From 824793a7eb489f24a108dfdf733fe844015d59c3 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Fri, 22 May 2020 14:39:01 -0400
Subject: [PATCH 1/4] Update release key due to expiry
Now expires on 20200630
---
 .../securedrop-release-signing-pubkey.asc | 58 +++++++++----------
 1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/sd-workstation/securedrop-release-signing-pubkey.asc b/sd-workstation/securedrop-release-signing-pubkey.asc
index 1912a587..7c1f70d5 100644
--- a/sd-workstation/securedrop-release-signing-pubkey.asc
+++ b/sd-workstation/securedrop-release-signing-pubkey.asc
@@ -11,33 +11,33 @@ ZZKLSApWXbB32ug5WNoGaQmq+hye1i40zu3fx8MRYefkpSSatNuIbrwLLnq0NR+k qXcP1SPgtoy/EnW0oa/NDiT/rSh1PuAjG7oOpiNdQdmnA+xIYGreeNoPtuh7gJRc XYrtWI5zzsGwrFE0LMMPw6SVGONfM5M4Efc+oUn3cIn7gQITm31JNTbRpnwT7bMo Hy+MrILJITj6Rwi8EGyeTBVolM/L0W3WpjJuj6yhcRZURkBMA01aSUG3yQARAQAB -tEVTZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXkgPHNlY3VyZWRyb3AtcmVs -ZWFzZS1rZXlAZnJlZWRvbS5wcmVzcz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsF -FgIDAQACHgECF4AWIQQiJFyB47rrQTizYGExD1YSAPStdwUCXRqEkwUJBvMLKgAK -CRAxD1YSAPStd3YjD/4hT5+Q1ZVobUh9Psuv1XYaHTnqJvVxXjheXns9SGqSsvFC -+2O1RVfse+fKaY9lRaG179toKEOEcoyydCpdInlCkhx8Ny9O+pyiH5TawnaKVpRW -j/9JJGW+Ceaipr1rawOzuG67MplButBFGmA1jPkeH38wcvep+PIUU5ZJ+aXbdrKT -uWBwKjzjiF2LMsh9Pnn9XN/T5Ph39WR6utsd/wdbb8xdpq4tivUDWV7W7ztG1No9 -exYfftnn6nLF74dLayhHxESE/yUilxR/XDQxvYbcjNAS9OZVKnkrq8o+8bLBKLV1 -le4168rdyVBxrhLCG3wXaWqO4AaECMHSfZR2Lvb/d1wIyMtEcWbRlDwmTDFOQ1XU -RCR0coeemYeAzt2hF6/tIrrCGmCKllQNN+JegH2MbXG7SjnCbWwWxAWtccf6L7Ht -BYDe3RWK0VyMwsHVuTakMKzIoH++e8XnmEKf3JFMz27RcgXRFN1Wo4/iRIq/zM+i -l/wTfN9l3yzojKmwZQvvICITCkeh/1sEspEkzmg74inJVpTEHQCWQ41c5ugPqjHd -kvpjxZML4B0+9nN9WQvqhRgmjCKnN+PvYw/mBaEfgA36E8pkcyNwnw+VrFgQyQ1R -FH0yg6P2Y6zaSKLEHkpjzWaCc3sOA/qMFuTw5aUkPj7Go1DMEV/z/xl6tDlM2bQe -U2VjdXJlRHJvcCBSZWxlYXNlIFNpZ25pbmcgS2V5iQJXBBMBCgBBAhsDBQsJCAcD -BRUKCQgLBRYCAwEAAh4BAheABQkG8wsqFiEEIiRcgeO660E4s2BhMQ9WEgD0rXcF -Al0ah20CGQEACgkQMQ9WEgD0rXcqpA//ZD481Wytd1ZXiXIee8I4ekIGpq0UVJuL -g8Bh0hhH2LTqIMuMVIVQM7/k/xxHBd+kxpAv/sUhJKrY16XBkGzz7v1Rcl29uWUR -GSPiLl2OehlT8Ahf60Dv4czhlvBdT3lWtYwM2zciOe4Y5mPwqzEgkrxRD2V9XnmO -8X3giZyaTDz/iiTQ+WMSvjIgVNGBe38tzoofSCSxNk8KfAWtchZhZgR0ZsYRWlUa -7dT4Syi0KutEXjRfZFneNPWnqfhQZlxsjw5gzTgV792MPDbZAm/1eziGCvPgX01W -f2eadxSYuJRLtmOBggwo/vC04MWWQbmYgJfOjL8DDWS17cdfLa8IjUYV8MDStWY6 -PDg1gaA5s3UroFh/nOCipoGvq51iSUF/GYd2OJAUd20SjMR+TQgK3lPuX4hMtVId -4x/xrkoY4q0MZJmrB6ysbpeHhl/HA+ofwScNtyKL3iQHN6oQ8llBoMuF9xFm4xX8 -fn8WHrd+hD0S8hnBkTJ2ckSqJDxzGFu4+6NBhEWtcigzn9iD7HUWljXAUkEfN39I -jdgaxjrwE3FagE+RCEbdRXDpHYWlyo91YYqFedcT2v/l73twyFw7p3zYskW8pjRZ 
-F0Lqvn7fiOzxNi98tVYHqs4L17BOWFQt8MhQr9f590jtGQ/+ufhAb33/E9JFQXUg -cIYqWzBX7dw= -=ZsUE +tB5TZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXmJAlcEEwEKAEECGwMFCwkI +BwMFFQoJCAsFFgIDAQACHgECF4ACGQEWIQQiJFyB47rrQTizYGExD1YSAPStdwUC +XsZBhAUJCNOEJQAKCRAxD1YSAPStd+ovD/4+jLGlwlLmBpgvohrbiC7xCioVW+Ik +18j+uUSyYBNhvDOZugY+/Z6X99PHvjgjRbTle2NvAx5itdZfiooGSZ8cuiPRbDkQ +xpmZqOdkpN+5/B5dh/bd+P/K2Ggxqkyb80b+xoDviLh6OmIDPILTbz9ACkwu5jdH +0wo0UEt5C+GT8lvBmVXii6vGlTvsv86/yLShvBq6mEJ+7nazWMOShJy3bvyrJRMg +3dZfQSB6WlVCRO9EDBlvTW9Xedva7VDu6Up1BSD+enpXWRLTbqWvxmS7QQ2Usw58 +D7CCoJDA+8zL6UkJFrVxTiXQWbOvttkOA9++aJp4IbXsqTyrIkxNRjlKdyET9xbB +HGSgJhhgGUNVZNBxHVZFHvHurXDX0OyfWaYY9ET/EjqMCjUbWh0vh2c6/M3rDh+J +nH+tZUjJ9mM/AJ0hcORPVv3wbWdsfWq9r3t1Q7wlphal7RzgNqPymekj+1ndTs4y +jfsWgLmxYF8knP1+EipoL1Q7vm1JdO0VOb4IyhF+6VUTkjrDy6uHwXc3fMGHEAeU +nZvhVzZSx8h8HVsfnppM2RjNZKPwNQ43he8HllLqsRFsumg6gbBNRgrsVEBjRzxf +OKESJqxVZ5iHUvWPQPuGjuh83HiUxPN4yjZXUVNXv0Alevv1By3ALeVAmaQVw/KA +/sNu9p74VRggjrRFU2VjdXJlRHJvcCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxzZWN1 +cmVkcm9wLXJlbGVhc2Uta2V5QGZyZWVkb20ucHJlc3M+iQJUBBMBCgA+AhsDBQsJ +CAcDBRUKCQgLBRYCAwEAAh4BAheAFiEEIiRcgeO660E4s2BhMQ9WEgD0rXcFAl7G +QZQFCQjThCUACgkQMQ9WEgD0rXcWVg/+JJT7J0ycCd2Rl7A2K4YQfJcf6TV05HDf +/sxc+JGs1hh/CFgR5Nt1TDPg7dQfCumQWI+e4A8NSFllIKGEajgxdAg/uszO9UQL +9iVtyNFY69/gfWeNVyOoioYxRSlaIyKUD2PINeHi5KYDe3dkh9aXDA/X4sB8k7Dt +mvDXqNX4/85P9M9JUjWahHqG3giYW9nyvvlMeV82K4BPPhwwqwbRRaIVNcdytDIi +LvXxOZf/TjX3xHbwTHYghclZZX3ZCiZ8OTD+yLkCqTJsT9GVfIlO/algc+7ezz7B +acsSuTa77/+8vy78dA5k9JM6rSZzfl/8T3LOmDLq+RE+DCUXx8ZJ+qnrr5aSruPB +BSlu7S/26NIAtB6LyKtSBpX39y66/9lYCaQWZDcNraq5PWInv0kQqXEc6C8Vi25q +BFE3a4Lt45bZMGCREYvLWXRxzH9rESVVekxZVZEjgmldh94OLRuXRvU8nlu2fq4G +YH0a+Oy/87LemKv7q2IZX6s7uTZg5xMBTaPqFsE/AGQWQfHvj1EWthcaeoIasfxE +lsWi9qHE4N+Jg/L+XC90S0kogDWGdyS+mKf0dE6jq4ioKf29zRJ4629id6VYHeib +i3df/KOdUeeth5X9ann6/KNncX7Us16rV4a6Tl1OLoV7xkwh2Hy8MfClDkTYeoHc +Y6V2vWAk0Rc= +=LOAb -----END PGP PUBLIC KEY BLOCK----- From c886be316629756717a7ba198a9bd9dc3240887a Mon Sep 17 00:00:00 2001 
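Review bot: The commit subject says the key now expires on 20200630, but the test added in PATCH 2/4 pins `[expires: 2021-06-30]` for this same key, so one of the two is wrong; the subject looks like a typo for 20210630 and should be corrected once the expiry on the imported armor has been confirmed. Because this hunk replaces key material every VM will trust for apt, the new block should be verified out-of-band against the fingerprint the project publishes (`22245C81E3BAEB4138B36061310F561200F4AD77`, the value the tests expect) rather than accepted from the diff alone. The issuer-fingerprint bytes appear unchanged between the old and new self-signatures, which is consistent with an expiry extension rather than a key rotation, but that is an inference from the base64, not a check.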
From: mickael e
Date: Fri, 22 May 2020 16:19:43 -0400
Subject: [PATCH 2/4] Adds tests for securedrop-keyring package
Ensures the securedrop-provisioned apt key resides in a separate keyring file from the default trusted.gpg
---
 tests/test_vms_platform.py | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py
index 36961877..de02e6c8 100644
--- a/tests/test_vms_platform.py
+++ b/tests/test_vms_platform.py
@@ -117,6 +117,29 @@ def _ensure_jessie_backports_disabled(self, vm):
 # We expect zero hits, so confirm output is empty string.
 self.assertEqual(results, "")
+ def _ensure_keyring_package_exists_and_has_correct_key(self, vm):
+ # apt-key finger doesnt work here due to stdout/terminal
+ cmd = "gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/securedrop-keyring.gpg -k"
+ stdout, stderr = vm.run(cmd)
+ results = stdout.rstrip().decode("utf-8")
+ fpf_gpg_pub_key_info = [
+ "/etc/apt/trusted.gpg.d/securedrop-keyring.gpg",
+ "---------------------------------------------",
+ "pub rsa4096 2016-10-20 [SC] [expires: 2021-06-30]",
+ " 22245C81E3BAEB4138B36061310F561200F4AD77",
+ "uid [ unknown] SecureDrop Release Signing Key",
+ "uid [ unknown] SecureDrop Release Signing Key " # noqa: E501
+ ]
+ self.assertEqual(fpf_gpg_pub_key_info, results.split('\n'))
+
+ def _ensure_trusted_keyring_securedrop_key_removed(self, vm):
+ # apt-key finger doesnt work here due to stdout/terminal
+ cmd = "gpg --no-default-keyring --keyring /etc/apt/trusted.gpg -k"
+ stdout, stderr = vm.run(cmd)
+ results = stdout.rstrip().decode("utf-8")
+ fpf_gpg_pub_key_fp = "22245C81E3BAEB4138B36061310F561200F4AD77"
+ self.assertFalse(fpf_gpg_pub_key_fp in results)
+
 def test_all_jessie_backports_disabled(self):
 """
 Asserts that all VMs lack references to Jessie in apt config.
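Review bot: `_ensure_trusted_keyring_securedrop_key_removed` passes vacuously whenever gpg writes nothing to stdout, e.g. if `/etc/apt/trusted.gpg` is missing or unreadable, because `self.assertFalse(fpf_gpg_pub_key_fp in results)` is evaluated against an empty string and `stderr` is captured but never inspected (unless `vm.run` raises on a non-zero exit, which the hunk does not show); assert that the listing is non-empty or that `stderr` is empty before the membership test, and write it as `self.assertNotIn(fpf_gpg_pub_key_fp, results)` so the listing is printed on failure. `_ensure_keyring_package_exists_and_has_correct_key` compares the entire human-readable `gpg -k` listing line by line, which couples the test to gpg's version, locale and column layout rather than to the key; `--with-colons` is the stable machine-readable format, and asserting that exactly one `pub:` record is present and that an `fpr:` record carries `22245C81E3BAEB4138B36061310F561200F4AD77` (the expiry can still be pinned from the `pub:` record's expiration field) keeps the intent with less brittleness. Both helpers are methods of a class whose header is outside the hunk.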
@@ -209,6 +232,17 @@ def test_all_sd_vm_apt_sources(self):
 vm = self.app.domains[vm_name]
 self._validate_apt_sources(vm)
+ def test_ensure_keyring_package_is_installed(self, vm):
+ self.assertTrue(self._package_is_installed(vm, "securedrop-keyring"))
+
+ def test_debian_keyring_config(self):
+ """
+ """
+ for vm_name in WANTED_VMS:
+ vm = self.app.domains[vm_name]
+ self._ensure_keyring_package_exists_and_has_correct_key(vm)
+ self._ensure_trusted_keyring_securedrop_key_removed(vm)
+
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_VM_Platform_Tests)
From 9ff5f3131f70cab054ada5570a3a359a559c6cc2 Mon Sep 17 00:00:00 2001
From: mickael e
Date: Tue, 26 May 2020 11:00:49 -0400
Subject: [PATCH 3/4] Install keyring package
This ensures all debian-based VMs will contain the latest version of the Release Key, whenever state is applied to a given VM, in a dedicated keyring file in `/etc/apt/trusted.gpg.d/securedrop_keyring.gpg`, see https://github.com/freedomofpress/securedrop-debian-packaging.
---
 dom0/fpf-apt-test-repo.sls | 10 ++++++++++
 tests/test_vms_platform.py | 6 ++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/dom0/fpf-apt-test-repo.sls b/dom0/fpf-apt-test-repo.sls
index 46c36444..6299198f 100644
--- a/dom0/fpf-apt-test-repo.sls
+++ b/dom0/fpf-apt-test-repo.sls
@@ -32,3 +32,13 @@ configure-apt-test-apt-repo:
 - clean_file: True # squash file to ensure there are no duplicates
 - require:
 - pkg: install-python-apt-for-repo-config
+
+# This will install the production keyring package. This package will delete
+# the prod key from the default keyring in /etc/apt/trusted.gpg but will
+# preserve the apt-test key in this default keyring.
+install-securedrop-keyring-package:
+ pkg.installed:
+ - pkgs:
+ - securedrop-keyring
+ - require:
+ - pkgrepo: configure-apt-test-apt-repo
diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py
index de02e6c8..1bba4327 100644
--- a/tests/test_vms_platform.py
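Review bot: The commit message places the keyring at `/etc/apt/trusted.gpg.d/securedrop_keyring.gpg`, while the tests in PATCH 2/4 and 4/4 assert `/etc/apt/trusted.gpg.d/securedrop-keyring.gpg`; confirm which name the package ships and correct the other. The comment above `install-securedrop-keyring-package` documents maintainer-script behaviour of an external package (dropping the prod key from `/etc/apt/trusted.gpg`, keeping the apt-test key) that the tests depend on, so it should point at where that is defined, e.g. `# Key removal is done by the package's postinst; see freedomofpress/securedrop-debian-packaging`. The state installs from the apt-test repo with no version pin, so whichever build that repo serves becomes the trusted keyring; if that is intended for the test/staging path, say so in the comment so the state is not copied into a production workflow unchanged.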
+++ b/tests/test_vms_platform.py
@@ -232,18 +232,16 @@ def test_all_sd_vm_apt_sources(self):
 vm = self.app.domains[vm_name]
 self._validate_apt_sources(vm)
- def test_ensure_keyring_package_is_installed(self, vm):
- self.assertTrue(self._package_is_installed(vm, "securedrop-keyring"))
-
 def test_debian_keyring_config(self):
 """
+ Ensure the securedrop keyring package is properly installed and the
+ key it contains is up-to-date.
 """
 for vm_name in WANTED_VMS:
 vm = self.app.domains[vm_name]
 self._ensure_keyring_package_exists_and_has_correct_key(vm)
 self._ensure_trusted_keyring_securedrop_key_removed(vm)
-
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_VM_Platform_Tests)
 return suite
From cfc60fdfd826ea57131f041b3354a78a78ddc80b Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 28 May 2020 09:47:47 -0400
Subject: [PATCH 4/4] Whonix-specific keyring changes, tests
* Purge securedrop-keyring package on whonix template cleanup:
* Purge is required to completely remove the keyring file from /etc/ and avoid issues with tempfiles
* We no longer need to remove the Release Key since postinst will remove the Release Key from `/etc/apt/trusted.gpg` and the package will remove the SecureDrop-specific keyring in `/etc/apt/trusted.gpg.d/` folder
* Finally, specify homedir to not use whonix-specific gnupg.conf
---
 dom0/sd-clean-whonix.sls | 4 ++--
 tests/test_vms_platform.py | 18 +++++++++++++++---
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/dom0/sd-clean-whonix.sls b/dom0/sd-clean-whonix.sls
index 50400d29..6143604a 100644
--- a/dom0/sd-clean-whonix.sls
+++ b/dom0/sd-clean-whonix.sls
@@ -6,9 +6,10 @@
 ##
 remove-securedrop-log-package-from-whonix:
- pkg.removed:
+ pkg.purged:
 - pkgs:
 - securedrop-log
+ - securedrop-keyring
 sd-cleanup-whonix-gw-15:
 cmd.run:
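Review bot: Deleting `test_ensure_keyring_package_is_installed` rather than fixing its stray `vm` parameter drops the only direct assertion that `securedrop-keyring` is installed; `_ensure_keyring_package_exists_and_has_correct_key` inspects the keyring file alone, which would still pass if a stale file were left behind after the package was removed without purge. Keeping the check inside `test_debian_keyring_config` needs only one more line in the existing loop: `self.assertTrue(self._package_is_installed(vm, "securedrop-keyring"))` before the two `_ensure_*` calls. `_package_is_installed` appears only in the removed lines here and is defined outside the hunk, so its availability is assumed. The class header is outside the hunk.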
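Review bot: The state id `remove-securedrop-log-package-from-whonix` now purges two packages, one of which is the apt keyring, so the id no longer describes the state; either rename it or add a comment above it such as `# securedrop-keyring is purged (not removed) so its file under /etc/apt/trusted.gpg.d is deleted too`. With the `apt-key del 22245C81...` line removed in the next hunk, cleanup of the Release Key from `/etc/apt/trusted.gpg` relies entirely on the securedrop-keyring maintainer scripts having run on that template; a template provisioned before this package existed would keep the key in the default keyring. If such templates can still reach this state, keeping the `apt-key del` line as a harmless extra step is the safer choice; otherwise record the assumption in the comment.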
@@ -17,4 +18,3 @@ sd-cleanup-whonix-gw-15:
 - sudo rm -f /etc/apt/sources.list.d/securedrop_workstation.list
 - sudo systemctl restart rsyslog
 - sudo apt-key del 4ED79CC3362D7D12837046024A3BE4A92211B03C
- - sudo apt-key del 22245C81E3BAEB4138B36061310F561200F4AD77
diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py
index 1bba4327..2cac32da 100644
--- a/tests/test_vms_platform.py
+++ b/tests/test_vms_platform.py
@@ -118,12 +118,18 @@ def _ensure_jessie_backports_disabled(self, vm):
 self.assertEqual(results, "")
 def _ensure_keyring_package_exists_and_has_correct_key(self, vm):
+ """
+ Inspect the securedrop-keyring used by apt to ensure the correct key
+ and only the correct key is installed in that location.
+ """
+ keyring_path = "/etc/apt/trusted.gpg.d/securedrop-keyring.gpg"
 # apt-key finger doesnt work here due to stdout/terminal
- cmd = "gpg --no-default-keyring --keyring /etc/apt/trusted.gpg.d/securedrop-keyring.gpg -k"
+ # We also set the homedir to bypass whonix-specific gnupg.conf
+ cmd = "gpg --homedir /tmp --no-default-keyring --keyring {} -k".format(keyring_path)
 stdout, stderr = vm.run(cmd)
 results = stdout.rstrip().decode("utf-8")
- fpf_gpg_pub_key_info = [
- "/etc/apt/trusted.gpg.d/securedrop-keyring.gpg",
+ fpf_gpg_pub_key_info = ["{}".format(keyring_path)]
+ fpf_gpg_pub_key_info += [
 "---------------------------------------------",
 "pub rsa4096 2016-10-20 [SC] [expires: 2021-06-30]",
 " 22245C81E3BAEB4138B36061310F561200F4AD77",
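Review bot: `--homedir /tmp` makes gpg create and lock its own state (trustdb, lock files, random seed) directly in the shared, world-writable `/tmp`, which produces gpg's unsafe-permissions warning on stderr and lets files another process left there influence the run; point `--homedir` at a directory owned by the test user instead, e.g. `cmd = "gpg --homedir /root/.gnupg-sdtest --no-default-keyring --keyring {} -k".format(keyring_path)` (constructed example) preceded by a `mkdir -p -m 700` of that path, or a fresh `mktemp -d` if `vm.run` goes through a shell, which the hunk does not show. `fpf_gpg_pub_key_info = ["{}".format(keyring_path)]` is simply `[keyring_path]`. The rest of the expected listing and the method body continue outside the hunk.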
@@ -133,6 +139,11 @@ def _ensure_keyring_package_exists_and_has_correct_key(self, vm):
 self.assertEqual(fpf_gpg_pub_key_info, results.split('\n'))
 def _ensure_trusted_keyring_securedrop_key_removed(self, vm):
+ """
+ Ensures the production key is no longer found in the default apt keyring
+ In testeing dev/staging, that keyring will be used for the test apt key,
+ the goal is to reduce of the production key
+ """
 # apt-key finger doesnt work here due to stdout/terminal
 cmd = "gpg --no-default-keyring --keyring /etc/apt/trusted.gpg -k"
 stdout, stderr = vm.run(cmd)
@@ -242,6 +253,7 @@ def test_debian_keyring_config(self):
 self._ensure_keyring_package_exists_and_has_correct_key(vm)
 self._ensure_trusted_keyring_securedrop_key_removed(vm)
+
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_VM_Platform_Tests)
 return suite
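Review bot: The `cmd` in `_ensure_trusted_keyring_securedrop_key_removed`, visible as context just below the new docstring, does not get the `--homedir` that the previous hunk adds to the sibling helper, so on Whonix this check still runs under the whonix-specific gnupg.conf the commit message says it bypasses; if that config makes gpg fail or print nothing, the `assertFalse(... in results)` further down passes on empty output. Apply the same `--homedir` here. The docstring itself has a typo and an unfinished sentence (`testeing`, `the goal is to reduce of the production key`); if the intent is what the commit message describes, something like `Ensure the production Release Key is no longer present in the default apt keyring (/etc/apt/trusted.gpg). In dev/staging that keyring holds the apt-test key; the production key should live only in the dedicated securedrop-keyring file.` reads cleanly. The method body continues outside the hunk.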