Rotate the SecureDrop Release Signing Key

[conorsch]

Description

The release signing key is coming up for renewal, due to expire on 2021-06-30. Typically we bump expiry by ~1y and press on with the same keypair. We've been using 22245C81E3BAEB4138B36061310F561200F4AD77 for almost 5 years now. With SD v2 coming up, we're in a good position to make a full rotation, via the securedrop-keyring for servers & Workstation.

Opening this ticket as a catch-all for related changes, such as PRs, so they can cross-link for tracking purposes. There are a number of places to update outside version control, such as URLs on the website.

We'll take it slow: first, generate a new keypair, and add that to the securedrop-keyring package. In a subsequent release, we can follow up with removing the old keypair, and proceed with formal revocation published to keyservers once it's no longer used.

Sub-tasks

• Use new signing key in SecureDrop Server
  • Add new pubkey to server keyring - Adds new pubkey for Release Signing Key #5930
  • Update docs to note that post 2.0.0 tags will be signed with new signing key
  • Use old key to sign 2.0.0 tag (required by updater as per securedrop-admin does not include new UID in signature check #5994)
  • Use new key to sign repository's focal Release file.
  • Include information about new signing key in release comms (both fingerprints, maybe link to signed transition statement)
  • Update signing key file and footer references on https://securedrop.org (post-release)
  • Use new key to sign a subsequent point release (2.0.1) (Release SecureDrop 2.0.1 #6034)
  • Remove old key from securedrop-keyring package (after 2.0.0) - Removes old release signing key from securedrop-keyring #5979
• Add new pubkey to dom0 (and sys-firewall) in Workstation - Update signing key in dom0 securedrop-workstation#697
• Add new pubkey to domU (TemplateVMs in Workstation) - Update securedrop-keyring package for TemplateVMs securedrop-builder#249
• Build new Workstation template including new keyring package - Rebuild TemplateVM with updated signing key qubes-template-securedrop-workstation#20
• Update HTTPS-Everywhere ruleset config - upstream Tor Browser ticket
  • Create new URL https://securedrop.org/https-everywhere-2021/
  • Create new JWK based on RSA pubkey.
  • Resign ruleset with new key, push to branch "key-rotation-2021" in https://github.com/freedomofpress/securedrop-https-everywhere-ruleset
  • Test new ruleset in Tor Browser release candidate build
  • Confirm new channel is shipped in Tor Browser stable release
• Prior to 2021-06-30: Resign https://apt.freedom.press Release files (for all distros) with new key
• Prior to 2021-06-30: Resign RPM files in https://yum.securedrop.org with new key
• Re-sign Buster Release file to only use the new key: https://github.com/freedomofpress/securedrop-debian-packages-lfs/pull/54
• Release SecureDrop 2.0.1 signed with new key: Release SecureDrop 2.0.1 #6034
• Update Debian packaging logic: Update signing key fingerprint securedrop-builder#261
• After grace period, retire HTTPSEverywhere endpoint signed with old key: After grace period, deactivate old endpoint and update main branch/deploy logic securedrop-https-everywhere-ruleset#64
• Re-sign SecureDrop Workstation RPM with new key: Resigns sdw-dom0-config 0.5.5 with new key securedrop-yum-prod#21
• Update SecureDrop Workstation signing key docs: Update signing key securedrop-workstation-docs#82
• Perform Workstation clean install with "prod" settings to verify key info and docs

[conorsch]

Here's a dual-signed transition statement, to aid in review of the forthcoming rotation changes:

Transition statement for the SecureDrop Release Signing Key, 2021-05

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

The SecureDrop Release Signing Key will transition to a new fingerprint,
and new UID. The current key information is:

pub   rsa4096/0x310F561200F4AD77 2016-10-20 [SC] [expires: 2021-06-30]
      Key fingerprint = 2224 5C81 E3BA EB41 38B3  6061 310F 5612 00F4 AD77
uid                   [ultimate] SecureDrop Release Signing Key
uid                   [ultimate] SecureDrop Release Signing Key <[email protected]>

The new key information is:

pub   rsa4096/0x188EDD3B7B22E6A3 2021-05-10 [SC] [expires: 2022-07-04]
      Key fingerprint = 2359 E653 8C06 13E6 5295  5E6C 188E DD3B 7B22 E6A3
uid                   [ultimate] SecureDrop Release Signing Key <[email protected]>
sub   rsa4096/0x6275A4BA4C71447A 2021-05-10 [E] [expires: 2022-07-04]

This message is signed with both keys, to attest that the transition
is authorized by the SecureDrop team.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEIiRcgeO660E4s2BhMQ9WEgD0rXcFAmCZcXsACgkQMQ9WEgD0
rXcmUw//bChK0GP2NkPuBzuUieFKIIRLo6mFqx/RdzYcaSkswSGdiDPZ4IPH0rPd
qo3IBUsfL12Ln565lHhig9tEwzahQjEPfWorJBPtzjbVDKC15J6tB1Qkp6Tx95ZI
oO8cevtyLxQb10bqlVG0J88bE8HF6pboGSGD06uFcOPUb/DHDRM/V2mJRvjRD8bW
TW9Q9J+24fgQT18kagYtvFEYXkkJfTscXO3xWSzt5UGa1L/VKLHTggfwZ5qmf0hV
6QN2Vr9T5+BEhJ6GCDZBdGrixM6s3d7glE5s37/9J6Y0Hw1qbCv0A/EdCfVldeEO
o/AbOXnwABjniRdbQ7Qj/4Hs4uvGPbDNrVp5/lMKMRwUbrFuOeo9fviCuGx+u0fH
hEVUWaa14uhcAC2olIMRiHOOtbxWsv9SSzd5Tsk64ZUMTCb0JmGSjwiDtsw4nuaE
T+c9hl/QhAjK53ROizCTY0GjLZxpJroqhAJ9FjTNibi01XYrDq8NqJpL6KCbCYef
63rscGTEFB1vsMSvfmmZ04ev22v22P4QdghgcGnK1xq+DfsrnTEE7TyURwYvVnWV
0mqdaMhnZ/oVpvSszQEYI+TJynmmLnwWaNSAk//YDpk8u6y7EoNznC0zRI7m9rX8
LyhI4lvhRy2Cp3a1r5OQOpAJ3sCarOzZ67LuWydA4ebaYpwaUEOJAjMEAQEKAB0W
IQQjWeZTjAYT5lKVXmwYjt07eyLmowUCYJlxewAKCRAYjt07eyLmozacD/9dyRer
hMcNiQmKFEzNIIJulaz+GKvGTMN42S8cFPH7wVPcgsn3grvBV6ZWMHPKSUrw2H8e
h9QG85DiL4K/k+fIHUOBr3hV0mrNcPpZtgquiFqH3xLD5Kdgx4qIKgMQ8aoMsIke
LIJJWtcLyeiD/9TQlU0R/kcyndIqSkYnEOCk6w+PzjkXR7zdYOFyVEGBSW4MGvJW
TJD+sxdbVr8nJ4W2SHo1XBNYNpyd7mbh1wY8edY8s9xyggyfWtTOZg5VKku5haIZ
WTxEpPJ6jdImLfmaG30r74mLUW3ggnLJEQ0Lvhuo72b5AZ1pkH9++UVAA4dVT7Qp
PRtPwsGwYayXKzBA2LL8sCNWYSoIl5dsk1FNoNe5Dz7YqTLgV22BJojii/A976hA
tiluDLOPceJjcQI06IIeoditByYax9nbim97l+dtTncDGugz+gj37c5c49sZeOFX
+Y3dB1nElJ+1iQuqoPmU6maGIknjiKzineGV8tp+Jr4eNgLzjruxpp36MwMSyTDB
In8x8JZSB89qvmXEwvQvVpKwhgp+LOZOIxKsbiuf+tbrkGPJhDVHCgU2yWxu9c49
GcTofKLpE5JO8NBi5oquH6xTdoH9qO4EDTeuMlNFB3uXGTk2XMsmo1uFJTe5qyej
TApZUcXI8KFjTdQF8QjctaKHNeTvuhYQKFXjYw==
=h5TY
-----END PGP SIGNATURE-----

[zenmonkeykstop]

Seems legit:

$ gpg --verify transition-2.txt 
gpg: Signature made Mon May 10 13:46:35 2021 EDT
gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2224 5C81 E3BA EB41 38B3  6061 310F 5612 00F4 AD77
gpg: Signature made Mon May 10 13:46:35 2021 EDT
gpg:                using RSA key 2359E6538C0613E652955E6C188EDD3B7B22E6A3
gpg: Good signature from "SecureDrop Release Signing Key <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2359 E653 8C06 13E6 5295  5E6C 188E DD3B 7B22 E6A3

[eloquence]

(Re-milestoned to 2.0.0 now that the 1.8.2 part of this task has been completed.)

[eloquence]

During this sprint we will need to:

• Remove the old signing key preparatory to the 2.0.0 release
• Handle the SecureDrop Workstation signing key rotation, also in two stages (Rebuild TemplateVM with updated signing key qubes-template-securedrop-workstation#20, Update securedrop-keyring package for TemplateVMs securedrop-builder#249 and Update signing key in dom0 securedrop-workstation#697)

We'll likely also want to make progress towards publishing an HTTPSE ruleset signed with the new key (freedomofpress/securedrop-https-everywhere-ruleset#54).

As part of the release, we will also need to update the key published on securedrop.org (freedomofpress/securedrop.org#851).

[eloquence]

Overview of current state and desired state by component:
https://docs.google.com/spreadsheets/d/1vBNyEGuJEmWvu-3_N1NAJJEJAl-j3pdGdt-PjI-uiPg/edit#gid=0

[eloquence]

Due to #5994, it may be necessary to sign the 2.0.0 tag using the old key, to avoid broken updates using the graphical updater. (Even when the fix for that issue is merged and backported, users will still be running the old updater code on their workstations by the time they need to get to 2.0.0.)

[eloquence]

We're mostly done, updated epic with remaining tasks.

[conorsch]

With the latest docs changes merged as part of freedomofpress/securedrop-workstation-docs#82, we've completed the final items on the checklist, so I'm closing. Great job, all!