freedomofpress · conorsch · May 15, 2019 · Apr 12, 2019 · Apr 12, 2019 · Apr 15, 2019
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,4 @@
+# ignore everything
+**
+# whitelist just the pubkey, used for verifying sigs
+!sd-workstation/apt-test-pubkey.asc
diff --git a/.gitignore b/.gitignore
@@ -111,3 +111,7 @@ builder/packages/securedrop-workstation-grsec/debian/debhelper-build-stamp
 builder/packages/securedrop-workstation-grsec/debian/securedrop-workstation-grsec.substvars
 builder/packages/securedrop-workstation-grsec/debian/securedrop-workstation-grsec
 builder/packages/securedrop-workstation-grsec/debian/files
+
+# rpm package build artifacts
+*.rpm
+rpm-repo/
diff --git a/Makefile b/Makefile
@@ -127,6 +127,9 @@ flake8: ## Lints all Python files with flake8
 template: ## Builds securedrop-workstation Qube template RPM
 	./builder/build-workstation-template
 
+publish-rpm: ## Uploads signed RPMs to dom0 repository
+	./scripts/publish-rpm
+
 prep-dom0: prep-salt # Copies dom0 config files for VM updates
 	sudo qubesctl top.enable sd-vm-updates
 	sudo qubesctl top.enable sd-dom0-files

diff --git a/Pipfile b/Pipfile
@@ -0,0 +1,12 @@
+[[source]]
+url = "https://pypi.org/simple"
+verify_ssl = true
+name = "pypi"
+
+[dev-packages]
+
+[packages]
+awscli = "*"
+
+[requires]
+python_version = "3.5"
diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/README.md b/README.md
@@ -392,6 +392,28 @@ rpm -Kv  # will now say signatures are OK: "Digests signatures OK"
 You can then proceed with distributing the package, via the "test" or "prod" repo,
 as appropriate.
 
+## Distributing packages
+
+For the Debian packages, see https://github.com/freedomofpress/securedrop-debian-packaging/.
+For the RPM packages, such as the `securedrop-workstation` TemplateVM package, first
+build the package (e.g. `make template`), then sign the RPM, as outlined above.
+
+To upload the package to S3, you'll need valid AWS credentials. Talk to a member of the ops team.
+Once you have valid credentials configured, install the dependencies (`pipenv install`), then run:
+
+```
+./scripts/publish-rpm
+```
+
+The RPM will immediately be available in dom0. Provided you've run the Salt configurations,
+find it via:
+
+```
+sudo qubes-dom0-update --action=search qubes-template-securedrop-workstation
+```
+
+You can then install it directly.
+
 ## Threat model
 
 This section outlines the threat model for the *SecureDrop Workstation*, and should complement [SecureDrop's threat model](https://docs.securedrop.org/en/stable/threat_model/threat_model.html). This document is always a work in progress, if you have any questions or comments, please open an issue on [GitHub](https://github.com/freedomofpress/securedrop-workstation) or send an email to [[email protected]](mailto:[email protected]).

diff --git a/docker/CreateRepoRPM/Dockerfile b/docker/CreateRepoRPM/Dockerfile
@@ -0,0 +1,12 @@
+# fedora:29 2019-04-15
+FROM fedora@sha256:8ee55e140e8751492ab2cfa4513c82093cd2716df9311ea6f442f1f1259cbb3e
+LABEL maintainer="Freedom of the Press Foundation"
+RUN dnf update -y && \
+    dnf install -y \
+    createrepo_c
+
+COPY sd-workstation/apt-test-pubkey.asc /tmp/apt-test-pubkey.asc
+RUN rpm --import /tmp/apt-test-pubkey.asc
+
+RUN mkdir /repo
+WORKDIR /repo
diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
@@ -6,6 +6,68 @@
 # over time. These scripts should be ported to an RPM package.
 ##
 
+dom0-rpm-test-key:
+  file.managed:
+    # We write the pubkey to the repos config location, because the repos
+    # config location is automatically sent to dom0's UpdateVM. Otherwise,
+    # we must place the GPG key inside the fedora-29 TemplateVM, then
+    # restart sys-firewall.
+    - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
+    - source: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+    - user: root
+    - group: root
+    - mode: 644
+
+dom0-rpm-test-key-import:
+  cmd.run:
+    - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
+    - require:
+      - file: dom0-rpm-test-key
+
+dom0-rpm-test-key-sys-firewall:
+  cmd.run:
+    # Pass in the pubkey directly to sys-firewall, so it's available on the
+    # UpdateVM for dom0 while we're configuring dom0 repos.
+    - name: >
+        qvm-run -p sys-firewall '
+        sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test'
+        < /srv/salt/sd/sd-workstation/apt-test-pubkey.asc
+
+dom0-rpm-test-key-sys-firewall-import:
+  cmd.run:
+    - name: >
+        qvm-run --no-gui sys-firewall '
+        sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test'
+    - require:
+      - cmd: dom0-rpm-test-key-sys-firewall
+
+dom0-workstation-rpm-repo:
+  # We use file.managed rather than pkgrepo.managed, because Qubes dom0
+  # settings write new repos to /etc/yum.real.repos.d/, but only /etc/yum.repos.d/
+  # is copied to the UpdateVM for fetching dom0 packages.
+  file.managed:
+    - name: /etc/yum.repos.d/securedrop-workstation-dom0.repo
+    - user: root
+    - group: root
+    - mode: 644
+    - contents: |
+        [securedrop-workstation-dom0]
+        gpgcheck=1
+        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
+        enabled=1
+        baseurl=https://dev-bin.ops.securedrop.org/dom0-rpm-repo/
+        name=SecureDrop Workstation Qubes dom0 repo
+    - require:
+      - file: dom0-rpm-test-key
+
+# Not installing automatically, since we have more testing to do
+# dom0-install-securedrop-workstation-template:
+#   pkg.installed:
+#     - pkgs:
+#       - qubes-template-securedrop-workstation
+#     - require:
+#       - file: dom0-workstation-rpm-repo
+#       - cmd: dom0-rpm-test-key-sys-firewall
 
 # Copy script to system location so admins can run ad-hoc
 dom0-update-securedrop-script:

diff --git a/rpm-repo/.empty b/rpm-repo/.empty
diff --git a/scripts/clone-to-dom0 b/scripts/clone-to-dom0
@@ -25,6 +25,7 @@ function create-tarball() {
     printf "Cloning code from %s:%s ...\n" "${dev_vm}" "${dev_dir}"
     qvm-run --pass-io "$dev_vm" \
         "tar -c --exclude-vcs \
+        --exclude='*.rpm' \
         -C '$(dirname "$dev_dir")' \
         '$(basename "$dev_dir")'" > /tmp/sd-proj.tar
 }

diff --git a/scripts/publish-rpm b/scripts/publish-rpm
@@ -0,0 +1,65 @@
+#!/bin/bash
+# Creates a local RPM repo, then pushes its contents to S3, for serving.
+set -e
+set -u
+set -o pipefail
+
+
+REPO_ROOT="$(git rev-parse --show-toplevel)"
+RPM_LOCAL_DIR="${REPO_ROOT}/rpm-repo"
+
+
+function list_rpms() {
+    find "$RPM_LOCAL_DIR" | grep '\.rpm$'
+}
+
+function container_run() {
+    docker run --rm \
+        --network=none \
+        -v "$RPM_LOCAL_DIR:/repo" \
+        fpf.local/createrepo \
+        $@
+}
+
+# Check that we have local RPMs to build a repo for
+if [[ -z "$(list_rpms)" ]]; then
+    echo "No RPM files found in $RPM_LOCAL_DIR"
+    echo "Build RPMs and place in that directory, then rerun the publish action."
+    exit 1
+fi
+
+# Ensure we have 'aws' installed, otherwise we cannot push to S3
+if ! hash aws > /dev/null 2>&1 ; then
+    echo "'aws' CLI not found, install requirements"
+    exit 2
+fi
+
+# Build container for preparing repo
+docker build -t fpf.local/createrepo -f docker/CreateRepoRPM/Dockerfile .
+
+# TODO: In order to manage state over time, we'll need to *pull* from S3,
+# populating the existing local dir with the current state of what's in S3.
+# That's a bandwidth-intensive operation, so skipping for now.
+# aws --profile sdpackager s3 sync "s3://dev-bin.ops.securedrop.org/dom0-rpm-repo/ ${RPM_LOCAL_DIR}/"
+
+# Sanity check that we have RPMs locally to upload, and they're already
+# signed.
+echo "Validating RPM signatures..."
+while read -r f; do
+    fname="$(basename "$f")"
+    sig_results="$(container_run rpm -Kv "$fname")"
+    if ! grep -qP '^\s+V4 RSA/SHA256 Signature, key ID \w+: OK$' <<< "$sig_results"; then
+        echo "Failed to validate signature on $fname"
+        echo "Is the RPM signed? rpm -Kv showed:"
+        echo "$sig_results"
+        exit 3
+    fi
+done <<< "$(list_rpms)"
+
+# Use local container for creating repo metadata
+container_run createrepo_c .
+
+# Push created repo dirtree to S3
+aws --profile sdpackager s3 sync \
+    --exclude ".empty" \
+    "${RPM_LOCAL_DIR}/" s3://dev-bin.ops.securedrop.org/dom0-rpm-repo/
diff --git a/sd-workstation/apt-test-pubkey.asc b/sd-workstation/apt-test-pubkey.asc
@@ -27,4 +27,4 @@ J7KQd1hEvVs00DxY6VlyK0FzXqByKYq6Arl2tzlCZ6RPEHKXV2xSP06jLEagzgYe
 DylVo9Xahenj4n/Mtq7Am6tGgU9Vy9cGbWNBdUND/mFQEEZSh9RJabPeluH12sir
 5/tfsDr4DGHSz7ws+5M6Zbk6oNJEwQZ4cR+81qCfXE5X5LW1KlAL8wDl7dfS
 =fYUi
------END PGP PUBLIC KEY BLOCK-----
+-----END PGP PUBLIC KEY BLOCK-----