Added new public key for planned rotation and bumped securedrop-keyri… #250

Merged on May 27, 2021 (1 commit)

@zenmonkeykstop zenmonkeykstop commented May 25, 2021

Status

Ready for review

Description

Updates securedrop-keyring, adding the new public key for the 2021 rotation, and bumping its version to 0.1.5.

Test plan

  • clone https://github.com/freedomofpress/securedrop, verify and check out the tag 1.8.2
  • verify that the securedrop keyring (../securedrop/install_files/securedrop/etc/apt/trusted.gpg.d/securedrop-keyring.gpg) is identical to securedrop-keyring/securedrop-keyring.gpg
  • build the securedrop-keyring package with PKG_VERSION=0.1.5 make securedrop-keyring successfully
  • Set up a securedrop-workstation dev environment if not already available
  • Copy the securedrop-keyring package to sd-small-buster-template and sd-large-buster-template and install it using dpkg, restart the templates and all workstation VMs
  • Confirm that both the original and new public keys (fingerprints '22245C81E3BAEB4138B36061310F561200F4AD77' and '2359E6538C0613E652955E6C188EDD3B7B22E6A3') are available via sudo apt-key list on the template VMs and their child workstation VMs
  • Confirm that sudo apt-get update completes without errors on the VMs
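
The fingerprint check from the test plan above, as an added example that is not part of the original pull request or the project's own code. It parses `gpg --with-colons` output; the function names and the sample listing are constructed for illustration, and rejecting keys outside the expected pair is an extra check the test plan does not ask for.

```shell
#!/bin/sh
# Expected primary-key fingerprints, as listed in the test plan.
EXPECTED_FPRS="22245C81E3BAEB4138B36061310F561200F4AD77 2359E6538C0613E652955E6C188EDD3B7B22E6A3"

# Print primary-key fingerprints from `gpg --with-colons` output on stdin.
# Each "fpr" record belongs to the preceding "pub" or "sub" record; subkey
# fingerprints are skipped so they are not mistaken for trust anchors.
primary_fprs() {
  awk -F: '$1 == "pub" { primary = 1; next }
           $1 == "sub" { primary = 0; next }
           $1 == "fpr" && primary { print toupper($10); primary = 0 }'
}

# Return 0 only if every expected key is present and no other primary key is.
# Flagging extra keys is stricter than the test plan (an assumption here).
check_keyring_listing() {
  found=$(primary_fprs)
  rc=0
  for fpr in $EXPECTED_FPRS; do
    printf '%s\n' "$found" | grep -qxF "$fpr" ||
      { echo "MISSING expected key: $fpr" >&2; rc=1; }
  done
  for fpr in $found; do
    case " $EXPECTED_FPRS " in
      *" $fpr "*) ;;
      *) echo "UNEXPECTED key: $fpr" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample listing (not real gpg output): two primary keys, one subkey.
sample_listing() {
  cat <<'EOF'
pub:-:4096:1:310F561200F4AD77:0:::-:::scESC:
fpr:::::::::22245C81E3BAEB4138B36061310F561200F4AD77:
uid:-::::0::0::constructed uid one:
sub:-:4096:1:0000000000000001:0::::::e:
fpr:::::::::0000000000000000000000000000000000000001:
pub:-:4096:1:188EDD3B7B22E6A3:0:::-:::scESC:
fpr:::::::::2359E6538C0613E652955E6C188EDD3B7B22E6A3:
uid:-::::0::0::constructed uid two:
EOF
}

# Real use (assumed invocation):
#   gpg --show-keys --with-colons securedrop-keyring.gpg | check_keyring_listing
sample_listing | check_keyring_listing && echo "sample listing OK"
```
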

@zenmonkeykstop zenmonkeykstop marked this pull request as ready for review May 26, 2021 03:05
@conorsch conorsch self-requested a review May 27, 2021 00:00

@conorsch conorsch left a comment

Works beautifully.

Reminder that we don't have automatic nightlies for the keyring package, so we'll need to sign the packaging repo, build the new keyring package, and upload to apt-test manually. The package is reproducible, so we can promote the same artifact from apt-test to prod once it's ready for final release.

@zenmonkeykstop

Is it worth holding off on signing+tagging the packaging repo until other queued changes are ready and releasing them all of a piece, or should we just go ahead and get this one done?

@conorsch

My initial hesitation was the same: wait to tag until all pieces are in place. But given that the changes to securedrop-keyring are "ready", and the versioning scheme on this packaging repo is independent, it feels right to proceed with tagging the packaging repo and preparing a prod-ready artifact for the keyring. We'll post to apt-test first, then promote to apt prod if no problems.
