From 1b2d919ca2b7df3961dbc9425b8754dac1e8dad6 Mon Sep 17 00:00:00 2001 From: mickael e Date: Tue, 6 Nov 2018 12:17:22 -0500 Subject: [PATCH 1/4] Add instructions for verifying integrity of sources and binaries * GPG signatures and verification of release tags * GPG signatures of .deb and .rpm packages --- README.md | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b0165afb..57bcc2bd 100644 --- a/README.md +++ b/README.md @@ -75,7 +75,7 @@ Qubes provisioning is handled by Salt on `dom0`, so this project must be copied After that initial manual step, the code in your development VM may be copied into place on `dom0` by setting the `SECUREDROP_DEV_VM` and `SECUREDROP_DEV_DIR` environmental variables to reflect the VM and directory to which you've cloned this repo, and running `make clone` from the root of the project on `dom0`: ``` -export SECUREDROP_DEV_VM=work # set to your dev VM +export SECUREDROP_DEV_VM=sd-dev # set to your dev VM export SECUREDROP_DEV_DIR=/home/user/projects/securedrop-workstation # set to your working directory make clone ``` 
@@ -331,6 +331,58 @@ pipenv shell apt install lintian make test ``` +## Signing sources + +SecureDrop Workstation code spans across the following repositories: + +https://github.com/freedomofpress/securedrop-client +https://github.com/freedomofpress/securedrop-debian-packaging +https://github.com/freedomofpress/securedrop-proxy +https://github.com/freedomofpress/securedrop-sdk +https://github.com/freedomofpress/securedrop-workstation +https://github.com/freedomofpress/qubes-template-securedrop-workstation + + +### Release +1. For each release, a tag will be signed in all the above repos. + +2. Create a Makefile target in securedrop-debian-packaging repo that contains release tags / commit hashes for each repository used for the release. To verify the tag signature and check out the packaging logic: +``` +git tag -v +git checkout +``` + +3. Metadata (e.g. commit hash for release) should be tracked inside the .deb (e.g.: `/usr/share/packagename/release-info.txt`) + +### Signing binaries/packages + +#### Debs +Apt repository Release file will be signed, containing checksum of the debs. + +#### Rpms +The entire RPM must be signed. This process also requires a Fedora machine/VM on which the GPG signing key (either in GPG keyring or in qubes-split-gpg) is setup. + +`rpm -Kv` indicates if digests and sigs are OK. Before signature it should not return signature, and `rpm -qi .rpm` will indicate an empty Signature field. 
+ +Set up environment: +`sudo dnf install rpm-build /usr/bin/rpmsign` +Set your vault vm in /rw/config/gpg-split-domain +Edit ~/.rpmmacros with the following contents: +``` +%_signature gpg +%_gpg_name +%__gpg /usr/bin/qubes-gpg-client-wrapper +%__gpg_sign_cmd %{__gpg} qubes-gpg-client-wrapper --no-verbose --detach-sign %{__plaintext_filename} --output %{__signature_filename} +``` + +Sign the rpm: +`rpm --resign .rpm` (--addsign would allow us to apply multiple signatures to the RPM) +Verify that the rpm is signed: +`rpm -qi` should now show that the file is signed +`rpm -Kv` will complain that signature is not ok (`Digests SIGNATURES NOT OK`) +This is because the rpm key needs to be added locally: +`sudo rpm --import .asc` +`rpm -Kv` will now say signatures are ok (`Digests signatures OK`) ## Threat model From ba07ee4913c952d50525d1dc74c01a1237f3ff36 Mon Sep 17 00:00:00 2001 From: mickael e Date: Tue, 6 Nov 2018 14:06:05 -0500 Subject: [PATCH 2/4] Address review comments: * Clarify rpm key, add public key to rpm in a way analogous to `apt-key add` in the Debian world. * Use package name instead of binary path for rpmsign * List for repo URLs --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 57bcc2bd..fe399118 100644 --- a/README.md +++ b/README.md 
@@ -335,16 +335,16 @@ make test SecureDrop Workstation code spans across the following repositories: -https://github.com/freedomofpress/securedrop-client -https://github.com/freedomofpress/securedrop-debian-packaging -https://github.com/freedomofpress/securedrop-proxy -https://github.com/freedomofpress/securedrop-sdk -https://github.com/freedomofpress/securedrop-workstation -https://github.com/freedomofpress/qubes-template-securedrop-workstation +* https://github.com/freedomofpress/securedrop-client +* https://github.com/freedomofpress/securedrop-debian-packaging +* https://github.com/freedomofpress/securedrop-proxy +* https://github.com/freedomofpress/securedrop-sdk +* https://github.com/freedomofpress/securedrop-workstation +* https://github.com/freedomofpress/qubes-template-securedrop-workstation ### Release -1. For each release, a tag will be signed in all the above repos. +1. For each release, a tag for each release will be signed and pushed to each of the above repos. 2. Create a Makefile target in securedrop-debian-packaging repo that contains release tags / commit hashes for each repository used for the release. To verify the tag signature and check out the packaging logic: ``` 
@@ -360,19 +360,19 @@ git checkout Apt repository Release file will be signed, containing checksum of the debs. #### Rpms -The entire RPM must be signed. This process also requires a Fedora machine/VM on which the GPG signing key (either in GPG keyring or in qubes-split-gpg) is setup. +The entire RPM must be signed. This process also requires a Fedora machine/VM on which the GPG signing key (either in GPG keyring or in qubes-split-gpg) is setup. You will need to add the public key to RPM for verification (see below). `rpm -Kv` indicates if digests and sigs are OK. Before signature it should not return signature, and `rpm -qi .rpm` will indicate an empty Signature field. Set up environment: -`sudo dnf install rpm-build /usr/bin/rpmsign` +`sudo dnf install rpm-build rpm-sign` Set your vault vm in /rw/config/gpg-split-domain Edit ~/.rpmmacros with the following contents: ``` %_signature gpg %_gpg_name %__gpg /usr/bin/qubes-gpg-client-wrapper -%__gpg_sign_cmd %{__gpg} qubes-gpg-client-wrapper --no-verbose --detach-sign %{__plaintext_filename} --output %{__signature_filename} +%__gpg_sign_cmd %{__gpg} --no-verbose --detach-sign %{__plaintext_filename} --output %{__signature_filename} ``` Sign the rpm: @@ -380,7 +380,7 @@ Sign the rpm: Verify that the rpm is signed: `rpm -qi` should now show that the file is signed `rpm -Kv` will complain that signature is not ok (`Digests SIGNATURES NOT OK`) -This is because the rpm key needs to be added locally: +This is because the the (public) key of the RPM signing key is not present and must be added to the RPM client config to verify the signature: `sudo rpm --import .asc` `rpm -Kv` will now say signatures are ok (`Digests signatures OK`) From 3d375927a8f258e5cb1595a9c1903313a3f4d9f1 Mon Sep 17 00:00:00 2001 
From: Conor Schaefer Date: Mon, 15 Apr 2019 13:55:38 -0700 Subject: [PATCH 3/4] Addresses formatting nits in RPM signing docs Discussed during review, implementing now to make the instructions more readable as a reference during critical workflows. --- README.md | 40 ++++++++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index fe399118..3ab06ba5 100644 --- a/README.md +++ b/README.md 
@@ -356,33 +356,41 @@ git checkout ### Signing binaries/packages -#### Debs +#### Debian packages Apt repository Release file will be signed, containing checksum of the debs. -#### Rpms -The entire RPM must be signed. This process also requires a Fedora machine/VM on which the GPG signing key (either in GPG keyring or in qubes-split-gpg) is setup. You will need to add the public key to RPM for verification (see below). +#### RPM packages +The entire RPM must be signed. This process also requires a Fedora machine/VM on which +the GPG signing key (either in GPG keyring or in qubes-split-gpg) is setup. +You will need to add the public key to RPM for verification (see below). -`rpm -Kv` indicates if digests and sigs are OK. Before signature it should not return signature, and `rpm -qi .rpm` will indicate an empty Signature field. +`rpm -Kv` indicates if digests and sigs are OK. Before signature it should not return signature, +and `rpm -qi .rpm` will indicate an empty Signature field. Set up your environment: -Set up environment: -`sudo dnf install rpm-build rpm-sign` -Set your vault vm in /rw/config/gpg-split-domain -Edit ~/.rpmmacros with the following contents: ``` +sudo dnf install rpm-build rpm-sign # install required packages +echo "QUBES_GPG_DOMAIN=vault" | sudo tee /rw/config/gpg-split-domain # edit 'vault' as required +cat << EOF > ~/.rpmmacros %_signature gpg %_gpg_name %__gpg /usr/bin/qubes-gpg-client-wrapper %__gpg_sign_cmd %{__gpg} --no-verbose --detach-sign %{__plaintext_filename} --output %{__signature_filename} +EOF ``` +Now we'll sign the RPM: -Sign the rpm: -`rpm --resign .rpm` (--addsign would allow us to apply multiple signatures to the RPM) -Verify that the rpm is signed: -`rpm -qi` should now show that the file is signed -`rpm -Kv` will complain that signature is not ok (`Digests SIGNATURES NOT OK`) -This is because the the (public) key of the RPM signing key is not present and must be added to the RPM client config to verify the signature: -`sudo 
rpm --import .asc` -`rpm -Kv` will now say signatures are ok (`Digests signatures OK`) +``` +rpm --resign .rpm # --addsign would allow us to apply multiple signatures to the RPM +rpm -qi # should now show that the file is signed +rpm -Kv # will complain that signature is not OK: "Digests SIGNATURES NOT OK" +# This is because the the (public) key of the RPM signing key is not present, +# and must be added to the RPM client config to verify the signature: +sudo rpm --import .asc +rpm -Kv # will now say signatures are OK: "Digests signatures OK" +``` + +You can then proceed with distributing the package, via the "test" or "prod" repo, +as appropriate. ## Threat model From d285d861289c1ef32d39c8fba0f90f232df11aab Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Mon, 15 Apr 2019 14:02:22 -0700 Subject: [PATCH 4/4] Interpolate GPG keyid in RPM sign macros This was required to select a specific private key from the keyring, during local signing. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ab06ba5..e6c2f443 100644 --- a/README.md +++ b/README.md @@ -374,7 +374,7 @@ cat << EOF > ~/.rpmmacros %_signature gpg %_gpg_name %__gpg /usr/bin/qubes-gpg-client-wrapper -%__gpg_sign_cmd %{__gpg} --no-verbose --detach-sign %{__plaintext_filename} --output %{__signature_filename} +%__gpg_sign_cmd %{__gpg} --no-verbose -u %{_gpg_name} --detach-sign %{__plaintext_filename} --output %{__signature_filename} EOF ``` Now we'll sign the RPM:
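Review bot: the `SECUREDROP_DEV_VM=work` to `sd-dev` change in the `make clone` example (PATCH 1/4, hunk `@@ -75,7 +75,7 @@`) is unrelated to the signing and verification instructions named in the commit message; move it to its own commit or mention it in the message so the history of the signing docs stays reviewable on its own.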
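Review bot: the `git tag -v` and `git checkout` commands in the "Release" step of PATCH 1/4 (hunk `@@ -331,6 +331,58 @@`) have no tag argument, so as written they do not run; write them with an explicit placeholder and chain them, e.g. `git tag -v <release-tag> && git checkout <release-tag>`, so the checkout only happens when verification succeeds (`git tag -v` exits non-zero on a bad or unknown signature). The same missing-argument problem affects `rpm -qi .rpm`, `rpm --resign .rpm`, `sudo rpm --import .asc` and the empty `%_gpg_name` macro line later in the hunk. The step should also state which release-signing key fingerprint the verifier is expected to hold, since `git tag -v` accepts any key in the local keyring. In the "Debs" paragraph, "Apt repository Release file will be signed, containing checksum of the debs." leaves out how a consumer checks it: apt only verifies the `Release`/`InRelease` signature against keys in its trusted keyring, so name the repository signing key, and say that a `.deb` obtained outside apt (copied into a VM, for example) carries no signature of its own and has to be checked by hand against the checksums in the signed `Release` file.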
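Review bot: "a tag for each release will be signed and pushed to each of the above repos" in PATCH 2/4 (hunk `@@ -335,16 +335,16 @@`) repeats "for each release" from the start of the same list item; "For each release, a signed tag will be pushed to each of the above repos." reads cleaner and says the same thing.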
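Review bot: the replacement line in PATCH 2/4 (hunk `@@ -380,7 +380,7 @@`) contains a doubled word, "the the (public) key", which PATCH 3/4 then carries into the comment line of the code block; fix it once here so the later patch inherits the corrected text.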
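Review bot: `echo "QUBES_GPG_DOMAIN=vault" | sudo tee /rw/config/gpg-split-domain` in PATCH 3/4 (hunk `@@ -356,33 +356,41 @@`) writes a `KEY=value` line, but the Qubes split-GPG documentation has that file hold only the qube name (`echo "vault" | sudo tee /rw/config/gpg-split-domain`); `qubes-gpg-client-wrapper` reads the file's contents as the target domain, so the literal string `QUBES_GPG_DOMAIN=vault` would be used as the qrexec target and signing would fail. `QUBES_GPG_DOMAIN=vault` is the form for exporting the variable in a shell, not for the file. In the same hunk, the verify block tells the reader to `sudo rpm --import .asc` as soon as `rpm -Kv` reports `SIGNATURES NOT OK`, with no check on which key is being imported; `rpm --import` adds whatever key the file contains to the RPM trust database, after which `rpm -Kv` reports OK for anything signed by it. Add a step to compare the key's fingerprint (`gpg --show-keys <file>.asc`, or the project's published fingerprint) against the expected release key before importing, and point out that `rpm -Kv` prints the key ID it used, so the reader can confirm the signature comes from that key rather than merely from some key in the database.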
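Review bot: with `-u %{_gpg_name}` added to `%__gpg_sign_cmd` in PATCH 4/4 (hunk `@@ -374,7 +374,7 @@`), the unchanged context line `%_gpg_name` still has no value, so the expanded command would contain a bare `-u` followed by `--detach-sign`, which GnuPG rejects; show the macro with a placeholder (`%_gpg_name <SIGNING_KEY_ID_OR_FINGERPRINT>`) and say it must name a key present in the vault qube's keyring, since the `-u` option is forwarded by qubes-gpg-client-wrapper to the backend GnuPG there.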