Approver - Approve Transaction

The approver is responsible for verifying a transaction proposed by a proposer.

Requirements

  • Quorum PGP Key

  • Linux Workstation (online machine)

    • Any internet connected computer with a Linux shell will suffice

  • SD Card Pack

  • Air-Gapped Bundle

    • The approver should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.

    • The approver should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the vaults repo

  • Clone the Vaults Repository for your organization to the machine

Procedure

  1. Turn on online linux workstation

  2. Pull the latest changes from the vaults repository

  3. Unseal the SD Card Pack

    Vacuum sealing based tamper proofing

    a. Retrieve digital/physical photographs of both sides of sealed bundle

    b. Compare all photographs to object for differences

    c. Proceed with unsealing the object if no differences are detected

    Safe based tamper proofing

    1. Inspect the safe for any signs of tampering

    2. Retrieve items from the safe

  4. Plug a fresh SD card into the online linux workstation

  5. Save the vaults repository to the SD card, referred to as the Trove SD card

  6. Unplug the Trove SD card

  7. Unseal the tamper proofed bundle

    Vacuum sealing based tamper proofing

    a. Retrieve digital/physical photographs of both sides of sealed bundle

    b. Compare all photographs to object for differences

    c. Proceed with unsealing the object if no differences are detected

    Safe based tamper proofing

    1. Inspect the safe for any signs of tampering

    2. Retrieve items from the safe

  8. Insert the AirgapOS SD card into the airgapped machine and turn it on

  9. Once booted, unplug the AirgapOS SD card

  10. Plug in the Trove SD card

  11. Look for the SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX or /dev/mmcblk<num>, where X is a letter (e.g., /dev/sdb, /dev/sdc). You can identify it by its size or by checking if it has a partition (like /dev/sdX1)

    • Mount the device using: sudo mount /dev/<device_name> /media

  12. Copy the git repo locally from the Trove SD card and change into it

    $ cp -r /media/trove /root/vaults
$ cd /root/vaults

  13. Plug in the Operator smart card

  14. Verify the existing signatures and add your own signature:

    • icepick workflow --add-signature-to-quorum <namespace>/ceremonies/<date>/payload_<num>.json --shardfile <shardfile>.asc

  15. Look for the SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX or /dev/mmcblk<num>, where X is a letter (e.g., /dev/sdb, /dev/sdc). You can identify it by its size or by checking if it has a partition (like /dev/sdX1)

    • Mount the device using: sudo mount /dev/<device_name> /media

  16. Copy the updated vaults repo to the SD card

    • cp -r /root/vaults /media

  17. Unplug the SD card from the air-gapped machine

  18. Plug in the SD card into the online linux workstation

  19. Look for the SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX or /dev/mmcblk<num>, where X is a letter (e.g., /dev/sdb, /dev/sdc). You can identify it by its size or by checking if it has a partition (like /dev/sdX1)

    • Mount the device using: sudo mount /dev/<device_name> /media

  20. Copy the updated repository locally and change into it:

    $ cp -r /media/trove ~/
$ cd ~/trove

  21. Stage, sign, commit and push changes to the ceremonies repository:

    $ git add <namespace>/ceremonies/<date>/payloads/*
$ git commit -S -m "add payload signature for payload_<num>.json"
$ git push origin main

  22. Tamper proof the AirgapOS and Air-gapped laptop

    Vacuum sealing based tamper proofing

    1. Insert object(s) into plastic sealing bag

    2. Fill bag with enough plastic beads that most of the object is surrounded

    3. Use vacuum sealer to remove air from the bag until the beads are no longer able to move

    4. Take photographs of both sides of the sealed object using both the digital and polaroid camera

    5. Date and sign the polaroid photographs and store them in a local lock box

    6. Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.

    Safe based tamper proofing

    1. Place items into safe

    2. Ensure the safe is properly locked