgp_key_id> 
+
+    [commit]
+        gpgsign = true
+        merge = true
+    [core]
+        editor = "code --wait"
     ```
 
-1. Configure git to sign commits with smartcard
-    ```
-    $ git config --global user.name <name>
-    $ git config --global user.email <email>
-    $ git config --global user.signingKey <pgp_key_id>
-    $ git config --global commit.gpgsign = true
-    $ git config --global commit.merge = true
-    ```
+1. Set up environment variables for using smart cards
 
-1. Configure ssh to authenticate with smartcard
+    Open the `~/.bashrc` file and add the following content at the end:
 
+    ```bash
+    if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
+        export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+    fi
+
+    GPG_TTY=$(tty)
+    export GPG_TTY
     ```
-    $ echo 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"' > ~/.bashrc
-    $ source ~/.bashrc
-    ```
-    Note: If you use another shell such as zsh, adjust acccordingly
 // ANCHOR_END: steps
 /* ANCHOR: all */

quorum-vault-system/src/component-documents/openpgp-setup.md

@@ -8,59 +8,40 @@ as such need to be set up in a manner that minimizes exposure risks.
 ## Generating Keys using `keyfork` and `oct`
 // ANCHOR: steps-keyfork
 
-1. Insert an SD card into the system
-
-1. Change working directory to SD card mount location
-    ```
-    $ cd /media/TRANSFER
-    ```
-
 1. Insert a smartcard into the system, and get its ID:
 
-	a. Set variable with card ID
-    ```
-    $ card_id="$(oct list -i | head -1)"`
-    ```
-	b. Test the variable was set correctly
-    ```
-    $ echo $card_id` 
-    ```
+	* `smart_card_id="$(oct list -i | head -1)"`
 	
-1. Set the smart card to require touch for all operations
+	* You may test the variable was set correctly using `echo $smart_card_id` (tapping tab for auto-completion is helpful here)
 
-    ```
-    $ oct admin --card $card_id touch --key SIG --policy On
-    $ oct admin --card $card_id touch --key DEC --policy On
-    $ oct admin --card $card_id touch --key AUT --policy On
-    $ oct admin --card $card_id touch --key ATT --policy On
-    ```
-    Note: default admin PIN is 12345678
+1. Set the smart card to require touch for all operations (defau admin PIN is 12345678):
+
+	* `oct admin --card $smart_card_id touch --key SIG --policy On`
+	* `oct admin --card $smart_card_id touch --key DEC --policy On`
+	* `oct admin --card $smart_card_id touch --key AUT --policy On`
+	* `oct admin --card $smart_card_id touch --key ATT --policy On`
 
 1. Generate a mnemonic, encrypting to a newly-generated key:
         
-	  ```
-    $ keyfork mnemonic generate --encrypt-to-self public.asc,output=private.asc --provision openpgp-card,identifier="$card_id"
-    ```
+	* `keyfork mnemonic generate --size 256 --encrypt-to-self cert.asc,output=encrypted-mnemonic.asc --provision openpgp-card,identifier="$smart_card_id"`
 
-	  Note: The PIN can't use sequential numbers, characters or repeated patterns.
+	* The PIN can't use sequential numbers, characters or repeated patterns. 
 
-1. Rename output to use key fingerprint:
+1. If additional smart cards are required, recover the Keyfork key from the encrypted mnemonic:
 
-    ```
-    $ fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"
-    $ mv public.asc "${fingerprint}.pub.asc"
-    $ mv private.asc "${fingerprint}.prv.asc"
-    ```
+	* `gpg --import cert.asc`
 
-1. Optional: Create duplicate smartcards.
+	* `gpg --decrypt encrypted-mnemonic.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon`
 
-    You can insert new smartcards and perform the following steps as needed:
+	* Remove your previous key, and plug in the new key.
 
-    ```
-    $ gpg --import *.pub.asc
-    $ gpg --decrypt *.prv.asc | KEYFORK_PROMPT_TYPE=headless keyfork recover mnemonic --daemon
-    $ keyfork provision openpgp-card --identifier "$(oct list -i | head -1)" --account-id 0
-    ```
+	* `smart_card_id="$(oct list -i | head -1)"`
+
+	* `keyfork provision openpgp-card --identifier "$smart_card_id" --account-id 0`
+
+1. Insert an SD card to contain the public certificate and the encrypted mnemonic.
+
+	* `cp cert.asc encrypted-mnemonic.asc /media`
 
 // ANCHOR_END: steps-keyfork
 

quorum-vault-system/src/component-documents/tamper-evidence-methods.md

@@ -131,11 +131,15 @@ Sealing bags of standard size objects which need to be protected can fit in. The
 #### Unsealing
 // ANCHOR: vsbwf-procedure-unsealing
 
-    a. Retrieve digital/physical photographs of both sides of sealed bundle
+1. Retrieve photographs of the top and the bottom of the object which were taken of the sealed object
 
-    b. Compare all photographs to object for differences
+1. Compare printed photographs of object to the sealed object
 
-    c. Proceed with unsealing the object if no differences are detected
+1. (IF polaroid photographs are available): Compare polaroid to the current state of the sealed object
+
+1. (IF polaroid photographs are available): Compare polaroid to printed photographs
+
+1. If there is no noticeable difference, proceed with unsealing the object, otherwise initiate an incident response process according to organization's policies.
 
 // ANCHOR_END: vsbwf-procedure-unsealing
 

quorum-vault-system/src/generated-documents/all-levels/pgp-key-provisioning.md

@@ -2,73 +2,95 @@
 
 ## Requirements
 
+* Computer
+    * Preferred: [AirGapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
+    
+    * Alternative: Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
+
 * [AirgapOS SD card](../level-2/fixed-location/provisioner/provision-airgapos.md)
-  * Provided by [AirGapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
-  * Alternative: Create your own from documentation in [AirgapOS Repository](https://git.distrust.co/public/airgap)
 
-* AirgapOS Laptop
-  * Provided by [AirGapped Bundle](../level-2/fixed-location/provisioner/air-gapped-bundle.md)
-  * Alternative: Computer that can load AirgapOS ([compatibility reference](https://git.distrust.co/public/airgap#tested-models))
+* 2+ new smart cards
 
-* Linux Workstation
-  * Any internet connected Linux shell will suffice
+* 2+ SD cards
 
-* 1 New Smart Card
-  * Nitrokey Pro 3+ or Yubikey 5+
+##  Generate OpenPGP Key
 
-* 1 Transfer SD card
-  * Document will assume volume label is TRANSFER
-  * Brand and size does not matter
-
-##  Process
-
-**Note: Most steps will simplified to a single command in a future iteration**
-
-**See: [keyfork#73](https://git.distrust.co/public/keyfork/issues/73), [keyfork#74](https://git.distrust.co/public/keyfork/issues/74), [keyfork#76](https://git.distrust.co/public/keyfork/issues/76), [keyfork#77](https://git.distrust.co/public/keyfork/issues/77), [keyfork#78](https://git.distrust.co/public/keyfork/issues/78)**
-
-1. If using pre-sealed Cold Bundle unseal as follows:
+1. If using AirGapped Bundle unseal first, otherwise proceed to step where AirgapOS SD card is inserted into computer
 
 {{ #include ../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing }}
 
-1. Boot AirgapOS Laptop
+1. Insert AirgapOS SD card into computer
+
+1. Boot to AirgapOS
+
+    * Boot from the SD card by modifying the Boot Menu
+
+    * [Disabling secure boot](generated-documents/level-2/fixed-location/procurer/procure-tamper-proofing-equipment.html) may be necessary
 
 {{ #include ../../component-documents/openpgp-setup.md:steps-keyfork}}
 
-1. Power down AirgapOS Laptop
+## Adding a OpenPGP Public Certificate to the Ceremony Repository
 
-1. Switch to Linux Workstation
+1. Switch to online machine
 
-1. Attach SD card from AirgapOS machine
+1. Open a terminal and navigate to the `vaults` repository or clone it:
 
-1. Attach smartcard provisioned with AirgapOS machine
+    * If already cloned: `cd ~/vaults`
 
-1. Import newly generated public key into local keychain
+    * If not, clone using: `cd ~ && git clone <vaults_repository_url>`
 
-    ```
-    $ gpg --import /media/transport/*.pub.asc
-    ```
+1. Ensure you are on the correct branch:
 
-{{ #include ../../component-documents/git-commit-signing.md:steps }}
+    * `git checkout main`
 
-1. Push new key material to Vaults repository
+1. Pull the latest ceremony repo changes
 
-	a. Clone repository (if not done previously)
-    ```
-    $ git clone <vaults_repository_url> ~/vaults
-    ```
-	b. Checkout main branch
-    ```
-    $ cd ~/vaults
-    $ git checkout main
-    $ git pull origin main
-    ```
-	b. Commit and push modifications
-    ```
-    $ cp /media/TRANSFER/*.asc keys/all
-    $ git add .
-    $ git commit -S -m "add <name> pgp key"
-    $ git push origin main
-    ```
+    * `git pull origin main`
+
+1. Ensure you have the certificate copied locally. If on an SD card, plug in the SD card and use the following steps to copy certificate to online machine:
+
+    * To copy from SD card:
+
+        {{ #include ../../component-documents/finding-device-name.md:content }}
+
+    * `cp /media/cert.asc ~/vaults`
+
+1. If using a certificate from [Personal PGP Key Provisioning](/generated-documents/all-levels/pgp-key-provisioning.html):
+
+
+	1. Obtain the fingerprint for the certificate:
+
+		* `fingerprint="$(sq keyring cert.asc | awk '{ print $2 }')"`
+
+	1. Copy the certificate to a name based on the keyring:
+
+		* `cp cert.asc "${fingerprint}.asc"`
+
+1. If exporting a certificate from GnuPG:
+
+	1. Find your key fingerprint:
+
+		* `gpg --list-keys`
+
+	1. Export your OpenPGP public certificate:
+
+		* `gpg --export --armor <key_fingerprint> > <key_fingerprint>.asc`
+
+1. Place the file in `keys/all/<key_fingerprint>.asc`
+
+    * `mv <key_fingerprint>.asc keys/all/`
+
+1. Stage the modified file:
+
+    * `git add keys/all/<key_fingerprint>.asc`
+
+1. Create signed git commit:
+
+    * `git commit -S -m "add <name> pgp key"`
+
+1. Push to the commit:
+
+    * `git push origin main`
 
 1. Communicate your new key fingerprint to all other participants:
 
@@ -76,7 +98,9 @@
     
     * Fallback: via two logically distinct online communications methods (e.g. encrypted chat, and video call)
 
-1. Get confirmation they have imported your key to their keychains
+1. Get confirmation they have used `gpg --import <your_key_id>.asc` to import your key from the git repo to the keyrings on workstations they will use to interact with the ceremony repo
 
-    * e.g. `gpg --import <your_key_id>.asc` 
-    * Confirm this is done for keyrings on workstations used to interact with the Vaults repository
+## Local Configurations for OpenPGP
+This configuration enables the use of smart cards for OpenPGP operations, and enforces git commit signing.
+
+{{ #include ../../component-documents/git-commit-signing.md:steps }}