From 1ae766c328718b2e806b23b0ec078fe2e0e9351f Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Thu, 11 Mar 2021 11:36:37 -0800 Subject: [PATCH 1/2] Add 1.7.1->1.8.0 upgrade guide; Tails 3 guide fix --- docs/index.rst | 2 +- docs/update_tails_usbs.rst | 2 + docs/upgrade/1.5.0_to_1.6.0.rst | 98 ---------------------------- docs/upgrade/1.7.1_to_1.8.0.rst | 109 ++++++++++++++++++++++++++++++++ docs/upgrade_to_tails_4.rst | 25 ++++---- 5 files changed, 126 insertions(+), 110 deletions(-) delete mode 100644 docs/upgrade/1.5.0_to_1.6.0.rst create mode 100644 docs/upgrade/1.7.1_to_1.8.0.rst diff --git a/docs/index.rst b/docs/index.rst index 54d01e63b..ed27ded70 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -93,9 +93,9 @@ anonymous sources. :maxdepth: 2 upgrade/focal_migration.rst + upgrade/1.7.1_to_1.8.0.rst upgrade/1.7.0_to_1.7.1.rst upgrade/1.6.0_to_1.7.0.rst - upgrade/1.5.0_to_1.6.0.rst .. toctree:: :caption: Developer Documentation diff --git a/docs/update_tails_usbs.rst b/docs/update_tails_usbs.rst index 26a1f5a1c..72ef11c3a 100644 --- a/docs/update_tails_usbs.rst +++ b/docs/update_tails_usbs.rst 
@@ -30,6 +30,8 @@ We recommend that you :ref:`back up your existing configuration `_ -on the Tails welcome screen in order to use the graphical updater. - -Perform the update to 1.6.0 by clicking "Update Now": - -.. image:: ../images/securedrop-updater.png - -Performing a manual update -~~~~~~~~~~~~~~~~~~~~~~~~~~ -If the graphical updater fails and you want to perform a manual update instead, -first delete the graphical updater's temporary flag file, if it exists (the -``.`` before ``securedrop`` is not a typo): :: - - rm ~/Persistent/.securedrop/securedrop_update.flag - -This will prevent the graphical updater from attempting to re-apply the failed -update and has no bearing on future updates. You can now perform a manual -update by running the following commands: :: - - cd ~/Persistent/securedrop - git fetch --tags - gpg --keyserver hkps://keys.openpgp.org --recv-key \ - "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" - git tag -v 1.6.0 - -The output should include the following two lines: :: - - gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 - gpg: Good signature from "SecureDrop Release Signing Key" - -Please verify that each character of the fingerprint above matches what is -on the screen of your workstation. If it does, you can check out the -new release: :: - - git checkout 1.6.0 - -.. important:: If you do see the warning "refname '1.6.0' is ambiguous" in the - output, we recommend that you contact us immediately at securedrop@freedom.press - (`GPG encrypted `__). - -Finally, run the following commands: :: - - ./securedrop-admin setup - ./securedrop-admin tailsconfig - -Upgrading Tails ---------------- - -If you have already upgraded your workstations to the Tails 4 series, follow the -graphical prompts to update to the latest version. - -.. important:: - - If you are still running Tails 3.x on any workstation, we urge you to update - to the Tails 4 series as soon as possible. 
Tails 3.x is no longer receiving - security updates, and is no longer supported by the SecureDrop team. - Please see our - :doc:`instructions for upgrading to Tails 4 <../upgrade_to_tails_4>`. - - These instructions will be removed from a future version of this - documentation. - - -.. include:: ../includes/always-backup.txt - -V3 Onion Services ------------------ - -Due to security and anonymity improvements in v3 of the onion services protocol, -support for v2 onion services will be removed from SecureDrop in March 2021. If -your SecureDrop instance is still using 16-character v2 onion URLs, you should -migrate to v3 onion services at the earliest opportunity, and contact us via -the Support Portal if you require assistance doing so. For more information, -see :doc:`our migration documentation <../v3_services>`. - -Getting Support ---------------- - -Should you require further support with your SecureDrop installation, we are -happy to help! - -.. include:: ../includes/getting-support.txt diff --git a/docs/upgrade/1.7.1_to_1.8.0.rst b/docs/upgrade/1.7.1_to_1.8.0.rst new file mode 100644 index 000000000..68c5126d2 --- /dev/null +++ b/docs/upgrade/1.7.1_to_1.8.0.rst 
@@ -0,0 +1,109 @@ +Upgrade from 1.7.1 to 1.8.0 +=========================== + +.. important:: + + You must migrate your SecureDrop servers to Ubuntu 20.04 before **April 30, + 2021** to keep your SecureDrop instance operational. This migration will require + physical access to the servers. Please see our :doc:`migration guide ` + for instructions. + +Updating Servers to SecureDrop 1.8.0 +------------------------------------ +Your servers will be updated to the latest version of SecureDrop automatically +within 24 hours of the release. + +.. _updating_workstations_180: + +Updating Workstations to SecureDrop 1.8.0 +----------------------------------------- + +Using the graphical updater +~~~~~~~~~~~~~~~~~~~~~~~~~~~ +On the next boot of your SecureDrop *Journalist* and *Admin Workstations*, +the *SecureDrop Workstation Updater* will alert you to workstation updates. You +must have `configured an administrator password `_ +on the Tails welcome screen in order to use the graphical updater. + +Perform the update to 1.8.0 by clicking "Update Now": + +.. image:: ../images/securedrop-updater.png + +Performing a manual update +~~~~~~~~~~~~~~~~~~~~~~~~~~ +If the graphical updater fails and you want to perform a manual update instead, +first delete the graphical updater's temporary flag file, if it exists (the +``.`` before ``securedrop`` is not a typo): :: + + rm ~/Persistent/.securedrop/securedrop_update.flag + +This will prevent the graphical updater from attempting to re-apply the failed +update and has no bearing on future updates. 
You can now perform a manual +update by running the following commands: :: + + cd ~/Persistent/securedrop + git fetch --tags + gpg --keyserver hkps://keys.openpgp.org --recv-key \ + "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" + git tag -v 1.8.0 + +The output should include the following two lines: :: + + gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 + gpg: Good signature from "SecureDrop Release Signing Key" + +Please verify that each character of the fingerprint above matches what is +on the screen of your workstation. If it does, you can check out the +new release: :: + + git checkout 1.8.0 + +.. important:: If you do see the warning "refname '1.8.0' is ambiguous" in the + output, we recommend that you contact us immediately at securedrop@freedom.press + (`GPG encrypted `__). + +Finally, run the following commands: :: + + ./securedrop-admin setup + ./securedrop-admin tailsconfig + +.. include:: ../includes/always-backup.txt + +Updating Tails +-------------- +Check the version of Tails on your *Admin* and *Journalist Workstations* +(**Applications ▸ Tails ▸ About Tails**). If your workstations are running Tails +version 4.14 or earlier, you will not receive an update notification due to a +bug. Perform a :ref:`manual update `, or reinstate +automatic updates by following the steps in the +`Tails advisory `__. + +If you are running Tails 4.15 or later, follow the graphical prompts to update +to the latest version. + +Migration to Ubuntu 20.04 and to v3 onion services +-------------------------------------------------- +The operating system running on your *Application* and *Monitor Servers*, +Ubuntu 16.04 (Xenial), reaches its end-of-life for security updates on April 30, +2021. You must migrate your servers to Ubuntu 20.04 before April 30, 2021 to +remain secure. Please see our :doc:`migration guide ` for detailed +instructions. + +.. 
important :: + + If your servers are running Ubuntu 16.04 after **April 30, 2021**, the + *Source Interface* will be automatically disabled as a security precaution. + +Because v2 :ref:`onion services ` are deprecated, +SecureDrop does not support enabling them on Ubuntu 20.04. If you are not already +running v3 onion services (easily recognizable by their 56 character ``.onion`` +addresses), you can :doc:`enable them <../v3_services>` prior to the migration +to Ubuntu 20.04, or as part of the same maintenance window. + +Getting Support +--------------- + +Should you require further support with your SecureDrop installation, we are +happy to help! + +.. include:: ../includes/getting-support.txt diff --git a/docs/upgrade_to_tails_4.rst b/docs/upgrade_to_tails_4.rst index 6ee16765b..ade7e63f9 100644 --- a/docs/upgrade_to_tails_4.rst +++ b/docs/upgrade_to_tails_4.rst 
@@ -1,18 +1,12 @@ Upgrading workstations from Tails 3 to Tails 4 ---------------------------------------------- -.. important:: - - Before upgrading your *Admin Workstation* and your *Journalist Workstation* - to Tails 4, you must first ensure that the version of the SecureDrop code on - the workstation (which is used for administrative tasks and for configuring - the Tails desktop) is at |version|. +.. note:: - If unsure, you can always run the ``git status`` command in the - ``~/Persistent/securedrop`` directory to determine the current version. If - the output is not "HEAD detached at |version|", you are *not* - ready to proceed with the upgrade to Tails 4, and you must first update the - workstation using the procedure described in our upgrade guides. + This guide will be removed in a future release of this documentation, and + is no longer actively tested as part of SecureDrop QA. If you still use older + Tails USB drives and encounter issues during the upgrade, please get in + touch. As a precaution, we recommend backing up your workstations before the upgrade to Tails 4. See our :doc:`Workstation Backup Guide <../backup_workstations>` for @@ -37,6 +31,7 @@ On the *Admin* and *Journalist Workstation* USBs, set an administrator password following commands: :: cd ~/Persistent/securedrop + ./securedrop-admin update ./securedrop-admin setup ./securedrop-admin tailsconfig @@ -56,3 +51,11 @@ to restore from a backup, see our :ref:`guide for restoring workstations Date: Thu, 11 Mar 2021 11:46:31 -0800 Subject: [PATCH 2/2] Bump docs version to 1.8.0 --- docs/backup_and_restore.rst | 12 ++++++------ docs/conf.py | 4 ++-- docs/set_up_admin_tails.rst | 6 +++--- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/backup_and_restore.rst b/docs/backup_and_restore.rst index a6492cdd1..a185672c0 100644 --- a/docs/backup_and_restore.rst +++ b/docs/backup_and_restore.rst 
@@ -218,7 +218,7 @@ Migrating Using a V2+V3 or V3-Only Backup cd ~/Persistent/securedrop/ git fetch --tags - git tag -v 1.7.1 + git tag -v 1.8.0 The output should include the following two lines: @@ -239,10 +239,10 @@ Migrating Using a V2+V3 or V3-Only Backup .. code:: sh - git checkout 1.7.1 + git checkout 1.8.0 .. important:: - If you see the warning ``refname '1.7.1' is ambiguous`` in the + If you see the warning ``refname '1.8.0' is ambiguous`` in the output, we recommend that you contact us immediately at securedrop@freedom.press (`GPG encrypted `__). @@ -385,7 +385,7 @@ source accounts, and journalist accounts. To do so, follow the steps below: cd ~/Persistent/securedrop/ git fetch --tags - git tag -v 1.7.1 + git tag -v 1.8.0 The output should include the following two lines: @@ -405,11 +405,11 @@ source accounts, and journalist accounts. To do so, follow the steps below: .. code:: sh - git checkout 1.7.1 + git checkout 1.8.0 .. important:: - If you see the warning ``refname '1.7.1' is ambiguous`` in the + If you see the warning ``refname '1.8.0' is ambiguous`` in the output, we recommend that you contact us immediately at securedrop@freedom.press (`GPG encrypted `__). diff --git a/docs/conf.py b/docs/conf.py index 9d1764847..d10499ed2 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -68,9 +68,9 @@ # built documents. # # The short X.Y version. -version = "1.7.1" +version = "1.8.0" # The full version, including alpha/beta/rc tags. -release = "1.7.1" +release = "1.8.0" # The language for content autogenerated by Sphinx. Refer to documentation # for a list of supported languages. diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst index 1a1e7d495..6071d6d8b 100644 --- a/docs/set_up_admin_tails.rst +++ b/docs/set_up_admin_tails.rst @@ -137,7 +137,7 @@ signed with the release signing key: cd ~/Persistent/securedrop/ git fetch --tags - git tag -v 1.7.1 + git tag -v 1.8.0 The output should include the following two lines: 
@@ -158,9 +158,9 @@ screen of your workstation. If it does, you can check out the new release: .. code:: sh - git checkout 1.7.1 + git checkout 1.8.0 -.. important:: If you see the warning ``refname '1.7.1' is ambiguous`` in the +.. important:: If you see the warning ``refname '1.8.0' is ambiguous`` in the output, we recommend that you contact us immediately at securedrop@freedom.press (`GPG encrypted `__).
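Review bot: In docs/index.rst the toctree entry upgrade/1.5.0_to_1.6.0.rst is dropped and the file itself is deleted, so any :doc: or :ref: elsewhere in the docs that still targets that guide or a label defined in it will dangle. Before merging, search the tree for "1.5.0_to_1.6.0" and run the Sphinx build with warnings treated as errors so that a leftover reference fails the build instead of shipping a broken link.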
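Review bot: In the new docs/upgrade/1.7.1_to_1.8.0.rst, the "refname '1.8.0' is ambiguous" important block only says to contact support, and the very next line is "Finally, run the following commands", so an admin who sees the warning has no instruction to stop before running ./securedrop-admin setup and tailsconfig on a checkout that may not be the verified tag. Suggest adding an explicit "do not continue with the steps below" to that block. Two smaller points in the same file: the flag file is to be deleted "if it exists" but the command is a plain rm, which errors when the file is absent (rm -f matches the wording); and the second admonition is spelled ".. important ::" with a space and the warning text is in plain quotes, while the other admonitions in this series use ".. important::" and an inline literal (``refname '1.8.0' is ambiguous``).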
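Review bot: In docs/upgrade_to_tails_4.rst the removed important block was the only place that told the admin how to confirm the workstation code version (git status in ~/Persistent/securedrop showing "HEAD detached at |version|"), and the later hunk adds ./securedrop-admin update ahead of setup and tailsconfig without any statement of what a successful update looks like. Since the new note says this guide is no longer actively tested, keeping the git status check as a step right after ./securedrop-admin update would give admins a concrete way to confirm they are on the expected release before configuring the workstation.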
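Review bot: In patch 2/2 the tag name is hand-edited in each of the git tag -v, git checkout and "refname ... is ambiguous" lines of docs/backup_and_restore.rst (two procedures) and docs/set_up_admin_tails.rst, separately from version and release in docs/conf.py, so a missed occurrence would leave admins verifying one tag and being told to check out another. The diffstat shows only three files touched; please confirm with a search for "1.7.1" outside docs/upgrade/ that no other install or restore page still carries the old tag, and consider noting in the release checklist which files hold these literals.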