Add signed custody roster workflow
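--- a/Makefile
+++ b/Makefile
@@ -9,6 +9,11 @@ SECURITY_BOOTSTRAP_PORT ?= $(if $(PORT),$(PORT),8876)
 OPENBAO_RESTORE_EVIDENCE ?= /tmp/netkingdom-openbao-restore-drill/evidence.json
 OPENBAO_EMERGENCY_EVIDENCE ?= /tmp/netkingdom-openbao-emergency-drill/evidence.json
 RAILIANCE_PLATFORM_PATH ?= ../railiance-platform
+CUSTODY_ROSTER ?= .local/custody-roster.json
+CUSTODY_ROSTER_SIGNATURE ?= .local/custody-roster.json.sig
+CUSTODY_ROSTER_ALLOWED_SIGNERS ?= .local/custody-roster.allowed_signers
+CUSTODY_ROSTER_SIGNING_KEY ?= $(HOME)/.ssh/id_custodian_agent
+CUSTODY_ROSTER_SIGNING_PRINCIPAL ?= platform-custodian
 
 # ── Help ──────────────────────────────────────────────────────────────────────
 help: ## Show this help
@@ -181,7 +186,32 @@ security-bootstrap-validate-t02: ## Validate NET-WP-0017-T02 OpenBao audit/recov
 		validate-t02 \
 		--railiance-path "$(RAILIANCE_PLATFORM_PATH)" \
 		--restore-evidence "$(OPENBAO_RESTORE_EVIDENCE)" \
-		--emergency-evidence "$(OPENBAO_EMERGENCY_EVIDENCE)"
+		--emergency-evidence "$(OPENBAO_EMERGENCY_EVIDENCE)" \
+		--custody-roster "$(CUSTODY_ROSTER)" \
+		--custody-roster-signature "$(CUSTODY_ROSTER_SIGNATURE)" \
+		--custody-roster-allowed-signers "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)"
+
+security-bootstrap-custody-roster-template: ## Print a non-secret two-of-three custody roster template
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py custody-roster-template
+
+security-bootstrap-validate-custody-roster: ## Validate and verify the signed local custody roster
+	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
+		validate-custody-roster \
+		--roster "$(CUSTODY_ROSTER)" \
+		--signature "$(CUSTODY_ROSTER_SIGNATURE)" \
+		--allowed-signers "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)"
+
+security-bootstrap-sign-custody-roster: ## Sign the ignored local custody roster with an SSH signing key
+	@mkdir -p "$$(dirname "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)")"
+	@printf '%s ' "$(CUSTODY_ROSTER_SIGNING_PRINCIPAL)" > "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)"
+	@cat "$(CUSTODY_ROSTER_SIGNING_KEY).pub" >> "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)"
+	ssh-keygen -Y sign \
+		-f "$(CUSTODY_ROSTER_SIGNING_KEY)" \
+		-n netkingdom-custody-roster \
+		"$(CUSTODY_ROSTER)"
+	@if [[ "$(CUSTODY_ROSTER_SIGNATURE)" != "$(CUSTODY_ROSTER).sig" ]]; then \
+		cp "$(CUSTODY_ROSTER).sig" "$(CUSTODY_ROSTER_SIGNATURE)"; \
+	fi
 
 security-bootstrap-approve-custody: ## Approve custody mode metadata: make security-bootstrap-approve-custody ARGS="--mfa-enrolled-confirmed --mfa-enrollment-source identity-provider --recovery-confirmed --custody-packet-prepared --no-secret-capture-confirmed"
 	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
@@ -224,6 +254,9 @@ security-bootstrap-ui: security-bootstrap-metadata-init ## Serve local custody a
 	iam-profile-conformance-test playbook-contract-test \
 	security-bootstrap-console security-bootstrap-king-kit \
 	security-bootstrap-validate-kit security-bootstrap-validate-t02 \
+	security-bootstrap-custody-roster-template \
+	security-bootstrap-validate-custody-roster \
+	security-bootstrap-sign-custody-roster \
 	security-bootstrap-approve-custody \
 	security-bootstrap-custody-packet security-bootstrap-openbao-preflight \
 	security-bootstrap-metadata-init security-bootstrap-ui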
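Review bot: `security-bootstrap-sign-custody-roster` overwrites `$(CUSTODY_ROSTER_ALLOWED_SIGNERS)` with the public half of whatever `$(CUSTODY_ROSTER_SIGNING_KEY)` points at, so on the same host `security-bootstrap-validate-custody-roster` (and the new `--custody-roster-allowed-signers` input to `validate-t02`) verifies the roster against a trust anchor the signing step itself just wrote, and anyone who can re-run the sign target with their own key and principal will pass verification; the allowed-signers file is the root of trust for the two-of-three roster and should be provisioned separately (committed or distributed out of band) rather than regenerated every time a signature is produced. I would move the `@mkdir`/`@printf`/`@cat` lines out of the sign target into an explicitly invoked enrolment target such as `security-bootstrap-custody-roster-allowed-signers:` (also added to the `.PHONY` list), leaving the sign target to run only `ssh-keygen -Y sign`, so enrolling a signer is a deliberate act distinct from signing. Separately, `@if [[ ... ]]` is a bash-only test that fails with `[[: not found` under a POSIX `/bin/sh` unless `SHELL := bash` is set earlier in the file (not visible in this hunk); `@if [ "$(CUSTODY_ROSTER_SIGNATURE)" != "$(CUSTODY_ROSTER).sig" ]; then \` is portable. It is also worth confirming that the console's `validate-custody-roster` verifies with the same `-n netkingdom-custody-roster` namespace the sign target uses, since no namespace is passed on the validate side and a mismatch would make every verification fail or, worse, accept signatures made for another purpose.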