public
/
docs
5
0
Fork 0
Code Issues 9 Pull Requests 3 Packages Projects Releases Wiki Activity
docs/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md

2.8 KiB
Raw Blame History

Approver - Approve Transaction

The approver is responsible for verifying a transaction proposed by a proposer.

Requirements

  • Quorum PGP Key

  • Online Machine

  • SD Card Pack

  • Air-Gapped Bundle

    • The approver should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.

    • The approver should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the "ceremonies" repo

  • Ensure that the computer is configured to sign commits with the desired key. Refer to the Appendix: Git Commit Signing Configuration

  • Clone the Ceremonies Repository for your organization to the machine

Procedure

  1. Turn on online machine

  2. Pull the latest changes from the ceremonies repository

  3. Unseal the SD Card Pack

{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}

  1. Plug a fresh SD card into the online machine

  2. Save the ceremonies repo to the SD card, referred to as the Ceremony SD card

  3. Unplug the Ceremony SD card

  4. Unseal the tamper proofed bundle

{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}

  1. Insert the AirgapOS SD card into the airgapped machine and turn it on

  2. Once booted, unplug the AirgapOS SD card

  3. Plug in the Ceremony SD card

  4. Copy the git repo locally from the Ceremony SD card

    • cp -r /media/external/ceremonies /root/ceremonies; cd /root/ceremonies

  5. Verify the detached signature for the payload

    • gpg --verify <filename> <filename>.1.sig

    • The filename will be of format: keys/ceremonies/<date>/payloads/payload_<number>.json

  6. Verify the key is authenticated:

    • sq-wot --gpg list "<their@email.co>"

    • Ensure the output of the command includes "fully authenticated"

  7. Sign the transaction payload:

    • gpg --detach-sign <filename> > <filename>.2.sig

  8. Create a signed git commit:

    • git commit -S -m "add <name> pgp key"

  9. Copy the updated ceremonies repo to the SD card

    • cp -r . /media/external/ceremonies

  10. Unplug the SD card from the air-gapped machine

  11. Plug in the SD card into the online machine

  12. Push the latest commit to the repository

  13. Tamper proof the AirgapOS and Air-gapped laptop

{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}

Appendix

Git Commit Signing Configuration

{{ #include ../../../../component-documents/git-commit-signing.md:steps }}