Closed eloquence closed 4 years ago
When reporting the results of ad-hoc tests against SecureDrop Workstation, please include the following information:
Confirming keyring updates in Debian-based VMs
Following test plan above
Success! Used the one-liner in the test plan above, and confirmed that all VMs listed had the new 2021 key expiry.
sudo apt-key finger securedrop-release-key
.
Proceeding with prod scenario next....
Tested on a 0.3.0-staging environment that I upgraded to 0.3.1-rc1; then I ran securedrop-admin --apply to apply the configuration.
sudo apt-key finger securedrop-release-key
.
Detailed output from the very helpful one-liner here: https://gist.github.com/eloquence/e9b4da12fb9bfeca2606d2def1b67bb5
$ grep 2020 output.txt | wc -l
0
$ grep 2021 output.txt | wc -l
14
Confirming keyring updates for RPM-based components, i.e. dom0 & sys-firewall
Following test plan above for prod testing
:x: Test plan as described can't pass, needs to be rethought. The prod install logic references, naturally, the apt.freedom.press for TemplateVMs, but the securedrop-keyring package doesn't exist on apt.freedom.press yet, so the first-time install fails.
Typically for rc testing we'd use the procedure described in https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-dom0-QA-testing#upgrade-install-testing, but that approach would clobber the test key, rendering local testing moot.
tl;dr: While the --apply run threw errors as a result of the missing package, the critical portions of the test plan succeeded.
sudo dnf info securedrop-workstation-dom0-config shows 0.3.0 in the version info
grep environment /usr/share/securedrop-workstation-dom0-config/config.json shows prod
sudo dnf info securedrop-workstation-dom0-config shows:
0.3.1 in the Version field
0.rc1.1.fc25 in the Release field
securedrop-admin --apply to enforce the upgrade :x: Run failed, see run output here
mkdir -m 700 /tmp/fake-gpg-rpm-home
gpg --homedir /tmp/fake-gpg-rpm-home --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
gpg --homedir /tmp/fake-gpg-rpm-home -k
qvm-run sys-firewall gnome-terminal to open a terminal, then:
mkdir -m 700 /tmp/fake-gpg-rpm-home
gpg --homedir /tmp/fake-gpg-rpm-home --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
gpg --homedir /tmp/fake-gpg-rpm-home -k
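The expiry checks in the comments above (grepping key listings for 2020/2021, and listing the RPM key in a throwaway homedir) can be made pass/fail by parsing GnuPG's machine-readable output. This is an added example, not part of the original thread or the project's tooling; the function names and sample records are constructed, and GNU date is assumed.

```shell
#!/bin/sh
# Added example. Assumes GNU date and the `gpg --with-colons` record layout:
# field 1 = record type, field 5 = key ID, field 7 = expiry.

# Constructed sample records (not real keys): one expiring 2020, one 2021.
SAMPLE_OLD='pub:e:4096:1:AAAAAAAAAAAAAAAA:1400000000:1593000000::-:::sc::::::23::0:
uid:e::::1400000000::0000::Constructed Old Key::::::::::0:'
SAMPLE_NEW='pub:-:4096:1:BBBBBBBBBBBBBBBB:1400000000:1624000000::-:::scESC::::::23::0:
uid:-::::1400000000::0000::Constructed New Key::::::::::0:'

# Print "<keyid> <expiry-year|never>" for each pub record on stdin.
pub_key_expiry_years() {
    while IFS=: read -r rectype validity len algo keyid created expiry rest; do
        [ "$rectype" = "pub" ] || continue
        case "$expiry" in
            '')       year=never ;;                        # key has no expiry
            *[!0-9]*) year=$(printf '%.4s' "$expiry") ;;   # date-style value
            *)        year=$(date -u -d "@$expiry" +%Y) ;; # epoch seconds
        esac
        echo "$keyid $year"
    done
}

# Succeed only if at least one pub key is present and none expires before $1.
all_keys_valid_through() {
    pub_key_expiry_years | awk -v min="$1" '
        { n++ }
        $2 != "never" && $2 < min { print "stale key:", $1, "expires", $2; bad = 1 }
        END { exit (bad || n == 0) }'
}

# Real use, against the throwaway homedir from the test plan:
#   gpg --homedir /tmp/fake-gpg-rpm-home --with-colons -k | all_keys_valid_through 2021
printf '%s\n' "$SAMPLE_NEW" | all_keys_valid_through 2021 && echo "keys valid through 2021"
```

An empty listing fails the check as well, so a keyring where the import silently did nothing is not reported as passing.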
Sounds good, thanks for the clarity, and for pressing ahead with the pubkey verification steps despite the failure in the --apply action, @eloquence. I'm able to confirm that the prod pubkey was added, despite the mismatch on the apt repository config leading to a failed task.
Make a timeboxed attempt to revise the test plan for prod to use apt-test for domUs, but prod repos for dom0, via the following patch:
--- /srv/salt/sd-default-config.yml 2020-06-10 15:35:57.000000000 -0700
+++ /tmp/sd-default-config.yml 2020-06-15 09:42:28.600644786 -0700
@@ -2,8 +2,10 @@
# Production variables, for use with real-world installs
prod:
dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25"
- apt_repo_url: "https://apt.freedom.press"
- signing_key_filename: "securedrop-release-signing-pubkey.asc"
+ #apt_repo_url: "https://apt.freedom.press"
+ #signing_key_filename: "securedrop-release-signing-pubkey.asc"
+ apt_repo_url: "https://apt-test.freedom.press"
+ signing_key_filename: "apt-test-pubkey.asc"
# Development variables, suited for use during local development
dev:
dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
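Review bot: In the prod block, the production apt_repo_url and signing_key_filename are left commented out while apt-test.freedom.press and apt-test-pubkey.asc take their place, with nothing marking the swap as a temporary QA override. signing_key_filename is a single setting under prod with no apt-specific scope visible here, so replacing it may change which key is trusted for more than the apt repo. Suggest adding a comment stating that the override is test-only and must be reverted, or putting the mixed configuration in its own environment block beside prod and dev instead of editing prod in place.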
Unfortunately that's also insufficient for testing here—while the securedrop-admin --apply action completes without error, the gpg verification commands in the test plan show the test key for dom0, due to the patch on the signing_key_filename specifically.
Given how thoroughly we've tested the various environments, I'm satisfied with results from rc1, and suggest proceeding with 0.3.1 final release. The OP has been updated with specific steps documenting the release workflow for 0.3.1.
This part succeeded in my prod environment after applying updates, now that the prod deb packages are up (still using the RC1 RPM).
Release is live.
This is an issue to track the production release of the SecureDrop Workstation 0.3.1 RPM package, which ships the keyring update in #563.
RC preparation
Test plan:
https://github.com/freedomofpress/securedrop-workstation/wiki/0.3.1-Test-Plan
Release workflow
make dom0-rpm from verified tag to create RPM - see full instructions here
PKG_VERSION=0.1.4 make securedrop-keyring
PKG_VERSION=0.1.3 make securedrop-workstation-config