
Add Focal staging environment for Qubes #5556

Merged 1 commit from qubes-staging-focal into develop on Oct 16, 2020
Conversation

rmol (Contributor) commented Oct 5, 2020

Status

Ready for review

Description of Changes

Adds a Focal staging environment on Qubes.

Incorporates GPG keyring fix from @kushaldas to get source submission working.

Towards #5468.

Fixes #5523.
Fixes #5499.

Testing

On Qubes, destroy any existing staging environments. If you have Xenial base qubes, rename them to append -xenial, e.g.:

  • sd-staging-base -> sd-staging-base-xenial
  • sd-staging-app-base -> sd-staging-app-base-xenial
  • sd-staging-mon-base -> sd-staging-mon-base-xenial

If you haven't yet set up a staging environment on Qubes, follow the current documentation, but append -xenial to all the VMs whose names end in -base, as we now need to distinguish between the releases.

Run make staging and ensure that the Xenial staging environment still works.

To test Focal, follow the current documentation to create base VMs ending in -focal. The Ubuntu installation process and subsequent customization is pretty similar, except when adjusting the app and mon servers' network configuration: on Focal you'll need to edit /etc/netplan/00-installer-config.yaml instead of /etc/network/interfaces. You can use the same IP addresses as in your Xenial base VMs, as it's not yet possible to run both simultaneously (that would require changing the production location of Tor service files written under install_files/ansible-base), and reusing them simplifies sys-firewall configuration.

Run make staging-focal and ensure that it creates a functional Focal staging environment.

Deployment

This includes two changes to production configuration:

  • The GPG keyring on the app server is imported with an explicit location (pubring.gpg) to preserve existing behavior on Focal, where gpg would otherwise prefer pubring.kbx.

  • The Apache AppArmor configuration makes /usr/bin/dash, /usr/bin/touch, and /usr/bin/uname executable by Apache; they used to be invoked from /bin.

Checklist

If you made changes to the system configuration:

(Running the configuration tests on Qubes will still have failures, but there should be no new failures with this branch.)

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR
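The one Focal-specific step in the testing instructions above is replacing the app/mon static address in /etc/network/interfaces with the netplan form in /etc/netplan/00-installer-config.yaml. The following is an added example of that conversion, not code from this PR or from the SecureDrop docs: `netmask_to_prefix` and `interfaces_to_netplan` are hypothetical helpers, and the interface name, addresses and sample stanza are constructed placeholders rather than the documented staging values. It refuses masks that are not a contiguous run of 1-bits and stanzas missing an address, netmask or gateway, since applying such a file leaves the VM unreachable.

```shell
#!/bin/sh
# Added example (not SecureDrop code): render the netplan equivalent of a
# Xenial /etc/network/interfaces static stanza for a Focal base VM.
# Interface name and addresses below are constructed placeholders.

# netplan wants a CIDR prefix length; interfaces used a dotted-quad netmask.
# Rejects non-contiguous masks (e.g. 255.0.255.0) and malformed input.
netmask_to_prefix() {
    _prefix=0; _count=0; _partial=0
    _oldifs=$IFS; IFS=.
    for _octet in $1; do
        _count=$((_count + 1))
        if [ "$_partial" = 1 ] && [ "$_octet" != 0 ]; then
            IFS=$_oldifs; echo "non-contiguous netmask: $1" >&2; return 1
        fi
        case $_octet in
            255) _prefix=$((_prefix + 8)) ;;
            254) _prefix=$((_prefix + 7)); _partial=1 ;;
            252) _prefix=$((_prefix + 6)); _partial=1 ;;
            248) _prefix=$((_prefix + 5)); _partial=1 ;;
            240) _prefix=$((_prefix + 4)); _partial=1 ;;
            224) _prefix=$((_prefix + 3)); _partial=1 ;;
            192) _prefix=$((_prefix + 2)); _partial=1 ;;
            128) _prefix=$((_prefix + 1)); _partial=1 ;;
            0)   _partial=1 ;;
            *) IFS=$_oldifs; echo "bad netmask octet: $_octet" >&2; return 1 ;;
        esac
    done
    IFS=$_oldifs
    [ "$_count" = 4 ] || { echo "netmask needs 4 octets: $1" >&2; return 1; }
    echo "$_prefix"
}

# Reads one "iface X inet static" stanza on stdin and prints netplan YAML.
# Fails instead of emitting a file that would cut the VM off after
# `netplan apply`.
interfaces_to_netplan() {
    _iface=; _addr=; _mask=; _gw=; _dns=
    while read -r _key _val _rest; do
        case $_key in
            iface)           _iface=$_val ;;
            address)         _addr=$_val ;;
            netmask)         _mask=$_val ;;
            gateway)         _gw=$_val ;;
            dns-nameservers) _dns=$(printf '%s %s' "$_val" "$_rest" |
                                 sed 's/[[:space:]]*$//; s/[[:space:]]\{1,\}/, /g') ;;
        esac
    done
    if [ -z "$_iface" ] || [ -z "$_addr" ] || [ -z "$_mask" ] || [ -z "$_gw" ]; then
        echo "stanza is missing iface/address/netmask/gateway" >&2; return 1
    fi
    _prefix=$(netmask_to_prefix "$_mask") || return 1
    # gateway4 is the form the Focal installer writes into 00-installer-config.yaml.
    printf '%s\n' \
        'network:' \
        '  version: 2' \
        '  renderer: networkd' \
        '  ethernets:' \
        "    $_iface:" \
        '      dhcp4: false' \
        "      addresses: [$_addr/$_prefix]" \
        "      gateway4: $_gw"
    [ -n "$_dns" ] && printf '%s\n' '      nameservers:' "        addresses: [$_dns]"
    return 0
}

# Constructed sample stanza in the Xenial style; the addresses are placeholders,
# not the values from the SecureDrop staging documentation.
SAMPLE_STANZA='auto eth0
iface eth0 inet static
    address 10.20.2.2
    netmask 255.255.255.0
    gateway 10.20.2.1
    dns-nameservers 10.20.2.1'

# Demo: what would be written to /etc/netplan/00-installer-config.yaml.
printf '%s\n' "$SAMPLE_STANZA" | interfaces_to_netplan
```

On the real Focal base VM, write the rendered file with mode 0600 and run `sudo netplan try` before `sudo netplan apply`, so a mistake is rolled back automatically rather than leaving the qube without a network path back in. Keeping the same addresses as the Xenial VMs, as the description says, means the sys-firewall rules need no change.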

@rmol rmol force-pushed the qubes-staging-focal branch from 0045789 to 323132f Compare October 5, 2020 21:28
Incorporates GPG keyring fix from @kushaldas to get source submission working.
@rmol rmol force-pushed the qubes-staging-focal branch from 323132f to ea5bfd3 Compare October 14, 2020 19:53
@kushaldas kushaldas mentioned this pull request Oct 15, 2020
53 tasks
@zenmonkeykstop zenmonkeykstop self-assigned this Oct 15, 2020
zenmonkeykstop (Contributor) left a comment

Set up xenial and focal environments, built respective deb versions and stood up respective staging environments:

  • make staging works correctly
  • make staging-focal works correctly

Two points of note:

  • on a stock 4.0.3 install, a dom0 prompt asking for permission to run admin.vm.mic.List is displayed when running make staging*, as the default policy setting for this is ask. This can just be denied, and is outside the scope of the PR, so I'll put in a docs PR to note it (and to update the setup instructions in general).
  • on switching between the two staging environments, host key verification fails (same IP, different host keys). This could also be handled by a docs update asking the user to add StrictHostKeyChecking no for the two IPs in their .ssh/config but it might be better just to live with it and instruct them to nuke the known_hosts entries instead.
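The review's second point is a host-key clash: both staging flavours answer at the same address with different keys. The two options it mentions, plus a third that avoids the clash altogether, side by side as an added example (not code from this PR or the SecureDrop docs; the host alias names, the 10.20.2.2 and 10.20.3.2 addresses and the known_hosts lines are constructed placeholders, and `forget_host`, `weak_ssh_config` and `per_flavour_ssh_config` are hypothetical helpers). `StrictHostKeyChecking no` makes ssh proceed whatever key the address presents, so a spoofed or misrouted host would not be noticed; giving each flavour its own UserKnownHostsFile keeps a separate trust-on-first-use pin per environment instead.

```shell
#!/bin/sh
# Added example (not SecureDrop code): dealing with the host-key clash when
# the Xenial and Focal staging VMs share an IP. Names, addresses and key
# blobs below are constructed placeholders.

# The weak option: accept whatever key that address presents. This disables
# MITM detection for the host, so use it only if you accept that trade-off.
weak_ssh_config() {
    printf '%s\n' \
        "Host $1" \
        '    StrictHostKeyChecking no'
}

# The safer option: one known_hosts file per staging flavour, so each keeps its
# own pin and switching between xenial and focal never trips the check.
per_flavour_ssh_config() {
    # $1 flavour (xenial|focal), $2 alias to ssh to, $3 address
    printf '%s\n' \
        "Host $2" \
        "    HostName $3" \
        "    UserKnownHostsFile ~/.ssh/known_hosts.sd-staging-$1" \
        '    StrictHostKeyChecking ask'
}

# The "nuke the entries" option: drop every plain entry naming the host.
# Hashed (|1|...) lines cannot be matched by name here and are kept; use
# `ssh-keygen -R <host>` for those. Comments, blanks and @marker lines are
# handled, and the file is rewritten via a 0600 temp file.
forget_host() {
    # $1 known_hosts file, $2 host name or address to forget
    _tmp=$(mktemp) || return 1
    awk -v host="$2" '
        /^[[:space:]]*(#|$)/ { print; next }     # comments and blank lines
        /^\|1\|/ { print; next }                 # hashed entry: needs ssh-keygen -R
        {
            f = ($1 ~ /^@/) ? $2 : $1            # skip @cert-authority/@revoked marker
            n = split(f, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == host) next
            print
        }' "$1" > "$_tmp" && mv "$_tmp" "$1"
}

# Constructed known_hosts content; the key blobs are placeholders, not real keys.
make_sample_known_hosts() {
    _f=$(mktemp) || return 1
    printf '%s\n' \
        '10.20.2.2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIXENIALAPPPLACEHOLDER' \
        '10.20.3.2,sd-staging-mon ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIXENIALMONPLACEHOLDER' \
        '|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHASHEDPLACEHOLDER' \
        > "$_f"
    echo "$_f"
}

# Demo: forget the app server pin, then show the per-flavour config stanza.
KH=$(make_sample_known_hosts)
forget_host "$KH" 10.20.2.2
cat "$KH"            # 10.20.2.2 is gone; mon and hashed entries remain
rm -f "$KH"
echo '---'
per_flavour_ssh_config focal sd-staging-app-focal 10.20.2.2
```

With the per-flavour stanzas you connect to `sd-staging-app-focal` or `sd-staging-app-xenial` rather than the bare address, and the first connection to each still prompts once so the key can be checked against the VM. Ubuntu's default `HashKnownHosts yes` means entries written by a normal ssh session are hashed, which is why `forget_host` only clears plain entries and defers the rest to `ssh-keygen -R`.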

@zenmonkeykstop zenmonkeykstop merged commit dbc129a into develop Oct 16, 2020