Release securedrop-workstation-dom0-config 1.0.0

[legoktm]

• RM: @legoktm
• Deputy RM: @zenmonkeykstop
• Comms: TK
• QA: (all-team)

QA:

To test this release, you will need a dedicated computer compatible with Qubes 4.2. You'll also need a test SecureDrop server instance, either:

• a production hardware instance,
• a staging or production virtualized test enviroment,
• or (as a fallback) a server dev environment with Tor services enabled (make dev-tor)

Do not use a production server instance to test release candidates! You'll need to copy the SVS's Submission Private Key to the SecureDrop Workstation config, and it will have access to submissions, so you should use test instances and test data only.

In order to configure SecureDrop Workstation, you'll need the Journalist interface address and authorization key, and the Submission Private Key from the server instance - so set the server instance up first.

Next, install Qubes 4.2 (preferably the latest stable patch version) on your Qubes computer. Then install SecureDrop Workstation, following the standard installation process with 2 deviations:

• Instead of downloading the latest production RPM from yum.securedrop.org, download the latest f37 release candidate RPM from yum-test.securdrop.org
• When updating config.json, set the value of environment to staging instead of prod - this will enforce the use of the test repos and latest RCs for both workstation and client packages.

Once the installation is complete, copy the securedrop-workstation source tagged with the curent RC version to dom0 on your test system using make clone and run the configuration tests in dom0 with make test.

Then, add a column with your config and initial test results (installation, setup, dom0 tests) in the SecureDrop Workstation QA Matrix, and complete one or more acceptance test scenarios (check with the release manager if you're unsure as to which ones are needed), and complete any linked release-specific tests, copying the scenario test plans from the linked wiki pages, and adding the completed versions as comments on this issue.

(Then take a rest and get yourself a nice treat - you've earned it.)

QA test plan:

Note: there is no upgrade scenario because all users must reinstall for this release.

Fresh install (prodlike install)

Qubes 4.2.1 [edit: 4.2.2-rc1 or newer] expected, please note hardware

Testing:

• download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
• RPM installs successfully in dom0
• Set up /usr/share/securedrop-workstation-dom0-config/, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging.
• Run sdw-admin --validate && sdw-admin --apply; both should finish successfully.
• open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop and verify you have 0.11.0-rc1 packages
• After running the updater, ~/.securedrop_updater/sdw-last-updated has been updated. (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Manually start the sdw-notify systemd user unit after running the updater - you should not see a notification popup (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Open the menu, for sd-devices you should see "Files" and "Disks". for sd-whonix you should see "Anon Connection Wizard" and "Tor Control panel" (verifies sd-devices menu should include file manager #1109)
• basic client functionality requiring Tor (login, first sync) completed successfully.
• Run through selected sscenarios from SecureDrop Workstation QA Matrix

Release process:

RC1:

• [In release branch] bump rc version using update_version script, update changelog in .spec file and markdown: [1.0.0] SecureDrop Workstation 1.0.0-rc1 #1102
• [In release branch] create rc tag
• build rc, commit build logs, and publish artifact to yum-test

RC2:

• [In release branch] bump rc version using update_version script, update changelog in .spec file and markdown: [1.0.0] SecureDrop Workstation 1.0.0-rc1 #1102
• [In release branch] create rc tag
• build rc, commit build logs, and publish artifact to yum-test

Release:

• [In release branch] Bump version via update_version script, and update changelog in .spec file and markdown
• [In release branch] Create prod tag (signed by release signing key)
• Build prod artifact, sign with release key, commit build logs
• QA/smoketest of prod artifact (stuff rpm in dom0 of SDW prod machine)
• Publish prod artifact to yum repo

Post-release

• Backport version and changelog updates to main branch from release branch
• Retro if/as needed
• Update documentation

[rocodes]

testing

version: rc1
status: WIP

• download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
• RPM installs successfully in dom0
• Set up /usr/share/securedrop-workstation-dom0-config/, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging.
• Run sdw-admin --validate && sdw-admin --apply; both should finish successfully.
• open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop and verify you have 0.11.0-rc1 packages
• basic client functionality requiring Tor (login, first sync) completed successfully. (todo)
• Run through https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests and other QA testing (todo)

[deeplow]

testing

version: rc1
status: WIP

• download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
• RPM installs successfully in dom0
• Set up /usr/share/securedrop-workstation-dom0-config/, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging.
• Run sdw-admin --validate && sdw-admin --apply; both should finish successfully.
• open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop and verify you have 0.11.0-rc1 packages
• basic client functionality requiring Tor (login, first sync) completed successfully. (todo)

Run through https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests and other QA testing (todo)

- **Scenario A: International user** - [ ] il8n/locale testing - [ ] network tests (Tor/JI), - [ ] large file sizes (submit/download/view) - **Scenario B: Longstanding user** - [ ] Export scenarios (veracrypt, LUKS and print); - [ ] export docs review, multiple file type previews (including zip files), - [ ] source and conversation deletion scenarios. - **Scenario C - new user** (making notes on ease of use and usability, assume lack of Qubes mental model) - [ ] provisioning - [ ] updater testing - [ ] docs review - **Scenario D: admin installing** Admin familiar with Qubes going through the installation documentation; - [ ] ensuring old conversations are recovered - **Scenario E: admin troubleshooting** - [ ] updater failures; - [ ] connectivity issues, unable to troubleshoot alone and process to request support - **Scenario F: Occasionally-connected user** - [ ] going back and forth between an authenticated session and offline mode

[legoktm]

Testing:

• rc2
• T490, Qubes 4.2.1

• download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
• RPM installs successfully in dom0
• Set up /usr/share/securedrop-workstation-dom0-config/, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging.
• Run sdw-admin --validate && sdw-admin --apply; both should finish successfully.
• open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop and verify you have 0.11.0-rc1 packages
• basic client functionality requiring Tor (login, first sync) completed successfully.
• Run through https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests and other QA testing
• After running the updater, ~/.securedrop_updater/sdw-last-updated has been updated. (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Manually start the sdw-notify systemd user unit after running the updater - you should not see a notification popup (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Open the menu, for sd-devices you should see "Files" and "Disks". for sd-whonix you should see "Anon Connection Wizard" and "Tor Control panel" (verifies sd-devices menu should include file manager #1109)

[cfm]

• Qubes 4.2.1 4.2.2-rc1
• ThinkPad T14

Smoke-testing

• download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
• RPM installs successfully in dom0
• Set up /usr/share/securedrop-workstation-dom0-config/, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging.
• Run sdw-admin --validate && sdw-admin --apply; both should finish successfully.
• open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop and verify you have 0.11.0-rc1 packages
• basic client functionality requiring Tor (login, first sync) completed successfully.
• Run through https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests and other QA testing
• After running the updater, ~/.securedrop_updater/sdw-last-updated has been updated. (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Manually start the sdw-notify systemd user unit after running the updater - you should not see a notification popup (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Open the menu, for sd-devices you should see "Files" and "Disks". for sd-whonix you should see "Anon Connection Wizard" and "Tor Control panel" (verifies sd-devices menu should include file manager #1109)

SDW Test Scenario: New User

Updater

• Disconnect network (either by disabling wireless connections in sys-net network widget or unplugging wired connection if in use)
  • when SecureDrop desktop icon is double-clicked, preflight updater is displayed but immediately fails with an error related to network access
• Close updater and reconnect to network
  • when SecureDrop desktop icon is double-clicked, preflight updater is displayed and prompts to complete update
  • Update can be started and completed successfully.

Online Mode

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• In login dialog:
  • show/hide password functionality works
  • incorrect password cannot log in
  • 2FA token reuse cannot log in after password failure
  • invalid 2FA token cannot log in
  • valid credentials and 2FA can log in

Sources

• after valid login:
  • the login dialog closes
  • source data is downloaded and source list is populated
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when a source is selected in source list:
  • conversation view is populated with source conversation
  • a source message containing HTML is displayed as unformatted text
  • source submissions have an active Download button
  • source submission compressed file size is displayed accurately
• when the upper right 3-dot button is clicked:
  • a menu is displayed with a delete source account option
  • when delete source account is selected:
    • the source is deleted from the source list and the conversation view is blanked
    • the source is deleted from the server and not restored on next sync
    • source submissions and messages are removed from the client's data directory
• when a source is starred in source list, and the client is closed and reopened in Online mode:
  • the source is still starred in the source list

With known limitations of the current data/sync model:

Data race (contention): If you click the star icon while a sync is in progress, then: (1) the GUI shows the source as starred; (2) the sync completes; (3) the GUI shows the source as unstarred; (4) the star operation completes; (5) the GUI shows the source as starred.

Data race (interruption): If you click the star icon and then immediately quit the Client, then: (1) the GUI shows the source as starred; (2) the Client quits; (3) when the Client restarts, the GUI shows the source as unstarred; (4) the first sync completes; (5) the GUI shows the source as starred.

→ freedomofpress/securedrop-client#874 (comment)

Replies

• when a source is selected in the source list:

  • the reply panel is available for use and there is no message asking the user to sign in

  • a reply can be added to the conversation

  • a pending reply can be added to the conversation (ie., by disconnecting the network or shutting down sd-whonix just before sending a reply)

  • a reply containing HTML is displayed as unformatted text

    • a reply with a single string of characters longer than 100 chars is displayed, but truncated

  • a reply with a line longer than 100 chars is displayed correctly

  • two replies added immediately after each other are ordered correctly

Submissions

Preview

• when Download is clicked on a submission:
  • the submission is downloaded and decrypted
  • the Download button is replaced with Print and Export options
  • the submission filename is displayed.
• For a DOC submission:
  • when the submission filename is clicked, a disposable VM (dispVM) is started.
  • after the dispVM starts, the submission is displayed in LibreOffice
  • when LibreOffice is closed, the dispVM shuts down
• For a PDF submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in evince
  • when evince is closed, the dispVM shuts down
• For a JPEG PNG submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in Image Viewer
  • when Image Viewer is closed, the dispVM shuts down
• For an audio submission:
  • when the submission filename is clicked, a dispVM is started.
  • After the dispVM starts, the submission is played in Audacious
  • Sound is audible
  • when Audacious is closed, the dispVM shuts down
• For a video submission:
  • when the submission filename is clicked, a dispVM is started.
  • After the dispVM starts, the submission is played in Totem
  • Sound is audible if applicable
  • when Totem is closed, the dispVM shuts down

No, probably an unsupported format: A .webm video file fails with the prompt "Are you sure you want to create another disposable VM?" and then Denied: qubes.OpenInVM.

• For a compressed (archive) submission:
• when the submission filename is clicked, a dispVM is started.
• After the dispVM starts, the submission is opened in FileRoller
• Individual files can be extracted and previewed
• when FileRoller is closed, the dispVM shuts down

This is freedomofpress/securedrop-client#2007 at https://github.com/freedomofpress/securedrop-client/blob/d94eca34a2f530c7286e5463bde64ef0fc73f878/workstation-config/mimeapps.list.sd-app#L191.

Batch submission actions

• For a given source:
  • "Download all" is available
  • "Export all" is available
  • "Export all" shows a modal warning when not all files have been downloaded prior to export
    • Accepting the warning opens the export dialog (there is a known UI bug with export dialog size when the dialog is launched this way)
  • "Export conversation transcript" generates and exports a plaintext transcript that includes message text and file information
    • For downloaded files, the filename as submitted is included in the transcript

Closing the client

• When the user clicks the main window close button:
  • the client exits.

SDW Test Scenario: Export and Print

Prerequisites:

• server is available and contains large source test dataset (256 sources,
  submission sizes ranging from 1-500MB)
• client data directory is empty

diff --git a/securedrop/loaddata.py b/securedrop/loaddata.py
index 241e00f43..3b1b7a85f 100755
--- a/securedrop/loaddata.py
+++ b/securedrop/loaddata.py
@@ -208,6 +208,7 @@ def submit_file(source: Source, journalist_who_saw: Optional[Journalist], size:
     if not size:
         file_bytes = b"This is an example of a plain text file upload"
     else:
+        size = random.randint(0, size)
         file_bytes = os.urandom(size * 1024)
 
     fpath = Storage.get_default().save_file_submission(

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• In login dialog:
  • valid credentials and 2FA can log in

Sources

• after valid login:
  • the login dialog closes
  • all source data is downloaded and source list is populated
  • user can scroll to bottom of source list

Modulo freedomofpress/securedrop-client#1476.

• user is prompted for GPG key access
• submissions and replies are decrypted
• the source list is displayed but no sources are selected by default
• the conversation view is not populated
• when a source is selected in source list:
  • conversation view is populated with source conversation
  • a source message containing HTML is displayed as unformatted text
  • source submissions have an active Download button
  • source submission compressed file size is displayed accurately
• when the upper right 3-dot button is clicked:
  • a menu is displayed with a delete source account option
  • when delete source account is selected:
    • the source is deleted from the source list and the converation view is blanked
    • the source is deleted from the server and not restored on next sync
    • source submissions and messages are removed from the client's data directory
• when a source is starred in source list, and the client is closed and reopened in Online mode:
  • the source is still starred in the source list

Replies

• when a source is selected in the source list:
  • the reply panel is available for use and there is no message asking the user to sign in
  • a reply can be added to the conversations
  • a reply containing HTML is displayed as unformatted text
  • two replies added immediately after each other are ordered correctly

Submissions

Preview

• when Download is clicked on a submission:
  • the submission is downloaded and decrypted
  • the Download button is replaced with Print and Export options
  • the submission filename is displayed.
• For a DOC submission:
  • when the submission filename is clicked, a disposable VM (dispVM) is started.
  • after the dispVM starts, the submission is displayed in LibreOffice
  • when LibreOffice is closed, the dispVM shuts down
• For a PDF submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in evince
  • when evince is closed, the dispVM shuts down
• For a JPEG submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in Image Viewer
  • when evince is closed, the dispVM shuts down

Export

• When Export is clicked on a 1MB submission:
  • The export flow can be completed successfully
• When Export is clicked on a 50MB submission:
  • The export flow can be completed successfully
• When Export is clicked on a 100MB submission:
  • The export flow can be completed successfully
• (optional) When Export is clicked on a 500MB submission:
  • The export flow can be completed successfully

Yes, although the wizard steps stall for an interval proportional to the size of the file being exported, without much UI feedback.

I had one failure where send-to-usb returned EOF after reaching Syncing filesystems, but I've not been able to reproduce it in repeated testing with a ~500 MB file.

• When the user detaches the Export USB and mounts it on another VM or computer:
  • the decrypted submissions are available in on the Export USB, in directories sd-export-<timestamp>/export_data

[deeplow]

securedrop-workstation-dom0-config 1.0.0-rc2

• Qubes 4.2.2-rc2
• Framework 13

QA Test Plan

Testing:

• download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
• RPM installs successfully in dom0
• Set up /usr/share/securedrop-workstation-dom0-config/, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging.
• Run sdw-admin --validate && sdw-admin --apply; both should finish successfully.
• open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop and verify you have 0.11.0-rc1 packages
• basic client functionality requiring Tor (login, first sync) completed successfully.
• Run through https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests and other QA testing -> See Testing Scenarios
• After running the updater, ~/.securedrop_updater/sdw-last-updated has been updated. (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Manually start the sdw-notify systemd user unit after running the updater - you should not see a notification popup (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Open the menu, for sd-devices you should see "Files" and "Disks". for sd-whonix you should see "Anon Connection Wizard" and "Tor Control panel" (verifies sd-devices menu should include file manager #1109)

Scenarios Testing

• Scenario A: International user
  • il8n/locale testing
• Scenario B: Longstanding user - Export scenarios (veracrypt, LUKS and print)
  • populate submissions list with multiple file type previews (including zip files),
  • provision Veracrypt device according to the docs
  • export scenario with Veracrypt device
  • provision LUKS device according to the export docs
  • export scenario with LUKS device
    • ⚠️ The following lines were inconsistent with my test. In my case I had to insert the password again and I saw in the upper-right corner that the device was being locked again. Could this be a case where the testing scenarios haven't kept up with the workstation and need updating?

      • the user is not prompted for the USB's password, if the (LUKS or VeraCrypt) device is unlocked

      • the user is not prompted for the USB's password, if the (LUKS or VeraCrypt) device is unlocked and mounted

    • I encountered a blank export failed is this expected?
  • large dataset scenario (submit/download/view)
• Scenario C - new user (making notes on ease of use and usability, assume lack of Qubes mental model)
  • updater testing, including failure situations
    • ⚠️ I have tested all conditions. The only thing that is not consistent is the VM restarts. Tracking as Investigate updater not restarting some qubes #1127
  • [scenario: online mode]https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests/(#scenario-online-mode)
    • ⚠️ NOTE: source submission compressed file size is displayed accurately - I didn't know what I was supposed to do here
    • ⚠️ NOTE: Couldn't find video submission on Gdrive
    • Missing export and print scenarios
  • scenario: client and journalist interface both in use
• Scenario D: admin installing Admin familiar with Qubes going through the installation documentation;
  • provisioning
  • ensuring old conversations are recovered
• Scenario E: admin troubleshooting
  • updater failures
  • connectivity issues, unable to troubleshoot alone and process to request support
• Scenario F: Occasionally-connected user
  • network tests (Tor/JI)
  • going back and forth between an authenticated session and offline mode
  • offline mode scenario without existing data
  • offline mode scenario with existing data

[rocodes]

@deeplow can you provide more details about the export failures please, eg STR / where the process failed/what error message or error logs you see? (Edit) Even if it's a misconfigured drive, it could be something real-world users run into so it's helpful information. Thank you!

[deeplow]

That was at the end of last week. I was trying to reproduce it now, but it works. Could have something to do with how I created the device. Will test again various times this week and see if I get it to fail as before. But I had originally provisioned from nautilus » right-click on drive » format.

[rocodes]

Thanks @deeplow - For creating a device, we ask people to follow https://workstation.securedrop.org/en/stable/admin/provisioning_usb.html , so as long as you're using that or equivalent workflow and creating a whole-encrypted device, or a device with one encrypted partition (other non encrypted partitions are fine), any STR / bugreports are useful

[rocodes]

Setup

hw: T480 / Qubes 4.2.2-rc1
version 1.0.0-rc2

Testing (WIP, will update as I go)

• download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
• RPM installs successfully in dom0
• Set up /usr/share/securedrop-workstation-dom0-config/, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging.
• Run sdw-admin --validate && sdw-admin --apply; both should finish successfully.
• open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop and verify you have 0.11.0-rc1 packages
• basic client functionality requiring Tor (login, first sync) completed successfully.
• Run through https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Acceptance-Tests and other QA testing
• After running the updater, ~/.securedrop_updater/sdw-last-updated has been updated. (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Manually start the sdw-notify systemd user unit after running the updater - you should not see a notification popup (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Open the menu, for sd-devices you should see "Files" and "Disks". for sd-whonix you should see "Anon Connection Wizard" and "Tor Control panel" (verifies sd-devices menu should include file manager #1109)

[deeplow]

When the export fails it shows the following screen:

The scenarios expect this:

When the user encounters error state(s) during export:
   a user-facing message (rather than an EXPORT_ERROR_CODE style message) is shown

I am not sure if this is a successful outcome or not.

The way I simulated the failure was by remove the USB stick mid-copying.

[rocodes]

Looks like freedomofpress/securedrop-client#1926, same question - I'm curious about the logs in sd-devices, specifically the export_status, when that happens.

It's definitely something to fix, but I'm not sure where it ranks in our priorities - if the user pulls out a drive mid-export they can/should expect that to fail in a weird way. (Ideally it would fail with a better message of course)

[rocodes]

@deeplow (and other testers) re the export scenarios:

• Devices are still locked every time an export finishes.
• If a user manually unlocks the drive beforehand (eg via the commandline or the file browser app in sd-devices), they will not be re-prompted for the drive password. But the drive will still lock after export is finished.
• There is an open issue for providing the option to keep a drive unlocked ( [securedrop-export] Add option to keep a device unlocked on sd-devices securedrop-client#1729), which would be easy to implement now, but it has not been implemented yet.

HTH!

[deeplow]

HTH!

Does help. Thanks for the context, again!

[rocodes]

I still have to finish up some of the export/print test plan and report out in more detail (tomorrow), but with the addition of freedomofpress/securedrop-client#2102 in sd-app, basic print testing so far is looking good on both supported HP and Brother printers. Basic export testing is also looking good and I will test freedomofpress/securedrop-client#2100 tomorrow to mark for review since I think it will resolve some of the corner case issues with error reporting.

until tm :)

[rocodes]

Qubes: 4.2.2-rc2
dom0 config: rc2
client: 0.11.0 -rc1 + print changes (0.11.0-rc2 equiv)

Export

• When Export is first clicked on a submission:
  • the "Preparing to export..." message is displayed
  • the sd-devices VM is started
  • the user is prompted to insert an Export USB
  • On clicking Cancel, the prompt closes and the file is not exported
• When Export is clicked on the submission again:
  • the "Preparing to export..." message is displayed
  • the user is prompted to insert an Export USB
  • When the user inserts an invalid Export USB, attaches it to the sd-devices VM and clicks Next:
    • x ] a message is displayed indicating that the Export USB is invalid and
      the user is prompted to insert a valid device
• When Export is clicked on the submission again:
  • the "Preparing to export..." message is displayed
  • the user is prompted to insert an Export USB
  • When the user inserts a valid Export USB, attaches it to the sd-devices VM, and clicks Next:
    • the user is prompted for the Export USB's password if the (LUKS) device is locked
    • the user is not prompted for the USB's password, if the (LUKS or VeraCrypt) device is unlocked
    • the user is not prompted for the USB's password, if the (LUKS or VeraCrypt) device is unlocked and mounted
  • When the user enters an invalid Export USB password and clicks Next:
    • a failure message is displayed and the user is prompted to enter the password again
  • When the user enters an valid Export USB password and clicks Next:
    • the file is saved to the Export USB and a success message is shown
  • When the user encounters error state(s) during export:
    • a user-facing message (rather than an EXPORT_ERROR_CODE style message) is shown (yes, except see discussion above and Export wizard advances too soon and blank "Export failed" message appears securedrop-client#2098)
• When the user detaches the Export USB and mounts it on another VM or computer:
  • the decrypted submission(s) is available in on the Export USB, in a directory sd-export-<timestamp>/export_data

Print

Tested with HP LaserJetPro 4001dn and Brother HL-L2360DW

• When the user clicks Print on a downloaded submission:
  • a "Preparing to print..." message is displayed
  • the sd-devices VM is started
  • the user is prompted to connect a supported printer
• When the user connects a printer, attaches it to the sd-devices VM, and clicks Continue:
  • a "Printing..." message is displayed: No, "preparing to print" and then the xpp panel closes, but this is expected
  • the X Printer Panel dialog is displayed with the printer selected
• When the user clicks Print in the X Printer Panel:
  • the submission is printed successfully.
• A multi-page document can be printed successfully (todo: will try some more filetypes eg multifile pdf)

[zenmonkeykstop]

Fresh install (prodlike install)

Qubes 4.2.2-rc1, Novacustom NV41

Testing:

• download rpm from https://yum-test.securedrop.org/workstation/dom0/f37/, copy into dom0 and install (see steps at https://workstation.securedrop.org/en/stable/admin/install.html#download-and-install-securedrop-workstation but it's OK to skip the download through dnf and signature verification parts)
• RPM installs successfully in dom0
• Set up /usr/share/securedrop-workstation-dom0-config/, see https://workstation.securedrop.org/en/stable/admin/install.html#configure-securedrop-workstation-estimated-wait-time-60-90-minutes, make sure that in config.json, environment is set to staging.
• Run sdw-admin --validate && sdw-admin --apply; both should finish successfully.
• open a terminal in one of the SDW appVMs/templates, run dpkg -l | grep securedrop and verify you have 0.11.0-rc1 packages
• After running the updater, ~/.securedrop_updater/sdw-last-updated has been updated. (verifies sdw-notify warns of lack of updates even if updates have been applied #1107)
• Manually start the sdw-notify systemd user unit after running the updater - you should not see a notification popup (verifies sdw-notify warns of lack of updates even if updates have been applied #1107) skipped
• Open the menu, for sd-devices you should see "Files" and "Disks". for sd-whonix you should see "Anon Connection Wizard" and "Tor Control panel" (verifies sd-devices menu should include file manager #1109)
• basic client functionality requiring Tor (login, first sync) completed successfully.
• Run through selected scenarios from SecureDrop Workstation QA Matrix Large dataset in progress

SDW Test Scenario: Export and Print

Prerequisites:

• server is available and contains large source test dataset (256 sources,
  submission sizes ranging from 1-500MB)
• client data directory is empty

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• In login dialog:
  • valid credentials and 2FA can log in

Sources

• after valid login:
  • the login dialog closes
  • all source data is downloaded and source list is populated
  • user can scroll to bottom of source list
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when a source is selected in source list:
  • conversation view is populated with source conversation
  • a source message containing HTML is displayed as unformatted text
  • source submissions have an active Download button
  • source submission compressed file size is displayed accurately
• when the upper right 3-dot button is clicked:
  • a menu is displayed with a delete source account option
  • when delete source account is selected:
    • the source is deleted from the source list and the converation view is blanked
    • the source is deleted from the server and not restored on next sync
    • source submissions and messages are removed from the client's data directory
• when a source is starred in source list, and the client is closed and reopened in Online mode:
  • the source is still starred in the source list

Replies

• when a source is selected in the source list:
  • the reply panel is available for use and there is no message asking the user to sign in
  • a reply can be added to the conversations
  • a reply containing HTML is displayed as unformatted text
  • two replies added immediately after each other are ordered correctly

Submissions

Preview

• when Download is clicked on a submission:
  • the submission is downloaded and decrypted
  • the Download button is replaced with Print and Export options
  • the submission filename is displayed.
• For a DOC submission:
  • when the submission filename is clicked, a disposable VM (dispVM) is started.
  • after the dispVM starts, the submission is displayed in LibreOffice
  • when LibreOffice is closed, the dispVM shuts down
• For a PDF submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in evince
  • when evince is closed, the dispVM shuts down
• For a JPEG submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in Image Viewer
  • when evince is closed, the dispVM shuts down

Export

• When Export is clicked on a 1MB submission:
  • The export flow can be completed successfully
• When Export is clicked on a 50MB submission:
  • The export flow can be completed successfully
• When Export is clicked on a 100MB submission:
  • The export flow can be completed successfully
• (optional) When Export is clicked on a 500MB submission:
  • The export flow can be completed successfully
• When the user detaches the Export USB and mounts it on another VM or computer:
  • the decrypted submissions are available in on the Export USB, in directories sd-export-<timestamp>/export_data

[rocodes]

Environment

Qubes 4.2.2-rc1 / T480 / staging servers

Candidate(s)

dom0 rc3 / client rc2

Installation

upgrade (rc{1,2} -> rc{2,3}) via updater

• SDW prompts to apply updates
• Upgrade completed without error and prompted dom0 reboot
• Synced with 500 messages
• Printed multi-page PDF with lots of metadata and embedded images successfully on both HP (4001dn) and Brother (HL-L2360DW), pages appear clean and without any garbled metadata/headers
• Successful LUKS and VeraCrypt exports in various conditions, printer acceptance testing in various conditions (Attempting to print with no printer connected yields "connect printer" prompt, and connecting allows user to proceed with printing (autoattach) works)

I was able, once, to encounter a printer error, when deliberately trying to print without a printer connected, but I couldn't replicate it.

[rocodes]

prod qa instructions:

• Fresh install Qubes 4.2.2-rc1 (soon to be 4.2.2, like possibly later today, so check back)
• Treat this (almost) like a prod install, so follow the docs at workstation.securedrop.org like an end-user would, but instead of downloading the RPM from yum.securedrop.org, download from yum-qa.securedrop.org.
• After installing the RPM but before running apply, manually edit the following files so that the repo URLs point to our prod qa repos:
  • /srv/salt/securedrop_salt/sd-default.config.yml : change the prod settings (dom0_yum_repo_url) to https://yum-qa.securedrop.org/workstation/dom0
  • /srv/salt/securedrop_salt/apt_freedom_press.sources.j2: change the apt repo to https://apt-qa.freedom.press
  • [edit: thanks Kunal!] copy /srv/salt/securedrop_salt/apt_freedom_press.sources.j2 to /srv/salt/securedrop_salt/apt-qa_freedom_press.sources.j2, and edit the path in /srv/salt/securedrop_salt/sd-default.config.yml.
• You should not have to change the build flavour/type in config.json - it should say "prod". (If it doesn't, file an issue!)
• apply
• Your packages should be signed with the prod key, your laptop should behave like a prod laptop (power settings, lid close handling settings). Please follow the public-facing documentation, QA with prod settings in mind, and treat any discrepancies as issues that need to be resolved :)

[legoktm]

For apt-qa, I also copied /srv/salt/securedrop_salt/apt_freedom_press.sources.j2 to /srv/salt/securedrop_salt/apt-qa_freedom_press.sources.j2, and edited the path in /srv/salt/securedrop_salt/sd-default.config.yml. Otherwise when the securedrop-keyring package is installed, it overwrites our apt->apt-qa.

[deeplow]

Shall we update https://github.com/freedomofpress/securedrop-workstation/wiki/QA-Testing#preflight-testing with this information?

[rocodes]

@deeplow : Yes, and we should update the developer docs as well