Switch main branch to use 2021 signing key #66
Conversation
Required for the 2021 key rotation for the SD release signing key. Used the scripts in the repo to convert the ascii-armored pubkey to a jwk.
Generated the PEM format public key component via: openssl rsa -in key.pem -outform PEM -pubout -out public.pem where `key.pem` is the RSA privkey in PEM format (via `openpgp2pem`).
(cherry picked from commit 060948a)
(cherry picked from commit d380d4b)
(cherry picked from commit aae0127)
Backports addition of Forbidden Stories
Account for external 2021 path in the nginx redirect
…s signing) (cherry picked from commit adbf810)
Add Al Jazeera Investigative Unit address to the 2021 channel
Updates main to use 2021 key (merged with -Xtheirs merge strategy)
|
LGTM, just blocking on https://github.com/freedomofpress/k8s-configs/pull/205 being merged. I don't mind, but If it bothers you at all one of my commits is duplicated with |
|
I'm fine with it, given the nature of the repo I'd rather preserve the history intact. |
|
Tagging myself in on review here. Will coordinate actual merge (and therefore deploy) with @maeve-fpf ahead of time. First, I'll review the changes locally. |
docker/nginx.conf
Outdated
| # This line has been adjusted for the temporary different external URL. | ||
| # Don't include this change in the main branch. | ||
| rewrite ^/https-everywhere($|//+)(.*) /https-everywhere-2021/$2 permanent; | ||
| rewrite ^/https-everywhere-2021($|//+)(.*) /https-everywhere-2021/$2 permanent; |
There was a problem hiding this comment.
Unfortunately this is where it gets kind of gnarly: our ingress transforms all external requests (/https-everywhere-2021/, or, formerly, /https-everywhere/) to internal requests for /https-everywhere/, because that's what's being served by this container (files are copied to /opt/nginx/root/https-everywhere/). So we need to leave this rewrite as is for it to do its thing.
There was a problem hiding this comment.
Roger that, will amend and at least clarify the comment as a warning to posterity.
| @@ -1,5 +1,5 @@ | |||
| # sha256 as of 2020-09-25 for mainline-alpine | |||
| FROM nginx@sha256:4635b632d2aaf8c37c8a1cf76a1f96d11b899f74caa2c6946ea56d0a5af02c0c | |||
| # sha256 as of 2021-08-18 for nginx:mainline-alpine | |||
There was a problem hiding this comment.
I've been moving toward putting the tag in the FROM line, a la nginx:mainline-alpine@sha256:... and then having only the datestamp in the comment. (Didn't know you could use that syntax until recently!)
There was a problem hiding this comment.
TIL! That's much clearer, will do.
Bumps tag to latest in the "mainline-alpine". Hadn't been updated in a while. Clarifies comment in nginx config, preserving the new route logic.
conorsch
force-pushed
the
switch-main-to-2021
branch
from
c0f8c4a to
304736a
Compare
|
Comments addressed, @maeve-fpf. I'm going to push this to staging, as you advised, and if no problems, will proceed with prod deploy later today. |
Status
Ready for review
This PR pushes the historical changes in the
key-rotation-2021branch tomain, updating the current ruleset to the latest one signed with the 2021 release key.Review Checklist
Path Prefix:https://raw.githubusercontent.com/freedomofpress/securedrop-https-everywhere-ruleset/$BRANCH_NAMEPost-Deployment Checklist
mainbranch, instead of fromkey-rotation-2021.