From e62ff60d207c8457a18bef8022a61f33abced29f Mon Sep 17 00:00:00 2001
From: Nathan Dyer
Date: Tue, 7 Nov 2023 22:01:32 +0000
Subject: [PATCH] Update version numbers and add upgrade guide for 2.7.0 (#513) * Add upgrade guide for 2.7.0 * Add advisory about SHA-1 keys to 2.7.0 upgrade guide.
---
 .../admin/installation/set_up_admin_tails.rst | 6 +-
 docs/admin/maintenance/backup_and_restore.rst | 12 +-
 .../admin/maintenance/update_workstations.rst | 6 +-
 docs/conf.py | 2 +-
 docs/index.rst | 1 +
 docs/upgrade/2.6.0_to_2.6.1.rst | 2 -
 docs/upgrade/2.6.1_to_2.7.0.rst | 110 ++++++++++++++++++
 pyproject.toml | 2 +-
 8 files changed, 125 insertions(+), 16 deletions(-)
 create mode 100644 docs/upgrade/2.6.1_to_2.7.0.rst
diff --git a/docs/admin/installation/set_up_admin_tails.rst b/docs/admin/installation/set_up_admin_tails.rst
index e9df956e2..bd2ef50f8 100644
--- a/docs/admin/installation/set_up_admin_tails.rst
+++ b/docs/admin/installation/set_up_admin_tails.rst
@@ -139,7 +139,7 @@ signed with the release signing key: cd ~/Persistent/securedrop/ git fetch --tags
- git tag -v 2.6.1
+ git tag -v 2.7.0
 The output should include the following two lines:
@@ -160,9 +160,9 @@ screen of your workstation. If it does, you can check out the new release: .. code:: sh
- git checkout 2.6.1
+ git checkout 2.7.0
-.. important:: If you see the warning ``refname '2.6.1' is ambiguous`` in the
+.. important:: If you see the warning ``refname '2.7.0' is ambiguous`` in the
 output, we recommend that you contact us immediately at securedrop@freedom.press (`GPG encrypted `__).
diff --git a/docs/admin/maintenance/backup_and_restore.rst b/docs/admin/maintenance/backup_and_restore.rst
index 78571afee..0ceb7c971 100644
--- a/docs/admin/maintenance/backup_and_restore.rst
+++ b/docs/admin/maintenance/backup_and_restore.rst
@@ -229,7 +229,7 @@ Migrating Using a V2+V3 or V3-Only Backup cd ~/Persistent/securedrop/ git fetch --tags
- git tag -v 2.6.1
+ git tag -v 2.7.0
 The output should include the following two lines:
@@ -250,10 +250,10 @@ Migrating Using a V2+V3 or V3-Only Backup .. code:: sh
- git checkout 2.6.1
+ git checkout 2.7.0
 .. important::
- If you see the warning ``refname '2.6.1' is ambiguous`` in the
+ If you see the warning ``refname '2.7.0' is ambiguous`` in the
 output, we recommend that you contact us immediately at securedrop@freedom.press (`GPG encrypted `__).
@@ -472,7 +472,7 @@ source accounts, and journalist accounts. To do so, follow the steps below: cd ~/Persistent/securedrop/ git fetch --tags
- git tag -v 2.6.1
+ git tag -v 2.7.0
 The output should include the following two lines:
@@ -491,11 +491,11 @@ source accounts, and journalist accounts. To do so, follow the steps below: .. code:: sh
- git checkout 2.6.1
+ git checkout 2.7.0
 .. important::
- If you see the warning ``refname '2.6.1' is ambiguous`` in the
+ If you see the warning ``refname '2.7.0' is ambiguous`` in the
 output, we recommend that you contact us immediately at securedrop@freedom.press (`GPG encrypted `__).
diff --git a/docs/admin/maintenance/update_workstations.rst b/docs/admin/maintenance/update_workstations.rst
index 6f92eb83b..d5c0774df 100644
--- a/docs/admin/maintenance/update_workstations.rst
+++ b/docs/admin/maintenance/update_workstations.rst
@@ -24,7 +24,7 @@ update by running the following commands: :: git fetch --tags gpg --keyserver hkps://keys.openpgp.org --recv-key \ "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3"
- git tag -v 2.6.1
+ git tag -v 2.7.0
 The output should include the following two lines: ::
@@ -37,9 +37,9 @@ on the screen of your workstation. A warning that the key is not certified is normal and expected. If the output includes the lines above, you can check out the new release: ::
- git checkout 2.6.1
+ git checkout 2.7.0
-.. important:: If you do see the warning "refname '2.6.1' is ambiguous" in the
+.. important:: If you do see the warning "refname '2.7.0' is ambiguous" in the
 output, we recommend that you contact us immediately at securedrop@freedom.press (`GPG encrypted `__).
diff --git a/docs/conf.py b/docs/conf.py
index efb92f3f1..06e5e5af4 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -46,7 +46,7 @@ # built documents. # # The short X.Y version.
-version = "2.6.1"
+version = "2.7.0"
 # The full version, including alpha/beta/rc tags. # On the live site, this will be overridden to "stable" or "latest". release = os.environ.get("SECUREDROP_DOCS_RELEASE", version)
diff --git a/docs/index.rst b/docs/index.rst
index 704eefdf6..071ff8c89 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -150,6 +150,7 @@ Get Started :maxdepth: 2 :hidden:
+ upgrade/2.6.1_to_2.7.0.rst
 upgrade/2.6.0_to_2.6.1.rst
 upgrade/2.5.2_to_2.6.0.rst
 upgrade/2.5.1_to_2.5.2.rst
diff --git a/docs/upgrade/2.6.0_to_2.6.1.rst b/docs/upgrade/2.6.0_to_2.6.1.rst
index 06a91c433..bec9d241b 100644
--- a/docs/upgrade/2.6.0_to_2.6.1.rst
+++ b/docs/upgrade/2.6.0_to_2.6.1.rst
@@ -1,5 +1,3 @@
-.. _latest_upgrade_guide: - Upgrade from 2.6.0 to 2.6.1 ===========================
diff --git a/docs/upgrade/2.6.1_to_2.7.0.rst b/docs/upgrade/2.6.1_to_2.7.0.rst
new file mode 100644
index 000000000..dbf52156f
--- /dev/null
+++ b/docs/upgrade/2.6.1_to_2.7.0.rst
@@ -0,0 +1,110 @@
+.. _latest_upgrade_guide:
+
+Upgrade from 2.6.1 to 2.7.0
+===========================
+
+.. note::
+
+ This release will remove support for Submission Public Keys with legacy
+ SHA-1-based binding signatures. The SecureDrop Journalist Interface
+ will not start when the instance has been configured with such a key,
+ and the Source Interface will state that the instance is temporarily
+ offline. If you have set up SecureDrop according to our documentation,
+ you are not using such keys; no SecureDrop instances known to us are
+ affected by this change.
+
+ If you are unsure if you will be affected by this change, you can
+ reach out to us for support. Our recommended course of action is to
+ check your Submission Public Key, available at the /public-key
+ endpoint of your SecureDrop Source Interface onion url, using the
+ ``sq-keyring-linter`` program, which is available by default on your
+ Admin Workstation starting with Tails version 5.19.
+ If your key contains insecure SHA-1-based signatures, we suggest
+ creating a new Submission Keypair according to our documentation.
+ You should not delete the old key from your Secure Viewing Station,
+ so that you can still decrypt old submissions. We are happy to
+ assist you with this process. As a reminder, all key material should
+ be generated on an air-gapped machine, and should never reside on a
+ network-connected device.
+
+ For more detailed information about why keys with SHA-1 signatures are
+ insecure, see https://sequoia-pgp.org/blog/2023/02/01/202302-happy-sha1-day/.
+
+Update Servers to SecureDrop 2.7.0
+----------------------------------
+Servers running Ubuntu 20.04 will be updated to the latest version of SecureDrop
+automatically within 24 hours of the release.
+
+Update Workstations to SecureDrop 2.7.0
+---------------------------------------
+
+Updating Tails and replacing short passphrases
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Before upgrading your Workstations to SecureDrop 2.7.0, we
+strongly recommend that you first upgrade to Tails 5.19.
+
+Using the graphical updater
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. note::
+
+ If you encounter errors with the graphical updater, perform a
+ manual update. This will ensure that you have imported the new
+ `SecureDrop release signing key `_.
+
+On the next boot of your SecureDrop *Journalist* and *Admin Workstations*,
+the *SecureDrop Workstation Updater* will alert you to workstation updates. You
+must have `configured an administrator password `_
+on the Tails welcome screen in order to use the graphical updater.
+
+Perform the update to 2.7.0 by clicking "Update Now":
+
+.. image:: ../images/securedrop-updater.png
+
+Performing a manual update
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+If the graphical updater fails and you want to perform a manual update instead,
+first delete the graphical updater's temporary flag file, if it exists (the
+``.`` before ``securedrop`` is not a typo): ::
+
+ rm ~/Persistent/.securedrop/securedrop_update.flag
+
+This will prevent the graphical updater from attempting to re-apply the failed
+update and has no bearing on future updates. You can now perform a manual
+update by running the following commands: ::
+
+ cd ~/Persistent/securedrop
+ git fetch --tags
+ gpg --keyserver hkps://keys.openpgp.org --recv-key \
+ "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3"
+ git tag -v 2.7.0
+
+The output should include the following two lines: ::
+
+ gpg: using RSA key 2359E6538C0613E652955E6C188EDD3B7B22E6A3
+ gpg: Good signature from "SecureDrop Release Signing Key " [unknown]
+
+
+Please verify that each character of the fingerprint above matches what is
+on the screen of your workstation. A warning that the key is not certified
+is normal and expected.
If the output includes the lines above, you can check
+out the new release: ::
+
+ git checkout 2.7.0
+
+.. important:: If you do see the warning "refname '2.7.0' is ambiguous" in the
+ output, we recommend that you contact us immediately at securedrop@freedom.press
+ (`GPG encrypted `__).
+
+Finally, run the following commands: ::
+
+ ./securedrop-admin setup
+ ./securedrop-admin tailsconfig
+
+Getting Support
+---------------
+
+Should you require further support with your SecureDrop installation, we are
+happy to help!
+
+.. include:: ../includes/getting-support.txt
diff --git a/pyproject.toml b/pyproject.toml
index dd54263a8..9328630bf 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@ [tool.poetry] name = "securedrop-docs"
-version = "2.6.1"
+version = "2.7.0"
 description = "SecureDrop documentation for journalists, sources and administrators"
 authors = ["SecureDrop team "]
 readme = "README.md"