Whonix-specific keyring changes

* Update tests to account for whonix-specific output differences when invoking gpg vs debian-10-based TemplateVMs * Remove securedrop-keyring package on whonix template cleanup: We no longer need to remove the Release Key since postinst will remove the Release Key from `/etc/apt/trusted.gpg` and the package will remove the SecureDrop-specific keyring in `/etc/apt/trusted.gpg.d/` folder
freedomofpress · May 28, 2020 · 3964783 · 3964783
1 parent 11c250e
commit 3964783
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 7 deletions.
diff --git a/dom0/sd-clean-whonix.sls b/dom0/sd-clean-whonix.sls
@@ -9,6 +9,7 @@ remove-securedrop-log-package-from-whonix:
   pkg.removed:
     - pkgs:
       - securedrop-log
+      - securedrop-keyring
 
 sd-cleanup-whonix-gw-15:
   cmd.run:
@@ -17,4 +18,3 @@ sd-cleanup-whonix-gw-15:
       - sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list
       - sudo systemctl restart rsyslog
       - sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C
-      - sudo apt-key del 22245C81E3BAEB4138B36061310F561200F4AD77
diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py
@@ -117,14 +117,21 @@ def _ensure_jessie_backports_disabled(self, vm):
         # We expect zero hits, so confirm output is empty string.
         self.assertEqual(results, "")
 
-    def _ensure_keyring_package_exists_and_has_correct_key(self, vm):
+    def _ensure_keyring_package_exists_and_has_correct_key(self, vm, is_whonix=False):
+        keyring_path = "/etc/apt/trusted.gpg.d/securedrop-keyring.gpg"
+        # in whonix-gw-15, the keyring name gets appended with ~ on install
+        if is_whonix:
+            keyring_path += "~"
         # apt-key finger doesnt work here due to stdout/terminal
-        cmd = "gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/securedrop-keyring.gpg -k"
+        cmd = "gpg --no-default-keyring --keyring {} -k".format(keyring_path)
         stdout, stderr = vm.run(cmd)
         results = stdout.rstrip().decode("utf-8")
-        fpf_gpg_pub_key_info = [
-            "/etc/apt/trusted.gpg.d/securedrop-keyring.gpg",
-            "---------------------------------------------",
+        fpf_gpg_pub_key_info = ["{}".format(keyring_path)]
+        if is_whonix:
+            fpf_gpg_pub_key_info.append("----------------------------------------------")
+        else:
+            fpf_gpg_pub_key_info.append("---------------------------------------------")
+        fpf_gpg_pub_key_info += [
             "pub   rsa4096 2016-10-20 [SC] [expires: 2021-06-30]",
             "      22245C81E3BAEB4138B36061310F561200F4AD77",
             "uid           [ unknown] SecureDrop Release Signing Key",
@@ -239,9 +246,14 @@ def test_debian_keyring_config(self):
         """
         for vm_name in WANTED_VMS:
             vm = self.app.domains[vm_name]
-            self._ensure_keyring_package_exists_and_has_correct_key(vm)
+            if "whonix" in vm_name:
+                self._ensure_keyring_package_exists_and_has_correct_key(vm, is_whonix=True)
+            else:
+                self._ensure_keyring_package_exists_and_has_correct_key(vm)
+
             self._ensure_trusted_keyring_securedrop_key_removed(vm)
 
+
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_VM_Platform_Tests)
     return suite