Skip to content

Building securedrop workstation dom0 config RPM package

Allie Crevier edited this page Jan 4, 2021 · 12 revisions

Overview

The securedrop-workstation-dom0-config package is an RPM containing the VM provisioning logic required to run SecureDrop Workstation. It's meant to be installed in Qubes dom0. Use make dom0-rpm (or make dom0-rpm-f<fedora_version_number>, see https://raw.githubusercontent.com/freedomofpress/securedrop-workstation/HEAD/Makefile for available versions) in this repository to build a current version of it for development purposes. Release procedures for release candidate (rc) and production versions are documented below.

Preparing an rc version

Prior to preparing a prod package, we'll make an rc version that's suitable for QA by the development team. To create an rc version:

# Create a new branch for the changes, for version 1.2.3-rc1
git checkout -b dom0-config-1.2.3-rc1
# Run the version-bump script:
./update_version.sh 1.2.3-rc1
# Manually edit the changelog, adding proper date, and rc version,
# along with a list of changes included in the release:
vim ./rpm-build/SPECS/securedrop-workstation-dom0-config.spec 

Once that's done, commit your changes and open a PR. Wait for a team member to approve the PR, confirming that the version strings and changelog contents are correct. Then it's time to append an rc1 tag, used for the build:

# Make sure you're on the same feature branch as the PR
git checkout dom0-config-1.2.3-rc1
# Create an annotated tag, signed with your personal key
git tag -a --sign -m "SecureDrop Workstation 1.2.3-rc1" 1.2.3-rc1
# Push tag to remote
git push origin 1.2.3-rc1

Then merge the PR. You're ready to proceed with the build. Make a fresh clone of the repository. Ideally this will be in a DispVM, but in a tmp directory on your machine is also fine. The entire terminal session should be captured as a build log.

git clone https://github.com/freedomofpress/securedrop-workstation
cd securedrop-workstation
git tag -v 1.2.3-rc1
git checkout 1.2.3-rc1
make dom0-rpm

Commit the build logs to https://github.com/freedomofpress/build-logs (it's OK to push directly to the primary branch on that repo; if you don't have access, submit a PR). Then we need to sign the RPM with the test key, i.e. 4ED79CC3362D7D12837046024A3BE4A92211B03C, as documented in the README. Submit the result to https://github.com/freedomofpress/securedrop-workstation-dev-rpm-packages-lfs/

Preparing a stable version

After an rc has been reviewed, we'll post a final version.

# Create a new branch for the changes, for version 1.2.3
git checkout -b dom0-config-1.2.3
# Run the version-bump script:
./update_version.sh 1.2.3
# Manually edit the changelog, adding proper date,
# along with a list of changes included in the release.
# Make sure to *remove* any rc versions from the history!
vim ./rpm-build/SPECS/securedrop-workstation-dom0-config.spec 

Then open a PR and ask a team member to review. Once approved, a key-holder will push a prod-signed tag, unblocking a build:

# Create new tag
git tag -a -m "SecureDrop Workstation 1.2.3" 1.2.3
# Prepare tag for export
git cat-file tag 1.2.3 > 1.2.3.tag
# Export elsewhere for signing ceremony
qvm-copy 1.2.3.tag
# In secure environment, verify checksums, then generate detached signature
gpg --armor --detach-sign 1.2.3.tag
# Concatenate tag & sig
cat 1.2.3.tag.asc >> 1.2.3.tag
# Copy new tag file with signature appended back to dev vm
# Delete old (unsigned) tag
git tag -d 1.2.3
git mktag < 1.2.3.tag > .git/refs/tags/1.2.3
# Verify tag
git tag -v 1.2.3
git push origin 1.2.3

As above, we'll build in a DispVM:

git clone https://github.com/freedomofpress/securedrop-workstation
cd securedrop-workstation
git tag -v 1.2.3
git checkout 1.2.3
make dom0-rpm

Commit the build logs to https://github.com/freedomofpress/build-logs (it's OK to push directly to the primary branch on that repo; if you don't have access, submit a PR). Then we need to sign the RPM with the prod key, i.e. 22245C81E3BAEB4138B36061310F561200F4AD77, as documented in the README. Submit the result to https://github.com/freedomofpress/securedrop-workstation-prod-rpm-packages-lfs/