Release SecureDrop 1.7.0 #5689

Closed
22 tasks done
sssoleileraaa opened this issue Jan 5, 2021 · 11 comments

@sssoleileraaa
Contributor

sssoleileraaa commented Jan 5, 2021

This is a tracking issue for the release of SecureDrop 1.7.0

Tentatively scheduled as follows:

String and feature freeze: 2021-01-11
String comment period: 2021-01-11 - 2021-01-18
Translation period: 2021-01-18 - 2021-01-25
Pre-release announcement: 2021-01-19
Release date: 2021-01-26

Release manager: @creviera (surprise!)
Deputy release manager: @emkll
Localization manager: @rmol
Deputy localization manager: @kushaldas
Communications manager: @eloquence

SecureDrop maintainers and testers: As you QA 1.7.0, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 1.7.0 milestone for tracking (or ask a maintainer to do so).

Test Debian packages will be posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.

QA Matrix for 1.7.0

Test Plan for 1.7.0

Prepare release candidate (1.7.0~rc1)

After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and 1.7.0-specific testing below in comments to this ticket.

Final release

  • Ensure builder in release branch is updated and/or update builder image
  • Push signed tag https://github.com/freedomofpress/securedrop/releases/tag/1.7.0
  • Pre-Flight: Test updater logic in Tails (apt-qa tracks the release branch in the LFS repo)
  • Build final Debian packages for 1.7.0 (and preserve build logs)
  • Commit package build logs to https://github.com/freedomofpress/build-logs
  • Upload Debian packages to apt-qa server (including new Tor packages)
  • Pre-Flight: Test that install and upgrade from 1.6.0 to 1.7.0 works w/ prod repo debs (apt-qa.freedom.press polls the release branch in the LFS repo for the debs)
  • Flip apt QA server to prod status (merge to main in the LFS repo)
  • Merge Docs branch changes to main and verify new docs build in securedrop-docs repo
  • Prepare release messaging

Post release

@conorsch
Contributor

conorsch commented Jan 15, 2021

Test report from 1.7.0~rc1. Mostly completed yesterday. Omitted the portions I skipped, after encountering #5703

Environment

  • Install target: Clean install
  • Tails version: 4.10 [sic, my Admin VM was out of date]
  • Test Scenario: Clean install, v3-only, with zh_Hans
  • SSH over Tor: Yes, v3 only
  • Onion service version: v3 only
  • Release candidate: 1.7.0~rc1

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
    • N.B. The AppArmor tests passed at first (well, except the apt source ones, since I was using apt-test), then failed after interactive testing. See [QA 1.7.0] Admin actions for user management trigger 500 #5703 (comment)
  • QA Matrix checks pass
    • 🟧 : One of the spectre-meltdown tests failed in prod VM. Host machine was a Lenovo T450s, with old microcode, so doesn't indicate kernel problems IMO.

Command Line User Generation

  • Can successfully add admin user and login

Administration

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases

(did not test, presumably prevented by #5703)

  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases

(did not test)

  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in - did not test
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in - did not test
  • Journalist account with HOTP can log in - did not test

1.7.0 release-specific changes

  • language support changes #5697

    • Simplified Chinese (zh_Hans) is a listed option in language support in ./securedrop-admin sdconfig
    • When selected during installation, zh_hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese
    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default
    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup".
    • With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30".
    • With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login.
    • No red banner is displayed on the login page in any of the 3 above cases

@kushaldas
Contributor

kushaldas commented Jan 18, 2021

Environment

  • Install target: prod vm
  • Tails version: 4.14
  • Test Scenario: update testing from 1.6.0
  • SSH over Tor: no
  • Onion service version: v2 + v3
  • Release candidate: rc2
  • General notes: During fresh installs, attempt to select zh_Hans as a language choice.

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.6.0 and restore this backup on 1.7.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.7.0 release-specific changes

  • language support changes #5697

    • Simplified Chinese (zh_hans) is a listed option in language support in ./securedrop-admin sdconfig
    • When selected during installation, zh_Hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese
    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default
    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup".
    • [ ] With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30". DID NOT TEST
    • ❌ With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login. FAILED, still showing me the "Complete the v3 .." banner
    • No red banner is displayed on the login page in any of the 3 above cases
  • Added error handling for missing file deletions #5549

    • Log in to the Source Interface and submit 3 or more messages as a single source
    • Log in to the Journalist Interface and reply to the source from the previous step
    • log in to the application server, find the source's submission files under /var/lib/securedrop/store, and delete the reply file and one of the submissions
    • in the Journalist Interface on the source's collection page, select the reply, the deleted message, and one other message, and delete the messages via Delete Selected
    • Deletion completes without error and all 3 rows are removed
    • on the Application server, errors are logged relating to the missing files in /var/log/apache2/journalist-error.log
    • in the Journalist Interface on the source's collection page, delete the source via Delete Source and Submissions
    • the source collection is deleted and the source is no longer listed on the Journalist Interface
    • the source submissions directory is removed from /var/lib/securedrop/store
  • Added error handling for missing file downloads #5573

    • Log in to the Source Interface and submit two messages
    • Log in to the Application Server and delete the first submission file from the source's directory under /var/lib/securedrop/store
    • Log into the Journalist Interface
    • When the source's 2 unread button is clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download Unread clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • Click through to the source's collection page:
    • When Select All and Download Selected are clicked:
      • A flash error message is displayed and the missing message's status remains unread
    • When the missing message is clicked:
      • A flash error message is displayed and the missing message's status remains unread
  • Show session expiry message only for users that have generated a codename #5582

    • Log in to the application server and update the value of SESSION_EXPIRATION_MINUTES from 120 to 2 in /var/www/securedrop/config.py, then restart Apache with sudo systemctl restart apache2
    • ❌ Visit the Source interface index page, and wait for slightly more than 2 minutes. Reload the index page, and verify that no session expiry error message is displayed. Failed, I can see session expiry message.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started, wait slightly over 2 minutes after the codename generation page is displayed, then visit the Source Interface index page again. Verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started and then SUBMIT DOCUMENTS. Wait just over 2 minutes, reload the page, and verify that the index page is rendered instead of /lookup with a session expiry error message displayed.
  • Add functionality to set organization name #5629

    • Log in to the Journalist Interface with an admin account and navigate to the Instance Config page
    • Set the Organization Name to a string with less than 75 chars
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces
    • Set the Organization Name to a string with less than 75 chars including HTML formatting
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces with HTML formatting escaped.
    • Set the Organization Name to a string with more than 75 chars
      • An error message is flashed and the organization name is not updated (The message is saying 64 chars limit)
    • Set the Organization Name to a blank value
      • An error message is flashed and the organization name is not updated
  • Visit Source Interface on the latest Tor Browser on MacOS and verify that the TBB warning notice is not displayed #5647

  • Reset journalist passwords without errors #5618

    • Log in to the Journalist Interface with a journalist account
    • Log out, then log in again with an admin account and edit the previous account
      • The journalist account's password can be reset repeatedly without errors
  • Update references to submission key on Source Interface #5651

    • Log in to the Source Interface and verify that the "public key" link points to /public-key and that /public-key is functional, downloading the Submission Public Key
    • Verify that the "learn more" link points to /why-public-key, and that /why-public-key is functional
    • Verify that the download link on /why-public-key points to /public-key
    • Verify that navigating to /journalist-key redirects to /public-key
  • Update navigation "Back" link icons on web interfaces #5641

    • PNG < icon replaces « on /why-public-key on Source Interface
    • PNG < icon replaces « on Add User page on Admin Interface
    • PNG < icon replaces « on Edit User page on Admin Interface
    • PNG < icon replaces « on Instance Config page on Admin Interface
  • Verify that an OSSEC alert is sent on a daily schedule if v2 onion services are enabled #5682

  • Verify that directory permissions are set to 700 on /var/ossec/.gnupg and to 600 on its files on the Monitor Server #5330

  • Verify that Tor is updated to v0.4.4.6 on the Application and Monitor Servers #5648

  • Verify that cryptography is updated to v3.2.1 in the securedrop-app-code virtual environment on the Application Server #5612

Preflight

  • Ensure the builder image is up-to-date on release day

These tests should be performed the day of release prior to live Debian packages on apt.freedom.press

Basic testing

  • Install or upgrade occurs without error
  • Source interface is available and version string indicates it is 1.7.0
  • A message can be successfully submitted

Tails

  • The updater GUI appears on boot
  • The update successfully occurs to 1.7.0

@emkll
Contributor

emkll commented Jan 18, 2021

Mac Mini - cron-apt upgrade from 1.6.0 (In progress)

Environment

  • Install target: Mac Mini
  • Tails version: 4.14
  • Test Scenario: Cron-apt upgrade
  • SSH over Tor: Yes
  • Onion service version: v2+v3 -> v3 only
  • Release candidate: 1.7.0-rc2
  • General notes: During fresh installs, attempt to select zh_Hans as a language choice.

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.6.0 and restore this backup on 1.7.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication (DID NOT TEST)

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.7.0 release-specific changes

  • language support changes #5697

    • Simplified Chinese (zh_hans) is a listed option in language support in ./securedrop-admin sdconfig
    • When selected during installation, zh_Hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese
    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default
    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup".
    • With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30".
    • With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login.
    • No red banner is displayed on the login page in any of the 3 above cases
  • Added error handling for missing file deletions #5549

    • Log in to the Source Interface and submit 3 or more messages as a single source
    • Log in to the Journalist Interface and reply to the source from the previous step
    • log in to the application server, find the source's submission files under /var/lib/securedrop/store, and delete the reply file and one of the submissions
    • in the Journalist Interface on the source's collection page, select the reply, the deleted message, and one other message, and delete the messages via Delete Selected
    • Deletion completes without error and all 3 rows are removed
    • on the Application server, errors are logged relating to the missing files in /var/log/apache2/journalist-error.log
    • in the Journalist Interface on the source's collection page, delete the source via Delete Source and Submissions
    • the source collection is deleted and the source is no longer listed on the Journalist Interface
    • the source submissions directory is removed from /var/lib/securedrop/store
  • Added error handling for missing file downloads #5573

    • Log in to the Source Interface and submit two messages
    • Log in to the Application Server and delete the first submission file from the source's directory under /var/lib/securedrop/store
    • Log into the Journalist Interface
    • When the source's 2 unread button is clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download Unread clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • Click through to the source's collection page:
    • When Select All and Download Selected are clicked:
      • A flash error message is displayed and the missing message's status remains unread
    • When the missing message is clicked:
      • A flash error message is displayed and the missing message's status remains unread
  • Show session expiry message only for users that have generated a codename #5582

    • Log in to the application server and update the value of SESSION_EXPIRATION_MINUTES from 120 to 2 in /var/www/securedrop/config.py, then restart Apache with sudo systemctl restart apache2
    • Visit the Source interface index page, and wait for slightly more than 2 minutes. Reload the index page, and verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started, wait slightly over 2 minutes after the codename generation page is displayed, then visit the Source Interface index page again. Verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started and then SUBMIT DOCUMENTS. Wait just over 2 minutes, reload the page, and verify that the index page is rendered instead of /lookup with a session expiry error message displayed.
  • Add functionality to set organization name #5629

    • Log in to the Journalist Interface with an admin account and navigate to the Instance Config page
    • Set the Organization Name to a string with less than 75 chars
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces
    • Set the Organization Name to a string with less than 75 chars including HTML formatting
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces with HTML formatting escaped.
    • Set the Organization Name to a string with more than 75 chars
      • An error message is flashed and the organization name is not updated
    • Set the Organization Name to a blank value
      • An error message is flashed and the organization name is not updated
  • Visit Source Interface on the latest Tor Browser on MacOS and verify that the TBB warning notice is not displayed #5647

  • Reset journalist passwords without errors #5618

    • Log in to the Journalist Interface with a journalist account
    • Log out, then log in again with an admin account and edit the previous account
      • The journalist account's password can be reset repeatedly without errors
  • Update references to submission key on Source Interface #5651

    • Log in to the Source Interface and verify that the "public key" link points to /public-key and that /public-key is functional, downloading the Submission Public Key
    • Verify that the "learn more" link points to /why-public-key, and that /why-public-key is functional
    • Verify that the download link on /why-public-key points to /public-key
    • Verify that navigating to /journalist-key redirects to /public-key
  • Update navigation "Back" link icons on web interfaces #5641

    • PNG < icon replaces « on /why-public-key on Source Interface
    • PNG < icon replaces « on Add User page on Admin Interface
    • PNG < icon replaces « on Edit User page on Admin Interface
    • PNG < icon replaces « on Instance Config page on Admin Interface
  • Verify that an OSSEC alert is sent on a daily schedule if v2 onion services are enabled #5682

  • Verify that directory permissions are set to 700 on /var/ossec/.gnupg and to 600 on its files on the Monitor Server #5330

  • Verify that Tor is updated to v0.4.4.6 on the Application and Monitor Servers #5648

  • Verify that cryptography is updated to v3.2.1 in the securedrop-app-code virtual environment on the Application Server #5612
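
For the checklist item on /var/ossec/.gnupg permissions (#5330) that appears in the reports above, one way to run the check, as an added example that is not part of the thread or of SecureDrop's own test suite. `check_gnupg_perms` is a hypothetical helper name, and requiring 700 on subdirectories as well is an assumption.

```shell
#!/bin/sh
# Added example (not SecureDrop project code): audit a GnuPG home directory
# for the modes named in the checklist: 700 on directories, 600 on files.

# check_gnupg_perms DIR   (hypothetical helper name)
#   Prints one "want-MODE PATH" line per violation.
#   Returns 0 if clean, 1 on any violation, 2 if DIR is not a real directory.
check_gnupg_perms() {
    gnupg_dir=$1
    # Refuse a missing path or a symlink standing in for the directory.
    if [ ! -d "$gnupg_dir" ] || [ -L "$gnupg_dir" ]; then
        echo "not a real directory: $gnupg_dir" >&2
        return 2
    fi
    # "-perm MODE" with no prefix is an exact match in POSIX find, so
    # "! -perm 700" also flags stray setgid/sticky bits, not only extra rwx.
    # Assumption: subdirectories (e.g. private-keys-v1.d) must also be 700.
    violations=$(
        find "$gnupg_dir" -type d ! -perm 700 | sed 's/^/want-700 /'
        find "$gnupg_dir" -type f ! -perm 600 | sed 's/^/want-600 /'
    )
    if [ -n "$violations" ]; then
        printf '%s\n' "$violations"
        return 1
    fi
    return 0
}

# Constructed demo on a throwaway directory (not a real keyring).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/private-keys-v1.d"
: > "$demo_dir/pubring.kbx"
chmod 700 "$demo_dir" "$demo_dir/private-keys-v1.d"
chmod 644 "$demo_dir/pubring.kbx"    # deliberately too open
check_gnupg_perms "$demo_dir" || echo "audit reported violations"
rm -rf "$demo_dir"
```

On the Monitor Server the function would be called as root with /var/ossec/.gnupg as its argument.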

@zenmonkeykstop
Contributor

zenmonkeykstop commented Jan 19, 2021

QA plan - IN PROGRESS

  • NUC5s
  • NUC7s
  • NUC8s
  • Mac Minis
  • 1U test servers

1.7.0 QA Checklist

For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report.

If you have submitted a QA report already for a 1.7.0 release candidate with successful basic server testing and application acceptance testing sections, then you can skip these sections in subsequent reports, unless otherwise indicated by the Release Manager. This is to ensure that you focus your QA effort on the 1.7.0-specific changes as well as changes since the previous release candidate.

Environment

  • Install target: Nuc8(app)+Nuc7(mon)
  • Tails version: 4.14
  • Test Scenario: fresh
  • SSH over Tor: yes
  • Onion service version: v2+v3
  • Release candidate: rc2
  • General notes: During fresh installs, attempt to select zh_Hans as a language choice.

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.6.0 and restore this backup on 1.7.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication - not tested

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in - not tested
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.7.0 release-specific changes

  • language support changes #5697

    • Simplified Chinese (zh_hans) is a listed option in language support in ./securedrop-admin sdconfig
    • When selected during installation, zh_Hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese
    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default FAIL - English
    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup".
    • With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30". (not tested)
    • With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login. FAIL as per V2 warning still showing even with only v3 enabled service #5715
    • No red banner is displayed on the login page in any of the 3 above cases
  • Added error handling for missing file deletions #5549

    • Log in to the Source Interface and submit 3 or more messages as a single source
    • Log in to the Journalist Interface and reply to the source from the previous step
    • log in to the application server, find the source's submission files under /var/lib/securedrop/store, and delete the reply file and one of the submissions
    • in the Journalist Interface on the source's collection page, select the reply, the deleted message, and one other message, and delete the messages via Delete Selected
    • Deletion completes without error and all 3 rows are removed
    • on the Application server, errors are logged relating to the missing files in /var/log/apache2/journalist-error.log
    • in the Journalist Interface on the source's collection page, delete the source via Delete Source and Submissions
    • the source collection is deleted and the source is no longer listed on the Journalist Interface
    • the source submissions directory is removed from /var/lib/securedrop/store
  • Added error handling for missing file downloads #5573 FAILED

    • Log in to the Source Interface and submit two messages
    • Log in to the Application Server and delete the first submission file from the source's directory under /var/lib/securedrop/store
    • Log into the Journalist Interface
    • When the source's 2 unread button is clicked:
      • a flash error message is displayed and the number of unread messages is still 2 (500 error)
    • When the source's checkbox is selected and Download Unread clicked:
      • a flash error message is displayed and the number of unread messages is still 2 (404 error for /col/None)
    • When the source's checkbox is selected and Download clicked:
      • a flash error message is displayed and the number of unread messages is still 2 (404 error for /col/None)
    • Click through to the source's collection page:
    • When Select All and Download Selected are clicked:
      • A flash error message is displayed and the missing message's status remains unread (404 error for /None)
    • When the missing message is clicked:
      • A flash error message is displayed and the missing message's status remains unread (404 error for /None)
  • Show session expiry message only for users that have generated a codename #5582

    • Log in to the application server and update the value of SESSION_EXPIRATION_MINUTES from 120 to 2 in /var/www/securedrop/config.py, then restart Apache with sudo systemctl restart apache2
    • Visit the Source interface index page, and wait for slightly more than 2 minutes. Reload the index page, and verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started, wait slightly over 2 minutes after the codename generation page is displayed, then visit the Source Interface index page again. Verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started and then SUBMIT DOCUMENTS. Wait just over 2 minutes, reload the page, and verify that the index page is rendered instead of /lookup with a session expiry error message displayed.
  • Add functionality to set organization name #5629

    • Log in to the Journalist Interface with an admin account and navigate to the Instance Config page
    • Set the Organization Name to a string with less than 75 chars
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces
    • Set the Organization Name to a string with less than 75 chars including HTML formatting
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces with HTML formatting escaped.
    • Set the Organization Name to a string with more than 75 chars
      • An error message is flashed and the organization name is not updated
    • Set the Organization Name to a blank value
      • An error message is flashed and the organization name is not updated
  • Visit Source Interface on the latest Tor Browser on MacOS and verify that the TBB warning notice is not displayed #5647

  • Reset journalist passwords without errors #5618

    • Log in to the Journalist Interface with a journalist account
    • Log out, then log in again with an admin account and edit the previous account
      • The journalist account's password can be reset repeatedly without errors
  • Update references to submission key on Source Interface #5651

    • Log in to the Source Interface and verify that the "public key" link points to /public-key and that /public-key is functional, downloading the Submission Public Key
    • Verify that the "learn more" link points to /why-public-key, and that /why-public-key is functional
    • Verify that the download link on /why-public-key points to /public-key
    • Verify that navigating to /journalist-key redirects to /public-key
  • Update navigation "Back" link icons on web interfaces #5641

    • PNG < icon replaces « on /why-public-key on Source Interface
    • PNG < icon replaces « on Add User page on Admin Interface
    • PNG < icon replaces « on Edit User page on Admin Interface
    • PNG < icon replaces « on Instance Config page on Admin Interface
  • Verify that an OSSEC alert is sent on a daily schedule if v2 onion services are enabled #5682

  • Verify that directory permissions are set to 700 on /var/ossec/.gnupg and to 600 on its files on the Monitor Server
    #5330

  • Verify that Tor is updated to v0.4.4.6 on the Application and Monitor Servers #5648

  • Verify that cryptography is updated to v3.2.1 in the securedrop-app-code virtual environment on the Application Server #5612

Preflight

  • Ensure the builder image is up-to-date on release day

These tests should be performed the day of release prior to live debian packages on apt.freedom.press

Basic testing

  • Install or upgrade occurs without error
  • Source interface is available and version string indicates it is 1.7.0
  • A message can be successfully submitted

Tails

  • The updater GUI appears on boot
  • The update successfully occurs to 1.7.0
  • After reboot, updater GUI no longer appears
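The permissions check on /var/ossec/.gnupg from the checklist above (#5330), written out as an added shell example; it is not part of the original comment or of the SecureDrop code base. The function name check_gnupg_perms is hypothetical, GNU find and stat are assumed, and holding subdirectories to 700 as well is an assumption.

```shell
#!/bin/sh
# Added example (not SecureDrop code): audit a GnuPG home directory against
# the modes named in the checklist: 700 on the directory, 600 on its files.
# check_gnupg_perms is a hypothetical helper name; GNU find/stat are assumed.

check_gnupg_perms() {
    dir=$1

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    # Collect every entry whose mode differs from the expected one, printed
    # as "<octal mode> <path>". -perm with a bare mode is an exact match, so
    # extra bits (group/other access, setuid, sticky) are all reported.
    # Subdirectories are held to 700 as well (assumption).
    bad_dirs=$(find "$dir" -type d ! -perm 700 -exec stat -c '%a %n' {} +)
    bad_files=$(find "$dir" -type f ! -perm 600 -exec stat -c '%a %n' {} +)

    if [ -z "$bad_dirs" ] && [ -z "$bad_files" ]; then
        echo "OK: $dir is 700 and all files under it are 600"
        return 0
    fi

    if [ -n "$bad_dirs" ]; then
        printf 'directory not 700:\n%s\n' "$bad_dirs"
    fi
    if [ -n "$bad_files" ]; then
        printf 'file not 600:\n%s\n' "$bad_files"
    fi
    return 1
}

# On the Monitor Server, as root:
#   check_gnupg_perms /var/ossec/.gnupg
```

The function returns 0 when every mode matches, 1 when any entry deviates (listing each with its current mode), and 2 when the directory does not exist.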

@sssoleileraaa
Contributor Author

sssoleileraaa commented Jan 22, 2021

QA plan

  • NUC5s
  • NUC7s
  • Mac Minis
  • 1U test servers

1.7.0 QA Checklist

Environment

  • Install target: NUC7
  • Tails version: 4.14
  • Test Scenario: NUC 7i5BNH (v3 only clean install)
  • SSH over Tor: Yes
  • Onion service version: v3
  • Release candidate: rc3

Basic Server Testing

  • I can access both the source and journalist interfaces

  • I can SSH into both machines over Tor

  • AppArmor is loaded on app

    • 0 processes are running unconfined

      sudo aa-status
      

      ✔️ everything is in enforce mode

  • AppArmor is loaded on mon

    • 0 processes are running unconfined

      sudo aa-status
      

      ✔️ everything is in enforce mode

  • Both servers are running grsec kernels

    uname -r
    4.14.188-grsec-securedrop
    

    ✔️ both servers show the above output

  • iptables rules loaded

    iptables -S
    

    ✔️ rules look fine for app

    ✔️ rules look fine for mon

  • OSSEC emails begin to flow after install

  • OSSEC emails are decrypted to correct key and I am able to decrypt them

  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing

  • QA Matrix checks pass

    sudo bash meltdown.sh failure is expected:

    CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'

    • CPU microcode mitigates the vulnerability: NO
      STATUS: VULNERABLE (your CPU supports SGX and the microcode is not up to date)

    SUMMARY: CVE-2018-3615:KO

A false sense of security is worse than no security at all, see --disclaimer

Command Line User Generation

  • Can successfully add admin user and login

    ./manage.py add-admin
    

    ✔️ able to create an account and log in with it

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.6.0 and restore this backup on 1.7.0

    N/A

  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot

    ❌ When I run securedrop-admin tailsconfig and reboot I don't see a gui updater

  • Updating occurs without issue

    ❌ I don't recall seeing a gui updater

1.7.0 release-specific changes

  • [RC3] v3 ssh migration bugfix #5718

    • given a v2 or v2+v3 initial config on a version less than 1.7.0-rc3, updating the workstation to 1.7.0-rc3 and migrating to v3 services results in no v2 hidden services being configured in the app and mon servers' /etc/tor/torrc.

      N/A

    OR

    • a fresh install with only v3 services results in only v3 ssh services being configured in the app and mon servers' /etc/tor/torrc.
  • language support changes #5697

    • Simplified Chinese (zh_hans) is a listed option in language support in ./securedrop-admin sdconfig
    • When selected during installation, zh_Hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese
    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default
    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup".

      N/A

    • With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30".

      N/A

    • With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login.
    • No red banner is displayed on the login page in any of the 3 above cases

      N/A

  • Show session expiry message only for users that have generated a codename #5582

    • Log in to the application server and update the value of SESSION_EXPIRATION_MINUTES from 120 to 2 in /var/www/securedrop/config.py, then restart Apache with sudo systemctl restart apache2
    • Visit the Source interface index page, and wait for slightly more than 2 minutes. Reload the index page, and verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started, wait slightly over 2 minutes after the codename generation page is displayed, then visit the Source Interface index page again. Verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started and then SUBMIT DOCUMENTS. Wait just over 2 minutes, reload the page, and verify that the index page is rendered instead of /lookup with a session expiry error message displayed.
  • Add functionality to set organization name #5629

    • Log in to the Journalist Interface with an admin account and navigate to the Instance Config page
    • Set the Organization Name to a string with less than 75 chars
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces
    • Set the Organization Name to a string with less than 75 chars including HTML formatting
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces with HTML formatting escaped.
    • Set the Organization Name to a string with more than 75 chars
      • An error message is flashed and the organization name is not updated
    • Set the Organization Name to a blank value
      • An error message is flashed and the organization name is not updated
  • Visit Source Interface on the latest Tor Browser on MacOS and verify that the TBB warning notice is not displayed #5647

    N/A

  • Reset journalist passwords without errors #5618

    • Log in to the Journalist Interface with a journalist account
    • Log out, then log in again with an admin account and edit the previous account
      • The journalist account's password can be reset repeatedly without errors
  • Update references to submission key on Source Interface #5651

    • Log in to the Source Interface and verify that the "public key" link points to /public-key and that /public-key is functional, downloading the Submission Public Key
    • Verify that the "learn more" link points to /why-public-key, and that /why-public-key is functional
    • Verify that the download link on /why-public-key points to /public-key
    • Verify that navigating to /journalist-key redirects to /public-key
  • Update navigation "Back" link icons on web interfaces #5641

    • PNG < icon replaces « on /why-public-key on Source Interface
    • PNG < icon replaces « on Add User page on Admin Interface
    • PNG < icon replaces « on Edit User page on Admin Interface
    • PNG < icon replaces « on Instance Config page on Admin Interface
  • Verify that an OSSEC alert is sent on a daily schedule if v2 onion services are enabled #5682

    N/A

  • Verify that directory permissions are set to 700 on /var/ossec/.gnupg and to 600 on its files on the Monitor Server
    #5330

  • Verify that Tor is updated to v0.4.4.6 on the Application and Monitor Servers #5648

  • Verify that cryptography is updated to v3.2.1 in the securedrop-app-code virtual environment on the Application Server #5612

Preflight

  • Ensure the builder image is up-to-date on release day

    N/A

These tests should be performed the day of release prior to live debian packages on apt.freedom.press

Basic testing

  • Install or upgrade occurs without error
  • Source interface is available and version string indicates it is 1.7.0
  • A message can be successfully submitted

@kushaldas
Contributor

kushaldas commented Jan 22, 2021

Spent some time on this:

$ sudo apt update
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Hit:2 http://archive.ubuntu.com/ubuntu xenial InRelease  
Get:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [109 kB]
Get:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease [107 kB]
Get:5 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages [1,931 kB]
Get:6 http://archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages [1,473 kB]
Ign:7 https://apt-test.freedom.press xenial InRelease     
Err:8 https://apt-test.freedom.press xenial Release
  403  Forbidden
Reading package lists... Done
E: The repository 'https://apt-test.freedom.press xenial Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

It seems our server is throwing 403 for both https://apt-test.freedom.press/dists/xenial/Release and https://apt-test.freedom.press/dists/xenial/InRelease.

Finally, just downloaded the package and updated by hand.

@kushaldas
Contributor

kushaldas commented Jan 22, 2021

Environment

  • Install target: prod vm
  • Tails version: 4.14
  • Test Scenario: update testing from 1.6.0
  • SSH over Tor: no
  • Onion service version: v2 + v3
  • Release candidate: rc4
  • General notes: During fresh installs, attempt to select zh_Hans as a language choice.

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.6.0 and restore this backup on 1.7.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.7.0 release-specific changes

  • language support changes #5697

    • Simplified Chinese (zh_hans) is a listed option in language support in ./securedrop-admin sdconfig
    • When selected during installation, zh_Hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese
    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default
    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup".
    • [ ] With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30". DID NOT TEST
    • With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login. FAILED, still showing me the "Complete the v3 .." banner
    • No red banner is displayed on the login page in any of the 3 above cases
  • [x ] Added error handling for missing file deletions #5549

    • Log in to the Source Interface and submit 3 or more messages as a single source
    • Log in to the Journalist Interface and reply to the source from the previous step
    • log in to the application server, find the source's submission files under /var/lib/securedrop/store, and delete the reply file and one of the submissions
    • in the Journalist Interface on the source's collection page, select the reply, the deleted message, and one other message, and delete the messages via Delete Selected
    • Deletion completes without error and all 3 rows are removed
    • on the Application server, errors are logged relating to the missing files in /var/log/apache2/journalist-error.log
    • in the Journalist Interface on the source's collection page, delete the source via Delete Source and Submissions
    • the source collection is deleted and the source is no longer listed on the Journalist Interface
    • the source submissions directory is removed from /var/lib/securedrop/store
  • Added error handling for missing file downloads #5573

    • Log in to the Source Interface and submit two messages
    • Log in to the Application Server and delete the first submission file from the source's directory under /var/lib/securedrop/store
    • Log into the Journalist Interface
    • When the source's 2 unread button is clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download Unread clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • Click through to the source's collection page:
    • When Select All and Download Selected are clicked:
      • A flash error message is displayed and the missing message's status remains unread
    • When the missing message is clicked:
      • A flash error message is displayed and the missing message's status remains unread
  • Show session expiry message only for users that have generated a codename #5582

    • Log in to the application server and update the value of SESSION_EXPIRATION_MINUTES from 120 to 2 in /var/www/securedrop/config.py, then restart Apache with sudo systemctl restart apache2
    • Visit the Source interface index page, and wait for slightly more than 2 minutes. Reload the index page, and verify that no session expiry error message is displayed. Failed, I can see session expiry message.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started, wait slightly over 2 minutes after the codename generation page is displayed, then visit the Source Interface index page again. Verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started and then SUBMIT DOCUMENTS. Wait just over 2 minutes, reload the page, and verify that the index page is rendered instead of /lookup with a session expiry error message displayed.
  • Add functionality to set organization name #5629

    • Log in to the Journalist Interface with an admin account and navigate to the Instance Config page
    • Set the Organization Name to a string with less than 75 chars
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces
    • Set the Organization Name to a string with less than 75 chars including HTML formatting
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces with HTML formatting escaped.
    • Set the Organization Name to a string with more than 75 chars
      • An error message is flashed and the organization name is not updated (The message is saying 64 chars limit)
    • Set the Organization Name to a blank value
      • An error message is flashed and the organization name is not updated
  • Visit Source Interface on the latest Tor Browser on MacOS and verify that the TBB warning notice is not displayed #5647

  • Reset journalist passwords without errors #5618

    • Log in to the Journalist Interface with a journalist account
    • Log out, then log in again with an admin account and edit the previous account
      • The journalist account's password can be reset repeatedly without errors
  • Update references to submission key on Source Interface #5651

    • Log in to the Source Interface and verify that the "public key" link points to /public-key and that /public-key is functional, downloading the Submission Public Key
    • Verify that the "learn more" link points to /why-public-key, and that /why-public-key is functional
    • Verify that the download link on /why-public-key points to /public-key
    • Verify that navigating to /journalist-key redirects to /public-key
  • Update navigation "Back" link icons on web interfaces #5641

    • PNG < icon replaces « on /why-public-key on Source Interface
    • PNG < icon replaces « on Add User page on Admin Interface
    • PNG < icon replaces « on Edit User page on Admin Interface
    • PNG < icon replaces « on Instance Config page on Admin Interface
  • Verify that an OSSEC alert is sent on a daily schedule if v2 onion services are enabled #5682

  • Verify that directory permissions are set to 700 on /var/ossec/.gnupg and to 600 on its files on the Monitor Server
    #5330

  • Verify that Tor is updated to v0.4.4.6 on the Application and Monitor Servers #5648

  • Verify that cryptography is updated to v3.2.1 in the securedrop-app-code virtual environment on the Application Server #5612

Preflight

  • Ensure the builder image is up-to-date on release day

These tests should be performed the day of release prior to live debian packages on apt.freedom.press

Basic testing

  • Install or upgrade occurs without error
  • Source interface is available and version string indicates it is 1.7.0
  • A message can be successfully submitted

Tails

  • The updater GUI appears on boot
  • The update successfully occurs to 1.7.0

@emkll
Contributor

emkll commented Jan 22, 2021

1.6.0-> 1.7.0-rc4

Environment

  • Install target: mac mini
  • Tails version: 4.14
  • Test Scenario: cron-apt upgrade
  • SSH over Tor: yes
  • Onion service version: v2+v3 -> v3 only
  • Release candidate: 1.7.0-rc4
  • General notes: During fresh installs, attempt to select zh_Hans as a language choice.

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation (DID NOT TEST)
  • If doing upgrade testing, make a backup on 1.6.0 and restore this backup on 1.7.0 (DID NOT TEST)
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.7.0 release-specific changes

  • [RC3] v3 ssh migration bugfix #5718

    • given a v2 or v2+v3 initial config on a version less than 1.7.0-rc3, updating the workstation to 1.7.0-rc3 and migrating to v3 services results in no v2 hidden services being configured in the app and mon servers' /etc/tor/torrc.
      OR
    • a fresh install with only v3 services results in only v3 ssh services being configured in the app and mon servers' /etc/tor/torrc.
  • language support changes #5697

    • Simplified Chinese (zh_hans) is a listed option in language support in ./securedrop-admin sdconfig
    • When selected during installation, zh_Hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese
    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default
    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup".
    • With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30".
    • With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login.
    • No red banner is displayed on the login page in any of the 3 above cases
  • Added error handling for missing file deletions #5549

    • Log in to the Source Interface and submit 3 or more messages as a single source
    • Log in to the Journalist Interface and reply to the source from the previous step
    • log in to the application server, find the source's submission files under /var/lib/securedrop/store, and delete the reply file and one of the submissions
    • in the Journalist Interface on the source's collection page, select the reply, the deleted message, and one other message, and delete the messages via Delete Selected
    • Deletion completes without error and all 3 rows are removed
    • on the Application server, errors are logged relating to the missing files in /var/log/apache2/journalist-error.log
    • in the Journalist Interface on the source's collection page, delete the source via Delete Source and Submissions
    • the source collection is deleted and the source is no longer listed on the Journalist Interface
    • the source submissions directory is removed from /var/lib/securedrop/store
  • Added error handling for missing file downloads #5573

    • Log in to the Source Interface and submit two messages
    • Log in to the Application Server and delete the first submission file from the source's directory under /var/lib/securedrop/store
    • Log into the Journalist Interface
    • When the source's 2 unread button is clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download Unread clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • Click through to the source's collection page:
    • When Select All and Download Selected are clicked:
      • A flash error message is displayed and the missing message's status remains unread
    • When the missing message is clicked:
      • A flash error message is displayed and the missing message's status remains unread
  • Show session expiry message only for users that have generated a codename #5582

    • Log in to the application server and update the value of SESSION_EXPIRATION_MINUTES from 120 to 2 in /var/www/securedrop/config.py, then restart Apache with sudo systemctl restart apache2
    • Visit the Source interface index page, and wait for slightly more than 2 minutes. Reload the index page, and verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started, wait slightly over 2 minutes after the codename generation page is displayed, then visit the Source Interface index page again. Verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started and then SUBMIT DOCUMENTS. Wait just over 2 minutes, reload the page, and verify that the index page is rendered instead of /lookup with a session expiry error message displayed.
  • Add functionality to set organization name #5629

    • Log in to the Journalist Interface with an admin account and navigate to the Instance Config page
    • Set the Organization Name to a string with less than 75 chars
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces
    • Set the Organization Name to a string with less than 75 chars including HTML formatting
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces with HTML formatting escaped.
    • Set the Organization Name to a string with more than 75 chars
      • An error message is flashed and the organization name is not updated
    • Set the Organization Name to a blank value
      • An error message is flashed and the organization name is not updated
  • Visit Source Interface on the latest Tor Browser on MacOS and verify that the TBB warning notice is not displayed #5647

  • Reset journalist passwords without errors #5618

    • Log in to the Journalist Interface with a journalist account
    • Log out, then log in again with an admin account and edit the previous account
      • The journalist account's password can be reset repeatedly without errors
  • Update references to submission key on Source Interface #5651

    • Log in to the Source Interface and verify that the "public key" link points to /public-key and that /public-key is functional, downloading the Submission Public Key
    • Verify that the "learn more" link points to /why-public-key, and that /why-public-key is functional
    • Verify that the download link on /why-public-key points to /public-key
    • Verify that navigating to /journalist-key redirects to /public-key
  • Update navigation "Back" link icons on web interfaces #5641

    • PNG < icon replaces « on /why-public-key on Source Interface
    • PNG < icon replaces « on Add User page on Admin Interface
    • PNG < icon replaces « on Edit User page on Admin Interface
    • PNG < icon replaces « on Instance Config page on Admin Interface
  • Verify that an OSSEC alert is sent on a daily schedule if v2 onion services are enabled #5682

  • Verify that directory permissions are set to 700 on /var/ossec/.gnupg and to 600 on its files on the Monitor Server
    #5330

  • Verify that Tor is updated to v0.4.4.6 on the Application and Monitor Servers #5648

  • Verify that cryptography is updated to v3.2.1 in the securedrop-app-code virtual environment on the Application Server #5612

RC4-specific testing

#5718, #5726
  • On a v2+v3 install, disabling v2 removes the v2 ssh config in /etc/tor/torrc and no ossec alerts are sent about v2 deprecation after running the playbook
  • The banner disappears on a simple page refresh (without rebooting or apache restart)
#5721, #5722
  • Submit multiple files via the SI, delete manually one from the store on the app server, files can be downloaded via "N unread" or select all download link on JI.
#5724
  • Submit multiple files via the SI, delete manually one or more from the store on the app server. After manually deleting the files on disk, submit a new file as that source. Zero-length files are not created

@sssoleileraaa
Contributor Author

1.7.0 QA Checklist

Environment

  • Install target: NUC7
  • Tails version: 4.14
  • Test Scenario: NUC 7i5BNH (v3 only clean install)
  • SSH over Tor: Yes
  • Onion service version: v3
  • Release candidate: rc4

Basic Server Testing

  • I can access both the source and journalist interfaces

  • I can SSH into both machines over Tor

  • AppArmor is loaded on app

    sudo aa-status

    • 0 processes are running unconfined
  • AppArmor is loaded on mon

    sudo aa-status

    • 0 processes are running unconfined
  • Both servers are running grsec kernels

    uname -r
    4.14.188-grsec-securedrop

  • iptables rules loaded

    iptables -S for app:

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -N LOGNDROP
    -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT
    -A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT
    -A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT
    -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT
    -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
    -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
    -A INPUT -s 10.20.3.2/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT
    -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
    -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP
    -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP
    -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 111 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT
    -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 111 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP
    -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 111 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT
    -A OUTPUT -p tcp -m owner --uid-owner 111 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor outbound" -j ACCEPT
    -A OUTPUT -m owner --uid-owner 111 -m comment --comment "Drop all other traffic for tor" -j LOGNDROP
    -A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT
    -A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner 33 -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT
    -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner 33 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT
    -A OUTPUT -m owner --uid-owner 33 -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP
    -A OUTPUT -m owner --gid-owner 112 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP
    -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
    -A OUTPUT -d 10.20.3.2/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT
    -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
    -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP
    -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid
    -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
    -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
    -A LOGNDROP -j DROP

    iptables -S for mon:

    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT DROP
    -N LOGNDROP
    -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT
    -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
    -A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
    -A INPUT -s 10.20.2.2/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT
    -A INPUT -s 8.8.8.8/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A INPUT -s 8.8.8.8/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT
    -A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
    -A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP
    -A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP
    -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 111 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit traffic from tor to the ssh dameon" -j ACCEPT
    -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 111 -m state --state NEW -m comment --comment "Drop all other new connections from tor to the ssh dameon" -j LOGNDROP
    -A OUTPUT -o lo -p tcp -m tcp --dport 22 -m owner --uid-owner 111 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow the established traffic from tor to the ssh dameon" -j ACCEPT
    -A OUTPUT -p tcp -m owner --uid-owner 111 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor outbound" -j ACCEPT
    -A OUTPUT -m owner --uid-owner 111 -m comment --comment "Drop all other traffic for tor" -j LOGNDROP
    -A OUTPUT -m owner --gid-owner 112 -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP
    -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
    -A OUTPUT -d 10.20.2.2/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT
    -A OUTPUT -d 8.8.8.8/32 -p tcp -m tcp --dport 53 -m owner --uid-owner 112 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT
    -A OUTPUT -d 8.8.8.8/32 -p udp -m udp --dport 53 -m owner --uid-owner 112 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner 112 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT
    -A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
    -A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP
    -A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid
    -A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
    -A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
    -A LOGNDROP -j DROP

  • OSSEC emails begin to flow after install

  • OSSEC emails are decrypted to correct key and I am able to decrypt them

  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:

  • QA Matrix checks pass

    sudo bash meltdown.sh failure is expected:

    CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'

    • CPU microcode mitigates the vulnerability: NO
      STATUS: VULNERABLE (your CPU supports SGX and the microcode is not up to date)

    SUMMARY: CVE-2018-3615:KO


A false sense of security is worse than no security at all, see --disclaimer

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.6.0 and restore this backup on 1.7.0

    N/A

  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.7.0 release-specific changes

  • [RC3] v3 ssh migration bugfix #5718

    • given a v2 or v2+v3 initial config on a version less than 1.7.0-rc3, updating the workstation to 1.7.0-rc3 and migrating to v3 services results in no v2 hidden services being configured in the app and mon servers' /etc/tor/torrc.

      N/A
      OR

    • a fresh install with only v3 services results in only v3 ssh services being configured in the app and mon servers' /etc/tor/torrc.
  • language support changes #5697

    • Simplified Chinese (zh_hans) is a listed option in language support in ./securedrop-admin sdconfig
    • ❌ When selected during installation, zh_Hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese

      This works for the Source Interface, but not the Journalist Interface, see [1.7.0-rc4 QA] Internal Server Error when selecting Simplified Chinese #5740, the plan is to test this after language translations are merged in with the expectation that it'll be fixed

    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default

      This didn't work for me because I never chose zh_Hant as an option and the browser doesn't have Simplified Chinese as an option.

    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup".

      N/A

    • With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30".

      N/A

    • With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login.
    • No red banner is displayed on the login page in any of the 3 above cases

      N/A

  • Added error handling for missing file deletions #5549

    • Log in to the Source Interface and submit 3 or more messages as a single source
    • Log in to the Journalist Interface and reply to the source from the previous step
    • log in to the application server, find the source's submission files under /var/lib/securedrop/store, and delete the reply file and one of the submissions
    • in the Journalist Interface on the source's collection page, select the reply, the deleted message, and one other message, and delete the messages via Delete Selected
    • Deletion completes without error and all 3 rows are removed
    • on the Application server, errors are logged relating to the missing files in /var/log/apache2/journalist-error.log
    • in the Journalist Interface on the source's collection page, delete the source via Delete Source and Submissions
    • the source collection is deleted and the source is no longer listed on the Journalist Interface
    • [] the source submissions directory is removed from /var/lib/securedrop/store
  • Added error handling for missing file downloads #5573

    • Log in to the Source Interface and submit two messages
    • Log in to the Application Server and delete the first submission file from the source's directory under /var/lib/securedrop/store
    • Log into the Journalist Interface
    • When the source's 2 unread button is clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download Unread clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • Click through to the source's collection page:
    • When Select All and Download Selected are clicked:
      • A flash error message is displayed and the missing message's status remains unread
    • When the missing message is clicked:
      • A flash error message is displayed and the missing message's status remains unread
  • ❌ Show session expiry message only for users that have generated a codename #5582

    • Log in to the application server and update the value of SESSION_EXPIRATION_MINUTES from 120 to 2 in /var/www/securedrop/config.py, then restart Apache with sudo systemctl restart apache2
    • Visit the Source interface index page, and wait for slightly more than 2 minutes. Reload the index page, and verify that no session expiry error message is displayed.
    • ❌ Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started, wait slightly over 2 minutes after the codename generation page is displayed, then visit the Source Interface index page again. Verify that no session expiry error message is displayed.

      After waiting for over 2 minutes, I clicked on the SecureDrop icon to get back to the index page, and saw the session expiry error message. I also ran into this issue: Logged-out user is shown "You were logged out due to inactivity" and redirected to index page #5741

    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started and then SUBMIT DOCUMENTS. Wait just over 2 minutes, reload the page, and verify that the index page is rendered instead of /lookup with a session expiry error message displayed.
    • ❌ Other issue: Session expiration message shows up when you log into the Journalist Interface #5742
  • Add functionality to set organization name #5629

    • Log in to the Journalist Interface with an admin account and navigate to the Instance Config page
    • Set the Organization Name to a string with less than 75 chars
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces
    • Set the Organization Name to a string with less than 75 chars including HTML formatting
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces with HTML formatting escaped.
    • Set the Organization Name to a string with more than 75 chars
      • An error message is flashed and the organization name is not updated
    • Set the Organization Name to a blank value
      • An error message is flashed and the organization name is not updated
  • Visit Source Interface on the latest Tor Browser on MacOS and verify that the TBB warning notice is not displayed #5647

    SKIP (not on macosx)

  • Reset journalist passwords without errors #5618

    • Log in to the Journalist Interface with a journalist account
    • Log out, then log in again with an admin account and edit the previous account
      • The journalist account's password can be reset repeatedly without errors
  • Update references to submission key on Source Interface #5651

    • Log in to the Source Interface and verify that the "public key" link points to /public-key and that /public-key is functional, downloading the Submission Public Key
    • Verify that the "learn more" link points to /why-public-key, and that /why-public-key is functional
    • Verify that the download link on /why-public-key points to /public-key
    • Verify that navigating to /journalist-key redirects to /public-key
  • Update navigation "Back" link icons on web interfaces #5641

    • PNG < icon replaces « on /why-public-key on Source Interface
    • PNG < icon replaces « on Add User page on Admin Interface
    • PNG < icon replaces « on Edit User page on Admin Interface
    • PNG < icon replaces « on Instance Config page on Admin Interface
  • Verify that an OSSEC alert is sent on a daily schedule if v2 onion services are enabled #5682

    N/A

  • Verify that directory permissions are set to 700 on /var/ossec/.gnupg and to 600 on its files on the Monitor Server #5330

  • Verify that Tor is updated to v0.4.4.6 on the Application and Monitor Servers #5648

  • Verify that cryptography is updated to v3.2.1 in the securedrop-app-code virtual environment on the Application Server #5612

RC4-specific testing

#5718, #5726
  • On a v2+v3 install, disabling v2 removes the v2 ssh config in /etc/tor/torrc and no ossec alerts are sent about v2 deprecation after running the playbook

    I had to reinstall since I was testing v3 only earlier

  • The banner disappears on a simple page refresh (without rebooting or apache restart)
#5721, #5722
  • Submit multiple files via the SI, delete manually one from the store on the app server, files can be downloaded via "N unread" or select all download link on JI.
#5724
  • Submit multiple files via the SI, delete manually one or more from the store on the app server. After manually deleting the files on disk, submit a new file as that source. Zero-length files are not created

@zenmonkeykstop

zenmonkeykstop commented Jan 25, 2021

QA plan - IN PROGRESS

  • NUC5s
  • NUC7s
  • Mac Minis
  • 1U test servers

1.7.0 QA Checklist

For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report.

If you have submitted a QA report already for a 1.7.0 release candidate with successful basic server testing and application acceptance testing sections, then you can skip these sections in subsequent reports, unless otherwise indicated by the Release Manager. This is to ensure that you focus your QA effort on the 1.7.0-specific changes as well as changes since the previous release candidate.

Environment

  • Install target: Nuc8(app)+Nuc7(mon)
  • Tails version: 4.14
  • Test Scenario: fresh
  • SSH over Tor: yes
  • Onion service version: v3
  • Release candidate: rc4
  • General notes: During fresh installs, attempt to select zh_Hans as a language choice.

Basic Server Testing SKIPPED

Application Acceptance Testing SKIPPED

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.7.0 release-specific changes

  • language support changes #5697

    • Simplified Chinese (zh_hans) is a listed option in language support in ./securedrop-admin sdconfig
    • When selected during installation, zh_Hans is listed as 中文 (简体) in the interfaces' language dropdown, and is selectable with pages then rendered in Simplified Chinese
    • With cleared browser data and the browser language set to traditional Chinese ("Chinese(Taiwan)") the interfaces are rendered in traditional Chinese by default FAIL - English
    • The Source Interface metadata endpoint lists zh_Hans when selected during installation
  • TOTP secret style has been changed to match screenshot in PR #5574

  • v3 banner notification changes #5679

    • With v2 and v3 services both enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Complete the v3 Onion Services setup". N/A
    • With only v2 services enabled, a red banner is displayed on Journalist Interface pages after login, with a message starting with "Set up v3 Onion Services before April 30". N/A
    • With only v3 services enabled, no red banner is displayed on Journalist Interface pages after login.
    • No red banner is displayed on the login page in any of the 3 above cases
  • Added error handling for missing file deletions #5549

    • Log in to the Source Interface and submit 3 or more messages as a single source
    • Log in to the Journalist Interface and reply to the source from the previous step
    • log in to the application server, find the source's submission files under /var/lib/securedrop/store, and delete the reply file and one of the submissions
    • in the Journalist Interface on the source's collection page, select the reply, the deleted message, and one other message, and delete the messages via Delete Selected
    • Deletion completes without error and all 3 rows are removed
    • on the Application server, errors are logged relating to the missing files in /var/log/apache2/journalist-error.log
    • in the Journalist Interface on the source's collection page, delete the source via Delete Source and Submissions
    • the source collection is deleted and the source is no longer listed on the Journalist Interface
    • the source submissions directory is removed from /var/lib/securedrop/store
  • Added error handling for missing file downloads #5573

    • Log in to the Source Interface and submit two messages
    • Log in to the Application Server and delete the first submission file from the source's directory under /var/lib/securedrop/store
    • Log into the Journalist Interface
    • When the source's 2 unread button is clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download Unread clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • When the source's checkbox is selected and Download clicked:
      • a flash error message is displayed and the number of unread messages is still 2
    • Click through to the source's collection page:
    • When Select All and Download Selected are clicked:
      • A flash error message is displayed and the missing message's status remains unread
    • When the missing message is clicked:
      • A flash error message is displayed and the missing message's status remains unread
  • Show session expiry message only for users that have generated a codename #5582

    • Log in to the application server and update the value of SESSION_EXPIRATION_MINUTES from 120 to 2 in /var/www/securedrop/config.py, then restart Apache with sudo systemctl restart apache2
    • Visit the Source interface index page, and wait for slightly more than 2 minutes. Reload the index page, and verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started, wait slightly over 2 minutes after the codename generation page is displayed, then visit the Source Interface index page again. Verify that no session expiry error message is displayed.
    • Click the New Identity icon in the Tor Browser to clear current browser data and visit the Source Interface again. Click Get Started and then SUBMIT DOCUMENTS. Wait just over 2 minutes, reload the page, and verify that the index page is rendered instead of /lookup with a session expiry error message displayed.
  • Add functionality to set organization name #5629

    • Log in to the Journalist Interface with an admin account and navigate to the Instance Config page
    • Set the Organization Name to a string with less than 75 chars
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces
    • Set the Organization Name to a string with less than 75 chars including HTML formatting
      • The organization name is used in page titles and logo alt texts on the Source And Journalist Interfaces with HTML formatting escaped.
    • Set the Organization Name to a string with more than 75 chars
      • An error message is flashed and the organization name is not updated
    • Set the Organization Name to a blank value
      • An error message is flashed and the organization name is not updated
  • Visit Source Interface on the latest Tor Browser on MacOS and verify that the TBB warning notice is not displayed #5647

  • Reset journalist passwords without errors #5618

    • Log in to the Journalist Interface with a journalist account
    • Log out, then log in again with an admin account and edit the previous account
      • The journalist account's password can be reset repeatedly without errors
  • Update references to submission key on Source Interface #5651

    • Log in to the Source Interface and verify that the "public key" link points to /public-key and that /public-key is functional, downloading the Submission Public Key
    • Verify that the "learn more" link points to /why-public-key, and that /why-public-key is functional
    • Verify that the download link on /why-public-key points to /public-key
    • Verify that navigating to /journalist-key redirects to /public-key
  • Update navigation "Back" link icons on web interfaces #5641

    • PNG < icon replaces « on /why-public-key on Source Interface
    • PNG < icon replaces « on Add User page on Admin Interface
    • PNG < icon replaces « on Edit User page on Admin Interface
    • PNG < icon replaces « on Instance Config page on Admin Interface
  • Verify that an OSSEC alert is sent on a daily schedule if v2 onion services are enabled #5682 N/A

  • Verify that directory permissions are set to 700 on /var/ossec/.gnupg and to 600 on its files on the Monitor Server #5330

  • Verify that Tor is updated to v0.4.4.6 on the Application and Monitor Servers #5648

  • Verify that cryptography is updated to v3.2.1 in the securedrop-app-code virtual environment on the Application Server #5612

RC4-specific testing

#5718, #5726
  • On a v2+v3 install, disabling v2 removes the v2 ssh config in /etc/tor/torrc and no ossec alerts are sent about v2 deprecation after running the playbook N/A
  • The banner disappears on a simple page refresh (without rebooting or apache restart) N/A
#5721, #5722
  • Submit multiple files via the SI, delete manually one from the store on the app server, files can be downloaded via "N unread" or select all download link on JI. - FAILS - instead get flashed error on existing page, which I think is actually correct based on the original PR
#5724
  • Submit multiple files via the SI, delete manually one or more from the store on the app server. After manually deleting the files on disk, submit a new file as that source. Zero-length files are not created

Preflight

  • Ensure the builder image is up-to-date on release day

These tests should be performed the day of release prior to live debian packages on apt.freedom.press

Basic testing

  • Install or upgrade occurs without error
  • Source interface is available and version string indicates it is 1.7.0
  • A message can be successfully submitted

Tails

  • The updater GUI appears on boot
  • The update successfully occurs to 1.7.0
  • After reboot, updater GUI no longer appears
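
The permissions item in the checklists above (700 on /var/ossec/.gnupg, 600 on its files, #5330) can be scripted as follows. This is an added example, not part of the QA reports or the SecureDrop code base; the function names and the demo tree are hypothetical, and it assumes subdirectories are held to 700 as well.

```shell
#!/bin/sh
# Audit a GnuPG home: directories must be mode 700, regular files mode 600.
# Prints each offending path. Returns 0 if clean, 1 on a wrong mode,
# 2 if the directory does not exist.
# Assumption: subdirectories are held to 700 like the top-level directory.
check_gnupg_perms() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 2
    fi
    # A bare octal -perm matches the mode exactly, so anything looser
    # (or stricter) than the expected value is reported.
    offenders=$(find "$dir" \( -type d ! -perm 700 -o -type f ! -perm 600 \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed stand-in for /var/ossec/.gnupg so the check runs anywhere.
make_demo_home() {
    demo=$(mktemp -d)
    chmod 700 "$demo"
    : > "$demo/pubring.gpg"
    : > "$demo/trustdb.gpg"
    chmod 600 "$demo/pubring.gpg" "$demo/trustdb.gpg"
    echo "$demo"
}

# Demo: a compliant tree passes, then one loosened file is reported.
home=$(make_demo_home)
check_gnupg_perms "$home" && echo "clean: $home"
chmod 644 "$home/pubring.gpg"
check_gnupg_perms "$home" || echo "wrong mode on the path(s) listed above"
rm -rf "$home"

# On the Monitor Server, as root: check_gnupg_perms /var/ossec/.gnupg
```

The exit status makes the function usable as a pass/fail step in an automated run, with the printed paths going into the QA report.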

@emkll

emkll commented Jan 28, 2021

SecureDrop 1.7.0 was released on January 26th. The only outstanding task in this ticket is to build and upload the upgrade boxes. With the release of #5758, and because only a single version of upgrade boxes is supported in the tooling, there is little benefit to building 1.7.0 upgrade boxes. We will provide 1.7.1 upgrade boxes, tracked in #5758.

@emkll emkll closed this as completed Jan 28, 2021
@eloquence eloquence unpinned this issue Feb 2, 2021