docs/quorum-vault-system/src/generated-documents/level-2/fixed-location/approver/approve-transaction.md

Approver - Approve Transaction

The approver is responsible for verifying a transaction proposed by a proposer.

Requirements

  • Quorum PGP Key

  • Online Machine

  • SD Card Pack

  • Air-Gapped Bundle

    • The approver should print the photographic evidence taken with digital cameras, which is stored in a PGP-signed repository. The photographs should show the top and underside of the vacuum-sealed object.

    • The approver should verify the commit signatures of the photographs they are printing against the list of permitted PGP keys found in the vaults repo.

  • Clone the Vaults Repository for your organization to the machine
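
One way to carry out the commit-signature check on the photographs, as an added example rather than code from this repository. It assumes the permitted keys are available as an armored keyring file and that the signing keys are imported into the local GnuPG keyring so git can verify them; the function names, the `|`-separated format and the sample fingerprints are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not project code): allowlist check for commit signatures.

# Print every fingerprint in an armored keyring, one per line. Subkeys are
# included because %GF reports the key that actually made the signature.
keyring_fingerprints() {
  gpg --show-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10 }'
}

# Reads "<status>|<fingerprint>|<commit>" lines on stdin, as produced by
#   git log --format='%G?|%GF|%H' -- <photo_path>
# $1 is a file of permitted fingerprints (e.g. keyring_fingerprints output).
# Returns 0 only if every commit has a good signature from a permitted key.
check_commit_sigs() {
  local allowlist="$1" status fpr commit rc=0 seen=0
  while IFS='|' read -r status fpr commit; do
    seen=$((seen + 1))
    case "$status" in
      G|U) ;;  # valid signature; trust is decided by the allowlist below
      *) echo "REJECT $commit: signature status '$status'" >&2
         rc=1; continue ;;  # N none, B bad, E unverifiable, X/Y/R expired or revoked
    esac
    if [ -z "$fpr" ] || ! grep -qxF "$fpr" "$allowlist"; then
      echo "REJECT $commit: signer '$fpr' is not a permitted key" >&2
      rc=1
    fi
  done
  # Fail closed: an empty history means the path was wrong or never committed.
  if [ "$seen" -eq 0 ]; then
    echo "REJECT: no commits found for this path" >&2
    rc=1
  fi
  return "$rc"
}

# Constructed sample data: placeholder fingerprints and commit ids.
demo() {
  local allow; allow="$(mktemp)"
  printf '%s\n' FPR_APPROVER_1 FPR_APPROVER_2 > "$allow"
  printf '%s\n' 'G|FPR_APPROVER_1|c0ffee1' 'U|FPR_APPROVER_2|c0ffee2' |
    check_commit_sigs "$allow" && echo "history A: all signers permitted"
  printf '%s\n' 'G|FPR_APPROVER_1|c0ffee1' 'G|FPR_UNKNOWN|c0ffee3' 'N||c0ffee4' |
    check_commit_sigs "$allow" || echo "history B: rejected, do not print"
  rm -f "$allow"
}
demo
```

The check covers the whole history of the photograph's path, so a single unsigned or unrecognised commit causes the photograph to be rejected.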

Procedure

  1. Turn on the online machine

  2. Pull the latest changes from the vaults repository

  3. Unseal the SD Card Pack

{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}

  1. Plug a fresh SD card into the online machine

  2. Save the vaults repository to the SD card, referred to as the Ceremony SD card

  3. Unplug the Ceremony SD card

  4. Unseal the tamper proofed bundle

{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-unsealing}}

  1. Insert the AirgapOS SD card into the airgapped machine and turn it on

  2. Once booted, unplug the AirgapOS SD card

  3. Plug in the Ceremony SD card

  4. {{ #include ../../../../component-documents/finding-device-name.md:content }}

  5. Plug in the Operator smart card

  6. Set a local variable pgp_key_id to the smart card OpenPGP key id:

    • pgp_key_id="$(oct list -i | head -1)"
  7. Copy the git repo locally from the Ceremony SD card

    • cp -r /media/<device_name>/vaults /root/vaults
  8. Change directory to vaults

    • cd /root/vaults
  9. Verify the existing signatures and add your own signature:

    • icepick workflow --add-signature-to-file <namespace>/ceremonies/<date>/payload_<num>.json --keyring <namespace>/keyring.asc
  10. Stage the modified file:

    • git add <namespace>/ceremonies/<date>/payloads/*
  11. Create a signed git commit:

    • git commit -S -m "add payload signature for payload_<num>.json using $pgp_key_id"
  12. {{ #include ../../../../component-documents/finding-device-name.md:content }}

  13. Copy the updated vaults repo to the SD card

    • cp -r /root/vaults /media/<device_name>/
  14. Unplug the SD card from the air-gapped machine

  15. Plug the SD card into the online machine

  16. {{ #include ../../../../component-documents/finding-device-name.md:content }}

  17. Copy the updated repository locally:

    • cp -r /media/<device_name>/vaults ~/
  18. Change into the locally copied directory

    • cd ~/vaults
  19. Push the latest commit to the repository

    • git push origin main
  20. Tamper proof the AirgapOS and Air-gapped laptop

{{ #include ../../../../component-documents/tamper-evidence-methods.md:vsbwf-procedure-sealing}}