diff --git a/.circleci/config.yml b/.circleci/config.yml
index 4baa9d1d..b49e4fd5 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -175,6 +175,16 @@ common-steps:
         echo $PKG_NAME > ~/packaging/sd_package_name
         echo 'export PKG_NAME=$(cat ~/packaging/sd_package_name)' >> $BASH_ENV
 
+  - &setsdkeyringname
+    run:
+      name: Set package name to securedrop-keyring
+      command: |
+        mkdir ~/packaging
+        export PKG_NAME="securedrop-keyring"
+        # Enable access to this env car in subsequent run steps
+        echo $PKG_NAME > ~/packaging/sd_package_name
+        echo 'export PKG_NAME=$(cat ~/packaging/sd_package_name)' >> $BASH_ENV
+
   - &setmetapackageversion
     run:
       name: Get metapackage version via distribution changelog
@@ -437,6 +447,16 @@ jobs:
       - *setmetapackageversion
       - *builddebianpackage
 
+  build-buster-securedrop-keyring:
+    docker:
+      - image: circleci/python:3.7-buster
+    steps:
+      - checkout
+      - *installdeps
+      - *setsdkeyringname
+      - *setmetapackageversion
+      - *builddebianpackage
+
 workflows:
   build-packages:
     jobs:
@@ -448,6 +468,7 @@ workflows:
       - build-buster-securedrop-log
       - build-buster-securedrop-workstation-grsec
       - build-buster-securedrop-workstation-config
+      - build-buster-securedrop-keyring
       - make-dom0-rpm
 
   # Nightly jobs for each package are run in series to ensure there are no
diff --git a/Makefile b/Makefile
index 32a0c0a2..826e9c8b 100644
--- a/Makefile
+++ b/Makefile
@@ -28,6 +28,10 @@ securedrop-export: ## Builds Debian package for Qubes Workstation export scripts
 securedrop-log: ## Builds Debian package for Qubes Workstation securedrop-log scripts
 	PKG_NAME="securedrop-log" ./scripts/build-debianpackage
 
+.PHONY: securedrop-keyring
+securedrop-keyring: ## Builds Debian package containing the release key
+	PKG_NAME="securedrop-keyring" ./scripts/build-debianpackage
+
 .PHONY: install-deps
 install-deps: ## Install initial Debian packaging dependencies
 	./scripts/install-deps
diff --git a/pubkeys/release_key.pub b/pubkeys/release_key.pub
index 1912a587..7c1f70d5 100644
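Review bot: The comment inside the new `&setsdkeyringname` step, `# Enable access to this env car in subsequent run steps`, has a typo and should read `# Enable access to this env var in subsequent run steps`. The same step runs `mkdir ~/packaging` without `-p`, so it aborts if an earlier step of the same job has already created that directory; if the sibling anchors do the same this is only a consistency point, but `mkdir -p ~/packaging` is the safer form. The anchor otherwise repeats the neighbouring package-name steps verbatim apart from the literal name, which is the kind of duplication a single parameterised step would remove.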
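Review bot: The new job is added only to the `build-packages` workflow; the third config.yml hunk ends at the comment introducing the nightly jobs, which it says run per package in series, and no nightly entry for `build-buster-securedrop-keyring` appears anywhere in this diff. If that nightly list enumerates packages individually, the keyring job should be added there as well, otherwise nightly builds will silently skip the package that ships the apt trust anchor. The enclosing `workflows:` block continues outside the hunk, so this may already be handled further down; it is worth confirming.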
--- a/pubkeys/release_key.pub
+++ b/pubkeys/release_key.pub
@@ -11,33 +11,33 @@ ZZKLSApWXbB32ug5WNoGaQmq+hye1i40zu3fx8MRYefkpSSatNuIbrwLLnq0NR+k qXcP1SPgtoy/EnW0oa/NDiT/rSh1PuAjG7oOpiNdQdmnA+xIYGreeNoPtuh7gJRc XYrtWI5zzsGwrFE0LMMPw6SVGONfM5M4Efc+oUn3cIn7gQITm31JNTbRpnwT7bMo Hy+MrILJITj6Rwi8EGyeTBVolM/L0W3WpjJuj6yhcRZURkBMA01aSUG3yQARAQAB -tEVTZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXkgPHNlY3VyZWRyb3AtcmVs -ZWFzZS1rZXlAZnJlZWRvbS5wcmVzcz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsF -FgIDAQACHgECF4AWIQQiJFyB47rrQTizYGExD1YSAPStdwUCXRqEkwUJBvMLKgAK -CRAxD1YSAPStd3YjD/4hT5+Q1ZVobUh9Psuv1XYaHTnqJvVxXjheXns9SGqSsvFC -+2O1RVfse+fKaY9lRaG179toKEOEcoyydCpdInlCkhx8Ny9O+pyiH5TawnaKVpRW -j/9JJGW+Ceaipr1rawOzuG67MplButBFGmA1jPkeH38wcvep+PIUU5ZJ+aXbdrKT -uWBwKjzjiF2LMsh9Pnn9XN/T5Ph39WR6utsd/wdbb8xdpq4tivUDWV7W7ztG1No9 -exYfftnn6nLF74dLayhHxESE/yUilxR/XDQxvYbcjNAS9OZVKnkrq8o+8bLBKLV1 -le4168rdyVBxrhLCG3wXaWqO4AaECMHSfZR2Lvb/d1wIyMtEcWbRlDwmTDFOQ1XU -RCR0coeemYeAzt2hF6/tIrrCGmCKllQNN+JegH2MbXG7SjnCbWwWxAWtccf6L7Ht -BYDe3RWK0VyMwsHVuTakMKzIoH++e8XnmEKf3JFMz27RcgXRFN1Wo4/iRIq/zM+i -l/wTfN9l3yzojKmwZQvvICITCkeh/1sEspEkzmg74inJVpTEHQCWQ41c5ugPqjHd -kvpjxZML4B0+9nN9WQvqhRgmjCKnN+PvYw/mBaEfgA36E8pkcyNwnw+VrFgQyQ1R -FH0yg6P2Y6zaSKLEHkpjzWaCc3sOA/qMFuTw5aUkPj7Go1DMEV/z/xl6tDlM2bQe -U2VjdXJlRHJvcCBSZWxlYXNlIFNpZ25pbmcgS2V5iQJXBBMBCgBBAhsDBQsJCAcD -BRUKCQgLBRYCAwEAAh4BAheABQkG8wsqFiEEIiRcgeO660E4s2BhMQ9WEgD0rXcF -Al0ah20CGQEACgkQMQ9WEgD0rXcqpA//ZD481Wytd1ZXiXIee8I4ekIGpq0UVJuL -g8Bh0hhH2LTqIMuMVIVQM7/k/xxHBd+kxpAv/sUhJKrY16XBkGzz7v1Rcl29uWUR -GSPiLl2OehlT8Ahf60Dv4czhlvBdT3lWtYwM2zciOe4Y5mPwqzEgkrxRD2V9XnmO -8X3giZyaTDz/iiTQ+WMSvjIgVNGBe38tzoofSCSxNk8KfAWtchZhZgR0ZsYRWlUa -7dT4Syi0KutEXjRfZFneNPWnqfhQZlxsjw5gzTgV792MPDbZAm/1eziGCvPgX01W -f2eadxSYuJRLtmOBggwo/vC04MWWQbmYgJfOjL8DDWS17cdfLa8IjUYV8MDStWY6 -PDg1gaA5s3UroFh/nOCipoGvq51iSUF/GYd2OJAUd20SjMR+TQgK3lPuX4hMtVId -4x/xrkoY4q0MZJmrB6ysbpeHhl/HA+ofwScNtyKL3iQHN6oQ8llBoMuF9xFm4xX8 -fn8WHrd+hD0S8hnBkTJ2ckSqJDxzGFu4+6NBhEWtcigzn9iD7HUWljXAUkEfN39I -jdgaxjrwE3FagE+RCEbdRXDpHYWlyo91YYqFedcT2v/l73twyFw7p3zYskW8pjRZ 
-F0Lqvn7fiOzxNi98tVYHqs4L17BOWFQt8MhQr9f590jtGQ/+ufhAb33/E9JFQXUg -cIYqWzBX7dw= -=ZsUE +tB5TZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXmJAlcEEwEKAEECGwMFCwkI +BwMFFQoJCAsFFgIDAQACHgECF4ACGQEWIQQiJFyB47rrQTizYGExD1YSAPStdwUC +XsZBhAUJCNOEJQAKCRAxD1YSAPStd+ovD/4+jLGlwlLmBpgvohrbiC7xCioVW+Ik +18j+uUSyYBNhvDOZugY+/Z6X99PHvjgjRbTle2NvAx5itdZfiooGSZ8cuiPRbDkQ +xpmZqOdkpN+5/B5dh/bd+P/K2Ggxqkyb80b+xoDviLh6OmIDPILTbz9ACkwu5jdH +0wo0UEt5C+GT8lvBmVXii6vGlTvsv86/yLShvBq6mEJ+7nazWMOShJy3bvyrJRMg +3dZfQSB6WlVCRO9EDBlvTW9Xedva7VDu6Up1BSD+enpXWRLTbqWvxmS7QQ2Usw58 +D7CCoJDA+8zL6UkJFrVxTiXQWbOvttkOA9++aJp4IbXsqTyrIkxNRjlKdyET9xbB +HGSgJhhgGUNVZNBxHVZFHvHurXDX0OyfWaYY9ET/EjqMCjUbWh0vh2c6/M3rDh+J +nH+tZUjJ9mM/AJ0hcORPVv3wbWdsfWq9r3t1Q7wlphal7RzgNqPymekj+1ndTs4y +jfsWgLmxYF8knP1+EipoL1Q7vm1JdO0VOb4IyhF+6VUTkjrDy6uHwXc3fMGHEAeU +nZvhVzZSx8h8HVsfnppM2RjNZKPwNQ43he8HllLqsRFsumg6gbBNRgrsVEBjRzxf +OKESJqxVZ5iHUvWPQPuGjuh83HiUxPN4yjZXUVNXv0Alevv1By3ALeVAmaQVw/KA +/sNu9p74VRggjrRFU2VjdXJlRHJvcCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxzZWN1 +cmVkcm9wLXJlbGVhc2Uta2V5QGZyZWVkb20ucHJlc3M+iQJUBBMBCgA+AhsDBQsJ +CAcDBRUKCQgLBRYCAwEAAh4BAheAFiEEIiRcgeO660E4s2BhMQ9WEgD0rXcFAl7G +QZQFCQjThCUACgkQMQ9WEgD0rXcWVg/+JJT7J0ycCd2Rl7A2K4YQfJcf6TV05HDf +/sxc+JGs1hh/CFgR5Nt1TDPg7dQfCumQWI+e4A8NSFllIKGEajgxdAg/uszO9UQL +9iVtyNFY69/gfWeNVyOoioYxRSlaIyKUD2PINeHi5KYDe3dkh9aXDA/X4sB8k7Dt +mvDXqNX4/85P9M9JUjWahHqG3giYW9nyvvlMeV82K4BPPhwwqwbRRaIVNcdytDIi +LvXxOZf/TjX3xHbwTHYghclZZX3ZCiZ8OTD+yLkCqTJsT9GVfIlO/algc+7ezz7B +acsSuTa77/+8vy78dA5k9JM6rSZzfl/8T3LOmDLq+RE+DCUXx8ZJ+qnrr5aSruPB +BSlu7S/26NIAtB6LyKtSBpX39y66/9lYCaQWZDcNraq5PWInv0kQqXEc6C8Vi25q +BFE3a4Lt45bZMGCREYvLWXRxzH9rESVVekxZVZEjgmldh94OLRuXRvU8nlu2fq4G +YH0a+Oy/87LemKv7q2IZX6s7uTZg5xMBTaPqFsE/AGQWQfHvj1EWthcaeoIasfxE +lsWi9qHE4N+Jg/L+XC90S0kogDWGdyS+mKf0dE6jq4ioKf29zRJ4629id6VYHeib +i3df/KOdUeeth5X9ann6/KNncX7Us16rV4a6Tl1OLoV7xkwh2Hy8MfClDkTYeoHc +Y6V2vWAk0Rc= +=LOAb -----END PGP PUBLIC KEY BLOCK----- 
diff --git a/securedrop-keyring/debian/changelog-buster b/securedrop-keyring/debian/changelog-buster
new file mode 100644
index 00000000..2b3427f4
--- /dev/null
+++ b/securedrop-keyring/debian/changelog-buster
@@ -0,0 +1,5 @@
+securedrop-keyring (0.1.4+buster) unstable; urgency=medium
+
+  * Initial release for securedrop workstation
+
+ -- SecureDrop Team Fri, 22 May 2020 11:18:05 -0400
diff --git a/securedrop-keyring/debian/compat b/securedrop-keyring/debian/compat
new file mode 100644
index 00000000..ec635144
--- /dev/null
+++ b/securedrop-keyring/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/securedrop-keyring/debian/control b/securedrop-keyring/debian/control
new file mode 100644
index 00000000..8a5bad8b
--- /dev/null
+++ b/securedrop-keyring/debian/control
@@ -0,0 +1,12 @@
+Source: securedrop-keyring
+Section: web
+Priority: optional
+Maintainer: SecureDrop Team
+Build-Depends: debhelper (>= 9),
+Standards-Version: 3.9.8
+Homepage: https://github.com/freedomofpress/securedrop-debian-packaging
+
+Package: securedrop-keyring
+Architecture: all
+Depends: gnupg
+Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
diff --git a/securedrop-keyring/debian/copyright b/securedrop-keyring/debian/copyright
new file mode 100644
index 00000000..4830b78b
--- /dev/null
+++ b/securedrop-keyring/debian/copyright
@@ -0,0 +1,7 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: securedrop-keyring
+Source: https://github.com/freedomofpress/securedrop-debian-packaging
+
+Files: *
+Copyright: 2020 Freedom of the Press Foundation
+License: GPLv3+
diff --git a/securedrop-keyring/debian/postinst b/securedrop-keyring/debian/postinst
new file mode 100644
index 00000000..b0d171a5
--- /dev/null
+++ b/securedrop-keyring/debian/postinst
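Review bot: `Depends: gnupg` in the new control file does not guarantee gpg is present when `debian/preinst` runs, because only Pre-Depends are satisfied before preinst; on a fresh install the `which gpg` guard in preinst then silently skips removing the legacy key from `/etc/apt/trusted.gpg`, leaving two trusted copies of the signing key, which is exactly what the preinst comment says it wants to avoid. Either declare `Pre-Depends: gnupg` or move that cleanup into the `configure` branch of postinst, where Depends are guaranteed. Separately, `Section: web` is an unusual section for a keyring (`misc` is the customary one), `Build-Depends: debhelper (>= 9),` carries a trailing comma, and the single-line `Description:` is far longer than a synopsis should be; split it into a short synopsis followed by an indented long-description line.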
@@ -0,0 +1,39 @@
+#!/bin/sh
+# postinst script for securedrop-workstation-grsec
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * `configure'
+#        * `abort-upgrade'
+#        * `abort-remove' `in-favour'
+#
+#        * `abort-remove'
+#        * `abort-deconfigure' `in-favour'
+#          `removing'
+#
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    configure)
+        chown -R root:root /etc/apt/trusted.gpg.d/
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/securedrop-keyring/debian/preinst b/securedrop-keyring/debian/preinst
new file mode 100644
index 00000000..ed2b31ea
--- /dev/null
+++ b/securedrop-keyring/debian/preinst
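Review bot: The header comment `# postinst script for securedrop-workstation-grsec` names the wrong package and should read `# postinst script for securedrop-keyring`. In the `configure` branch, `chown -R root:root /etc/apt/trusted.gpg.d/` recursively rewrites ownership of a directory shared with every other package's keyring rather than only the file this package ships, and dpkg already installs packaged files root-owned, so it is unclear what the line is for; if an ownership reset is really needed, limit it to the package's own file, e.g. `chown root:root /etc/apt/trusted.gpg.d/securedrop-keyring.gpg`. A one-line comment above that `chown` stating the situation it corrects would help the next maintainer decide whether it can go.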
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -e
+
+# Solution adapted from DKG's work on `deb.torproject.org-keyring` and
+# the securedrop core keyring package.
+# In SecureDrop Workstation versions before 0.3.0, the salt provisioning
+# logic uses pkgrepo.managed, which writes the key to `/etc/apt/trusted.gpg`.
+# It's cleaner to use the trusted.gpg.d subdirectory, since we can
+# update that trivially in future versions of the keyring package.
+#
+# Therefore let's clean up prior versions of the key installed
+# to the general apt keyring, to ensure we only have one signing key
+# installed for authenticating securedrop-related packages.
+
+if [ -e /etc/apt/trusted.gpg ] && which gpg >/dev/null; then
+    (
+        h="$(mktemp -d)"
+        trap "rm -rf '$h'" EXIT
+
+        if gpg --homedir="$h" \
+            --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
+            --list-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 > /dev/null 2>&1 ; then
+            gpg --homedir="$h" \
+                --batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
+                --no-auto-check-trustdb \
+                --delete-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 || true
+        fi
+    )
+fi
+
+#DEBHELPER#
+
diff --git a/securedrop-keyring/debian/rules b/securedrop-keyring/debian/rules
new file mode 100755
index 00000000..abde6ef2
--- /dev/null
+++ b/securedrop-keyring/debian/rules
@@ -0,0 +1,5 @@
+#!/usr/bin/make -f
+
+%:
+	dh $@
+
diff --git a/securedrop-keyring/debian/securedrop-keyring.install b/securedrop-keyring/debian/securedrop-keyring.install
new file mode 100644
index 00000000..34a62562
--- /dev/null
+++ b/securedrop-keyring/debian/securedrop-keyring.install
@@ -0,0 +1 @@
+securedrop-keyring.gpg etc/apt/trusted.gpg.d/
diff --git a/securedrop-keyring/securedrop-keyring.gpg b/securedrop-keyring/securedrop-keyring.gpg
new file mode 100644
index 00000000..8921305f
Binary files /dev/null and b/securedrop-keyring/securedrop-keyring.gpg differ
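Review bot: The legacy-key cleanup in preinst runs on every invocation because the script never inspects `$1`, so it also executes on `abort-upgrade`, and the `|| true` on the `--delete-key` call discards the only signal that the old key was not removed; a warning would at least surface that, e.g. `|| echo "securedrop-keyring: could not remove legacy key from /etc/apt/trusted.gpg" >&2`. The fingerprint `0x22245C81E3BAEB4138B36061310F561200F4AD77` is written out twice; assigning it once to a shell variable at the top of the script keeps the `--list-key` and `--delete-key` calls from drifting apart on the next key rotation. `which gpg` is discouraged in Debian maintainer scripts; `command -v gpg >/dev/null` is the portable form.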
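Review bot: `securedrop-keyring.install` ships `securedrop-keyring.gpg`, a committed binary keyring, while the armored key lives in `pubkeys/release_key.pub`, which this same commit updates; nothing in the new `debian/rules` (which only delegates to `dh $@`) or in the Makefile derives one from the other, so the two can drift silently on the next key refresh. Generating the binary at build time from the armored file, or adding a CI check that both report the same fingerprint, would let reviewers verify the installed trust anchor against the text they can actually read in a diff. Where `scripts/build-debianpackage` stages the sources is not visible here, so the path from the package directory to the armored key needs confirming before such a rule is written.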
diff --git a/securedrop-workstation-config/debian/changelog-buster b/securedrop-workstation-config/debian/changelog-buster
index d82cb6a1..2f49a3c8 100644
--- a/securedrop-workstation-config/debian/changelog-buster
+++ b/securedrop-workstation-config/debian/changelog-buster
@@ -1,3 +1,9 @@
+securedrop-workstation-config (0.1.3+buster) unstable; urgency=medium
+
+  * Adds securedrop-keyring to list of dependencies
+
+ -- SecureDrop Team Fri, 22 May 2020 12:02:57 -0400
+
 securedrop-workstation-config (0.1.2+buster) unstable; urgency=medium
 
   * Bump securedrop-workstation-config to 0.1.2
diff --git a/securedrop-workstation-config/debian/control b/securedrop-workstation-config/debian/control
index 67c529a1..2f2dec6b 100644
--- a/securedrop-workstation-config/debian/control
+++ b/securedrop-workstation-config/debian/control
@@ -8,6 +8,6 @@ Homepage: https://github.com/freedomofpress/securedrop-workstation-config
 
 Package: securedrop-workstation-config
 Architecture: all
-Depends: nautilus, gvfs-bin
+Depends: nautilus, gvfs-bin, securedrop-keyring
 Description: This is the SecureDrop workstation template configuration package.
  This package provides dependencies and configuration for the Qubes SecureDrop workstation VM Templates.