Commit graph

658 commits

Author SHA1 Message Date
Matt Borja
e4f6e9c59d
Merge bc9a7a8954 into ece9752967 2025-05-23 11:48:19 +08:00
Matt Borja
bc9a7a8954
Update verbiage for read flow (“obtained in advance”) 2025-05-23 02:49:49 +00:00
Matt Borja
7e3f6f7647
Add missing closing parenthesis 2025-05-23 02:47:52 +00:00
Matt Borja
454cf8e0bf
Include recommendation for sourcing offline copy of gpg.conf to avert needing an Internet connection in post 2025-05-23 02:47:09 +00:00
Matt Borja
fbc9d4f517
- Use dedicated section headings for Abstract and Disclaimer
- Include MIT disclaimer and add copyright
- Clarify use of tightly coupled process intended for offline package installation (bootable images already presumed to be verified through via external documentation)
- Specify appropriate use of secure imaging host (imaging purposes only)
- Provide link to Tails installation guide
- Cleanup verbiage throughout using more direct procedural language
- Rearrange paragraphs as needed to address disparities in logical flow of procedures, as in C/CD Considerations
- Clarify hardware requirements for devices elected for air-gap use (e.g. SD card)
- Reiterate verification requirements for Alpine Linux, citing both official sources and additional evidence sources
- Add callout (3b) to fetch additional packages required for offlnie work in the air-gapped environment and thus rename gpg-bundle-* to airgap-bundle-*
- Add explicit step to visually inspect and note SHA256 checksum of air-gap bundle before continuing (required for later verification)
- Parameterize device paths when referencing use of removable storage medium
-  Note alternate use of repeating section 1.2.1 over current SD card (used for offline package retrieval)
- Cleanup additional post-installation setup tasks introduced elsewhere in, else considered outside the scope of this document
- Demonstrate use of `&&` for requiring SHA256 to be valid before allowing air-gap bundle to be extracted and installed
- Include sample command for listing key certifications during GPG environment verification (--list-sigs)
2025-05-19 17:43:14 +00:00
Matt Borja
67e63f5e40
Cleanup Stage 1 introductory paragraph and rearrange "clean plate" analogy for logical flow 2025-05-19 07:46:47 +00:00
Matt Borja
8536df9cfc
Rework Purpose section as Abstract and cleanup
Align heading for procedure verbiage: Establish a Secure Imaging Host
2025-05-19 07:37:10 +00:00
Matt Borja
dc2221e7de
Add notes for restarting gpg-agent if connection to HSM is lost between $GNUPGHOME directories
Cleanup heading with procedure verbiage:
- Install Offline Packages for GnuPG
- Verify the Environment
2025-05-19 02:29:37 +00:00
Matt Borja
0d709dd9ba
Update instructions for installing offline packages from removable storage after booting into the secure environment 2025-05-19 02:24:13 +00:00
Matt Borja
bd96779276
Cleanup remaining extraneous sections
- 1.3 Building the Secure Environment

Cleanup CI/CD Considerations paragraph
2025-05-19 02:18:47 +00:00
Matt Borja
8f31080af9
Merge branch 'guide-secenv' into guide-secure-environment to sign last commit with current key only recognized by GitHub due to email field. 2025-05-19 02:09:11 +00:00
Matt Borja
1a7bc2ccf6
Rework section introductory paragraphs for readability
Begin reworking user stories as more procedural for brevity and procedural specificity (clarity)
- Establishing a Secure Image Host
- Use Tails OS as an Intermediary
- Use the target OS to download packages
- Acquire the target image
- Boot the target image and download OS packages

The "clean plate" analogy is becoming more prominent (recurring), potentially indicating an accessible codename suitable for this document.
2025-05-19 02:08:14 +00:00
Matt Borja
acdbd14f8d
Rework section introductory paragraphs for readability
Begin reworking user stories as more procedural for brevity and procedural specificity (clarity)
- Establishing a Secure Image Host
- Use Tails OS as an Intermediary
- Use the target OS to download packages
- Acquire the target image
- Boot the target image and download OS packages

The "clean plate" analogy is becoming more prominent (recurring), potentially indicating an accessible codename suitable for this document.
2025-05-19 01:58:01 +00:00
Matt Borja
3cc423037b
Fix minor spelling/grammar issues 2025-05-14 08:11:40 +00:00
Matt Borja
ae6cac57f1
Update headings:
- Fix heading level for Stage 3
- Assign sub-headings

Link "working with GPG" to existing guide
2025-05-14 08:04:29 +00:00
Matt Borja
c0690e1c4c
Import and cleanup notes for distribution 2025-05-14 07:51:20 +00:00
drduh
ece9752967
Merge pull request #501 from drduh/wip-09may25
script key generation
2025-05-11 23:56:11 +00:00
drduh
7473d2e0d8 reuse key list for id/fp 2025-05-10 17:59:19 -07:00
drduh
04dbdf35c3 label each step 2025-05-10 17:47:40 -07:00
drduh
d66ac5381f delint and print id strings 2025-05-10 17:25:26 -07:00
drduh
f48c9fa3ee finish by printing certify and encrypt passphrases 2025-05-10 17:08:04 -07:00
drduh
e457f04982 set passphrases function 2025-05-10 16:57:30 -07:00
drduh
1064d2e742 print configured id/key attributes 2025-05-10 16:45:23 -07:00
drduh
4fe4b8c157 temp dir and label functions 2025-05-10 16:40:00 -07:00
drduh
cbd39ffbb0 save mats functions 2025-05-10 16:31:51 -07:00
drduh
1ab20d5fea gen key functions 2025-05-10 16:27:14 -07:00
drduh
f2c4ca3e68 get pass function 2025-05-10 16:21:48 -07:00
drduh
4624d096a8 script generate commands 2025-05-09 17:01:19 -07:00
drduh
a7b9a972c5
Merge pull request #497 from mattborja/readme-gpgsign
Update instructions for commit signing
2025-05-06 23:55:03 +00:00
Matt Borja
0c30e143bf
Update instructions for commit signing
- Using a SSH key for signing
- Snippet demonstrating configuring the Git user identity
- Enabling commit and tag signing by default
2025-05-05 04:37:26 +00:00
drduh
b822d411aa
Merge pull request #493 from drduh/wip-24apr25
passphrase options, note double quotes in id string, tidy formatting and grammar
2025-04-27 23:45:17 +00:00
drduh
a42d48cf68 a few more formatting fixes 2025-04-24 20:07:41 -07:00
drduh
d7bb1a39e0 mention how to wrap double quotes to fix #492 2025-04-24 19:47:29 -07:00
drduh
97cd88bf3f more grammar and alignment formatting 2025-04-24 19:39:29 -07:00
drduh
dc9a0eb903 tidy formatting, align table 2025-04-24 19:21:56 -07:00
drduh
6552e8946d options to modify passphrase length, group size and delimiter 2025-04-24 19:07:21 -07:00
drduh
3912fc0f20
Merge pull request #490 from drduh/wip-20apr25
update nix readme reference to fix #486
2025-04-22 00:30:37 +00:00
drduh
7d83cf9f13 update config refs 2025-04-20 13:08:55 -07:00
drduh
08cb724eab update nix readme reference to fix #486 2025-04-20 13:03:49 -07:00
drduh
65f8efca51
Merge pull request #488 from drduh/wip-19apr25
required card attribute and windows agent option
2025-04-20 19:00:25 +00:00
drduh
a2dd896d5c login card attr appears mandatory, fix #461 2025-04-19 09:16:03 -07:00
drduh
f92fdd5a2e include windows gpg-agent option to fix #455 2025-04-19 09:09:57 -07:00
drduh
8c4d80d4af
Merge pull request #485 from drduh/wip-13apr25
collapse more uids details, prefer explicit expirations
2025-04-15 03:01:42 +00:00
drduh
f22d1c7e78 update and prefer explicit expiration dates 2025-04-13 16:42:40 -07:00
drduh
4f1dc6239f collapse additional uids details 2025-04-13 16:37:26 -07:00
drduh
5bce454a4c
Merge pull request #484 from drduh/wip-12apr25
organize root structure
2025-04-13 23:00:14 +00:00
drduh
f008766778 move revocation cert to footnotes 2025-04-12 10:50:18 -07:00
drduh
2cc0c10777 update gpg conf refs 2025-04-12 10:31:37 -07:00
drduh
5fb7799f21 include gpg configs 2025-04-12 10:27:19 -07:00
drduh
d7428c1290 organize nixos files 2025-04-12 10:22:46 -07:00