Install keyring package on first install

This ensures all debian-based VMs will contain the latest version of the Release Key, in a dedicated keyring file in `/etc/apt/trusted.gpg.d/securedrop_keyring.gpg`, see https://github.com/freedomofpress/securedrop-debian-packaging.

dom0/fpf-apt-test-repo.sls

@@ -32,3 +32,13 @@ configure-apt-test-apt-repo:
     - clean_file: True # squash file to ensure there are no duplicates
     - require:
       - pkg: install-python-apt-for-repo-config
+
+# This will install the production keyring package. This package will delete
+# the prod key from the default keyring in /etc/apt/trusted.gpg but will
+# preserve the apt-test key in this default keyring.
+install-securedrop-keyring-package:
+  pkg.installed:
+    - pkgs:
+      - securedrop-keyring
+    - require:
+      - pkgrepo: configure-apt-test-apt-repo

tests/test_vms_platform.py

@@ -232,18 +232,16 @@ def test_all_sd_vm_apt_sources(self):
             vm = self.app.domains[vm_name]
             self._validate_apt_sources(vm)
 
-    def test_ensure_keyring_package_is_installed(self, vm):
-        self.assertTrue(self._package_is_installed(vm, "securedrop-keyring"))
-
     def test_debian_keyring_config(self):
         """
+        Ensure the securedrop keyring package is properly installed and the
+        key it contains is up-to-date.
         """
         for vm_name in WANTED_VMS:
             vm = self.app.domains[vm_name]
             self._ensure_keyring_package_exists_and_has_correct_key(vm)
             self._ensure_trusted_keyring_securedrop_key_removed(vm)
 
-
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_VM_Platform_Tests)
     return suite