docs/quorum-key-management/src/one-time-repository-setup.md

Repository Setup

Before the one-time ceremony, a git repository should be set up containing the items that will be needed during the ceremony, namely:

  • The PGP public certificates of the Location Keys which will be used for the ceremony. The key IDs of these certificates will be verified during the ceremony. Operators should compare full fingerprints rather than short (32-bit) key IDs, since short key IDs are not collision resistant.

  • `ceremony.sh`, a script which imports the PGP public certificates of the Location Keys and displays their key IDs so that Operators can verify that they are the correct ones, refusing to continue otherwise. The script then executes the appropriate keyfork command with the desired threshold:

    #!/bin/sh
    # ceremony.sh: import the Location Key certificates, have the Operators
    # confirm their key IDs, then run the keyfork wizard.
    set -eu
    
    # Keystrokes feed the kernel entropy pool through hardware interrupts on
    # the airgapped machine; the typed text itself is discarded.
    printf 'Generate hardware interrupt entropy by typing randomly on the keyboard, then press Enter: '
    read -r _entropy
    
    # List mounted filesystems so the Operator can locate the ceremony repository.
    mount
    
    printf 'Provide the absolute path to the ceremony repository: '
    read -r absolute_path
    
    if [ ! -d "$absolute_path" ]; then
        echo "Directory does not exist. Please enter a valid absolute path." >&2
        exit 1
    fi
    
    # Import each certificate and print its key ID for the Operators to check
    # against their Ceremony Notes.
    for file in "$absolute_path"/keys/*; do
        if [ -f "$file" ]; then
            echo "Processing file: $file"
            gpg --import --import-options import-show "$file"
        fi
    done
    
    printf 'Do the PGP key IDs match what you expect? (y/n): '
    read -r matches_expectation
    
    if [ "$matches_expectation" != "y" ]; then
        echo "Ceasing ceremony as PGP key IDs don't match" >&2
        exit 1
    fi
    
    keyfork wizard bottoms-up --threshold 2 \
        --output-cert "$absolute_path"/cert \
        --output-shardfile "$absolute_path"/shardfile \
        --user-id "QKM Ceremony" \
        "$absolute_path"/keys
    
  • The `airgap.iso` image which is to be booted during the ceremony.

  • Each operator should produce Ceremony Notes which contain:

    • sha256sum of airgap.iso

    • The AirgapOS commit and date for the version that was used

    • sha256sum of ceremony.sh

    • The key ID (preferably the full fingerprint) of each PGP public certificate located in `public-certificates` in the ceremony repository
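
The following is an added example of producing the Ceremony Notes listed above; it is not part of the QKM documentation, keyfork or AirgapOS. It hashes `airgap.iso` and `ceremony.sh` and derives the v4 OpenPGP fingerprint and long key ID of every certificate in `public-certificates` by parsing the packets directly (SHA-1 over `0x99 || length || key packet body`), so the values recorded in the notes do not depend on the `gpg` build that will later import the keys. The certificate directory name follows the checklist above, and every input in `demo()` (the stand-in ISO, script and the toy RSA key packet) is constructed for the example; the AirgapOS commit and date must still be filled in by the Operator.

```python
#!/usr/bin/env python3
"""Ceremony Notes generator (added example, not project code).

Handles binary and ASCII-armored certificates, old- and new-format packet
headers, and v4 primary keys; anything else is rejected rather than guessed.
"""
import base64
import hashlib
import tempfile
from pathlib import Path


def dearmor(data: bytes) -> bytes:
    """Return the binary packet stream from binary or ASCII-armored input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii", "replace").splitlines()[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            if line.strip() == "":          # blank line ends the armor headers
                in_body = True
                continue
            if ":" in line:                 # an armor header such as "Comment: ..."
                continue
            in_body = True                  # no headers: data starts at once
        if line.startswith("="):            # CRC-24 line, not part of the data
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def iter_packets(stream: bytes):
    """Yield (tag, body) for each OpenPGP packet in the stream."""
    pos = 0
    while pos < len(stream):
        ctb = stream[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, stream[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + stream[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(stream[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial-body lengths not supported here")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            size = 1 << ltype                           # 1, 2 or 4 length bytes
            length, hdr = int.from_bytes(stream[pos + 1:pos + 1 + size], "big"), 1 + size
        yield tag, stream[pos + hdr:pos + hdr + length]
        pos += hdr + length


def v4_fingerprint(cert: bytes) -> str:
    """Fingerprint of the primary key (tag 6): SHA-1(0x99 || 2-byte length || body)."""
    for tag, body in iter_packets(dearmor(cert)):
        if tag == 6:
            if body[0] != 4:
                raise ValueError(f"only v4 keys are handled, got v{body[0]}")
            digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body)
            return digest.hexdigest().upper()
    raise ValueError("no public-key packet found")


def key_id(fingerprint: str) -> str:
    """The 64-bit long key ID is the low 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def ceremony_notes(repo: Path, cert_dir: str = "public-certificates") -> list:
    """Build the Ceremony Notes lines for a checked-out ceremony repository."""
    sha256 = lambda p: hashlib.sha256(p.read_bytes()).hexdigest()
    lines = [f"sha256sum airgap.iso: {sha256(repo / 'airgap.iso')}",
             "AirgapOS commit and date: <filled in by the Operator>",
             f"sha256sum ceremony.sh: {sha256(repo / 'ceremony.sh')}"]
    for cert in sorted((repo / cert_dir).iterdir()):
        fp = v4_fingerprint(cert.read_bytes())
        lines.append(f"{cert.name}: key ID {key_id(fp)} fingerprint {fp}")
    return lines


def build_sample_cert(armored: bool = False) -> bytes:
    """A constructed v4 RSA public-key packet with toy MPIs; NOT a real key."""
    n, e = (0xC0FFEE).to_bytes(3, "big"), (0x010001).to_bytes(3, "big")
    body = (b"\x04" + (1700000000).to_bytes(4, "big") + b"\x01"      # version, time, RSA
            + (24).to_bytes(2, "big") + n + (17).to_bytes(2, "big") + e)  # MPIs: bit count, bytes
    packet = bytes([0xC0 | 6, len(body)]) + body                    # new-format header, tag 6
    if not armored:
        return packet
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(packet).decode()
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n").encode()


def demo() -> list:
    """Run the generator over a constructed stand-in repository."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "airgap.iso").write_bytes(b"constructed stand-in for airgap.iso\n")
        (repo / "ceremony.sh").write_bytes(b"#!/bin/sh\necho constructed stand-in\n")
        (repo / "public-certificates").mkdir()
        (repo / "public-certificates" / "operator-1.asc").write_bytes(build_sample_cert(armored=True))
        (repo / "public-certificates" / "operator-2.pgp").write_bytes(build_sample_cert())
        return ceremony_notes(repo)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Each Operator runs this against their own clone and the notes are compared out of band before the ceremony; `gpg --import --import-options import-show` on the airgapped machine should then print the same key IDs. Certificates with v5/v6 keys or partial-body lengths are rejected so that a mismatch is never silently papered over.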