Add documentation on updating the SecureDrop release key expiration date #52

Closed
2 tasks
redshiftzero opened this issue Oct 11, 2018 · 3 comments

@redshiftzero
Contributor

Description

For bus factor reasons, we should document the process of bumping the expiration date for the SecureDrop release signing key (via the securedrop-keyring package). This guide should also include tasks like:

  • Ensuring we've pushed the updated key to keyservers
  • Ensuring we have updated the armored pub key that is on securedrop.org
@redshiftzero redshiftzero changed the title Release key update documentation Add documentation on updating the SecureDrop release key expiration date Oct 11, 2018
@sssoleileraaa
Contributor

sssoleileraaa commented Jun 9, 2020

hey, just found this issue. i didn't participate in the first half of this update process but i want to point out how we are testing that the keyserver and securedrop.org have the new keys during QA.

Since we can't rely on the updater to get the new key until the release object is published (see https://github.com/zenmonkeykstop/securedrop/blob/ee9b16e39908b1bac9d9aba202eb9a50193a0923/admin/securedrop_admin/__init__.py#L665-L667), we will need to create temporary keyrings for each check.

  • Verify the SecureDrop Release signing key is present with the new expiration date of 2021-06-30 on the keyserver

    • mkdir /tmp/qa-new-key-on-keyserver && chmod 700 /tmp/qa-new-key-on-keyserver
    • gpg --homedir /tmp/qa-new-key-on-keyserver --keyserver hkps://keys.openpgp.org --recv-keys 22245C81E3BAEB4138B36061310F561200F4AD77
    • gpg --homedir /tmp/qa-new-key-on-keyserver -k
  • Verify the SecureDrop Release signing key is present with the new expiration date of 2021-06-30 on securedrop.org

    • mkdir /tmp/qa-new-key-on-website && chmod 700 /tmp/qa-new-key-on-website
    • curl -LO https://securedrop.org/securedrop-release-key.asc
    • gpg --homedir /tmp/qa-new-key-on-website --import securedrop-release-key.asc
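
Added example, not part of the comment above or of the SecureDrop project's code: a scripted form of the same QA check that reads the expiration date from a `gpg --with-colons` listing instead of from the human-readable `-k` output. The function names and the sample listing are constructed for illustration, and the date conversion assumes a `date` that accepts `-d @epoch` (GNU coreutils or BusyBox).

```sh
#!/bin/sh
# Added example. Function names are hypothetical; the listing is constructed.
FPR=22245C81E3BAEB4138B36061310F561200F4AD77   # fingerprint from the comment
EXPECTED=2021-06-30                            # expiration date from the comment

# Read a `gpg --with-colons` listing on stdin and print "<validity> <expiry>"
# for the primary key with fingerprint $1. In a pub record, field 2 is the
# validity and field 7 the expiration (epoch seconds); the fpr record that
# follows carries the fingerprint in field 10.
primary_key_expiry() {
  awk -F: -v fpr="$1" '
    $1 == "pub" { validity = $2; expiry = $7; primary = 1; next }
    $1 == "fpr" && primary {
      primary = 0                       # later fpr records belong to subkeys
      if (($10 "") == (fpr "")) { print validity, expiry; found = 1; exit }
    }
    END { exit !found }'
}

# 0 = expires on date $2 (UTC); 1 = other date; 2 = key absent;
# 3 = expired or revoked; 4 = no expiration set.
check_expiry() {
  out=$(primary_key_expiry "$1") || return 2
  validity=${out%% *}
  epoch=${out#* }
  case $validity in e|r) return 3 ;; esac
  [ -n "$epoch" ] || return 4
  [ "$(date -u -d "@$epoch" +%Y-%m-%d)" = "$2" ]
}

# Constructed sample listing (timestamps and UID are made up).
sample_listing() {
  cat <<'EOF'
pub:-:4096:1:310F561200F4AD77:1474329600:1625054400::-:::scESC::::::23::0:
fpr:::::::::22245C81E3BAEB4138B36061310F561200F4AD77:
uid:-::::1474329600::0000000000000000000000000000000000000000::Constructed Example UID::::::::::0:
sub:-:4096:1:0000000000000000:1474329600:1625054400:::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}

# Real use: gpg --homedir /tmp/qa-new-key-on-keyserver --with-colons \
#             --fingerprint --list-keys | check_expiry "$FPR" "$EXPECTED"
if sample_listing | check_expiry "$FPR" "$EXPECTED"; then
  echo "OK: $FPR expires $EXPECTED"
else
  echo "FAIL: key missing, expired/revoked, or wrong expiration date"
fi
```

Matching on the full fingerprint of the primary key, rather than on a key ID or UID string, keeps the check from passing on a different key that happens to be in the same temporary keyring.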

@redshiftzero
Contributor Author

redshiftzero commented Jun 10, 2020

There are two pieces to this:

  1. Internal docs on how to update the signing key - this is documented internally
  2. Docs that can be public about the fact that we need to do a securedrop-keyring package update, and all the places to publish the new key: old keyservers, hagrid keyservers, securedrop.org

@eloquence eloquence transferred this issue from freedomofpress/securedrop Oct 20, 2020
@zenmonkeykstop
Contributor

Internal docs also outline the packaging and publishing steps. For now I think we can close this.

nathandyer pushed a commit that referenced this issue Jul 18, 2023