remove test version, add release key signed securedrop HTTPS everywhere ruleset channel

.gitignore

@@ -1,5 +1,9 @@
-# Don't commit keys
-*.pem
+# Don't commit private keys
+key.pem
+private.pem
+
+# Don't commit test keys
+test-key.jwk
 
 # Byte-compiled / optimized / DLL files
 __pycache__/

Makefile

@@ -0,0 +1,9 @@
+.PHONY: test-key
+test-key: ## Generates a test key for development/testing purposes locally.
+	openssl genrsa -out key.pem 4096
+	openssl rsa -in key.pem -outform PEM -pubout -out public.pem
+	python jwk.py > test-key.jwk
+
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

README.md

@@ -1,51 +1,56 @@
 # HTTPS-Everywhere Rulesets for SecureDrop
 
-:warning: These rulesets are for testing and development only and are not to be used in production.
+## Development
 
-## Generate SecureDrop rulesets
-
-setup:
+Setup:
 
 ```
 virtualenv --python=python3 .venv
 source .venv/bin/activate
 pip install -r requirements.txt
 ```
 
-generate rulesets from securedrop directory:
+You can create a test key for signing using:
 
 ```
-python sddir.py
+make test-key
 ```
 
-This populates the `rulesets` directory.
+which will create `test-key.jwk` in your current working directory.
 
-## Generating signing keys and signing the rulesets
+## Updating Rulesets
 
-Also see HTTPS Everywhere docs [here](https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md).
+### Adding a new organization
 
-Generate a private key for signing ruleset releases:
+1. Ensure they are in the official SecureDrop directory. If they are not, go through the IVF process with the organization.
 
-```
-openssl genrsa -out key.pem 4096
-```
+2. Add their domain to `onboarded.txt` via PR into this repository. We match the domain based on the landing page of the organization, comparing the `netloc` in a URL with structure `scheme://netloc/path;parameters?query#fragment`.
 
-Now generate the corresponding public key:
+3. Next, perform a ruleset release as described below.
 
-```
-openssl rsa -in key.pem -outform PEM -pubout -out public.pem
-```
+### Updating the onion URL for an organization (e.g. if they transition to v3 or rotate URLs)
+
+1. First update their onion URL in the official SecureDrop directory using the existing process.
 
-Now dump the key in the JWK format which assumes the public key is located in `public.pem` in the same directory:
+2. Next, perform a ruleset release as described below.
+
+### Release process
+
+Generate rulesets via the securedrop.org directory using the `sddir.py` script:
 
 ```
-python jwk.py > key.jwk
+source .venv/bin/activate
+python sddir.py
 ```
 
-(in production this would be done via airgap signing)
+This populates the `rulesets` directory. Inspect them and check all looks sane.
+
+To sign the rules, see HTTPS Everywhere docs [here](https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#2-signing-rulesets-with-this-key) for the signing process. In the step where you remove all HTTPS Everywhere rules from `rules` in the git checkout of the `https-everywhere` git repo, you should copy all rules from `rulesets` generated from the above Python script. You do not need to create a trivial rule as described in the HTTPS Everywhere docs.
 
-## Updating the channel
+For the production rules this signing must be done via the official signing ceremony and the existing SD release key (JWK formatted version of the pubkey is in `release-pubkey.jwk`). There is some internal documentation with more detailed instructions on this, ping `@redshiftzero` if you need to do this.
 
-If you've updated the rules, resign them (described in HTTPS everywhere docs), and then place the files to serve in the root of the git tree, then update the directory listing in `index.html`.
+Once you have the signature, place the files to serve in the root of the git tree in this repository,and then update the directory listing in `index.html`.
 
 Commit the resulting `index.html` and all files to be served.
+
+Upon merge the ruleset release will be live.

index.html

@@ -1,7 +1,5 @@
 <html>
-    <a href='rulesets-signature.1582940785.sha256'>rulesets-signature.1582940785.sha256</a><br>
-    <a href='default.rulesets.1582940785.gz'>default.rulesets.1582940785.gz</a><br>
+    <a href='rulesets-signature.1586899568.sha256'>rulesets-signature.1586899568.sha256</a><br>
     <a href='latest-rulesets-timestamp'>latest-rulesets-timestamp</a><br>
-    <a href='rulesets-signature.1567398063.sha256'>rulesets-signature.1567398063.sha256</a><br>
-    <a href='default.rulesets.1567398063.gz'>default.rulesets.1567398063.gz</a><br>
-</html>
+    <a href='default.rulesets.1586899568.gz'>default.rulesets.1586899568.gz</a><br>
+</html>

latest-rulesets-timestamp

@@ -1 +1 @@
-1582940785
+1586899568

onboarded.txt

@@ -0,0 +1 @@
+lucyparsonslabs.com

pgppubkey_to_jwk.py

@@ -0,0 +1,17 @@
+from authlib.common.encoding import int_to_base64
+import json
+import pgpy
+
+
+# Input is PGP armored pubkey
+key, _ = pgpy.PGPKey.from_file('key.asc')
+n = int(key._key.keymaterial.n)
+e = int(key._key.keymaterial.e)
+
+# Expected JWK format according to https://tools.ietf.org/html/rfc7518#section-6.1
+pubkey = {
+    'kty': 'RSA',
+    'e': int_to_base64(e),
+    'n': int_to_base64(n)
+}
+print(json.dumps(pubkey))

public_release.pem

@@ -0,0 +1,15 @@
+-----BEGIN PUBLIC KEY-----
+MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp10BbUVc5Xj2S/+MH3bA
+CNBaISo/r9e3PVPyTTjsGsdg2qSXvqUO42fBtpFAy0zUzIGS83v4JjiRdvKJaZTI
+vbC8AcpymzdsTqujMm8RPTSy3hO/8mXzGa4DEsIB1uNLnUWRBKXvSGCmT9kFyxhT
+pkYqokNBzafVihTU34tN2Md1xFHnmZGqfYtPtbJLWAa5Z1M11EyR4lIyUxIiPTV9
+t1XstDbWr3iS83REJrGEFmjG1+BAgx8/lDUTa41799N2yYEhgZud7bL0M3ei8s5O
+ERjiion5uANkUV3+s2QqUZjiVA+XR/HizXjciaUWNd683KqekpNOZ/0STh/UGwpc
+wU+KwG07QyiCrLrRpz8S/vH8CqGrrcWY3GSzYe9dp34jJdO65oA+G8tK6fMXtvTC
+FDZI6oNNaXJH71F5J0YbqO2ZqwKYc2WSi0gKVl2wd9roOVjaBmkJqvocntYuNM7t
+38fDEWHn5KUkmrTbiG68Cy56tDUfpKl3D9Uj4LaMvxJ1tKGvzQ4k/60odT7gIxu6
+DqYjXUHZpwPsSGBq3njaD7boe4CUXF2K7ViOc87BsKxRNCzDD8OklRjjXzOTOBH3
+PqFJ93CJ+4ECE5t9STU20aZ8E+2zKB8vjKyCySE4+kcIvBBsnkwVaJTPy9Ft1qYy
+bo+soXEWVEZATANNWklBt8kCAwEAAQ==
+-----END PUBLIC KEY-----
+

release-pubkey.jwk

@@ -0,0 +1 @@
+{"kty": "RSA", "e": "AQAB", "n": "p10BbUVc5Xj2S_-MH3bACNBaISo_r9e3PVPyTTjsGsdg2qSXvqUO42fBtpFAy0zUzIGS83v4JjiRdvKJaZTIvbC8AcpymzdsTqujMm8RPTSy3hO_8mXzGa4DEsIB1uNLnUWRBKXvSGCmT9kFyxhTpkYqokNBzafVihTU34tN2Md1xFHnmZGqfYtPtbJLWAa5Z1M11EyR4lIyUxIiPTV9t1XstDbWr3iS83REJrGEFmjG1-BAgx8_lDUTa41799N2yYEhgZud7bL0M3ei8s5OERjiion5uANkUV3-s2QqUZjiVA-XR_HizXjciaUWNd683KqekpNOZ_0STh_UGwpcwU-KwG07QyiCrLrRpz8S_vH8CqGrrcWY3GSzYe9dp34jJdO65oA-G8tK6fMXtvTCFDZI6oNNaXJH71F5J0YbqO2ZqwKYc2WSi0gKVl2wd9roOVjaBmkJqvocntYuNM7t38fDEWHn5KUkmrTbiG68Cy56tDUfpKl3D9Uj4LaMvxJ1tKGvzQ4k_60odT7gIxu6DqYjXUHZpwPsSGBq3njaD7boe4CUXF2K7ViOc87BsKxRNCzDD8OklRjjXzOTOBH3PqFJ93CJ-4ECE5t9STU20aZ8E-2zKB8vjKyCySE4-kcIvBBsnkwVaJTPy9Ft1qYybo-soXEWVEZATANNWklBt8k"}

requirements.txt

@@ -1,2 +1,3 @@
 authlib
 requests
+pgpy

rulesets/lucy-parsons-labs-securedrop-ruleset.xml

@@ -1,5 +1,5 @@
 <ruleset name="Lucy Parsons Labs">
 	<target host="lucyparsonslabs.com.securedrop.tor.onion" />
 	<rule from="^http[s]?://lucyparsonslabs.com.securedrop.tor.onion"
-        to="http://qn4qfeeslglmwxgb.onion" />
+    to="http://qn4qfeeslglmwxgb.onion" />
 </ruleset>