Kyve: Create Transaction Payload
Requirements
-
-
The proposer should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
-
The proposer should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the
vaultsrepo
-
-
Linux Workstation (online machine)
- Any internet connected computer with a Linux shell will suffice
-
Clone the Vaults Repository for your organization to the machine
Procedure
-
Turn on online linux workstation
-
Clone the
vaultsrepository if it's not available locally and get the latest changes:$ git clone <repository_git_url> $ git pull origin main -
Unseal the SD Card Pack
a. Retrieve digital/physical photographs of both sides of sealed bundle
b. Compare all photographs to object for differences
c. Proceed with unsealing the object if no differences are detected
-
Plug a fresh SD card into the online linux workstation
-
Look for your SD card device name (
<device_name>) in the output of thelsblkcommand. It will typically be listed as/dev/sdXor/dev/mmcblk<num>, where X is a letter (e.g.,/dev/sdb,/dev/sdc). You can identify it by its size or by checking if it has a partition (like/dev/sdX1)- Mount the device using:
sudo mount /dev/<your_device> /media
- Mount the device using:
-
Save the
vaultsrepo to the SD card, referred to as the Ceremony SD card$ cp -r ~/vaults/ /media -
Unplug the Ceremony SD card
-
Unseal the tamper proofed bundle
a. Retrieve digital/physical photographs of both sides of sealed bundle
b. Compare all photographs to object for differences
c. Proceed with unsealing the object if no differences are detected
-
Insert the AirgapOS SD card into the airgapped machine and turn it on
-
Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage
-
Plug in the Ceremony SD card
-
Copy the git repo locally from the Ceremony SD card and change to it
$ cp -r /media/vaults /root $ cd /root/vaults -
Create a new payloads directory in the
vaultsrepository for the date on which the ceremony for the transaction will take place if it doesn't already exist-
mkdir -p <namespace>/ceremonies/<date>/payloads -
e.g
mkdir -p acme-coin-01/ceremonies/2025-01-01/payloads
-
-
Use
icepick workflow --helpto list the available workflows and options -
Plug in the Operator smart card
-
Use icepick to generate and sign the payload by running one of the following available workflows:
There may be some difficulty broadcasting a transaction due to the amount of gas consumed, as each Cosmos chain may have different computation power available. The option
--gas-factormay be set to a number to multiply the gas by, such as1.2, to increase the amount of gas for a transaction. The default value is1, and may be omitted if desired. A value lower than 1 is not recommended.The option
--chain-namecan usekyve,kaon(testnet), andkorellia(devnet)Stake
Stake coins on the provided chain towards a validator operator's address.
$ icepick workflow cosmos stake --delegate-address <delegate-address> --validator-address <validator-address> --chain-name kyve --asset-name KYVE --asset-amount <asset-amount> --gas-factor <gas-factor> --export-for-quorum --signTransfer
Transfer coins on the cosmos blockchain.
$ icepick workflow cosmos transfer --from-address <from-address> --to-address <to-address> --chain-name kyve --asset-name <asset-name> --asset-amount <asset-amount> --export-for-quorum --signWithdraw
Withdraw staked coins from a validator. Staked coins may be held for an unbonding period, depending on the chain upon which they are staked.
$ icepick workflow cosmos withdraw --delegate-address <delegate-address> --validator-address <validator-address> --chain-name kyve --asset-name KYVE --gas-factor <gas-factor> --export-for-quorum-signWithdraw Rewards
Withdraw rewards gained from staking to a validator.
$ icepick workflow cosmos withdraw-rewards --delegate-address <delegate-address> --validator-address <validator-address> --chain-name kyve --gas-factor <gas-factor> --export-for-quorum-sign -
Copy the updated ceremonies repo to the SD card
$ cp -r /root/vaults /media -
Transfer the SD card from the air-gapped machine to the online machine
-
Look for your SD card device name (
<device_name>) in the output of thelsblkcommand. It will typically be listed as/dev/sdXor/dev/mmcblk<num>, where X is a letter (e.g.,/dev/sdb,/dev/sdc). You can identify it by its size or by checking if it has a partition (like/dev/sdX1)- Mount the device using:
sudo mount /dev/<your_device> /media
- Mount the device using:
-
Copy the updated repository locally and switch to it:
$ cp -r /media/vaults ~/ $ cd ~/vaults -
Stage, sign, commit and push the changes to the ceremonies repository:
$ git add <namespace>/ceremonies/<date>/payloads/* $ git commit -S -m "add payload signature for payload_<num>.json" $ git push origin main -
Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or PR opened, others are notified, for example using a incident management tool.
-
Tamper proof the AirgapOS and Air-gapped laptop
-
Insert object(s) into plastic sealing bag
-
Fill bag with enough plastic beads that most of the object is surrounded
-
Use vacuum sealer to remove air from the bag until the beads are no longer able to move
-
Take photographs of both sides of the sealed object using both the digital and polaroid camera
-
Date and sign the polaroid photographs and store them in a local lock box
-
Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.