Merge pull request #6277 from freedomofpress/backport-6270

Backport reply key mtime/ctime update
freedomofpress · Feb 16, 2022 · 41a06b9 · 41a06b9
2 parents eed98b7 + 348515f
commit 41a06b9
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/securedrop/source_app/__init__.py b/securedrop/source_app/__init__.py
@@ -1,6 +1,8 @@
 from pathlib import Path
 from typing import Optional
 
+import os
+import time
 import werkzeug
 from flask import (Flask, render_template, escape, flash, Markup, request, g, session,
                    url_for)
@@ -134,4 +136,15 @@ def page_not_found(error: werkzeug.exceptions.HTTPException) -> Tuple[str, int]:
     def internal_error(error: werkzeug.exceptions.HTTPException) -> Tuple[str, int]:
         return render_template('error.html'), 500
 
+    # Obscure the creation time of source private keys by touching them all
+    # on startup.
+    private_keys = Path(config.GPG_KEY_DIR) / 'private-keys-v1.d'
+    now = time.time()
+    for entry in os.scandir(private_keys):
+        if not entry.is_file() or not entry.name.endswith('.key'):
+            continue
+        os.utime(entry.path, times=(now, now))
+        # So the ctime is also updated
+        os.chmod(entry.path, entry.stat().st_mode)
+
     return app