Release SecureDrop 1.8.0

[eloquence]

This is a tracking issue for the release of SecureDrop 1.8.0

Tentatively scheduled as follows:

String and feature freeze: 2021-02-23 String comment period: 2021-02-23 - 2021-02-26 Translation period: 2021-02-26 - 2021-03-08 Pre-release announcement: 2021-03-02 Release date: ~2021-03-09~ 2021-03-11

Release manager: @zenmonkeykstop Deputy release manager: @emkll Localization manager: @rmol Deputy localization manager: @emkll Communications manager:: @rocodes

SecureDrop maintainers and testers: As you QA 1.8.0, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 1.8.0 milestone for tracking (or ask a maintainer to do so).

Test debian packages will be posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.

QA Matrix for 1.8.0

Test Plan for 1.8.0

Supplementary notes for Xenial->Focal Migrations

Prepare release candidate (1.8.0~rc1)

• [ ] Link to latest version of Tails, including release candidates, to test against during QA
• [x] Prepare 1.8.0~rc1 release changelog
• [x] Branch off release/1.8.0 from develop https://github.com/freedomofpress/securedrop/tree/release/1.8.0
• [x] Prepare 1.8.0~rc1 https://github.com/freedomofpress/securedrop/tree/1.8.0-rc1
• [x] Build debs and put up 1.8.0~rc1 on test apt server: https://github.com/freedomofpress/securedrop-dev-packages-lfs/pull/94
• [x] Commit build logs to https://github.com/freedomofpress/build-logs/commit/0ce458d0ae607f1fd5e090568c24c77b8c404075

Prepare release candidate (1.8.0~rc2)

• [x] Prepare 1.8.0~rc2 release changelog
• [x] Prepare 1.8.0~rc2 https://github.com/freedomofpress/securedrop/tree/1.8.0-rc2
• [x] Build debs and put up 1.8.0~rc2 on test apt server: https://github.com/freedomofpress/securedrop-dev-packages-lfs/pull/96
• [x] Commit build logs to https://github.com/freedomofpress/build-logs/commit/33b894ba6d1cdd45f2381f422f45a119436cccad

After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and 1.8.0-specific testing below in comments to this ticket.

Final release

• [x] Ensure builder in release branch is updated and/or update builder image
• [x] Push signed tag https://github.com/freedomofpress/securedrop/releases/tag/1.8.0
• [x] Pre-Flight: Test updater logic in Tails (apt-qa tracks the release branch in the LFS repo)
• [x] Build final Debian packages for 1.8.0 (and preserve build logs)
• [x] Commit package build logs to https://github.com/freedomofpress/build-logs
• [x] Upload Debian packages to apt-qa server (including Tor 0.4.5.6 packages)
• [x] Pre-Flight: Test that install and upgrade from 1.7.1 to 1.8.0 works w/ prod repo debs (apt-qa.freedom.press polls the release branch in the LFS repo for the debs)
• [x] Flip apt QA server to prod status (merge to main in the LFS repo)
• [x] Merge Docs branch changes to main and verify new docs build in securedrop-docs repo
• [x] Prepare release messaging

Post release

• [x] Create GitHub release object https://github.com/freedomofpress/securedrop/releases/tag/1.8.0
• [x] Once release object is created, update versions in securedrop-docs and Wagtail
• [x] Build readthedocs and verify new docs show up on https://docs.securedrop.org
• [x] Publish announcements
• [x] Merge changelog back to develop
• [ ] Update upgrade testing boxes
• [x] Update roadmap wiki page: https://github.com/freedomofpress/securedrop/wiki/Development-Roadmap

[eloquence]

(Just a placeholder for now based on the last release, will likely need some fleshing out to account for the additional complexity of adding and testing support for Ubuntu 20.04.)

[kushaldas]

Initial testing on NUC5 hardware looks solid. I do have a few questions:

• Are we supposed to have -rw-rw-r-- permission on /var/ossec/.gnupg/pubring.kbx on the mon server?
• Why is there a /var/crash/_usr_bin_lscpu.1000.crash file on both the servers?
• Why do we have /libx32 and /lib32?

[kushaldas]

1.8.0 QA Checklist

Environment

• Install target: VM, Xenial
• Tails version: 4.15
• Test Scenario: update
• SSH over Tor: No
• Onion service version: v2+v3
• Release candidate: rc1

Command Line User Generation

• [x] Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• [x] JS warning bar does not appear when using Security Slider high
• [x] JS warning bar does appear when using Security Slider Low

First submission base cases

• [x] On generate page, refreshing codename produces a new 7-word codename
• [x] On submit page, empty submissions produce flashed message
• [x] On submit page, short message submitted successfully
• [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• [x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

• [x] Nonexistent codename cannot log in
• [x] Empty codename cannot log in
• [x] Legitimate codename can log in
• [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens
• [x] incorrect password cannot log in
• [x] invalid 2fa token cannot log in
• [x] 2fa immediate reuse cannot log in
• [x] Journalist account with HOTP can log in

Index base cases

• [x] Filter by codename works
• [x] Starring and unstarring works
• [x] Click select all selects all submissions
• [x] Selecting all and clicking "Download" works

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] You cannot submit an empty reply
• [x] Clicking "Delete Source And Submissions" and the source and docs are deleted
• [x] You can click on a document and successfully decrypt using application private key

1.8.0 release-specific changes (common)

• [ ] V2 SSH only configured when v2 services are enabled #5718

  • If SSH-over-Tor was enabled and v2 onion services were not enabled during installation:
  • [ ] the v2 onion service configuration in /var/lib/tor/services/ssh was not created on either the Application or Monitor Server
  • [ ] the file /etc/tor/torrc does not contain HiddenServiceVersion 2 on either the Application or Monitor Server
  • [ ] (optional) OSSEC alerts related to v2 onion services are not triggered

• [x] SSHd config updates #5666

  • [x] After installation, ssh access to both servers works without issue in either SSH-over-Tor or SSH-over-LAN (depending on chosen config)
  • [x] No OSSEC alerts are generated including the text Error: Unable to load host key: /etc/ssh/ssh_host_dsa_key (#5660)

• [x] Safe deletion #5770

  • [x] With Tor Browser's security setting at "standard", sources' files and messages can be deleted on the All Sources page :

  • log into the SI and submit multiple messages/files

  • log into the JI and click Delete on the All Sources page without selecting any sources' checkboxes

    • [x] a server call is not made, and a modal is displayed under the Delete button asking the user to select one or more checkboxes.

  • select the checkbox for the source created above in the "All Sources" page and Click Delete..:

    • [x] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel - the number of sources selected is also displayed.

  • click Cancel

    • [x] The source entry is present and its file/message counts are unchanged

  • ensure that the source is selected and click Delete.. again, then click Files and Messages

    • [x] A success flash message is displayed
    • [x] The source is still present and its file/message counts are both 0

  • in the SI, submit a message

    • [x] The message is submitted successfully
    • [x] in the JI, when the All Sources page is refreshed the message count is now 1.
    • [x] clicking on the source codename opens the source page, the message is listed and can be downloaded.
    • [x] on the source page, a reply can be successfully sent to the source

  • Return to the All Sources page, select the source, and choose Delete > Files and Messages

    • [x] The source is present and counts are 0
    • [x] clicking through to the source page works and no files/messages/replies are listed.
    • In the SI, submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.
    • In the JI, return to the All Sources page.
    • select two sources, choose Delete > Files and Messages
    • [x] both sources are present with zeroed file/message counts
    • [x] the third source is present and its counts are unchanged (and non-zero)

  • [x] With TBB security set to "standard", source accounts can be deleted with a double confirm on the All Sources page:

  • log into the SI, recording the source codename, and submit multiple messages/files

  • log into the JI and select the checkbox for the source created above in the "All Sources" page

  • Click Delete..:

    • [x] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel, the count of selected sources is also displayed

  • Click Source Accounts

    • [x] A second explanatory modal is displayed giving the option to cancel or delete source accounts

  • Click Yes, Delete Source Accounts

    • [x] a success flash message is displayed and the source account is removed from the listing
    • [x] the source's files are all queued for deletion on the server
    • [x] the source's database entry is deleted
    • [x] the sources' reply key is deleted.

  • return to the SI and attempt to log in as the source:

    • [x] the source codename is not found.
    • In the SI, log in with a new account submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.

  • return to the JI and open the All Sources page

  • select two sources, choose Delete > Source Accounts > Yes, Delete Source Accounts

    • [x] a success flash message is displayed
    • [x] the two sources selected are deleted from the All sources page and the server (store/db/reply key)
    • [x] the remaining source is unaffected.

  • [ ] With TBB security at "safest", the test cases above pass with the the following exceptions:

  • [ ] the selected source count is not displayed on the initial deletion modal when deleting files and messages or source accounts on the All Sources page

  • [ ] the modals are centered in the page, not displayed under the delete button on the All sources page

  • [ ] a flash error message is displayed instead of the error modal when the user clicks Delete on All Sources with nothing selected.

• [x] Empty files are no longer created for disconnected database entries #5724

  • Log in to the Source Interface as a new source. Submit one message.
  • Connect to the Application Server over SSH, navigate to the source's directory under /var/lib/securedrop/store and delete the file of the message you just submitted.
  • Back in the Source Interface, submit another two messages, waiting a few seconds between them.
  • [x] On the Application Server, verify that the source's directory only contains two files (2-... and 3-...) and that their timestamps are identical.

• [ ] Remove cloud-init package during installation #5771

  • [ ] When the command ssh app apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When command ssh mon apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.

ssh app apt list --installed | grep cloud-init

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

cloud-initramfs-copymods/now 0.27ubuntu1.6 all [installed,local]
cloud-initramfs-dyn-netconf/now 0.27ubuntu1.6 all [installed,local]
amnesia@amnesia:~/Persistent/securedrop$ ssh mon apt list --installed | grep cloud-init

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

cloud-initramfs-copymods/now 0.27ubuntu1.6 all [installed,local]
cloud-initramfs-dyn-netconf/now 0.27ubuntu1.6 all [installed,local]

• [x] Install release-upgrader in prepare-servers role (#5792)

  • [x] When the command ssh app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS) ubuntu-release-upgrader-core/now
  • [x] When the command mon app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)

• [x] Update Tor to 0.4.5.6 #5803

  • [x] When the command ssh app tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."
  • [x] When the command ssh mon tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."

• [x] LTS upgrade prompt is disabled #5786

  • [x] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [x] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal
  • [x] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [x] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal

• [x] Update and annotate Apache configuration #5797

  • Check the Source Interface headers from an Admin Workstation terminal using the command curl -I http://<onion>, where <onion> is the SI onion address. The response should include the following:
  • [x] X-Frame-Options: DENY
  • [x] Referrer-Policy: same-origin
  • [x] X-XSS-Protection: 1; mode=block
  • [x] Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';
  • [x] X-Download-Options: noopen
  • [x] Cache-Control: no-store
  • Repeat the command for the Journalist Interface onion address:
  • [x] The header values are the ame as for the SI with the exception of Referrer-policy, whose value should be no-referrer

• [ ] Check for updates before most securedrop-admin commands #5788

  • On an Admin Workstation with persistence unlocked and an admin password set:
  • Open a terminal and change directory to ~/Persistent/securedrop
  • [ ] Ensure the code is on the most recent 1.8.0 RC tag with git status, switching if necessary with , e.g., git checkout 1.8.0-rc1.
  • [ ] Run the command ./securedrop-admin logs. Verify that it does an update check, does not run the subcommand, prints an error, and exits with exit code 1 ( check with echo $?)
    • [ ] Verify that the error message above correctly reflects the state of the repository (latest version is 1.7.1) and your checkout (HEAD detached at 1.8.0-rc1).
  • Delete the most recent tags locally (git tag -d 1.8.0-rc1 && git tag -d 1.7.1). Retag your current HEAD as 1.7.1 with an annotated tag (git tag -a 1.7.1 -m 'TEST TAG ONLY'). This tells the updater that you are using the expected tag even though you are on 1.8.0-rc1.
  • [ ] Run ./securedrop-admin logs. Confirm that the command prints "All updates applied" and proceeds to fetch logs.
  • Delete your test tag with git tag -d 1.7.1, restore the tags from the server with git fetch --tags --all, and check out the latest RC again with, e.g., git checkout 1.8.0-rc1
  • [ ] Run ./securedrop-admin logs again, confirming that the error is displayed and the subcommand not run
  • [ ] Run ./securedrop-admin --force logs. Confirm that the version check is skipped and logs are fetched.
  • [ ] (Optional) Repeat the check for other ./securedrop-admin subcommands and verify that version checks are performed.

1.8.0 release-specific changes (Xenial only)

• [x] End-of-life messaging#5789

  • [x] When logged into the Journalist Interface, a banner is displayed with information on the April 30 date and a link to the blog advisory.
  • [x] When visiting the Source Interface, the interface is enabled
  • [x] If v2 is enabled, neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [x] When logged into the Journalist Interface, a banner is displayed informing you that the Source Interface is disabled and linking to the blog advisory.
  • [x] When visiting the Source Interface, a message is displayed saying that it is disabled, and you cannot log in or create a new source account.

• [x] IPv6 disabled in init in Focal only#5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [x] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [ ] sudo ip -6 addr: you may see address information, for localhost, ethernet, or both.
  • [x] sudo cat /proc/cmdline: you should NOT see "ipv6.disable=1" in the output.
  • [x] sudo ip6tables -S: a brief list of "DROP" policies. Each line you see should have "DROP", but no lines should have "ALLOW".
  • [x] Repeating the process above on the Monitor Server, you should see the same results.

1.8.0 release-specific changes (Focal only)

• [ ] Focal support added #4728

  • [ ] A fresh install using Focal as the base OS completed successfully
  • [ ] If a migration from an existing backup was performed as part of testing:
  • [ ] The data restoration was completed successfully, including data, submissions, and JI accounts
  • [ ] If the backup file included v2 onion service configurations, they were not carried over to the Focal install. #5677

• [ ] Update Kernel to 5.4.97 for Focal #5785

  • [ ] When the command ssh app uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop
  • [ ] When the command ssh mon uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop

• [ ] End-of-life messaging#5789

  • [ ] When logged into the Journalist Interface the EOL banner is not displayed.
  • [ ] When visiting the Source Interface, the interface is enabled
  • [ ] Neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [ ] When logged into the Journalist Interface the EOL banner is not displayed.
  • [ ] When visiting the Source Interface, the interface is enabled

• [ ] resolvconf is not present on focal #5809

  • [ ] When the command ssh app apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When the command ssh mon apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When the command ssh app dig freedom.press is run via an Admin Workstation terminal:
  • [ ] it should succeed.
  • [ ] The SERVER line at the bottom should contain the IP address of the DNS server configured via ./securedrop-admin sdconfig (e.g. 8.8.8.8)

• [ ] Remove aptitude and disable install-recommends #5793

  • [ ] When the command ssh app apt list --installed | grep aptitude is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh mon apt list --installed | grep aptitude is run via an Admin Workstation terminal, it should return an empty string
  • When the command ssh app sudo apt install vlc is run via an Admin Workstation terminal:
  • [ ] It should complete successfully
  • [ ] The subsequent command ssh app apt list --installed | grep vlc-l10n should return an empty string

• [ ] IPv6 disabled in init in Focal only #5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [ ] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [ ] sudo ip -6 addr: you should see no output.
  • [ ] sudo cat /proc/cmdline: you should see "ipv6.disable=1" in the output.
  • [ ] sudo ip6tables -S: you should see an error about functionality not being supported.
  • [ ] Repeating the process above on the Monitor Server, you should see the same results.

• [ ] replace ntp with systemd-timesyncd [#5806]()https://github.com/freedomofpress/securedrop/issue/5806)

  • [ ] Confirm that ntp and ntpdate are not installed on the Application Server with the Admin Workstation command ssh app apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • [ ] Confirm that ntp and ntpdate are not installed on the Monitor Server with the Admin Workstation command ssh mon apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • confirm that time has been synchronized to NTP servers on both machines:
  • [ ] ssh app timedatectl show and ssh mon timedatectl show should both contain NTPSynchronized=yes
  • [ ] ssh app timedatectl show-timesync and ssh mon timedatectl show should both contain ServerName=ntp.ubuntu.com, with an NTPMessage indicating that the server has been reached

• [ ] Use paxctld, not paxctl on Focal #5808

  • [ ] When the command ssh app apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh mon apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh app apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [ ] When the command ssh mon apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [ ] When the command ssh app systemctl status paxctld is run, its output should indicate that paxctld is active.

• [ ] Replace cron-apt with unattended-upgrades #5684 RC2 or later only

  • [ ] the Admin Workstation command ssh app unattended-upgrades --dry-run works without returning errors
  • [ ] the Admin Workstation command ssh app unattended-upgrades -d works without returning errors, and the Application Server log at /var/logs/unattended-upgrades.log contains no errors
  • [ ] If a later RC version was available overnight, it has been applied automatically
  • [ ] The system was rebooted automatically at or close to the time specified via `./securedrop-admin sdconfig

• [ ] v2 services cannot be installed on Focal #5819

  • run ./securedrop-admin sdconfig, choosing to enable v2 onion services but leaving all other settings unchanged.
  • [ ] When ./securedrop-admin install is run, it errors out immediately after the prepare-servers role with an message including Please run sdconfig again, disabling v2 services.

Preflight testing

Basic testing

• [ ] Install or upgrade occurs without error
• [ ] Source interface is available and version string indicates it is 1.8.0
• [ ] A message can be successfully submitted

Tails

• [ ] The updater GUI appears on boot
• [ ] The update successfully occurs to 1.8.0
• [ ] After reboot, updater GUI no longer appears

[zenmonkeykstop]

1.8.0 QA Checklist

Environment

• Install target: nuc8
• Server OS: Xenial
• Tails version: 4.14
• Test Scenario: cron-apt
• SSH over Tor: yes
• Onion service version: v2+v3
• Release candidate: rc1
• General notes: YOLO

Basic Server Testing

• [x] I can access both the source and journalist interfaces
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app
  • [x] 0 processes are running unconfined
• [x] AppArmor is loaded on mon
  • [x] 0 processes are running unconfined
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them
• [x] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
  • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
  • Run tests with ./securedrop-admin verify (this will take a while)
  • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
• [x] QA Matrix checks pass

Command Line User Generation

• [x] Can successfully add admin user and login

Administration

• [x] I have backed up and successfully restored the app server following the backup documentation
• [x] If doing upgrade testing, make a backup on 1.7.1 and restore this backup on 1.8.0
• [x] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
• [ ] Can successfully add journalist account with HOTP authentication not tested

Application Acceptance Testing

Source Interface

Landing page base cases

• [x] JS warning bar does not appear when using Security Slider high
• [x] JS warning bar does appear when using Security Slider Low

First submission base cases

• [x] On generate page, refreshing codename produces a new 7-word codename
• [x] On submit page, empty submissions produce flashed message
• [x] On submit page, short message submitted successfully
• [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• [x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

• [x] Nonexistent codename cannot log in
• [x] Empty codename cannot log in
• [x] Legitimate codename can log in
• [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens
• [x] incorrect password cannot log in
• [x] invalid 2fa token cannot log in
• [x] 2fa immediate reuse cannot log in
• [ ] Journalist account with HOTP can log in not tested

Index base cases

• [x] Filter by codename works
• [x] Starring and unstarring works
• [x] Click select all selects all submissions
• [x] Selecting all and clicking "Download" works

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] You cannot submit an empty reply
• [x] Clicking "Delete Source And Submissions" and the source and docs are deleted
• [x] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

• [x] The Updater GUI appears on boot
• [x] Updating occurs without issue

1.8.0 release-specific changes (common)

• [ ] V2 SSH only configured when v2 services are enabled #5718 N/A

  • If SSH-over-Tor was enabled and v2 onion services were not enabled during installation:
  • [ ] the v2 onion service configuration in /var/lib/tor/services/ssh was not created on either the Application or Monitor Server
  • [ ] the file /etc/tor/torrc does not contain HiddenServiceVersion 2 on either the Application or Monitor Server
  • [ ] (optional) OSSEC alerts related to v2 onion services are not triggered

• [x] SSHd config updates #5666

  • [x] After installation, ssh access to both servers works without issue in either SSH-over-Tor or SSH-over-LAN (depending on chosen config)
  • [x] No OSSEC alerts are generated including the text Error: Unable to load host key: /etc/ssh/ssh_host_dsa_key (#5660)

• [x] Safe deletion #5770

  • [x] With Tor Browser's security setting at "standard", sources' files and messages can be deleted on the All Sources page :

  • log into the SI and submit multiple messages/files

  • log into the JI and click Delete on the All Sources page without selecting any sources' checkboxes

    • [x] a server call is not made, and a modal is displayed under the Delete button asking the user to select one or more checkboxes.

  • select the checkbox for the source created above in the "All Sources" page and Click Delete..:

    • [x] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel - the number of sources selected is also displayed.

  • click Cancel

    • [x] The source entry is present and its file/message counts are unchanged

  • ensure that the source is selected and click Delete.. again, then click Files and Messages

    • [x] A success flash message is displayed
    • [x] The source is still present and its file/message counts are both 0

  • in the SI, submit a message

    • [x] The message is submitted successfully
    • [x] in the JI, when the All Sources page is refreshed the message count is now 1.
    • [x] clicking on the source codename opens the source page, the message is listed and can be downloaded.
    • [x] on the source page, a reply can be successfully sent to the source

  • Return to the All Sources page, select the source, and choose Delete > Files and Messages

    • [x] The source is present and counts are 0
    • [x] clicking through to the source page works and no files/messages/replies are listed.
    • In the SI, submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.
    • In the JI, return to the All Sources page.
    • select two sources, choose Delete > Files and Messages
    • [x] both sources are present with zeroed file/message counts
    • [x] the third source is present and its counts are unchanged (and non-zero)

  • [x] With TBB security set to "standard", source accounts can be deleted with a double confirm on the All Sources page:

  • log into the SI, recording the source codename, and submit multiple messages/files

  • log into the JI and select the checkbox for the source created above in the "All Sources" page

  • Click Delete..:

    • [x] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel, the count of selected sources is also displayed

  • Click Source Accounts

    • [x] A second explanatory modal is displayed giving the option to cancel or delete source accounts

  • Click Yes, Delete Source Accounts

    • [x] a success flash message is displayed and the source account is removed from the listing
    • [x] the source's files are all queued for deletion on the server
    • [x] the source's database entry is deleted
    • [x] the sources' reply key is deleted.

  • return to the SI and attempt to log in as the source:

    • [x] the source codename is not found.
    • In the SI, log in with a new account submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.

  • return to the JI and open the All Sources page

  • select two sources, choose Delete > Source Accounts > Yes, Delete Source Accounts

    • [x] a success flash message is displayed
    • [x] the two sources selected are deleted from the All sources page and the server (store/db/reply key)
    • [x] the remaining source is unaffected.

  • [x] With TBB security at "safest", the test cases above pass with the the following exceptions:

  • [x] the selected source count is not displayed on the initial deletion modal when deleting files and messages or source accounts on the All Sources page

  • [x] the modals are centered in the page, not displayed under the delete button on the All sources page

  • [x] a flash error message is displayed instead of the error modal when the user clicks Delete on All Sources with nothing selected.

• [x] Empty files are no longer created for disconnected database entries #5724

  • Log in to the Source Interface as a new source. Submit one message.
  • Connect to the Application Server over SSH, navigate to the source's directory under /var/lib/securedrop/store and delete the file of the message you just submitted.
  • Back in the Source Interface, submit another two messages, waiting a few seconds between them.
  • [x] On the Application Server, verify that the source's directory only contains two files (2-... and 3-...) and that their timestamps are identical.

• [ ] Remove cloud-init package during installation #5771 *FAILED - but could be a test problem - 2 packages used for PXE boot match `clout-init`**

  • [ ] When the command ssh app apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When command ssh mon apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.

• [x] Install release-upgrader in prepare-servers role (#5792)

  • [x] When the command ssh app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)
  • [x] When the command mon app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)

• [x] Update Tor to 0.4.5.6 #5803

  • [x] When the command ssh app tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."
  • [x] When the command ssh mon tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."

• [x] LTS upgrade prompt is disabled #5786

  • [x] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [x] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal
  • [x] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [x] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal

• [x] Update and annotate Apache configuration #5797

  • Check the Source Interface headers from an Admin Workstation terminal using the command curl -I http://<onion>, where <onion> is the SI onion address. The response should include the following:
  • [x] X-Frame-Options: DENY
  • [x] Referrer-Policy: same-origin
  • [x] X-XSS-Protection: 1; mode=block
  • [x] Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';
  • [x] X-Download-Options: noopen
  • [x] Cache-Control: no-store
  • Repeat the command for the Journalist Interface onion address:
  • [x] The header values are the ame as for the SI with the exception of Referrer-policy, whose value should be no-referrer

• [x] Check for updates before most securedrop-admin commands #5788

  • On an Admin Workstation with persistence unlocked and an admin password set:
  • Open a terminal and change directory to ~/Persistent/securedrop
  • [x] Ensure the code is on the most recent 1.8.0 RC tag with git status, switching if necessary with , e.g., git checkout 1.8.0-rc1.
  • [x] Run the command ./securedrop-admin logs. Verify that it does an update check, does not run the subcommand, prints an error, and exits with exit code 1 ( check with echo $?)
    • [x] Verify that the error message above correctly reflects the state of the repository (latest version is 1.7.1) and your checkout (HEAD detached at 1.8.0-rc1).
  • Delete the most recent tags locally (git tag -d 1.8.0-rc1 && git tag -d 1.7.1). Retag your current HEAD as 1.7.1 with an annotated tag (git tag -a 1.7.1 -m 'TEST TAG ONLY'). This tells the updater that you are using the expected tag even though you are on 1.8.0-rc1.
  • [x] Run ./securedrop-admin logs. Confirm that the command prints "All updates applied" and proceeds to fetch logs.
  • Delete your test tag with git tag -d 1.7.1, restore the tags from the server with git fetch --tags --all, and check out the latest RC again with, e.g., git checkout 1.8.0-rc1
  • [x] Run ./securedrop-admin logs again, confirming that the error is displayed and the subcommand not run
  • [x] Run ./securedrop-admin --force logs. Confirm that the version check is skipped and logs are fetched.
  • [x] (Optional) Repeat the check for other ./securedrop-admin subcommands and verify that version checks are performed.

1.8.0 release-specific changes (Xenial only)

• [x] End-of-life messaging#5789

  • [x] When logged into the Journalist Interface, a banner is displayed with information on the April 30 date and a link to the blog advisory.
  • [x] When visiting the Source Interface, the interface is enabled
  • [x] If v2 is enabled, neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [x] When logged into the Journalist Interface, a banner is displayed informing you that the Source Interface is disabled and linking to the blog advisory.
  • [x] When visiting the Source Interface, a message is displayed saying that it is disabled, and you cannot log in or create a new source account.

• [x] IPv6 disabled in init in Focal only#5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [x] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [ ] sudo ip -6 addr: you may see address information, for localhost, ethernet, or both. no output
  • [x] sudo cat /proc/cmdline: you should NOT see "ipv6.disable=1" in the output.
  • [x] sudo ip6tables -S: a brief list of "DROP" policies. Each line you see should have "DROP", but no lines should have "ALLOW".
  • [x] Repeating the process above on the Monitor Server, you should see the same results.

1.8.0 release-specific changes (Focal only)

• [ ] Focal support added #4728

  • [ ] A fresh install using Focal as the base OS completed successfully
  • [ ] If a migration from an existing backup was performed as part of testing:
  • [ ] The data restoration was completed successfully, including data, submissions, and JI accounts
  • [ ] If the backup file included v2 onion service configurations, they were not carried over to the Focal install. #5677

• [ ] Update Kernel to 5.4.97 for Focal #5785

  • [ ] When the command ssh app uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop
  • [ ] When the command ssh mon uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop

• [ ] End-of-life messaging#5789

  • [ ] When logged into the Journalist Interface the EOL banner is not displayed.
  • [ ] When visiting the Source Interface, the interface is enabled
  • [ ] Neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [ ] When logged into the Journalist Interface the EOL banner is not displayed.
  • [ ] When visiting the Source Interface, the interface is enabled

• [ ] resolvconf is not present on focal #5809

  • [ ] When the command ssh app apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When the command ssh mon apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When the command ssh app dig freedom.press is run via an Admin Workstation terminal:
  • [ ] it should succeed.
  • [ ] The SERVER line at the bottom should contain the IP address of the DNS server configured via ./securedrop-admin sdconfig (e.g. 8.8.8.8)

• [ ] Remove aptitude and disable install-recommends #5793

  • [ ] When the command ssh app apt list --installed | grep aptitude is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh mon apt list --installed | grep aptitude is run via an Admin Workstation terminal, it should return an empty string
  • When the command ssh app sudo apt install vlc is run via an Admin Workstation terminal:
  • [ ] It should complete successfully
  • [ ] The subsequent command ssh app apt list --installed | grep vlc-l10n should return an empty string

• [ ] IPv6 disabled in init in Focal only #5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [ ] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [ ] sudo ip -6 addr: you should see no output.
  • [ ] sudo cat /proc/cmdline: you should see "ipv6.disable=1" in the output.
  • [ ] sudo ip6tables -S: you should see an error about functionality not being supported.
  • [ ] Repeating the process above on the Monitor Server, you should see the same results.

• [ ] replace ntp with systemd-timesyncd [#5806]()https://github.com/freedomofpress/securedrop/issue/5806)

  • [ ] Confirm that ntp and ntpdate are not installed on the Application Server with the Admin Workstation command ssh app apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • [ ] Confirm that ntp and ntpdate are not installed on the Monitor Server with the Admin Workstation command ssh mon apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • confirm that time has been synchronized to NTP servers on both machines:
  • [ ] ssh app timedatectl show and ssh mon timedatectl show should both contain NTPSynchronized=yes
  • [ ] ssh app timedatectl show-timesync and ssh mon timedatectl show should both contain ServerName=ntp.ubuntu.com, with an NTPMessage indicating that the server has been reached

• [ ] Use paxctld, not paxctl on Focal #5808

  • [ ] When the command ssh app apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh mon apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh app apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [ ] When the command ssh mon apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [ ] When the command ssh app systemctl status paxctld is run, its output should indicate that paxctld is active.

• [ ] Replace cron-apt with unattended-upgrades #5684 RC2 or later only

  • [ ] the Admin Workstation command ssh app unattended-upgrades --dry-run works without returning errors
  • [ ] the Admin Workstation command ssh app unattended-upgrades -d works without returning errors, and the Application Server log at /var/logs/unattended-upgrades.log contains no errors
  • [ ] If a later RC version was available overnight, it has been applied automatically
  • [ ] The system was rebooted automatically at or close to the time specified via `./securedrop-admin sdconfig

• [ ] v2 services cannot be installed on Focal #5819

  • run ./securedrop-admin sdconfig, choosing to enable v2 onion services but leaving all other settings unchanged.
  • [ ] When ./securedrop-admin install is run, it errors out immediately after the prepare-servers role with an message including Please run sdconfig again, disabling v2 services.

Preflight testing

Basic testing

• [ ] Install or upgrade occurs without error
• [ ] Source interface is available and version string indicates it is 1.8.0
• [ ] A message can be successfully submitted

Tails

• [ ] The updater GUI appears on boot
• [ ] The update successfully occurs to 1.8.0
• [ ] After reboot, updater GUI no longer appears

[emkll]

1.8.0-rc1 Mac minis install-and-restore on Focal (in progress)

Environment

• Install target: Mac Mini
• Server OS: Ubuntu 20.04 Focal
• Tails version: 4.16
• Test Scenario: backup-install-migrate
• SSH over Tor: Yes
• Onion service version: v2+v3 (backup), v3 install
• Release candidate: 1.8.0-rc1
• General notes:

Basic Server Testing

• [x] I can access both the source and journalist interfaces
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app
  • [x] 0 processes are running unconfined
• [x] AppArmor is loaded on mon
  • [x] 0 processes are running unconfined
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them
• [ ] :exclamation: see #5825 After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
  • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
  • Run tests with ./securedrop-admin verify (this will take a while)
  • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
• [x] QA Matrix checks pass

Command Line User Generation

• [x] Can successfully add admin user and login

Administration

• [ ] I have backed up and successfully restored the app server following the backup documentation
• [ ] If doing upgrade testing, make a backup on 1.7.1 and restore this backup on this release candidate
• [ ] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
• [ ] Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases

• [ ] JS warning bar does not appear when using Security Slider high
• [ ] JS warning bar does appear when using Security Slider Low

First submission base cases

• [ ] On generate page, refreshing codename produces a new 7-word codename
• [ ] On submit page, empty submissions produce flashed message
• [ ] On submit page, short message submitted successfully
• [ ] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• [ ] On submit page, file less than 500 MB submitted successfully

Returning source base cases

• [ ] Nonexistent codename cannot log in
• [ ] Empty codename cannot log in
• [ ] Legitimate codename can log in
• [ ] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• [ ] Can log in with 2FA tokens
• [ ] incorrect password cannot log in
• [ ] invalid 2fa token cannot log in
• [ ] 2fa immediate reuse cannot log in
• [ ] Journalist account with HOTP can log in

Index base cases

• [ ] Filter by codename works
• [ ] Starring and unstarring works
• [ ] Click select all selects all submissions
• [ ] Selecting all and clicking "Download" works

Individual source page

• [ ] You can submit a reply and a flashed message and new row appears
• [ ] You cannot submit an empty reply
• [ ] Clicking "Delete Source Account" and the source and docs are deleted
• [ ] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

• [ ] The Updater GUI appears on boot
• [ ] Updating occurs without issue

1.8.0 release-specific changes (common)

• [ ] V2 SSH only configured when v2 services are enabled #5718

  • If SSH-over-Tor was enabled and v2 onion services were not enabled during installation:
  • [ ] the v2 onion service configuration in /var/lib/tor/services/ssh was not created on either the Application or Monitor Server
  • [ ] the file /etc/tor/torrc does not contain HiddenServiceVersion 2 on either the Application or Monitor Server
  • [ ] (optional) OSSEC alerts related to v2 onion services are not triggered

• [ ] SSHd config updates #5666

  • [ ] After installation, ssh access to both servers works without issue in either SSH-over-Tor or SSH-over-LAN (depending on chosen config)
  • [ ] No OSSEC alerts are generated including the text Error: Unable to load host key: /etc/ssh/ssh_host_dsa_key (#5660)

• [ ] Safe deletion #5770

  • [ ] With Tor Browser's security setting at "standard", sources' files and messages can be deleted on the All Sources page :

  • log into the SI and submit multiple messages/files

  • log into the JI and click Delete on the All Sources page without selecting any sources' checkboxes

    • [ ] a server call is not made, and a modal is displayed under the Delete button asking the user to select one or more checkboxes.

  • select the checkbox for the source created above in the "All Sources" page and Click Delete..:

    • [ ] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel - the number of sources selected is also displayed.

  • click Cancel

    • [ ] The source entry is present and its file/message counts are unchanged

  • ensure that the source is selected and click Delete.. again, then click Files and Messages

    • [ ] A success flash message is displayed
    • [ ] The source is still present and its file/message counts are both 0

  • in the SI, submit a message

    • [ ] The message is submitted successfully
    • [ ] in the JI, when the All Sources page is refreshed the message count is now 1.
    • [ ] clicking on the source codename opens the source page, the message is listed and can be downloaded.
    • [ ] on the source page, a reply can be successfully sent to the source

  • Return to the All Sources page, select the source, and choose Delete > Files and Messages

    • [ ] The source is present and counts are 0
    • [ ] clicking through to the source page works and no files/messages/replies are listed.
    • In the SI, submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.
    • In the JI, return to the All Sources page.
    • select two sources, choose Delete > Files and Messages
    • [ ] both sources are present with zeroed file/message counts
    • [ ] the third source is present and its counts are unchanged (and non-zero)

  • [ ] With TBB security set to "standard", source accounts can be deleted with a double confirm on the All Sources page:

  • log into the SI, recording the source codename, and submit multiple messages/files

  • log into the JI and select the checkbox for the source created above in the "All Sources" page

  • Click Delete..:

    • [ ] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel, the count of selected sources is also displayed

  • Click Source Accounts

    • [ ] A second explanatory modal is displayed giving the option to cancel or delete source accounts

  • Click Yes, Delete Source Accounts

    • [ ] a success flash message is displayed and the source account is removed from the listing
    • [ ] the source's files are all queued for deletion on the server
    • [ ] the source's database entry is deleted
    • [ ] the sources' reply key is deleted.

  • return to the SI and attempt to log in as the source:

    • [ ] the source codename is not found.
    • In the SI, log in with a new account submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.

  • return to the JI and open the All Sources page

  • select two sources, choose Delete > Source Accounts > Yes, Delete Source Accounts

    • [ ] a success flash message is displayed
    • [ ] the two sources selected are deleted from the All sources page and the server (store/db/reply key)
    • [ ] the remaining source is unaffected.

  • [ ] With TBB security at "safest", the test cases above pass with the the following exceptions:

  • [ ] the selected source count is not displayed on the initial deletion modal when deleting files and messages or source accounts on the All Sources page

  • [ ] the modals are centered in the page, not displayed under the delete button on the All sources page

  • [ ] a flash error message is displayed instead of the error modal when the user clicks Delete on All Sources with nothing selected.

• [ ] Empty files are no longer created for disconnected database entries #5724

  • Log in to the Source Interface as a new source. Submit one message.
  • Connect to the Application Server over SSH, navigate to the source's directory under /var/lib/securedrop/store and delete the file of the message you just submitted.
  • Back in the Source Interface, submit another two messages, waiting a few seconds between them.
  • [ ] On the Application Server, verify that the source's directory only contains two files (2-... and 3-...) and that their timestamps are identical.

• [ ] Remove cloud-init package during installation #5771

  • [ ] When the command ssh app apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When command ssh mon apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.

• [ ] Install release-upgrader in prepare-servers role (#5792)

  • [ ] When the command ssh app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)
  • [ ] When the command mon app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)

• [ ] Update Tor to 0.4.5.6 #5803

  • [ ] When the command ssh app tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."
  • [ ] When the command ssh mon tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."

• [ ] LTS upgrade prompt is disabled #5786

  • [ ] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [ ] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal
  • [ ] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [ ] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal

• [ ] Update and annotate Apache configuration #5797

  • Check the Source Interface headers from an Admin Workstation terminal using the command curl -I http://<onion>, where <onion> is the SI onion address. The response should include the following:
  • [ ] X-Frame-Options: DENY
  • [ ] Referrer-Policy: same-origin
  • [ ] X-XSS-Protection: 1; mode=block
  • [ ] Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';
  • [ ] X-Download-Options: noopen
  • [ ] Cache-Control: no-store
  • Repeat the command for the Journalist Interface onion address:
  • [ ] The header values are the ame as for the SI with the exception of Referrer-policy, whose value should be no-referrer

• [ ] Check for updates before most securedrop-admin commands #5788

  • On an Admin Workstation with persistence unlocked and an admin password set:
  • Open a terminal and change directory to ~/Persistent/securedrop
  • [ ] Ensure the code is on the most recent 1.8.0 RC tag with git status, switching if necessary with , e.g., git checkout 1.8.0-rc1.
  • [ ] Run the command ./securedrop-admin logs. Verify that it does an update check, does not run the subcommand, prints an error, and exits with exit code 1 ( check with echo $?)
    • [ ] Verify that the error message above correctly reflects the state of the repository (latest version is 1.7.1) and your checkout (HEAD detached at 1.8.0-rc1).
  • Delete the most recent tags locally (git tag -d 1.8.0-rc1 && git tag -d 1.7.1). Retag your current HEAD as 1.7.1 with an annotated tag (git tag -a 1.7.1 -m 'TEST TAG ONLY'). This tells the updater that you are using the expected tag even though you are on 1.8.0-rc1.
  • [ ] Run ./securedrop-admin logs. Confirm that the command prints "All updates applied" and proceeds to fetch logs.
  • Delete your test tag with git tag -d 1.7.1, restore the tags from the server with git fetch --tags --all, and check out the latest RC again with, e.g., git checkout 1.8.0-rc1
  • [ ] Run ./securedrop-admin logs again, confirming that the error is displayed and the subcommand not run
  • [ ] Run ./securedrop-admin --force logs. Confirm that the version check is skipped and logs are fetched.
  • [ ] (Optional) Repeat the check for other ./securedrop-admin subcommands and verify that version checks are performed.

1.8.0 release-specific changes (Xenial only)

• [ ] End-of-life messaging#5789

  • [ ] When logged into the Journalist Interface, a banner is displayed with information on the April 30 date and a link to the blog advisory.
  • [ ] When visiting the Source Interface, the interface is enabled
  • [ ] If v2 is enabled, neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [ ] When logged into the Journalist Interface, a banner is displayed informing you that the Source Interface is disabled and linking to the blog advisory.
  • [ ] When visiting the Source Interface, a message is displayed saying that it is disabled, and you cannot log in or create a new source account.

• [ ] IPv6 disabled in init in Focal only#5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [ ] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [ ] sudo ip -6 addr: you may see address information, for localhost, ethernet, or both.
  • [ ] sudo cat /proc/cmdline: you should NOT see "ipv6.disable=1" in the output.
  • [ ] sudo ip6tables -S: a brief list of "DROP" policies. Each line you see should have "DROP", but no lines should have "ALLOW".
  • [ ] Repeating the process above on the Monitor Server, you should see the same results.

1.8.0 release-specific changes (Focal only)

• [ ] Focal support added #4728

  • [ ] A fresh install using Focal as the base OS completed successfully
  • [ ] If a migration from an existing backup was performed as part of testing:
  • [ ] The data restoration was completed successfully, including data, submissions, and JI accounts
  • [ ] If the backup file included v2 onion service configurations, they were not carried over to the Focal install. #5677

• [ ] Update Kernel to 5.4.97 for Focal #5785

  • [ ] When the command ssh app uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop
  • [ ] When the command ssh mon uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop

• [ ] End-of-life messaging#5789

  • [ ] When logged into the Journalist Interface the EOL banner is not displayed.
  • [ ] When visiting the Source Interface, the interface is enabled
  • [ ] Neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [ ] When logged into the Journalist Interface the EOL banner is not displayed.
  • [ ] When visiting the Source Interface, the interface is enabled

• [ ] resolvconf is not present on focal #5809

  • [ ] When the command ssh app apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When the command ssh mon apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When the command ssh app dig freedom.press is run via an Admin Workstation terminal:
  • [ ] it should succeed.
  • [ ] The SERVER line at the bottom should contain the IP address of the DNS server configured via ./securedrop-admin sdconfig (e.g. 8.8.8.8)

• [ ] Remove aptitude and disable install-recommends #5793

  • [ ] When the command ssh app apt list --installed | grep aptitude is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh mon apt list --installed | grep aptitude is run via an Admin Workstation terminal, it should return an empty string
  • When the command ssh app sudo apt install vlc is run via an Admin Workstation terminal:
  • [ ] It should complete successfully
  • [ ] The subsequent command ssh app apt list --installed | grep vlc-l10n should return an empty string

• [ ] IPv6 disabled in init in Focal only #5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [ ] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [ ] sudo ip -6 addr: you should see no output.
  • [ ] sudo cat /proc/cmdline: you should see "ipv6.disable=1" in the output.
  • [ ] sudo ip6tables -S: you should see an error about functionality not being supported.
  • [ ] Repeating the process above on the Monitor Server, you should see the same results.

• [ ] replace ntp with systemd-timesyncd [#5806]()https://github.com/freedomofpress/securedrop/issue/5806)

  • [ ] Confirm that ntp and ntpdate are not installed on the Application Server with the Admin Workstation command ssh app apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • [ ] Confirm that ntp and ntpdate are not installed on the Monitor Server with the Admin Workstation command ssh mon apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • confirm that time has been synchronized to NTP servers on both machines:
  • [ ] ssh app timedatectl show and ssh mon timedatectl show should both contain NTPSynchronized=yes
  • [ ] ssh app timedatectl show-timesync and ssh mon timedatectl show should both contain ServerName=ntp.ubuntu.com, with an NTPMessage indicating that the server has been reached

• [ ] Use paxctld, not paxctl on Focal #5808

  • [ ] When the command ssh app apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh mon apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [ ] When the command ssh app apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [ ] When the command ssh mon apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [ ] When the command ssh app systemctl status paxctld is run, its output should indicate that paxctld is active.

• [ ] Replace cron-apt with unattended-upgrades #5684 RC2 or later only

  • [ ] the Admin Workstation command ssh app unattended-upgrades --dry-run works without returning errors
  • [ ] the Admin Workstation command ssh app unattended-upgrades -d works without returning errors, and the Application Server log at /var/logs/unattended-upgrades.log contains no errors
  • [ ] If a later RC version was available overnight, it has been applied automatically
  • [ ] The system was rebooted automatically at or close to the time specified via `./securedrop-admin sdconfig

• [ ] v2 services cannot be installed on Focal #5819

  • run ./securedrop-admin sdconfig, choosing to enable v2 onion services but leaving all other settings unchanged.
  • [ ] When ./securedrop-admin install is run, it errors out immediately after the prepare-servers role with an message including Please run sdconfig again, disabling v2 services.

Preflight testing

Basic testing

• [ ] Install or upgrade occurs without error
• [ ] Source interface is available and version string indicates it is 1.8.0
• [ ] A message can be successfully submitted

Tails

• [ ] The updater GUI appears on boot
• [ ] The update successfully occurs to 1.8.0
• [ ] After reboot, updater GUI no longer appears

[zenmonkeykstop]

v2+v3 Xenial to focal migrations:

Just completed a migration from a v2+v3 Xenial to a v3 Focal (using the branch in #5834 for the restore, as this is currently broken in RC1). Steps are as follows, starting in ~/Persistent on the same admin stick as was used for the Xenial install:

• backed up v2+v3 instance
• installed Focal on servers, set up ssh keys
• rename securedrop to sd.bak
• git clone a fresh securedrop
• copy site-specific, GPG keys, tor_v3_keys.json from sd.bak to the appropriate locations in securedrop
• move ~/.ssh/config and ~/.ssh/known_hosts out of ~/.ssh (or just delete them)
• in securedrop, flip fpf apt repo to apt-test.freedom.press as per regular QA process
• go through the usual fresh install process: setup -> sdconfig (disabling v2) -> install -> tailsconfig
• copy the backup from sd.bak/install_files/ansible-base to securedrop/install_files/ansible-base
• run the restore (which will fail on attempting to reload Tor)
• copy app*.auth_private, app-sourcev3-ths from sd.bak to securedrop/install_files/ansible-base
• run tailsconfig again

The v3 addresses and auth keys for the JI, SI, and ssh should match the ones in sd.bak. The mon ssh address will change but the key should be the same. All services should be accessible without any manual editing of the configuration. V2 services should not be present.

V3 Xenial to Focal migrations

The process should be identical to the v2+v3 case, except it should not be necessary to disable v2 in sdconfig (vbut step through sdconfig anyway

V2 Xenial to Focal migrations

As v2 onion services can't be migrated to Focal, this case should be easier (again, using #5834 if it's not merged and RCed yet):

• back up v2 instance
• install Focal on servers, set up ssh keys
• rename securedrop to sd.bak
• git clone a fresh securedrop
• move ~/.ssh/config and ~/.ssh/known_hosts out of ~/.ssh (or just delete them)
• in securedrop, flip fpf apt repo to apt-test.freedom.press as per regular QA process
• go through the usual fresh install process: setup -> sdconfig (disabling v2) -> install -> tailsconfig
• copy the backup from sd.bak/install_files/ansible-base to securedrop/install_files/ansible-base
• run the restore with the --preserve-tor-config flag - this should complete successfully
• party!

[kushaldas]

Tested RC2 for specially:

V2 Xenial to Focal migrations

As v2 onion services can't be migrated to Focal, this case should be easier (again, using #5834 if it's not merged and RCed yet):

• [x] back up v2 instance
• [x] install Focal on servers, set up ssh keys
• [x] rename securedrop to sd.bak
• [x] git clone a fresh securedrop
• [x] move ~/.ssh/config and ~/.ssh/known_hosts out of ~/.ssh (or just delete them)
• [x] in securedrop, flip fpf apt repo to apt-test.freedom.press as per regular QA process
• [x] go through the usual fresh install process: setup -> sdconfig (disabling v2) -> install -> tailsconfig
• [x] copy the backup from sd.bak/install_files/ansible-base to securedrop/install_files/ansible-base
• [x] run the restore with the --preserve-tor-config flag - this should complete successfully****

I can still do ssh, both source and journalist address work. I can also do standard application specific steps (source submission + decryption at the journalist end) following regular steps.

[kushaldas]

1.8.0 QA Checklist

Environment

• Install target: VM, Focal
• Tails version: 4.16
• Test Scenario: fresh
• SSH over Tor: No
• Onion service version: v3
• Release candidate: rc4

Command Line User Generation

• [x] Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• [x] JS warning bar does not appear when using Security Slider high
• [x] JS warning bar does appear when using Security Slider Low

First submission base cases

• [x] On generate page, refreshing codename produces a new 7-word codename
• [x] On submit page, empty submissions produce flashed message
• [x] On submit page, short message submitted successfully
• [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• [x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

• [x] Nonexistent codename cannot log in
• [x] Empty codename cannot log in
• [x] Legitimate codename can log in
• [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens
• [x] incorrect password cannot log in
• [x] invalid 2fa token cannot log in
• [x] 2fa immediate reuse cannot log in
• [x] Journalist account with HOTP can log in

Index base cases

• [x] Filter by codename works
• [x] Starring and unstarring works
• [x] Click select all selects all submissions
• [x] Selecting all and clicking "Download" works

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] You cannot submit an empty reply
• [x] Clicking "Delete Source And Submissions" and the source and docs are deleted
• [x] You can click on a document and successfully decrypt using application private key

1.8.0 release-specific changes (common)

• [x] SSHd config updates #5666

  • [x] After installation, ssh access to both servers works without issue in either SSH-over-Tor or SSH-over-LAN (depending on chosen config)
  • [x] No OSSEC alerts are generated including the text Error: Unable to load host key: /etc/ssh/ssh_host_dsa_key (#5660)

• [x] Safe deletion #5770

  • [x] With Tor Browser's security setting at "standard", sources' files and messages can be deleted on the All Sources page :

  • log into the SI and submit multiple messages/files

  • log into the JI and click Delete on the All Sources page without selecting any sources' checkboxes

    • [x] a server call is not made, and a modal is displayed under the Delete button asking the user to select one or more checkboxes.

  • select the checkbox for the source created above in the "All Sources" page and Click Delete..:

    • [x] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel - the number of sources selected is also displayed.

  • click Cancel

    • [x] The source entry is present and its file/message counts are unchanged

  • ensure that the source is selected and click Delete.. again, then click Files and Messages

    • [x] A success flash message is displayed
    • [x] The source is still present and its file/message counts are both 0

  • in the SI, submit a message

    • [x] The message is submitted successfully
    • [x] in the JI, when the All Sources page is refreshed the message count is now 1.
    • [x] clicking on the source codename opens the source page, the message is listed and can be downloaded.
    • [x] on the source page, a reply can be successfully sent to the source

  • Return to the All Sources page, select the source, and choose Delete > Files and Messages

    • [x] The source is present and counts are 0
    • [x] clicking through to the source page works and no files/messages/replies are listed.
    • In the SI, submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.
    • In the JI, return to the All Sources page.
    • select two sources, choose Delete > Files and Messages
    • [x] both sources are present with zeroed file/message counts
    • [x] the third source is present and its counts are unchanged (and non-zero)

  • [x] With TBB security set to "standard", source accounts can be deleted with a double confirm on the All Sources page:

  • log into the SI, recording the source codename, and submit multiple messages/files

  • log into the JI and select the checkbox for the source created above in the "All Sources" page

  • Click Delete..:

    • [x] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel, the count of selected sources is also displayed

  • Click Source Accounts

    • [x] A second explanatory modal is displayed giving the option to cancel or delete source accounts

  • Click Yes, Delete Source Accounts

    • [x] a success flash message is displayed and the source account is removed from the listing
    • [x] the source's files are all queued for deletion on the server
    • [x] the source's database entry is deleted
    • [x] the sources' reply key is deleted.

  • return to the SI and attempt to log in as the source:

    • [x] the source codename is not found.
    • In the SI, log in with a new account submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.

  • return to the JI and open the All Sources page

  • select two sources, choose Delete > Source Accounts > Yes, Delete Source Accounts

    • [x] a success flash message is displayed
    • [x] the two sources selected are deleted from the All sources page and the server (store/db/reply key)
    • [x] the remaining source is unaffected.

  • [ ] With TBB security at "safest", the test cases above pass with the the following exceptions:

  • [ ] the selected source count is not displayed on the initial deletion modal when deleting files and messages or source accounts on the All Sources page

  • [ ] the modals are centered in the page, not displayed under the delete button on the All sources page

  • [ ] a flash error message is displayed instead of the error modal when the user clicks Delete on All Sources with nothing selected.

• [x] Empty files are no longer created for disconnected database entries #5724

  • Log in to the Source Interface as a new source. Submit one message.
  • Connect to the Application Server over SSH, navigate to the source's directory under /var/lib/securedrop/store and delete the file of the message you just submitted.
  • Back in the Source Interface, submit another two messages, waiting a few seconds between them.
  • [x] On the Application Server, verify that the source's directory only contains two files (2-... and 3-...) and that their timestamps are identical.

• [x] Remove cloud-init package during installation #5771

  • [ ] When the command ssh app apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When command ssh mon apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.

• [x] Install release-upgrader in prepare-servers role (#5792)

  • [x] When the command ssh app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS) ubuntu-release-upgrader-core/now
  • [x] When the command mon app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)

• [x] Update Tor to 0.4.5.6 #5803

  • [x] When the command ssh app tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."
  • [x] When the command ssh mon tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."

• [x] LTS upgrade prompt is disabled #5786

  • [x] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [x] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal
  • [x] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [x] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal

• [x] Update and annotate Apache configuration #5797

  • Check the Source Interface headers from an Admin Workstation terminal using the command curl -I http://<onion>, where <onion> is the SI onion address. The response should include the following:
  • [x] X-Frame-Options: DENY
  • [x] Referrer-Policy: same-origin
  • [x] X-XSS-Protection: 1; mode=block
  • [x] Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';
  • [x] X-Download-Options: noopen
  • [x] Cache-Control: no-store
  • Repeat the command for the Journalist Interface onion address:
  • [x] The header values are the ame as for the SI with the exception of Referrer-policy, whose value should be no-referrer

• [ ] Check for updates before most securedrop-admin commands #5788

  • On an Admin Workstation with persistence unlocked and an admin password set:
  • Open a terminal and change directory to ~/Persistent/securedrop
  • [ ] Ensure the code is on the most recent 1.8.0 RC tag with git status, switching if necessary with , e.g., git checkout 1.8.0-rc1.
  • [ ] Run the command ./securedrop-admin logs. Verify that it does an update check, does not run the subcommand, prints an error, and exits with exit code 1 ( check with echo $?)
    • [ ] Verify that the error message above correctly reflects the state of the repository (latest version is 1.7.1) and your checkout (HEAD detached at 1.8.0-rc1).
  • Delete the most recent tags locally (git tag -d 1.8.0-rc1 && git tag -d 1.7.1). Retag your current HEAD as 1.7.1 with an annotated tag (git tag -a 1.7.1 -m 'TEST TAG ONLY'). This tells the updater that you are using the expected tag even though you are on 1.8.0-rc1.
  • [ ] Run ./securedrop-admin logs. Confirm that the command prints "All updates applied" and proceeds to fetch logs.
  • Delete your test tag with git tag -d 1.7.1, restore the tags from the server with git fetch --tags --all, and check out the latest RC again with, e.g., git checkout 1.8.0-rc1
  • [ ] Run ./securedrop-admin logs again, confirming that the error is displayed and the subcommand not run
  • [ ] Run ./securedrop-admin --force logs. Confirm that the version check is skipped and logs are fetched.
  • [ ] (Optional) Repeat the check for other ./securedrop-admin subcommands and verify that version checks are performed.

1.8.0 release-specific changes (Focal only)

• [x] Focal support added #4728

  • [x] A fresh install using Focal as the base OS completed successfully
  • [x] If a migration from an existing backup was performed as part of testing:
  • [x] The data restoration was completed successfully, including data, submissions, and JI accounts
  • [x] If the backup file included v2 onion service configurations, they were not carried over to the Focal install. #5677

• [x] Update Kernel to 5.4.97 for Focal #5785

  • [x] When the command ssh app uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop
  • [x] When the command ssh mon uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop

• [x] resolvconf is not present on focal #5809

  • [x] When the command ssh app apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [x] When the command ssh mon apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [x] When the command ssh app dig freedom.press is run via an Admin Workstation terminal:
  • [x] it should succeed.
  • [x] The SERVER line at the bottom should contain the IP address of the DNS server configured via ./securedrop Remove aptitude and disable install-recommends [#5793](https://github.com/fre When the commandssh app apt list --installed | grep aptitudeis run via an Admin Workstation terminal, When the commandssh mon apt list --installed | grep aptitude` is run via an Admin Workstation terminal, it should return an empty string
  • When the command ssh app sudo apt install vlc is run vi The subsequent command `ssh app apt list --installed | grep vlc-l1 IPv6 disabled in init in Focal only #5810
  • In an SSH session on the Application Server via ssh app, the commands sudo ip -4 addr: you should see two addresses, one for localhost sudo ip -6sudo cat /proc/cmdline: you should seesudo ip6tables -S`: you should see an error about fu Repeating the process above on the Monitor Server, you should see the same results.

• [x] replace ntp with systemd-timesyncd [#5806]()https://github.com/freedomofpress/securedrop/issue/5806)

  • [x] Confirm that ntp and ntpdate are not installed on the Application Server with the Admin Workstation command ssh app apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • [x] Confirm that ntp and ntpdate are not installed on the Monitor Server with the Admin Workstation command ssh mon apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • confirm that time has been synchronized to NTP servers on both machines:
  • [x] ssh app timedatectl show and ssh mon timedatectl show should both contain NTPSynchronized=yes
  • [x] ssh app timedatectl show-timesync and ssh mon timedatectl show should both contain ServerName=ntp.ubuntu.com, with an NTPMessage indicating that the server has been reached

• [x] Use paxctld, not paxctl on Focal #5808

  • [x] When the command ssh app apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [x] When the command ssh mon apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [x] When the command ssh app apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [x] When the command ssh mon apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [x] When the command ssh app systemctl status paxctld is run, its output should indicate that paxctld is active.

• [ ] Replace cron-apt with unattended-upgrades #5684 RC2 or later only

  • [ ] the Admin Workstation command ssh app unattended-upgrades --dry-run works without returning errors
  • [ ] the Admin Workstation command ssh app unattended-upgrades -d works without returning errors, and the Application Server log at /var/logs/unattended-upgrades.log contains no errors
  • [ ] If a later RC version was available overnight, it has been applied automatically
  • [ ] The system was rebooted automatically at or close to the time specified via `./securedrop-admin sdconfig

• [x] v2 services cannot be installed on Focal #5819

  • run ./securedrop-admin sdconfig, choosing to enable v2 onion services but leaving all other settings unchanged.
  • [x] When ./securedrop-admin install is run, it errors out immediately after the prepare-servers role with an message including Please run sdconfig again, disabling v2 services.

Preflight testing

Basic testing

• [ ] Install or upgrade occurs without error
• [ ] Source interface is available and version string indicates it is 1.8.0
• [ ] A message can be successfully submitted

Tails

• [ ] The updater GUI appears on boot
• [ ] The update successfully occurs to 1.8.0
• [ ] After reboot, updater GUI no longer appears

[emkll]

1.7.1->1.8.0-rc4 (VMs) In progress

Environment

• Install target: Xenial VMs
• Server OS: Ubuntu 16.04
• Tails version: 4.14
• Test Scenario: cron-apt upgrade
• SSH over Tor: Yes
• Onion service version: v3-only
• Release candidate: rc4
• General notes:

Basic Server Testing

• [x] I can access both the source and journalist interfaces
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app
  • [x] 0 processes are running unconfined
• [x] AppArmor is loaded on mon
  • [x] 0 processes are running unconfined
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them
• [x] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
  • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
  • Run tests with ./securedrop-admin verify (this will take a while)
  • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
• [x] QA Matrix checks pass

Command Line User Generation

• [x] Can successfully add admin user and login

Administration

• [x] I have backed up and successfully restored the app server following the backup documentation
• [x] If doing upgrade testing, make a backup on 1.7.1 and restore this backup on this release candidate
• [x] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
• [x] Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases

• [x] JS warning bar does not appear when using Security Slider high
• [x] JS warning bar does appear when using Security Slider Low

First submission base cases

• [x] On generate page, refreshing codename produces a new 7-word codename
• [x] On submit page, empty submissions produce flashed message
• [x] On submit page, short message submitted successfully
• [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• [x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

• [x] Nonexistent codename cannot log in
• [x] Empty codename cannot log in
• [x] Legitimate codename can log in
• [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• [x] Can log in with 2FA tokens
• [x] incorrect password cannot log in
• [x] invalid 2fa token cannot log in
• [x] 2fa immediate reuse cannot log in
• [x] Journalist account with HOTP can log in

Index base cases

• [x] Filter by codename works
• [x] Starring and unstarring works
• [x] Click select all selects all submissions
• [x] Selecting all and clicking "Download" works

Individual source page

• [x] You can submit a reply and a flashed message and new row appears
• [x] You cannot submit an empty reply
• [x] Clicking "Delete Source Account" and the source and docs are deleted
• [x] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

• [ ] The Updater GUI appears on boot
• [ ] Updating occurs without issue

1.8.0 release-specific changes (common)

• [ ] V2 SSH only configured when v2 services are enabled #5718

  • If SSH-over-Tor was enabled and v2 onion services were not enabled during installation:
  • [ ] the v2 onion service configuration in /var/lib/tor/services/ssh was not created on either the Application or Monitor Server
  • [ ] the file /etc/tor/torrc does not contain HiddenServiceVersion 2 on either the Application or Monitor Server
  • [ ] (optional) OSSEC alerts related to v2 onion services are not triggered

• [ ] SSHd config updates #5666

  • [ ] After installation, ssh access to both servers works without issue in either SSH-over-Tor or SSH-over-LAN (depending on chosen config)
  • [ ] No OSSEC alerts are generated including the text Error: Unable to load host key: /etc/ssh/ssh_host_dsa_key (#5660)

• [ ] Safe deletion #5770

  • [ ] With Tor Browser's security setting at "standard", sources' files and messages can be deleted on the All Sources page :

  • log into the SI and submit multiple messages/files

  • log into the JI and click Delete on the All Sources page without selecting any sources' checkboxes

    • [ ] a server call is not made, and a modal is displayed under the Delete button asking the user to select one or more checkboxes.

  • select the checkbox for the source created above in the "All Sources" page and Click Delete..:

    • [ ] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel - the number of sources selected is also displayed.

  • click Cancel

    • [ ] The source entry is present and its file/message counts are unchanged

  • ensure that the source is selected and click Delete.. again, then click Files and Messages

    • [ ] A success flash message is displayed
    • [ ] The source is still present and its file/message counts are both 0

  • in the SI, submit a message

    • [ ] The message is submitted successfully
    • [ ] in the JI, when the All Sources page is refreshed the message count is now 1.
    • [ ] clicking on the source codename opens the source page, the message is listed and can be downloaded.
    • [ ] on the source page, a reply can be successfully sent to the source

  • Return to the All Sources page, select the source, and choose Delete > Files and Messages

    • [ ] The source is present and counts are 0
    • [ ] clicking through to the source page works and no files/messages/replies are listed.
    • In the SI, submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.
    • In the JI, return to the All Sources page.
    • select two sources, choose Delete > Files and Messages
    • [ ] both sources are present with zeroed file/message counts
    • [ ] the third source is present and its counts are unchanged (and non-zero)

  • [ ] With TBB security set to "standard", source accounts can be deleted with a double confirm on the All Sources page:

  • log into the SI, recording the source codename, and submit multiple messages/files

  • log into the JI and select the checkbox for the source created above in the "All Sources" page

  • Click Delete..:

    • [ ] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel, the count of selected sources is also displayed

  • Click Source Accounts

    • [ ] A second explanatory modal is displayed giving the option to cancel or delete source accounts

  • Click Yes, Delete Source Accounts

    • [ ] a success flash message is displayed and the source account is removed from the listing
    • [ ] the source's files are all queued for deletion on the server
    • [ ] the source's database entry is deleted
    • [ ] the sources' reply key is deleted.

  • return to the SI and attempt to log in as the source:

    • [ ] the source codename is not found.
    • In the SI, log in with a new account submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.

  • return to the JI and open the All Sources page

  • select two sources, choose Delete > Source Accounts > Yes, Delete Source Accounts

    • [ ] a success flash message is displayed
    • [ ] the two sources selected are deleted from the All sources page and the server (store/db/reply key)
    • [ ] the remaining source is unaffected.

  • [ ] With TBB security at "safest", the test cases above pass with the the following exceptions:

  • [ ] the selected source count is not displayed on the initial deletion modal when deleting files and messages or source accounts on the All Sources page

  • [ ] the modals are centered in the page, not displayed under the delete button on the All sources page

  • [ ] a flash error message is displayed instead of the error modal when the user clicks Delete on All Sources with nothing selected.

• [ ] Empty files are no longer created for disconnected database entries #5724

  • Log in to the Source Interface as a new source. Submit one message.
  • Connect to the Application Server over SSH, navigate to the source's directory under /var/lib/securedrop/store and delete the file of the message you just submitted.
  • Back in the Source Interface, submit another two messages, waiting a few seconds between them.
  • [ ] On the Application Server, verify that the source's directory only contains two files (2-... and 3-...) and that their timestamps are identical.

• [ ] Remove cloud-init package during installation #5771

  • [ ] When the command ssh app apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.
  • [ ] When command ssh mon apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.

• [ ] Install release-upgrader in prepare-servers role (#5792)

  • [ ] When the command ssh app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)
  • [ ] When the command mon app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)

• [ ] Update Tor to 0.4.5.6 #5803

  • [ ] When the command ssh app tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."
  • [ ] When the command ssh mon tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."

• [ ] LTS upgrade prompt is disabled #5786

  • [ ] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [ ] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal
  • [ ] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [ ] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal

• [ ] Update and annotate Apache configuration #5797

  • Check the Source Interface headers from an Admin Workstation terminal using the command curl -I http://<onion>, where <onion> is the SI onion address. The response should include the following:
  • [ ] X-Frame-Options: DENY
  • [ ] Referrer-Policy: same-origin
  • [ ] X-XSS-Protection: 1; mode=block
  • [ ] Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';
  • [ ] X-Download-Options: noopen
  • [ ] Cache-Control: no-store
  • Repeat the command for the Journalist Interface onion address:
  • [ ] The header values are the ame as for the SI with the exception of Referrer-policy, whose value should be no-referrer

• [ ] Check for updates before most securedrop-admin commands #5788

  • On an Admin Workstation with persistence unlocked and an admin password set:
  • Open a terminal and change directory to ~/Persistent/securedrop
  • [ ] Ensure the code is on the most recent 1.8.0 RC tag with git status, switching if necessary with , e.g., git checkout 1.8.0-rc1.
  • [ ] Run the command ./securedrop-admin logs. Verify that it does an update check, does not run the subcommand, prints an error, and exits with exit code 1 ( check with echo $?)
    • [ ] Verify that the error message above correctly reflects the state of the repository (latest version is 1.7.1) and your checkout (HEAD detached at 1.8.0-rc1).
  • Delete the most recent tags locally (git tag -d 1.8.0-rc1 && git tag -d 1.7.1). Retag your current HEAD as 1.7.1 with an annotated tag (git tag -a 1.7.1 -m 'TEST TAG ONLY'). This tells the updater that you are using the expected tag even though you are on 1.8.0-rc1.
  • [ ] Run ./securedrop-admin logs. Confirm that the command prints "All updates applied" and proceeds to fetch logs.
  • Delete your test tag with git tag -d 1.7.1, restore the tags from the server with git fetch --tags --all, and check out the latest RC again with, e.g., git checkout 1.8.0-rc1
  • [ ] Run ./securedrop-admin logs again, confirming that the error is displayed and the subcommand not run
  • [ ] Run ./securedrop-admin --force logs. Confirm that the version check is skipped and logs are fetched.
  • [ ] (Optional) Repeat the check for other ./securedrop-admin subcommands and verify that version checks are performed.

1.8.0 release-specific changes (Xenial only)

• [ ] End-of-life messaging#5789

  • [ ] When logged into the Journalist Interface, a banner is displayed with information on the April 30 date and a link to the blog advisory.
  • [ ] When visiting the Source Interface, the interface is enabled
  • [ ] If v2 is enabled, neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [ ] When logged into the Journalist Interface, a banner is displayed informing you that the Source Interface is disabled and linking to the blog advisory.
  • [ ] When visiting the Source Interface, a message is displayed saying that it is disabled, and you cannot log in or create a new source account.

• [ ] IPv6 disabled in init in Focal only#5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [ ] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [ ] sudo ip -6 addr: you may see address information, for localhost, ethernet, or both.
  • [ ] sudo cat /proc/cmdline: you should NOT see "ipv6.disable=1" in the output.
  • [ ] sudo ip6tables -S: a brief list of "DROP" policies. Each line you see should have "DROP", but no lines should have "ALLOW".
  • [ ] Repeating the process above on the Monitor Server, you should see the same results.

RC3/RC4 specific testing

• [ ] If Focal, the unattended-upgrades related timers work, see https://github.com/freedomofpress/securedrop/pull/5855 for test plan
• [ ] If Xenial, ensure timers do not exist in xenial, and cron-apt configuration still works

[zenmonkeykstop]

1.8.0-rc4 (NUC8+NUC7)

Environment

• Install target: Nuc8+Nuc7
• Server OS: Focal
• Tails version:4.14
• Test Scenario:install+migrate
• SSH over Tor:no
• Onion service version:v3
• Release candidate:rc4
• General notes:

Basic Server Testing

• [x] I can access both the source and journalist interfaces
• [x] I can SSH into both machines over Tor
• [x] AppArmor is loaded on app
  • [x] 0 processes are running unconfined
• [x] AppArmor is loaded on mon
  • [x] 0 processes are running unconfined
• [x] Both servers are running grsec kernels
• [x] iptables rules loaded
• [x] OSSEC emails begin to flow after install
• [x] OSSEC emails are decrypted to correct key and I am able to decrypt them
• [ ] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing: FAIL #5825
  • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
  • Run tests with ./securedrop-admin verify (this will take a while)
  • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
• [x] QA Matrix checks pass

Command Line User Generation

• [x] Can successfully add admin user and login

Administration

• [x] I have backed up and successfully restored the app server following the backup documentation
• [x] If doing upgrade testing, make a backup on 1.7.0 and restore this backup on 1.8.0
• [x] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
• [ ] Can successfully add journalist account with HOTP authentication not tested

Application Acceptance Testing SKIPPED

Source Interface

Landing page base cases

• [ ] JS warning bar does not appear when using Security Slider high
• [ ] JS warning bar does appear when using Security Slider Low

First submission base cases

• [ ] On generate page, refreshing codename produces a new 7-word codename
• [ ] On submit page, empty submissions produce flashed message
• [ ] On submit page, short message submitted successfully
• [ ] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• [ ] On submit page, file less than 500 MB submitted successfully

Returning source base cases

• [ ] Nonexistent codename cannot log in
• [ ] Empty codename cannot log in
• [ ] Legitimate codename can log in
• [ ] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• [ ] Can log in with 2FA tokens
• [ ] incorrect password cannot log in
• [ ] invalid 2fa token cannot log in
• [ ] 2fa immediate reuse cannot log in
• [ ] Journalist account with HOTP can log in

Index base cases

• [ ] Filter by codename works
• [ ] Starring and unstarring works
• [ ] Click select all selects all submissions
• [ ] Selecting all and clicking "Download" works

Individual source page

• [ ] You can submit a reply and a flashed message and new row appears
• [ ] You cannot submit an empty reply
• [ ] Clicking "Delete Source And Submissions" and the source and docs are deleted
• [ ] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

• [x] The Updater GUI appears on boot
• [ ] Updating occurs without issue

1.8.0 release-specific changes (common)

• [x] V2 SSH only configured when v2 services are enabled #5718

  • If SSH-over-Tor was enabled and v2 onion services were not enabled during installation: not tested
  • [ ] the v2 onion service configuration in /var/lib/tor/services/ssh was not created on either the Application or Monitor Server
  • [ ] the file /etc/tor/torrc does not contain HiddenServiceVersion 2 on either the Application or Monitor Server
  • [ ] (optional) OSSEC alerts related to v2 onion services are not triggered

• [x] SSHd config updates #5666

  • [x] After installation, ssh access to both servers works without issue in either SSH-over-Tor or SSH-over-LAN (depending on chosen config)
  • [x] No OSSEC alerts are generated including the text Error: Unable to load host key: /etc/ssh/ssh_host_dsa_key (#5660)

• [x] Safe deletion #5770

  • [x] With Tor Browser's security setting at "standard", sources' files and messages can be deleted on the All Sources page :

  • log into the SI and submit multiple messages/files

  • log into the JI and click Delete on the All Sources page without selecting any sources' checkboxes

    • [x] a server call is not made, and a modal is displayed under the Delete button asking the user to select one or more checkboxes.

  • select the checkbox for the source created above in the "All Sources" page and Click Delete..:

    • [x] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel - the number of sources selected is also displayed.

  • click Cancel

    • [x] The source entry is present and its file/message counts are unchanged

  • ensure that the source is selected and click Delete.. again, then click Files and Messages

    • [x] A success flash message is displayed
    • [x] The source is still present and its file/message counts are both 0

  • in the SI, submit a message

    • [x] The message is submitted successfully
    • [x] in the JI, when the All Sources page is refreshed the message count is now 1.
    • [x] clicking on the source codename opens the source page, the message is listed and can be downloaded.
    • [x] on the source page, a reply can be successfully sent to the source

  • Return to the All Sources page, select the source, and choose Delete > Files and Messages

    • [x] The source is present and counts are 0
    • [x] clicking through to the source page works and no files/messages/replies are listed.
    • In the SI, submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.
    • In the JI, return to the All Sources page.
    • select two sources, choose Delete > Files and Messages
    • [x] both sources are present with zeroed file/message counts
    • [x] the third source is present and its counts are unchanged (and non-zero)

  • [x] With TBB security set to "standard", source accounts can be deleted with a double confirm on the All Sources page:

  • log into the SI, recording the source codename, and submit multiple messages/files

  • log into the JI and select the checkbox for the source created above in the "All Sources" page

  • Click Delete..:

    • [x] a modal is displayed under the delete button giving the option to delete files and messages, delete source accounts, or cancel, the count of selected sources is also displayed

  • Click Source Accounts

    • [x] A second explanatory modal is displayed giving the option to cancel or delete source accounts

  • Click Yes, Delete Source Accounts

    • [x] a success flash message is displayed and the source account is removed from the listing
    • [x] the source's files are all queued for deletion on the server
    • [x] the source's database entry is deleted
    • [x] the sources' reply key is deleted.

  • return to the SI and attempt to log in as the source:

    • [x] the source codename is not found.
    • In the SI, log in with a new account submit some more messages/files, then log out, create a new source account, and submit more messages. Repeat to create a total of 3 sources with submissions.

  • return to the JI and open the All Sources page

  • select two sources, choose Delete > Source Accounts > Yes, Delete Source Accounts

    • [x] a success flash message is displayed
    • [x] the two sources selected are deleted from the All sources page and the server (store/db/reply key)
    • [x] the remaining source is unaffected.

  • [x] With TBB security at "safest", the test cases above pass with the the following exceptions:

  • [x] the selected source count is not displayed on the initial deletion modal when deleting files and messages or source accounts on the All Sources page

  • [x] the modals are centered in the page, not displayed under the delete button on the All sources page

  • [x] a flash error message is displayed instead of the error modal when the user clicks Delete on All Sources with nothing selected.

• [x] Empty files are no longer created for disconnected database entries #5724

  • Log in to the Source Interface as a new source. Submit one message.
  • Connect to the Application Server over SSH, navigate to the source's directory under /var/lib/securedrop/store and delete the file of the message you just submitted.
  • Back in the Source Interface, submit another two messages, waiting a few seconds between them.
  • [x] On the Application Server, verify that the source's directory only contains two files (2-... and 3-...) and that their timestamps are identical.

• [x] Remove cloud-init package during installation #5771

  • [x] When the command ssh app apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.
  • [x] When command ssh mon apt list --installed | grep cloud-init is run via an Admin Workstation terminal, it returns an empty string.

• [x] Install release-upgrader in prepare-servers role (#5792)

  • [x] When the command ssh app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)
  • [x] When the command mon app apt list --installed | grep release-upgrader is run via an Admim Workstation terminal, it returns ubuntu-release-upgrader-core/{focal,xenial} (depending on the server OS)

• [x] Update Tor to 0.4.5.6 #5803

  • [x] When the command ssh app tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."
  • [x] When the command ssh mon tor --version is run via an Admim Workstation terminal, it returns "Tor Version 0.4.5.6."

• [x] LTS upgrade prompt is disabled #5786

  • [x] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [x] The command ssh app cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal
  • [x] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=never" | wc -l outputs 1 when run from the Adminm Workstation terminal
  • [x] The command ssh mon cat /etc/update-manager/release-upgrades | grep "Prompt=lts" | wc -l outputs 0 when run from the Adminm Workstation terminal

• [x] Update and annotate Apache configuration #5797

  • Check the Source Interface headers from an Admin Workstation terminal using the command curl -I http://<onion>, where <onion> is the SI onion address. The response should include the following:
  • [x] X-Frame-Options: DENY
  • [x] Referrer-Policy: same-origin
  • [x] X-XSS-Protection: 1; mode=block
  • [x] Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';
  • [x] X-Download-Options: noopen
  • [x] Cache-Control: no-store
  • Repeat the command for the Journalist Interface onion address:
  • [x] The header values are the ame as for the SI with the exception of Referrer-policy, whose value should be no-referrer

• [x] Check for updates before most securedrop-admin commands #5788

  • On an Admin Workstation with persistence unlocked and an admin password set:
  • Open a terminal and change directory to ~/Persistent/securedrop
  • [x] Ensure the code is on the most recent 1.8.0 RC tag with git status, switching if necessary with , e.g., git checkout 1.8.0-rc1.
  • [x] Run the command ./securedrop-admin logs. Verify that it does an update check, does not run the subcommand, prints an error, and exits with exit code 1 ( check with echo $?)
    • [x] Verify that the error message above correctly reflects the state of the repository (latest version is 1.7.1) and your checkout (HEAD detached at 1.8.0-rc1).
  • Delete the most recent tags locally (git tag -d 1.8.0-rc1 && git tag -d 1.7.1). Retag your current HEAD as 1.7.1 with an annotated tag (git tag -a 1.7.1 -m 'TEST TAG ONLY'). This tells the updater that you are using the expected tag even though you are on 1.8.0-rc1.
  • [x] Run ./securedrop-admin logs. Confirm that the command prints "All updates applied" and proceeds to fetch logs.
  • Delete your test tag with git tag -d 1.7.1, restore the tags from the server with git fetch --tags --all, and check out the latest RC again with, e.g., git checkout 1.8.0-rc1
  • [x] Run ./securedrop-admin logs again, confirming that the error is displayed and the subcommand not run
  • [x] Run ./securedrop-admin --force logs. Confirm that the version check is skipped and logs are fetched.
  • [ ] (Optional) Repeat the check for other ./securedrop-admin subcommands and verify that version checks are performed.

1.8.0 release-specific changes (Xenial only)

• [ ] End-of-life messaging#5789

  • [ ] When logged into the Journalist Interface, a banner is displayed with information on the April 30 date and a link to the blog advisory.
  • [ ] When visiting the Source Interface, the interface is enabled
  • [ ] If v2 is enabled, neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [ ] When logged into the Journalist Interface, a banner is displayed informing you that the Source Interface is disabled and linking to the blog advisory.
  • [ ] When visiting the Source Interface, a message is displayed saying that it is disabled, and you cannot log in or create a new source account.

• [ ] IPv6 disabled in init in Focal only#5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [ ] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [ ] sudo ip -6 addr: you may see address information, for localhost, ethernet, or both.
  • [ ] sudo cat /proc/cmdline: you should NOT see "ipv6.disable=1" in the output.
  • [ ] sudo ip6tables -S: a brief list of "DROP" policies. Each line you see should have "DROP", but no lines should have "ALLOW".
  • [ ] Repeating the process above on the Monitor Server, you should see the same results.

1.8.0 release-specific changes (Focal only)

• [x] Focal support added #4728

  • [x] A fresh install using Focal as the base OS completed successfully
  • [x] If a migration from an existing backup was performed as part of testing:
  • [x] The data restoration was completed successfully, including data, submissions, and JI accounts
  • [x] If the backup file included v2 onion service configurations, they were not carried over to the Focal install. #5677

• [x] Update Kernel to 5.4.97 for Focal #5785

  • [x] When the command ssh app uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop
  • [x] When the command ssh mon uname -r is run via the Admin Workstation terminal, it outputs 5.4.97-grsec-securedrop

• [x] End-of-life messaging#5789

  • [x] When logged into the Journalist Interface the EOL banner is not displayed.
  • [x] When visiting the Source Interface, the interface is enabled
  • [x] Neither the Source Interface nor the Journalist Interface display a v2-related warning banner.
  • on the Application Server, edit the file /var/www/securedrop/server_os.py, changing XENIAL_EOL_DATE value to date(2021,2,23), and restart Apache with the command sudo systemctl restart apache2
  • [x] When logged into the Journalist Interface the EOL banner is not displayed.
  • [x] When visiting the Source Interface, the interface is enabled

• [x] resolvconf is not present on focal #5809

  • [x] When the command ssh app apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [x] When the command ssh mon apt list --installed | grep resolvconf is run via an Admin Workstation terminal, it returns an empty string.
  • [x] When the command ssh app dig freedom.press is run via an Admin Workstation terminal:
  • [x] it should succeed.
  • [x] The SERVER line at the bottom should contain the IP address of the DNS server configured via ./securedrop-admin sdconfig (e.g. 8.8.8.8)

• [x] Remove aptitude and disable install-recommends #5793

  • [x] When the command ssh app apt list --installed | grep aptitude is run via an Admin Workstation terminal, it should return an empty string
  • [x] When the command ssh mon apt list --installed | grep aptitude is run via an Admin Workstation terminal, it should return an empty string
  • When the command ssh app sudo apt install vlc is run via an Admin Workstation terminal:
  • [x] It should complete successfully
  • [x] The subsequent command ssh app apt list --installed | grep vlc-l10n should return an empty string

• [x] IPv6 disabled in init in Focal only #5810

  • In an SSH session on the Application Server via ssh app, the commands below have the following output:
  • [x] sudo ip -4 addr: you should see two addresses, one for localhost and one for the ethernet device.
  • [x] sudo ip -6 addr: you should see no output.
  • [x] sudo cat /proc/cmdline: you should see "ipv6.disable=1" in the output.
  • [x] sudo ip6tables -S: you should see an error about functionality not being supported.
  • [x] Repeating the process above on the Monitor Server, you should see the same results.

• [x] replace ntp with systemd-timesyncd [#5806]()https://github.com/freedomofpress/securedrop/issue/5806)

  • [x] Confirm that ntp and ntpdate are not installed on the Application Server with the Admin Workstation command ssh app apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • [x] Confirm that ntp and ntpdate are not installed on the Monitor Server with the Admin Workstation command ssh mon apt list --installed | egrep (ntp|ntpdate) - it should not return any package listings
  • confirm that time has been synchronized to NTP servers on both machines:
  • [x] ssh app timedatectl show and ssh mon timedatectl show should both contain NTPSynchronized=yes
  • [x] ssh app timedatectl show-timesync and ssh mon timedatectl show should both contain ServerName=ntp.ubuntu.com, with an NTPMessage indicating that the server has been reached

• [x] Use paxctld, not paxctl on Focal #5808

  • [x] When the command ssh app apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [x] When the command ssh mon apt list --installed | grep paxctl/focal is run via an Admin Workstation terminal, it should return an empty string
  • [x] When the command ssh app apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [x] When the command ssh mon apt list --installed | grep paxctld/focal is run via an Admin Workstation terminal, it should return a listing for paxctld
  • [x] When the command ssh app systemctl status paxctld is run, its output should indicate that paxctld is active.

• [x] Replace cron-apt with unattended-upgrades #5684 RC2 or later only

  • [x] the Admin Workstation command ssh app unattended-upgrades --dry-run works without returning errors
  • [x] the Admin Workstation command ssh app unattended-upgrades -d works without returning errors, and the Application Server log at /var/logs/unattended-upgrades.log contains no errors
  • [ ] If a later RC version was available overnight, it has been applied automatically N/A
  • [ ] The system was rebooted automatically at or close to the time specified via `./securedrop-admin sdconfig N/A

• [x] v2 services cannot be installed on Focal #5819

  • run ./securedrop-admin sdconfig, choosing to enable v2 onion services but leaving all other settings unchanged.
  • [x] When ./securedrop-admin install is run, it errors out immediately after the prepare-servers role with an message including Please run sdconfig again, disabling v2 services.

Preflight testing

Basic testing

• [ ] Install or upgrade occurs without error
• [ ] Source interface is available and version string indicates it is 1.8.0
• [ ] A message can be successfully submitted

Tails

• [ ] The updater GUI appears on boot
• [ ] The update successfully occurs to 1.8.0
• [ ] After reboot, updater GUI no longer appears

[kushaldas]

The fresh VM I created yesterday on RC4 did get apply the RC5 update. Other than that the rest of the standard tests + focal based tests are good. I will post a detailed copy later in the evening.

[conorsch]

Update upgrade testing boxes

I took a quick stab at this on Friday, but was surprised to encounter https://github.com/freedomofpress/securedrop/issues/5781. Will need to adjust the box slightly, perhaps fall back to an older version, to get it to build. I can do that today if no one else is looking at it.

[conorsch]

Will need to adjust the box slightly, perhaps fall back to an older version, to get it to build.

Falling back to box version v202008.16.0 was enough to clear the problem. PR in #5870.

[eloquence]

1.8.0 was released on 2021-03-11; as usual we have left this ticket open until upgrade boxes for the next release are ready. Due to complications, this may be only done for Focal; tracked separately in #5512.