Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Removes old release signing key from securedrop-keyring #5979

Merged
merged 1 commit into from
Aug 13, 2021
Merged

Removes old release signing key from securedrop-keyring #5979

merged 1 commit into from
Aug 13, 2021

Conversation

zenmonkeykstop
Copy link
Contributor

@zenmonkeykstop zenmonkeykstop commented Jun 8, 2021
edited
Loading

Status

Ready for review.

Description of Changes

Towards #5923 .

Removes the key with fingerprint 22245C81E3BAEB4138B36061310F561200F4AD77 from the keyting installed by the securedrop-keyring package.

Testing

  • Ensure that there is only one key in the securedrop-keyring keyring, with fingerprint 2359E6538C0613E652955E6C188EDD3B7B22E6A3
  • Ensure that this key was used to sign the transition statement in Rotate the SecureDrop Release Signing Key #5923
  • make testinfra passes against a staging environment built from this branch.

Deployment

  • fresh 2.0.0 installs will receive only the new key by default
  • instances on 1.8.2 already have both keys - if the repo Release file is signed with either apt operations will work, the keyring package will be updated successfully, and other packages should also be fine regardless of installation order.

Checklist

If you added or removed a file deployed with the application:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

@zenmonkeykstop
Removes old release signing key from securedrop-keyring
d934e03 
- Removed old key from existing keyring using commands:
  ```
  cd install_files/securedrop-keyring
  gpg --no-default-keyring --keyring etc/apt/trusted.gpg.d/securedrop-keyring.gpg \
  --delete-key "22245C81E3BAEB4138B36061310F561200F4AD77"
  ```
- Updated testinfra test to verify that only new signing key is present.
@zenmonkeykstop zenmonkeykstop requested a review from a team as a code owner June 8, 2021 22:07
@zenmonkeykstop zenmonkeykstop added this to the 2.0.0 milestone Jun 8, 2021
@zenmonkeykstop zenmonkeykstop marked this pull request as draft June 8, 2021 22:26
@conorsch
Copy link
Contributor

conorsch commented Jun 8, 2021

We've discussed including this change for v2.0.0, but decided against it: right now, the prod Release file is still signed with the old key, so let's continue to honor that config until we've shipped v2. Then we can follow up in the n+1 release and pull in the changes presented here, as well as yanking out the dual-key logic in e.g. the Tails Workstation admin logic.

@zenmonkeykstop zenmonkeykstop modified the milestones: 2.0.0, 2.1.0 Jun 8, 2021
@zenmonkeykstop zenmonkeykstop marked this pull request as ready for review July 8, 2021 20:55
@conorsch conorsch self-assigned this Aug 13, 2021
@conorsch
Copy link
Contributor

Testing locally:

$ mkdir -m 700 -p /tmp/sd-keyring-test
$ gpg --homedir /tmp/sd-keyring-test --no-default-keyring --import install_files/securedrop-keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg gpg: keybox '/tmp/sd-keyring-test/pubring.kbx' created
gpg: /tmp/sd-keyring-test/trustdb.gpg: trustdb created
gpg: key 188EDD3B7B22E6A3: public key "SecureDrop Release Signing Key <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ gpg --homedir /tmp/sd-keyring-test --no-default-keyring --keyring /tmp/sd-keyring-test/pubring.kbx -k
/tmp/sd-keyring-test/pubring.kbx
--------------------------------
pub   rsa4096 2021-05-10 [SC] [expires: 2022-07-04]
      2359E6538C0613E652955E6C188EDD3B7B22E6A3
uid           [ unknown] SecureDrop Release Signing Key <[email protected]>
sub   rsa4096 2021-05-10 [E] [expires: 2022-07-04]
$

That's what we want!

conorsch
conorsch approved these changes Aug 13, 2021
View reviewed changes
Copy link
Contributor

@conorsch conorsch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, let's queue it up for 2.1.0.

@conorsch conorsch merged commit 57aa2d4 into develop Aug 13, 2021
@conorsch conorsch mentioned this pull request Aug 18, 2021
Closed
27 tasks
@cfm cfm mentioned this pull request Oct 8, 2021
Closed
26 tasks
conorsch pushed a commit that referenced this pull request Oct 12, 2021
Remove old apt key from Ansible logic
671c6c8 
Follow-up to #5979. Removes the old, i.e.
22245C81E3BAEB4138B36061310F561200F4AD77, apt key from the Ansible
install-time logic. The key has been expired since 2021-06-30.
conorsch pushed a commit that referenced this pull request Oct 12, 2021
Remove old apt key from Ansible logic
8780cae 
Follow-up to #5979. Removes the old, i.e.
22245C81E3BAEB4138B36061310F561200F4AD77, apt key from the Ansible
install-time logic. The key has been expired since 2021-06-30.
@conorsch conorsch mentioned this pull request Oct 12, 2021
Merged
zenmonkeykstop pushed a commit that referenced this pull request Oct 12, 2021
@zenmonkeykstop
Remove old apt key from Ansible logic
30b34ac 
Follow-up to #5979. Removes the old, i.e.
22245C81E3BAEB4138B36061310F561200F4AD77, apt key from the Ansible
install-time logic. The key has been expired since 2021-06-30.

(cherry picked from commit 8780cae)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@conorsch conorsch conorsch approved these changes

Assignees

@conorsch conorsch

Labels
None yet
Projects
None yet
Milestone
2.1.0
Development

Successfully merging this pull request may close these issues.
2 participants
@zenmonkeykstop @conorsch