Add signed custody roster workflow

2026-06-02 01:11:42 +02:00
parent 31e6d6660f
commit 0ab7c14ec9
5 changed files with 406 additions and 12 deletions
--- a/tools/security-bootstrap-console/README.md
+++ b/tools/security-bootstrap-console/README.md
@@ -223,9 +223,28 @@ make security-bootstrap-validate-t02
 ```

 The validator checks local non-secret metadata, the next independent quorum
-holder, the Audit Core retention/risk decision, and the Railiance restore and
-emergency-drill evidence validators. It fails until real evidence files exist
-and the remaining T02 metadata gates are recorded.
+roster, the Audit Core retention/risk decision, and the Railiance restore and
+emergency-drill evidence validators. It fails until real evidence files exist,
+the signed custody roster exists, and the remaining T02 metadata gates are
+recorded.
+
+Create and validate the local two-of-three custody roster:
+
+```bash
+make security-bootstrap-custody-roster-template \
+  > .local/custody-roster.json
+
+# Edit .local/custody-roster.json locally. It may contain real contact data,
+# so it is ignored by Git and must not be copied into State Hub or workplans.
+
+make security-bootstrap-sign-custody-roster
+make security-bootstrap-validate-custody-roster
+```
+
+The roster is tamper-evident through an SSH detached signature with namespace
+`netkingdom-custody-roster`. The default signer is
+`~/.ssh/id_custodian_agent`; the local allowed-signers file is written to
+`.local/custody-roster.allowed_signers`.

 OpenBao itself is operated from the Railiance runbook. Public ingress is
 disabled, so the live ceremony uses Railiance `make` targets, `kubectl exec`,