Solana: Create Transaction Payload
Requirements
-
-
The proposer should print photographic evidence from digital cameras which is stored in a PGP signed repository. The photographs should be of the top and underside of the vacuum sealed object.
-
The proposer should verify the commit signatures of the photographs they are printing against a list of permitted PGP keys found in the vaults repo
-
-
Linux Workstation (online machine)
- Any internet connected computer with a Linux shell will suffice
-
Clone the Vaults Repository for your organization to the machine
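The commit signature check required above can be scripted. The following is an added example, not part of the original procedure or the project's tooling; it assumes the permitted keys are kept as a text file with one primary-key fingerprint per line, and the function names and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the vaults tooling. Assumptions: the permitted
# keys are listed in a text file, one primary-key fingerprint per line
# ('#' starts a comment line); file names and paths below are hypothetical.

# check_signed_commits ALLOWLIST
# Reads "<commit> <status> <primary-key-fingerprint>" lines on stdin, the
# shape produced by: git log --format='%H %G? %GP'
# Prints a verdict per commit and returns 1 if any commit is rejected.
check_signed_commits() {
    local allowlist commit status fpr rc
    allowlist=$1
    rc=0
    while read -r commit status fpr; do
        [ -n "$commit" ] || continue
        case $status in
            # G = good signature; U = good signature from a key that the
            # local keyring has not marked trusted (the allowlist decides).
            G|U) ;;
            # N none, B bad, E cannot check, X/Y expired, R revoked key.
            *) echo "REJECT $commit signature-status=$status"
               rc=1
               continue ;;
        esac
        # Whole-line, fixed-string, case-insensitive fingerprint match.
        if [ -n "$fpr" ] &&
           grep -v '^#' "$allowlist" | grep -qixF -- "$fpr"; then
            echo "OK     $commit $fpr"
        else
            echo "REJECT $commit signer-not-permitted=${fpr:-none}"
            rc=1
        fi
    done
    return "$rc"
}

# verify_photo_commits REPO ALLOWLIST PATH
# Checks every commit in REPO that touched PATH (e.g. the photo directory).
verify_photo_commits() {
    git -C "$1" log --format='%H %G? %GP' -- "$3" |
        check_signed_commits "$2"
}

# Usage (hypothetical paths):
#   verify_photo_commits ~/vaults ~/vaults/permitted-keys.txt evidence/
```

A good signature alone is not enough here: a commit signed by a valid key that is absent from the allowlist is rejected, as is any unsigned commit.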
Procedure
-
Turn on the online Linux workstation
-
Clone the vaults repository if it's not available locally and get the latest changes:
$ git clone <repository_git_url>
$ git pull origin main
-
Unseal the SD Card Pack
a. Retrieve digital/physical photographs of both sides of sealed bundle
b. Compare all photographs to object for differences
c. Proceed with unsealing the object if no differences are detected
-
Plug a fresh SD card into the online Linux workstation
-
Look for your SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX or /dev/mmcblk<num>, where X is a letter (e.g., /dev/sdb, /dev/sdc). You can identify it by its size or by checking if it has a partition (like /dev/sdX1).
- Mount the device using:
sudo mount /dev/<your_device> /media
-
Save the vaults repo to the SD card, referred to as the Ceremony SD card
$ cp -r ~/vaults/ /media
-
Unplug the Ceremony SD card
-
Unseal the tamper proofed bundle
a. Retrieve digital/physical photographs of both sides of sealed bundle
b. Compare all photographs to object for differences
c. Proceed with unsealing the object if no differences are detected
-
Insert the AirgapOS SD card into the airgapped machine and turn it on
-
Once booted, unplug the AirgapOS SD card and place it in High Visibility Storage
-
Plug in the Ceremony SD card
-
Copy the git repo locally from the Ceremony SD card and change to it
$ cp -r /media/vaults /root
$ cd /root/vaults
-
Create a new payloads directory in the vaults repository for the date on which the ceremony for the transaction will take place, if it doesn't already exist
- mkdir -p <namespace>/ceremonies/<date>/payloads
- e.g. mkdir -p acme-coin-01/ceremonies/2025-01-01/payloads
-
-
Use icepick workflow --help to list the available workflows and options
-
Plug in the Operator smart card
-
Use icepick to generate and sign the payload by running one of the following available workflows:
Transfer
Transfer native Solana asset - SOL.
$ icepick workflow sol transfer --to-address <to-address> --from-address <from-address> --amount <amount> --export-for-quorum --sign
Transfer Token
Transfer SPL tokens on Solana blockchain.
The following SPL tokens, provided to --token-name, are supported:
$ icepick workflow sol transfer-token --from-address <from-address> --to-address <to-address> --token-name <token-name> --token-amount <token-amount> --export-for-quorum --sign
-
Copy the updated ceremonies repo to the SD card
$ cp -r /root/vaults /media
-
Transfer the SD card from the air-gapped machine to the online machine
-
Look for your SD card device name (<device_name>) in the output of the lsblk command. It will typically be listed as /dev/sdX or /dev/mmcblk<num>, where X is a letter (e.g., /dev/sdb, /dev/sdc). You can identify it by its size or by checking if it has a partition (like /dev/sdX1).
- Mount the device using:
sudo mount /dev/<your_device> /media
-
Copy the updated repository locally and switch to it:
$ cp -r /media/vaults ~/
$ cd ~/vaults
-
Stage, sign, commit and push the changes to the ceremonies repository:
$ git add <namespace>/ceremonies/<date>/payloads/*
$ git commit -S -m "add payload signature for payload_<num>.json"
$ git push origin main
-
Notify relevant individuals that there are new transactions queued up, and that a ceremony should be scheduled. This can be automated in the future so that when a commit is made or a PR is opened, others are notified, for example using an incident management tool.
-
Tamper proof the AirgapOS and Air-gapped laptop
-
Insert object(s) into plastic sealing bag
-
Fill bag with enough plastic beads that most of the object is surrounded
-
Use vacuum sealer to remove air from the bag until the beads are no longer able to move
-
Take photographs of both sides of the sealed object using both the digital and polaroid camera
-
Date and sign the polaroid photographs and store them in a local lock box
-
Take the SD card to an online connected device, ensuring continued dual custody, and commit the tamper evidence photographs to a repository. If two individuals are present, have one create a PR with a signed commit, and the other do a signed merge commit.