2.3 KiB
/* ANCHOR: all */
PureBoot Hash Verifying .iso Setup
If the SD card with AirgapOS is stored as part of a Air-Gapped bundle, then doing this secure boot sequence is only necessary the first time. Of course, it doesn't hurt to use this method as an additional precaution, reducing the risk that one of the operators can swap out the SD card for a different one during a ceremony.
This section can be completed on any machine.
AirgapOS has keyfork and icepick built into it for cryptographic operations such as key derivation and signing
// ANCHOR: steps
-
Build the software according to the readme in the repository.Use the
make reproducecommand. -
Verify the software according to this guide
-
Place signed .iso on a storage device
a. Import the public key for the PureBoot Smart Card from Initialize PureBoot Smart Card guide.
gpg --import <ID>.ascb. Get the GPG key ID using the command:
gpg --list-keysIt should look something like
6B61ECD76088748C70590D55E90A401336C8AAA9c. Sign the
airgap.isoimage using the "PureBoot Smart Card", which is set up in Initalize PureBoot Smart Card guide.gpg --detach-sign --armor --default-key <ID> airgap.iso -
Copy
airgap.isoand detached signature to a storage devicea. Select a new Storage Device which has no other files on it and plug it into the machine that has the
airgap.isofile and the detached GPG signature.b. Find the name of the Storage Device using this guide
d. Use the
mountcommand to mount the drivee. Copy both the
airgap.isoand detached signature to the drive. -
Lock the SD card using
sdtool -
Make sure to note the
sha256sumhash of theairgap.isoand write it down on a piece of paper. -
Multiple members of your team should build the
airgap.isoimage independently and usesha256sum airgap.isoin order to hash it, then record the value for later use. This value will be checked during Ceremonies before booting the ISO image to ensure it can be trusted.
// ANCHOR_END: steps /* ANCHOR_END: all */