Release SecureDrop 0.7.0

[emkll]

This is a tracking issue for the upcoming release of SecureDrop 0.7.0 - tasks may get added or modified.

Feature freeze: April 24, 2018
String freeze: May 1, 2018
Pre-release announcement: May 1, 2018
Release date: May 8, 2018 May 15th, 2018

SecureDrop maintainers and testers: As you QA 0.7.0, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 0.7 milestone for tracking.

Test debian packages are posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.

Prepare release candidate (0.7.0)

• Prepare 0.7.0 release changelog - @emkll
• Write (Prepare 0.7 Pre-Release Announcement #3277) and send (Disseminate 0.7 Pre-Release Announcement #3278) pre-release announcement - @eloquence
• Check for Tor stable release (Latest stable is 0.3.2.10 released on March 3rd)
• Prepare test plan for 0.7.0 - @emkll
• Branch release/0.7 off develop - @emkll
• Build debs and put up 0.7.0~rc1 on test apt server - @emkll

QA (0.7.0~rc1)

• Test upgrade from 0.6 works on prod w/ test repo debs
• Test fresh install (not upgrade) of 0.7.0 works on prod w/ test repo debs

QA (0.7.0~rc2)

• Test upgrade from 0.6 works on prod w/ test repo debs
• Test fresh install (not upgrade) of 0.7.0 works on prod w/ test repo debs

QA (0.7.0~rc3)

• Test upgrade from 0.6 works on prod w/ test repo debs
• Test fresh install (not upgrade) of 0.7.0 works on prod w/ test repo debs

QA (0.7.0~rc4)

• Test upgrade from 0.6 works on prod w/ test repo debs
• Test fresh install (not upgrade) of 0.7.0 works on prod w/ test repo debs

QA (0.7.0~rc5)

• Test upgrade from 0.6 works on prod w/ test repo debs
• Test fresh install (not upgrade) of 0.7.0 works on prod w/ test repo debs

Final release

• Merge final translations (l10n: sync translations #3377, [0.7.0] l10n: sync translations #3383 )
• Push signed tag
• Build final Debian packages for 0.7.0
• Pre-Flight: Test install (not upgrade) of 0.7.0 works w/ prod repo debs
• Publish blog post about 0.7.0 Debian package release and instructions for admins (Finalize and disseminate SecureDrop 0.7 Release Notes #3346)

[emkll]

Test plan (see #3061 (comment) for basic acceptance testing script). Anyone should feel free to edit this comment and add/remove items as they see fit.

Checklist

For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report.

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Administration

• I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

0.7.0-specific testing

• Validate that the logo update functionality works correctly and there are no AppArmor violations
• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158)
• SSH into app and mon and validate that sudo apt update does not indicate there are duplicate tor-apt repos (Removes duplicate tor-apt repo from apt config #3189) (grep -rl tor-apt /etc/apt/ returns 2 entries, not 3)
• Verify daily_reboot_time can be set via securedrop-admin sdconfig (Fix #3160, Added daily_reboot_time option in sdconfig and documented it #3172)
• An Orbot-specific message appears on the source interface (Add Orbot warning in source interface #3215)

Admin Updater GUI (#3300)

• Run ./securedrop-admin tailsconfig and reboot the tails admin workstation. Validate that the updater runs on startup (as we are on an RC and not the previous stable release)
• Click "Update Now" in the GUI and confirm an update of the code to the latest stable release (0.6)

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait (up to 24 hours in default configuration), and receive a journalist notification
• Do not submit a document, wait (up to 24 hours in default configuration), and receive a different journalist notification

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network
• Verify that iptables-based SSH connection rate limiting works
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor

0.7.0-rc2 specific testing

• Verify that decrypted submission gz file does not contain compression time metadata (file <file>.gz should not contain a date (Reduce time information leakage of file uploads and file downloads #3305)
• Verify that network handler does not raise an error (see [QA] Problems running securedrop_init handler via tailsconfig #3337)
• If journalist notification GPG key file is not given, ./securedrop-admin sdconfig should not prompt for GPG fingerprint and journalist email address (see securedrop-admin sdconfig is allowing journalist notification email address without gpg key #3320)
• Verify that SSH over Local/Tor prompts are more user-friendly (see SSH over LAN sdconfig prompt could be clearer #3324)

0.7.0-rc3 specific testing

• Submissions are sent through the source interface when https is enabled (Resolve HTTPS CSRF validation failure due to Referrer-Policy on source interface #3351)
• Verify that ./securedrop-admin sdconfig will now prompt for certificates and key when https is enabled on the prompt (Add HTTPS-related variables to securedrop-admin sdconfig prompt #3366 )
• SSH over Tor message is user-friendly and the default option is automatically populated (Fix #3354: Tor over SSH prompt should not be populated with invalid response #3357)

0.7.0-rc4 specific testing

• SecureDrop instance logos can be properly change (without any AppArmor violations) (Back out functionality requiring libjpeg-dev apt dependency #3379)
• Journalist are sent at most once every 24h (ossec: resolve journalist notification racing with reboots #3374)
• Translations are functional (specifically new translations, Hindi and Russian) (l10n: sync translations #3377)

0.7.0-rc5 specific testing

• Verify that ./securedrop-admin update or the updater UI will not check out an unsigned tag (e.g. create a new tag locally, like 0.6.1)

[ghost]

🔴 IN PROGRESS 🔴

Update from 0.6 to 0.7.0~rc1

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface journalist / likeness squiggly squealer platypus freehand pauper oblong

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

0.7.0-specific testing

• Validate that the logo update functionality works correctly and there are no AppArmor violations
• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158)
• SSH into app and mon and validate that sudo apt update does not indicate there are duplicate tor-apt repos (Fix #3160, Added daily_reboot_time option in sdconfig and documented it #3172)
• An Orbot-specific appears on the source interface (Add Orbot warning in source interface #3215)
• Validate that the SecureDrop updater GUI functions correctly (Add updater GUI #3300): Starts at reboot, updates to the latest signed tag.

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait, and receive a journalist notification
• Do not submit a document, wait, and receive a different journalist notification

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network
• Verify that iptables-based SSH connection rate limiting works
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor

[kushaldas]

Update from 0.6 to 0.7.0~rc1

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

0.7.0-specific testing

• Validate that the logo update functionality works correctly and there are no AppArmor violations [DID NOT TEST THIS ONE]
• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158)
• SSH into app and mon and validate that sudo apt update does not indicate there are duplicate tor-apt repos (Fix #3160, Added daily_reboot_time option in sdconfig and documented it #3172)
• An Orbot-specific appears on the source interface (Add Orbot warning in source interface #3215) [DID NOT TEST THIS ONE]
• Validate that the SecureDrop updater GUI functions correctly (Add updater GUI #3300): Starts at reboot, updates to the latest signed tag.

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait, and receive a journalist notification [DID NOT TEST THIS ONE]
• Do not submit a document, wait, and receive a different journalist notification [DID NOT TEST THIS ONE]

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network
• Verify that iptables-based SSH connection rate limiting works
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor

[emkll]

0.7-rc1 new install with prod VMs

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Administration

• I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

0.7.0-specific testing

• Validate that the logo update functionality works correctly and there are no AppArmor violations
• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158)
• SSH into app and mon and validate that sudo apt update does not indicate there are duplicate tor-apt repos (Removes duplicate tor-apt repo from apt config #3189) (grep -rl tor-apt /etc/apt/ returns 2 entries, not 3)
• Verify daily_reboot_time can be set via securedrop-admin sdconfig (Fix #3160, Added daily_reboot_time option in sdconfig and documented it #3172)
• An Orbot-specific message appears on the source interface (Add Orbot warning in source interface #3215)

Admin Updater GUI (#3300)

• Run ./securedrop-admin tailsconfig and reboot the tails admin workstation. Validate that the updater runs on startup (as we are on an RC and not the previous stable release)
• Click "Update Now" in the GUI and confirm an update of the code to the latest stable release (0.6)

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait (up to 24 hours in default configuration), and receive a journalist notification
• Do not submit a document, wait (up to 24 hours in default configuration), and receive a different journalist notification

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network
• Verify that iptables-based SSH connection rate limiting works
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor

I was doing Application QA using the French translation, and noted that a message was not being translated:

[redshiftzero]

Fresh install of 0.7.0-rc1 in prod VMs

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Administration

• I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

0.7.0-specific testing

• Validate that the logo update functionality works correctly and there are no AppArmor violations
• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158) - This also needs testing on hardware / prod VMs made from iso
• SSH into app and mon and validate that sudo apt update does not indicate there are duplicate tor-apt repos (Removes duplicate tor-apt repo from apt config #3189) (grep -rl tor-apt /etc/apt/ returns 2 entries, not 3)
• Verify daily_reboot_time can be set via securedrop-admin sdconfig (Fix #3160, Added daily_reboot_time option in sdconfig and documented it #3172)
• An Orbot-specific message appears on the source interface (Add Orbot warning in source interface #3215) - DID NOT TEST, no Android phone at the ready
• Validate that the SecureDrop updater GUI functions correctly (Add updater GUI #3300): Starts at reboot, updates to the latest signed tag (0.6).

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait, and receive a journalist notification
• Do not submit a document, wait, and receive a different journalist notification

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network - DID NOT TEST, will do on my test hardware instance
• Verify that iptables-based SSH connection rate limiting works - DID NOT TEST, will do on my test hardware instance
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor - DID NOT TEST, will do on my test hardware instance

[kushaldas]

Update from 0.7.0~rc1 to 0.7.0~rc2

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

0.7.0-specific testing

• Validate that the logo update functionality works correctly and there are no AppArmor violations
• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158)
• SSH into app and mon and validate that sudo apt update does not indicate there are duplicate tor-apt repos (Fix #3160, Added daily_reboot_time option in sdconfig and documented it #3172)
• An Orbot-specific appears on the source interface (Add Orbot warning in source interface #3215) [DID NOT TEST THIS ONE]
• Validate that the SecureDrop updater GUI functions correctly (Add updater GUI #3300): Starts at reboot, updates to the latest signed tag.

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait, and receive a journalist notification [DID NOT TEST THIS ONE]
• Do not submit a document, wait, and receive a different journalist notification [DID NOT TEST THIS ONE]

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network
• Verify that iptables-based SSH connection rate limiting works
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor

0.7.0-rc2 specific testing

• Verify that decrypted submission gz file does not contain compression time metadata (file <file>.gz should not contain a date (Reduce time information leakage of file uploads and file downloads #3305)
• Verify that network handler does not raise an error (see [QA] Problems running securedrop_init handler via tailsconfig #3337)
• If journalist notification GPG key file is not given, ./securedrop-admin sdconfig should not prompt for GPG fingerprint and journalist email address (see securedrop-admin sdconfig is allowing journalist notification email address without gpg key #3320)
• Verify that SSH over Local/Tor prompts are more user-friendly (see SSH over LAN sdconfig prompt could be clearer #3324)

[emkll]

0.6 -> 0.7.0 upgrade testing on physical instance with 3.14.79 kernels (In progress)

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Administration

• [] I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

0.7.0-specific testing

• Validate that the logo update functionality works correctly and there are no AppArmor violations
• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158)
• SSH into app and mon and validate that sudo apt update does not indicate there are duplicate tor-apt repos (Removes duplicate tor-apt repo from apt config #3189) (grep -rl tor-apt /etc/apt/ returns 2 entries, not 3)
• Verify daily_reboot_time can be set via securedrop-admin sdconfig (Fix #3160, Added daily_reboot_time option in sdconfig and documented it #3172)
• An Orbot-specific message appears on the source interface (Add Orbot warning in source interface #3215)

Admin Updater GUI (#3300)

• Run ./securedrop-admin tailsconfig and reboot the tails admin workstation. Validate that the updater runs on startup (as we are on an RC and not the previous stable release)
• Click "Update Now" in the GUI and confirm an update of the code to the latest stable release (0.6)

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait (up to 24 hours in default configuration), and receive a journalist notification
• Do not submit a document, wait (up to 24 hours in default configuration), and receive a different journalist notification

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network
• Verify that iptables-based SSH connection rate limiting works
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor

0.7.0-rc2 specific testing

• Verify that decrypted submission gz file does not contain compression time metadata (file <file>.gz should not contain a date (Reduce time information leakage of file uploads and file downloads #3305)
• Verify that network handler does not raise an error (see [QA] Problems running securedrop_init handler via tailsconfig #3337)
• If journalist notification GPG key file is not given, ./securedrop-admin sdconfig should not prompt for GPG fingerprint and journalist email address (see securedrop-admin sdconfig is allowing journalist notification email address without gpg key #3320)
• Verify that SSH over Local/Tor prompts are more user-friendly (see SSH over LAN sdconfig prompt could be clearer #3324)

[redshiftzero]

0.6 -> 0.7.0~rc3 upgrade testing on physical instance

0.7.0-specific testing

• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158)

Admin Updater GUI (#3300)

• Run ./securedrop-admin tailsconfig and reboot the tails admin workstation. Validate that the updater runs on startup (as we are on an RC and not the previous stable release)
• Click "Update Now" in the GUI and confirm an update of the code to the latest stable release (0.6)

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait (up to 24 hours in default configuration), and receive a journalist notification
• Do not submit a document, wait (up to 24 hours in default configuration), and receive a different journalist notification - waiting

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network
• Verify that iptables-based SSH connection rate limiting works
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor

0.7.0-rc2 specific testing

• Verify that decrypted submission gz file does not contain compression time metadata (file <file>.gz should not contain a date (Reduce time information leakage of file uploads and file downloads #3305)
• Verify that network handler does not raise an error (see [QA] Problems running securedrop_init handler via tailsconfig #3337)
• If journalist notification GPG key file is not given, ./securedrop-admin sdconfig should not prompt for GPG fingerprint and journalist email address (see securedrop-admin sdconfig is allowing journalist notification email address without gpg key #3320)
• Verify that SSH over Local/Tor prompts are more user-friendly (see SSH over LAN sdconfig prompt could be clearer #3324)

0.7.0-rc3 specific testing

• Submissions are sent through the source interface when https enabled (Resolve HTTPS CSRF validation failure due to Referrer-Policy on source interface #3351)
• Verify that ./securedrop-admin sdconfig will now prompt for certificates and key when https is enabled on the prompt (Add HTTPS-related variables to securedrop-admin sdconfig prompt #3366 )
• SSH over Tor message is user-friendly and the default option is automatically populated (Fix #3354: Tor over SSH prompt should not be populated with invalid response #3357)

[msheiny]

Michael's fantastical upgrade checklist... 0.6 --> 0.7.0rc4

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Administration

• I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

0.7.0-specific testing

• Validate that the logo update functionality works correctly and there are no AppArmor violations
• SSH into app and mon and validate that non-grsec kernels are properly removed: sudo apt list --installed | grep linux-image does not return a generic (non grsec) kernel (Remove vanilla Xenial Ubuntu kernels at install-time #3158)
• SSH into app and mon and validate that sudo apt update does not indicate there are duplicate tor-apt repos (Removes duplicate tor-apt repo from apt config #3189) (grep -rl tor-apt /etc/apt/ returns 2 entries, not 3)
• Verify daily_reboot_time can be set via securedrop-admin sdconfig (Fix #3160, Added daily_reboot_time option in sdconfig and documented it #3172)
• An Orbot-specific message appears on the source interface (Add Orbot warning in source interface #3215)

Admin Updater GUI (#3300)

• Run ./securedrop-admin tailsconfig and reboot the tails admin workstation. Validate that the updater runs on startup (as we are on an RC and not the previous stable release)
• Click "Update Now" in the GUI and confirm an update of the code to the latest stable release (0.6)

Journalist Notifications (#1195, #2803):

• Journalist email and GPG key can be added via ./securedrop-admin sdconfig
• Submit a document, wait (up to 24 hours in default configuration), and receive a journalist notification
• Do not submit a document, wait (up to 24 hours in default configuration), and receive a different journalist notification

SSH over local network (#2592):

• Enable SSH over local network and ensure hosts can be accessed via SSH over local network
• Verify that iptables-based SSH connection rate limiting works
• Disable SSH over local network and ensure hosts can be accessed via SSH over Tor

0.7.0-rc2 specific testing

• Verify that decrypted submission gz file does not contain compression time metadata (file <file>.gz should not contain a date (Reduce time information leakage of file uploads and file downloads #3305)
• Verify that network handler does not raise an error (see [QA] Problems running securedrop_init handler via tailsconfig #3337)
• If journalist notification GPG key file is not given, ./securedrop-admin sdconfig should not prompt for GPG fingerprint and journalist email address (see securedrop-admin sdconfig is allowing journalist notification email address without gpg key #3320)
• Verify that SSH over Local/Tor prompts are more user-friendly (see SSH over LAN sdconfig prompt could be clearer #3324)

0.7.0-rc3 specific testing

• Submissions are sent through the source interface when https is enabled (Resolve HTTPS CSRF validation failure due to Referrer-Policy on source interface #3351)
• Verify that ./securedrop-admin sdconfig will now prompt for certificates and key when https is enabled on the prompt (Add HTTPS-related variables to securedrop-admin sdconfig prompt #3366 )
• SSH over Tor message is user-friendly and the default option is automatically populated (Fix #3354: Tor over SSH prompt should not be populated with invalid response #3357)

0.7.0-rc4 specific testing

• SecureDrop instance logos can be properly change (without any AppArmor violations) (Back out functionality requiring libjpeg-dev apt dependency #3379)
• Journalist are sent at most once every 24h (ossec: resolve journalist notification racing with reboots #3374)
• Translations are functional (specifically new translations, Hindi and Russian) (l10n: sync translations #3377)

[redshiftzero]

Hardware upgrade 0.7.0-rc3 to 0.7.0-rc4 testing

• SecureDrop instance logos can be properly changed (without any AppArmor violations) (Back out functionality requiring libjpeg-dev apt dependency #3379)
• Journalist are sent at most once every 24h (ossec: resolve journalist notification racing with reboots #3374) - will check after a couple of days to make sure the alert is rolling in, so far so good
• Reboots more than once per day do not trigger journalist notifications (ossec: resolve journalist notification racing with reboots #3374)
• Translations are functional (specifically new translations, Hindi and Russian) (l10n: sync translations #3377)

[emkll]

Hardware upgrade 0.7.0~rc4 to 0.7.0-rc5 testing

0.7.0-rc2 specific testing

• Verify that decrypted submission gz file does not contain compression time metadata (file <file>.gz should not contain a date (Reduce time information leakage of file uploads and file downloads #3305)
• Verify that network handler does not raise an error (see [QA] Problems running securedrop_init handler via tailsconfig #3337)
• If journalist notification GPG key file is not given, ./securedrop-admin sdconfig should not prompt for GPG fingerprint and journalist email address (see securedrop-admin sdconfig is allowing journalist notification email address without gpg key #3320)
• Verify that SSH over Local/Tor prompts are more user-friendly (see SSH over LAN sdconfig prompt could be clearer #3324)

0.7.0-rc3 specific testing

• Submissions are sent through the source interface when https is enabled (Resolve HTTPS CSRF validation failure due to Referrer-Policy on source interface #3351)
• Verify that ./securedrop-admin sdconfig will now prompt for certificates and key when https is enabled on the prompt (Add HTTPS-related variables to securedrop-admin sdconfig prompt #3366 )
• SSH over Tor message is user-friendly and the default option is automatically populated (Fix #3354: Tor over SSH prompt should not be populated with invalid response #3357)

0.7.0-rc4 specific testing

• SecureDrop instance logos can be properly change (without any AppArmor violations) (Back out functionality requiring libjpeg-dev apt dependency #3379)
  Note that it requires a hard refresh of the page (I think this is consistent with previous behavior)
• Journalist are sent at most once every 24h (ossec: resolve journalist notification racing with reboots #3374) I did receive a SecureDrop Submissions Error message when activating SSH over Local (see below). I opened a ticket in [0.7.0] Journalist Notification error when there is a 2nd install run prior to initial reboot #3393
• Translations are functional (specifically new translations, Hindi and Russian) (l10n: sync translations #3377)

0.7.0-rc5 specific testing

• Verify that ./securedrop-admin update or the updater UI will not check out an unsigned tag (e.g. create a new tag locally, like 0.6.1)

[redshiftzero]

SecureDrop 0.7.0 has been released: https://securedrop.org/news/securedrop-070-released/.

Any issues with this upgrade should be reported via the FPF support portal, the community forum, or by filing a GitHub issue here.