Adds new pubkey for Release Signing Key

[conorsch]

Status

Ready for review

Description of Changes

Towards #5923

Bumps the version of the securedrop-keyring package, preserving the
old/current release signing key, but adding a new pubkey.

• Old/current fingerprint: 22245C81E3BAEB4138B36061310F561200F4AD77
• New/next fingerprint: 2359E6538C0613E652955E6C188EDD3B7B22E6A3

This this is a soft rotation, we'll make sure that all instances have
the new key first, then later remove reference to the old key.

As with previous updates, here's the command I used to import the new
key into the keyring:

gpg --no-default-keyring --keyring \
install_files/securedrop-keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg \
--import \
install_files/ansible-base/roles/install-fpf-repo/files/fpf-signing-key-2021.pub

Note the tweak to the target file to import, i.e. the "2021" suffix.

Testing

1. Review the transition statement in Rotate the SecureDrop Release Signing Key #5923 (comment)
2. Ensure that the new key introduced in this PR, i.e. 2359E6538C0613E652955E6C188EDD3B7B22E6A3, was used to sign that statement.
3. Ensure that the current/old key, 22245C81E3BAEB4138B36061310F561200F4AD77, was used to sign that statement.
4. Ensure that the keyring changes in this PR preserve the old pubkey while adding the new pubkey.
5. Inspect the GUI updater logic, and confirm it's appropriate for the rotation plan.

Deployment

We intend to include these changes as part of 1.8.2: https://github.com/freedomofpress/securedrop/milestone/73 These changes should be reviewed in the context of ensuring continued updates for both servers and Journalist/Admin Workstations.

[conorsch]

Note that the admin tests will fail during retrieval from keyservers, e.g.

>       assert b'Signature verification failed' in output
E       AssertionError: assert b'Signature verification failed' in b'INFO: Applying SecureDrop updates...\r\nINFO: Checking for SecureDrop updates...\r\nFetching origin\r\nINFO: Update ...r\', \'hkps://keys.openpgp.org\', \'324C978C1CD14C0C2929D7D96FE1D5E9814BE242\']\' returned non-zero exit status 2.\r\n'

That's because the new pubkey has not yet been pushed to keys.openpgp.org. Once this PR and the associated dual-signed transition statement in #5923 are reviewed, we can push as part of review, and confirm all tests are passing.

[zenmonkeykstop]

✔️ Review the transition statement in #5923 (comment)
✔️ Ensure that the new key introduced in this PR, i.e. 324C978C1CD14C0C2929D7D96FE1D5E9814BE242, was used to sign that statement.
✔️ Ensure that the current/old key, 22245C81E3BAEB4138B36061310F561200F4AD77, was used to sign that statement.
✔️ Ensure that the keyring changes in this PR preserve the old pubkey while adding the new pubkey. (built and installed securedrop-keyring, both keys are present on the server and current key is used when checking Release file on apt.fp
✔️ Inspect the GUI updater logic, and confirm it's appropriate for the rotation plan.

Good to go once the new pubkey is available and tests pass.

Publishing pubkey is complicated, let's discuss further

[conorsch]

Thanks for the careful review here, @zenmonkeykstop. I've dismissed your review for now, pending further discussion with the team. Since we're using keys.openpgp.org, which only supports one (1) key per uid, we may need to alter the uid on the next-up pubkey. That'd require regeneration if so.

[conorsch]

OK, @zenmonkeykstop, ready for another look! I've rebased and amended the PR to use a different "new" key. The transition statement in the corresponding issue has been updated with dual-sigs from the proper pair, old and new. Note the slightly altered uid, as you sagely suggested. Ready for another look. If you confirm these changes are well structured, we can proceed with publishing the new pubkey to hagrid and testing Tails workstation behavior.

[zenmonkeykstop]

The transition statement looks good, and both keys are present on a test server, with apt operations that use the old key still working fine, after building and installing the securedrop-keyring package off this branch. IMO we're ok to go with the keyserver upload and final checks on Tails.

[conorsch]

Pushed 2359E6538C0613E652955E6C188EDD3B7B22E6A3 : https://keys.openpgp.org/[email protected] Re-ran the admin tests, and they're passing now. In Tails (4.18), I ran the GUI updater, and it successfully pulled in the new key.

[zenmonkeykstop]

Code changes LGTM, and key and transition statement check out. Approved.