Add securedrop-keyring package #171

Merged: 5 commits, Jun 5, 2020
21 changes: 21 additions & 0 deletions .circleci/config.yml
Expand Up @@ -175,6 +175,16 @@ common-steps:
echo $PKG_NAME > ~/packaging/sd_package_name
echo 'export PKG_NAME=$(cat ~/packaging/sd_package_name)' >> $BASH_ENV

- &setsdkeyringname
run:
name: Set package name to securedrop-keyring
command: |
mkdir ~/packaging
export PKG_NAME="securedrop-keyring"
# Enable access to this env car in subsequent run steps
echo $PKG_NAME > ~/packaging/sd_package_name
echo 'export PKG_NAME=$(cat ~/packaging/sd_package_name)' >> $BASH_ENV

- &setmetapackageversion
run:
name: Get metapackage version via distribution changelog
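Review bot: the new setsdkeyringname step repeats the body of the step above it verbatim apart from the PKG_NAME value, including the comment typo "env car" (should be "env var"). Fix the typo here, and consider folding these per-package name steps into one step that takes the package name as a parameter so the next package does not need another copy. `mkdir -p ~/packaging` would also keep the step from failing if the directory already exists.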
Expand Down Expand Up @@ -437,6 +447,16 @@ jobs:
- *setmetapackageversion
- *builddebianpackage

build-buster-securedrop-keyring:
docker:
- image: circleci/python:3.7-buster
steps:
- checkout
- *installdeps
- *setsdkeyringname
- *setmetapackageversion
- *builddebianpackage

workflows:
build-packages:
jobs:
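Review bot: the build-buster-securedrop-keyring job builds the package that carries the apt signing key inside `circleci/python:3.7-buster`, which is a mutable tag; pinning the image by digest would make the build environment for this package reproducible and auditable. The reused step name `*setmetapackageversion` is also misleading for this job, since securedrop-keyring is not a metapackage; a rename or a short comment would help.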
Expand All @@ -448,6 +468,7 @@ workflows:
- build-buster-securedrop-log
- build-buster-securedrop-workstation-grsec
- build-buster-securedrop-workstation-config
- build-buster-securedrop-keyring
- make-dom0-rpm

# Nightly jobs for each package are run in series to ensure there are no
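Review bot: the new job is added to the build-packages list only. The file header reports 21 additions, and the three hunks account for all of them (10, 10 and 1), so the nightly jobs that the trailing comment refers to do not gain a securedrop-keyring entry. If nightlies are meant to cover every package, add it there as well, or note why the keyring is excluded.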
4 changes: 4 additions & 0 deletions Makefile
Expand Up @@ -28,6 +28,10 @@ securedrop-export: ## Builds Debian package for Qubes Workstation export scripts
securedrop-log: ## Builds Debian package for Qubes Workstation securedrop-log scripts
PKG_NAME="securedrop-log" ./scripts/build-debianpackage

.PHONY: securedrop-keyring
securedrop-keyring: ## Builds Debian package containing the release key
PKG_NAME="securedrop-keyring" ./scripts/build-debianpackage

.PHONY: install-deps
install-deps: ## Install initial Debian packaging dependencies
./scripts/install-deps
58 changes: 29 additions & 29 deletions pubkeys/release_key.pub
Expand Up @@ -11,33 +11,33 @@ ZZKLSApWXbB32ug5WNoGaQmq+hye1i40zu3fx8MRYefkpSSatNuIbrwLLnq0NR+k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=ZsUE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=LOAb
-----END PGP PUBLIC KEY BLOCK-----
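Review bot: the armored body of pubkeys/release_key.pub is replaced almost wholesale (29 lines removed, 29 added), and nothing in the diff lets a reader confirm which key the new block contains. Please state in the PR description the fingerprint of the new block and whether it is still 22245C81E3BAEB4138B36061310F561200F4AD77, the key that preinst removes from /etc/apt/trusted.gpg, and do the same for the binary securedrop-keyring/securedrop-keyring.gpg, which cannot be reviewed from the diff at all.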
5 changes: 5 additions & 0 deletions securedrop-keyring/debian/changelog-buster
@@ -0,0 +1,5 @@
securedrop-keyring (0.1.4+buster) unstable; urgency=medium

* Initial release for securedrop workstation

-- SecureDrop Team <[email protected]> Fri, 22 May 2020 11:18:05 -0400
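Review bot: the first changelog entry is versioned 0.1.4+buster but described as "Initial release". If the number was chosen to line up with the securedrop core keyring package that preinst mentions, say so in the entry; otherwise a first-release version would make the upgrade history easier to follow.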
1 change: 1 addition & 0 deletions securedrop-keyring/debian/compat
@@ -0,0 +1 @@
9
12 changes: 12 additions & 0 deletions securedrop-keyring/debian/control
@@ -0,0 +1,12 @@
Source: securedrop-keyring
Section: web
Priority: optional
Maintainer: SecureDrop Team <[email protected]>
Build-Depends: debhelper (>= 9),
Standards-Version: 3.9.8
Homepage: https://github.com/freedomofpress/securedrop-debian-packaging

Package: securedrop-keyring
Architecture: all
Depends: gnupg
Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
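Review bot: `Depends: gnupg` does not guarantee that gpg is present when preinst runs, because dpkg only requires Pre-Depends to be satisfied before a package's preinst; combined with the `which gpg` guard in preinst, the old-key cleanup is then skipped without any message. If the cleanup must happen, declare gnupg under Pre-Depends or move the cleanup to postinst. Smaller points: `Build-Depends: debhelper (>= 9),` has a trailing comma, `Section: web` is an odd fit for a keyring package, and the Description puts the whole text on the synopsis line instead of a short synopsis followed by an extended description.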
7 changes: 7 additions & 0 deletions securedrop-keyring/debian/copyright
@@ -0,0 +1,7 @@
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: securedrop-keyring
Source: https://github.com/freedomofpress/securedrop-debian-packaging

Files: *
Copyright: 2020 Freedom of the Press Foundation <[email protected]>
License: GPLv3+
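Review bot: `License: GPLv3+` is not a short name from the copyright-format 1.0 specification that the Format line declares; the expected form is `GPL-3+`. The file also needs a stand-alone License paragraph carrying the license text or the usual pointer to /usr/share/common-licenses/GPL-3.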
39 changes: 39 additions & 0 deletions securedrop-keyring/debian/postinst
@@ -0,0 +1,39 @@
#!/bin/sh
# postinst script for securedrop-workstation-grsec
#
# see: dh_installdeb(1)

set -e

# summary of how this script can be called:
# * <postinst> `configure' <most-recently-configured-version>
# * <old-postinst> `abort-upgrade' <new version>
# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
# <new-version>
# * <postinst> `abort-remove'
# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
# <failed-install-package> <version> `removing'
# <conflicting-package> <version>
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package

case "$1" in
configure)
chown -R root:root /etc/apt/trusted.gpg.d/
;;

abort-upgrade|abort-remove|abort-deconfigure)
;;

*)
echo "postinst called with unknown argument \`$1'" >&2
exit 1
;;
esac

# dh_installdeb will replace this with shell code automatically
# generated by other debhelper scripts.

#DEBHELPER#

exit 0
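Review bot: in the configure branch, `chown -R root:root /etc/apt/trusted.gpg.d/` rewrites ownership of every file in a directory shared with other packages, not only the one file this package ships. With the plain `dh $@` rules file the package contents are already installed as root:root, so either drop the chown or limit it to /etc/apt/trusted.gpg.d/securedrop-keyring.gpg. The header comment also still reads "postinst script for securedrop-workstation-grsec" and should name this package.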
33 changes: 33 additions & 0 deletions securedrop-keyring/debian/preinst
@@ -0,0 +1,33 @@
#!/bin/bash

set -e

# Solution adapted from DKG's work on `deb.torproject.org-keyring` and
# the securedrop core keyring package.
# In SecureDrop Workstation versions before 0.3.0, the salt provisioning
# logic uses pkgrepo.managed, which writes the key to `/etc/apt/trusted.gpg`.
# It's cleaner to use the trusted.gpg.d subdirectory, since we can
# update that trivially in future versions of the keyring package.
#
# Therefore let's clean up prior versions of the key installed
# to the general apt keyring, to ensure we only have one signing key
# installed for authenticating securedrop-related packages.

if [ -e /etc/apt/trusted.gpg ] && which gpg >/dev/null; then
(
h="$(mktemp -d)"
trap "rm -rf '$h'" EXIT

if gpg --homedir="$h" \
--batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
--list-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 > /dev/null 2>&1 ; then
gpg --homedir="$h" \
--batch --no-tty --no-default-keyring --keyring /etc/apt/trusted.gpg \
--no-auto-check-trustdb \
--delete-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 || true
fi
)
fi

#DEBHELPER#

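Review bot: `--delete-key 0x22245C81E3BAEB4138B36061310F561200F4AD77 || true` discards a failed deletion silently, so an install can finish with the old copy of the key still in /etc/apt/trusted.gpg next to the new trusted.gpg.d file, which is the state the header comment says this script exists to prevent. Print a warning to stderr when the delete fails so the condition is visible in the apt log. Smaller points: the script runs its cleanup on every preinst invocation without looking at "$1"; `which gpg` could be `command -v gpg`; and the fingerprint is written out twice, where a single variable would remove the chance of the two copies drifting apart.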
5 changes: 5 additions & 0 deletions securedrop-keyring/debian/rules
@@ -0,0 +1,5 @@
#!/usr/bin/make -f

%:
dh $@

1 change: 1 addition & 0 deletions securedrop-keyring/debian/securedrop-keyring.install
@@ -0,0 +1 @@
securedrop-keyring.gpg etc/apt/trusted.gpg.d/
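Review bot: installing securedrop-keyring.gpg into etc/apt/trusted.gpg.d/ makes the key trusted by apt for every configured repository, not only the SecureDrop one. Consider shipping the keyring outside trusted.gpg.d and referencing it from the SecureDrop sources entry with signed-by, or record in the package description why global trust is acceptable on these templates.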
Binary file added securedrop-keyring/securedrop-keyring.gpg
Binary file not shown.
6 changes: 6 additions & 0 deletions securedrop-workstation-config/debian/changelog-buster
@@ -1,3 +1,9 @@
securedrop-workstation-config (0.1.3+buster) unstable; urgency=medium

* Adds securedrop-keyring to list of dependencies

-- SecureDrop Team <[email protected]> Fri, 22 May 2020 12:02:57 -0400

securedrop-workstation-config (0.1.2+buster) unstable; urgency=medium

* Bump securedrop-workstation-config to 0.1.2
2 changes: 1 addition & 1 deletion securedrop-workstation-config/debian/control
Expand Up @@ -8,6 +8,6 @@ Homepage: https://github.com/freedomofpress/securedrop-workstation-config

Package: securedrop-workstation-config
Architecture: all
Depends: nautilus, gvfs-bin
Depends: nautilus, gvfs-bin, securedrop-keyring
Description: This is the SecureDrop workstation template configuration package.
This package provides dependencies and configuration for the Qubes SecureDrop workstation VM Templates.