[ ] Copy the armored PGP key out of the .sources file and unindent it (and remove the . on the second line) and save it to a file, pubkey.asc.
[ ] Run sq inspect pubkey.asc, see output like:
Fingerprint: 2359E6538C0613E652955E6C188EDD3B7B22E6A3
Public-key algo: RSA
Public-key size: 4096 bits
Creation time: 2021-05-10 17:00:29 UTC
Expiration time: 2027-05-24 13:19:23 UTC (creation time + 6years 13days 8h 18m 54s)
Key flags: certification, signing
Subkey: 427C6B139395903BE9A252C66275A4BA4C71447A
Public-key algo: RSA
Public-key size: 4096 bits
Creation time: 2021-05-10 17:00:29 UTC
Expiration time: 2027-05-24 13:21:06 UTC (creation time + 6years 13days 8h 20m 37s)
Key flags: transport encryption, data-at-rest encryption
UserID: SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>
[ ] bonus: run sq toolbox packet dump pubkey.asc, see that 2 new, SHA512 signatures were added on 2024-05-24, setting the expiry to 6 years since key creation (i.e. 2027)
Checklist
If these changes modify code paths involving cryptography, the opening of files in VMs or network (via the RPC service) traffic, Qubes testing in the staging environment is required. For fine tuning of the graphical user interface, testing in any environment in Qubes is required. Please check as applicable:
[ ] I have tested these changes in the appropriate Qubes environment
[ ] I do not have an appropriate Qubes OS workstation set up (the reviewer will need to test these changes)
[x] These changes should not need testing in Qubes
If these changes add or remove files other than client code, the AppArmor profile may need to be updated. Please check as applicable:
Status
Ready for review
Description
The release signing key's expiry has been extended 3 years, now expiring in 2027.
Fixes #2035. Refs https://github.com/freedomofpress/securedrop/issues/7162.
Test Plan
.sources
file and unindent it (and remove the . on the second line) and save it to a file,pubkey.asc
.[ ] Run
sq inspect pubkey.asc
, see output like:sq toolbox packet dump pubkey.asc
, see that 2 new, SHA512 signatures were added on 2024-05-24, setting the expiry to 6 years since key creation (i.e. 2027)Checklist
If these changes modify code paths involving cryptography, the opening of files in VMs or network (via the RPC service) traffic, Qubes testing in the staging environment is required. For fine tuning of the graphical user interface, testing in any environment in Qubes is required. Please check as applicable:
If these changes add or remove files other than client code, the AppArmor profile may need to be updated. Please check as applicable:
If these changes modify the database schema, you should include a database migration. Please check as applicable:
main
and confirmed that the migration is self-contained and applies cleanlymain
and would like the reviewer to do so