SecureDrop 1.8.1-rc1 - version bump and cherry-picked changes.

.circleci/config.yml

@@ -100,7 +100,7 @@ jobs:
       enabled: true
     environment:
       DOCKER_API_VERSION: 1.23
-      BASE_OS: xenial
+      BASE_OS: focal
     steps:
       - checkout
       - *rebaseontarget
@@ -115,8 +115,8 @@ jobs:
       - run:
           name: Run all linters but shellcheck
           command: |
-            fromtag=$(docker images |grep securedrop-test-xenial-py3 |head -n1 |awk '{print $2}')
-            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "/opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/develop-requirements.txt && make -C .. ansible-config-lint app-lint flake8 html-lint typelint yamllint"
+            fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
+            DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "/opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/develop-requirements.txt && make -C .. ansible-config-lint app-lint flake8 html-lint typelint yamllint"
 
       - run:
           name: Run shellcheck

admin/requirements-dev.in

@@ -6,7 +6,7 @@ mock
 pbr
 pip==19.3.1
 pip-tools==4.5.1
-pylint==2.5.0
+pylint>=2.7.0; python_version > '3.6'
 pytest==3.2.0
 requests>=2.22.0
 tox

admin/requirements-dev.txt

@@ -4,9 +4,9 @@
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=requirements-dev.txt requirements-dev.in
 #
-astroid==2.4.2 \
-    --hash=sha256:2f4078c2a41bf377eea06d71c9d2ba4eb8f6b1af2135bec27bbbb7d8f12bb703 \
-    --hash=sha256:bc58d83eb610252fd8de6363e39d4f1d0619c894b0ed24603b881c02e64c7386 \
+astroid==2.5.2 \
+    --hash=sha256:6b0ed1af831570e500e2437625979eaa3b36011f66ddfc4ce930128610258ca9 \
+    --hash=sha256:cd80bf957c49765dce6d92c43163ff9d2abc43132ce64d4b1b47717c6d2522df \
     # via pylint
 certifi==2018.4.16 \
     --hash=sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7 \
@@ -137,9 +137,9 @@ pyflakes==1.6.0 \
     --hash=sha256:08bd6a50edf8cffa9fa09a463063c425ecaaf10d1eb0335a7e8b1401aef89e6f \
     --hash=sha256:8d616a382f243dbf19b54743f280b80198be0bca3a5396f1d2e1fca6223e8805 \
     # via flake8
-pylint==2.5.0 \
-    --hash=sha256:588e114e3f9a1630428c35b7dd1c82c1c93e1b0e78ee312ae4724c5e1a1e0245 \
-    --hash=sha256:bd556ba95a4cf55a1fc0004c00cf4560b1e70598a54a74c6904d933c8f3bd5a8 \
+pylint==2.7.4 ; python_version > "3.6" \
+    --hash=sha256:209d712ec870a0182df034ae19f347e725c1e615b2269519ab58a35b3fcbbe7a \
+    --hash=sha256:bd38914c7731cdc518634a8d3c5585951302b6e2b6de60fbb3f7a0220e21eeee \
     # via -r requirements-dev.in
 pytest-catchlog==1.2.2 \
     --hash=sha256:4be15dc5ac1750f83960897f591453040dff044b5966fe24a91c2f7d04ecfcf0 \
@@ -156,7 +156,7 @@ requests==2.22.0 \
 six==1.15.0 \
     --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \
     --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced \
-    # via astroid, mock, pip-tools, tox
+    # via mock, pip-tools, tox
 toml==0.10.1 \
     --hash=sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f \
     --hash=sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88 \

admin/requirements-testinfra.txt

@@ -202,18 +202,36 @@ pytest==6.1.1 \
     --hash=sha256:7a8190790c17d79a11f847fba0b004ee9a8122582ebff4729a082c109e81a4c9 \
     --hash=sha256:8f593023c1a0f916110285b6efd7f99db07d59546e3d8c36fc60e2ab05d3be92 \
     # via -r requirements-testinfra.in, pytest-forked, pytest-xdist, testinfra
-pyyaml==5.3.1 \
-    --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \
-    --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \
-    --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \
-    --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \
-    --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \
-    --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \
-    --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \
-    --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \
-    --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \
-    --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \
-    --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \
+pyyaml==5.4.1 ; python_version > "3.6" \
+    --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \
+    --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \
+    --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \
+    --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \
+    --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \
+    --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \
+    --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \
+    --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \
+    --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \
+    --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \
+    --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \
+    --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \
+    --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \
+    --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \
+    --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \
+    --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \
+    --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \
+    --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \
+    --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \
+    --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \
+    --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \
+    --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \
+    --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \
+    --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \
+    --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \
+    --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \
+    --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \
+    --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \
+    --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 \
     # via -r requirements.in, ansible
 six==1.15.0 \
     --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \

admin/requirements.in

@@ -1,5 +1,5 @@
 markupsafe>=1.1
 prompt_toolkit==2.0.9
-pyyaml>=5.3.1
+pyyaml>=5.4.1; python_version > '3.6'
 setuptools>=46.0.0
 six==1.15.0

admin/requirements.txt

@@ -111,18 +111,36 @@ prompt_toolkit==2.0.9 \
 pycparser==2.18 \
     --hash=sha256:99a8ca03e29851d96616ad0404b4aad7d9ee16f25c9f9708a11faf2810f7b226 \
     # via cffi
-pyyaml==5.3.1 \
-    --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \
-    --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \
-    --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \
-    --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \
-    --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \
-    --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \
-    --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \
-    --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \
-    --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \
-    --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \
-    --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \
+pyyaml==5.4.1 ; python_version > "3.6" \
+    --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \
+    --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \
+    --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \
+    --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \
+    --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \
+    --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \
+    --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \
+    --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \
+    --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \
+    --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \
+    --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \
+    --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \
+    --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \
+    --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \
+    --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \
+    --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \
+    --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \
+    --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \
+    --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \
+    --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \
+    --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \
+    --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \
+    --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \
+    --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \
+    --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \
+    --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \
+    --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \
+    --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \
+    --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 \
     # via -r requirements.in, ansible
 six==1.15.0 \
     --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \

changelog.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.8.1~rc1
+
+* Install a fixed version of setuptools-scm before building packages (#5877)
+* Update pylint from 2.5.0 to 2.7.4, pyyaml from 5.3.1 to 5.4.1 (#5884)
+* Suppress OSSEC alert caused by fwupd not being active (#5882)
+* Exclude SSH onion service config from restores (#5886)
+* Add support for custom logos in backups (#5880)
+* Add check for SecureBoot status in installer (#5879)
+
 ## 1.8.0
 
 ### Web applications

install_files/ansible-base/group_vars/all/securedrop

@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml
-securedrop_version: "1.8.0"
+securedrop_version: "1.8.1~rc1"
 securedrop_app_code_sdist_name: "securedrop-app-code-{{ securedrop_version | replace('~', '-') }}.tar.gz"
 
 grsecurity: true

install_files/ansible-base/roles/backup/files/backup.py

@@ -1,8 +1,11 @@
 #!/opt/venvs/securedrop-app-code/bin/python
 """
-This script is copied to the App server and run by the Ansible playbook. When
-run (as root), it collects all of the necessary information to backup the 0.3
-system and stores it in /tmp/sd-backup-0.3-TIME_STAMP.tar.gz.
+This script is copied to the App server (to /tmp) and run by the Ansible playbook,
+typically via `securedrop-admin`.
+
+The backup file in the format sd-backup-$TIMESTAMP.tar.gz is then copied to the
+Admin Workstation by the playbook, and removed on the server. For further
+information and limitations, see https://docs.securedrop.org/en/stable/backup_and_restore.html
 """
 
 from datetime import datetime
@@ -19,14 +22,17 @@ def main():
 
     sd_code = '/var/www/securedrop'
     sd_config = os.path.join(sd_code, "config.py")
-    sd_custom_logo = os.path.join(sd_code, "static/i/logo.png")
+    sd_custom_logo = os.path.join(sd_code, "static/i/custom_logo.png")
 
     tor_hidden_services = "/var/lib/tor/services"
     torrc = "/etc/tor/torrc"
 
     with tarfile.open(backup_filename, 'w:gz') as backup:
         backup.add(sd_config)
-        backup.add(sd_custom_logo)
+
+        # If no custom logo has been configured, the file will not exist
+        if os.path.exists(sd_custom_logo):
+            backup.add(sd_custom_logo)
         backup.add(sd_data)
         backup.add(tor_hidden_services)
         backup.add(torrc)

install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal

@@ -1,3 +1,9 @@
+securedrop-app-code (1.8.1~rc1+focal) focal; urgency=medium
+
+  * See changelog.md
+
+ -- SecureDrop Team <[email protected]>  Wed, 07 Apr 2021 11:48:22 -0400
+
 securedrop-app-code (1.8.0+focal) focal; urgency=medium
 
   * see changelog.md

install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial

@@ -1,3 +1,9 @@
+securedrop-app-code (1.8.1~rc1+xenial) xenial; urgency=medium
+
+  * See changelog.md
+
+ -- SecureDrop Team <[email protected]>  Wed, 07 Apr 2021 11:47:42 -0400
+
 securedrop-app-code (1.8.0+xenial) xenial; urgency=medium
 
   * See changelog.md 

install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml

@@ -1,8 +1,10 @@
 ---
 
 - name: Install SecureDrop Python requirements in virtualenv for translation work
-  shell: |
-    python3 -m venv /tmp/securedrop-app-code-i18n-ve
+  shell: >
+    set -e &&
+    python3 -m venv /tmp/securedrop-app-code-i18n-ve &&
+    /tmp/securedrop-app-code-i18n-ve/bin/pip3 install "setuptools-scm==5.0.2" &&
     /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt
   tags:
     - pip

install_files/ansible-base/roles/prepare-servers/tasks/main.yml

@@ -22,10 +22,26 @@
       https://github.com/freedomofpress/securedrop/issues/4058
 
 - name: Install python and packages required by installer
-  raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core
+  raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core mokutil
   register: _apt_install_prereqs_results
   changed_when: "'0 upgraded, 0 newly installed, 0 to remove' not in _apt_install_prereqs_results.stdout"
 
+- name: Check SecureBoot status
+  command: mokutil --sb-state
+  changed_when: false
+  failed_when: false # results inspected below
+  register: _mokutil_results
+
+- name: Verify that SecureBoot is not enabled
+  assert:
+    that:
+      - "'SecureBoot enabled' not in _mokutil_results.stdout"
+      - "'SecureBoot enabled' not in _mokutil_results.stderr"
+    fail_msg: >-
+      SecureBoot is enabled. SecureDrop cannot be installed, as it uses a
+      custom kernel that is not signed. Please disable SecureBoot on the
+      target servers and try again.
+
 - name: Remove cloud-init
   apt:
     name: cloud-init

install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml

@@ -0,0 +1,40 @@
+---
+- name: Copy disable_v2.py script
+  copy:
+    src: "{{ role_path }}/files/disable_v2.py"
+    dest: /opt/disable_v2.py
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Execute disable_v2 script
+  command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor source directory
+  file:
+    state: absent
+    path: /var/lib/tor/services/source
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor journalist directory
+  file:
+    state: absent
+    path: /var/lib/tor/services/journalist
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor ssh directory
+  file:
+    state: absent
+    path: /var/lib/tor/services/ssh
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 source_url application file
+  file:
+    state: absent
+    path: /var/lib/securedrop/source_v2_url
+  when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove disable_v2.py script
+  file:
+    state: absent
+    path: /opt/disable_v2.py
+  when: ("V3 services only" in compare_result.stdout)