Skip to content

0.3.1 Test Plan

Jump to bottom
Conor Schaefer edited this page Jun 15, 2020 · 1 revision

See release ticket: Release SecureDrop Workstation 0.3.1 #571

Release-specific test plan

Qubes staging environment

The staging environment will always enforce the test key, used for the yum-test repo, so not possible to observe pubkey changes for dom0 & sys-firewall on staging. It is, however, possible to verify the TemplateVM/AppVM changes.

  • Make sure signing pubkey has is updated in TemplateVMs, via sudo apt-key finger securedrop-release-key.
    • There should be only one key, with fingerprint
    • Expiration date is 2021-06-30 (not 2020)

You can list the pubkey for all SDW VMs like so:

for vm in $(qvm-ls --tags sd-workstation --raw-list); do echo "VM: $vm" ; qvm-run -p $vm 'sudo apt-key finger securedrop-release-key' ; qvm-shutdown $vm; done

You'll need to review each VM's output individually, to confirm you see the "2021-06-30" expiry date. The sd-whonix VM is based on whonix-gw-15, so checking sd-whonix should be sufficient, but for the sake of completeness:

qvm-run -p whonix-gw-15 'sudo apt-key finger securedrop-release-key'

Should also show the 2021-06-30 expiry date.

Qubes prod environment

The prod environment for Qubes uses the production test key, enforced via securedrop-admin --apply, so the prod environment must be used to verify changes to dom0 & sys-firewall. The prod environment won't have the new pubkey applied to TemplateVMs, though, since the TemplateVMs track apt.freedom.press.

  • Ensure you've got the latest stable version installed (or else perform a fresh prod install)
    • sudo dnf info securedrop-workstation-dom0-config shows 0.3.0 in the version info
    • grep environment /usr/share/securedrop-workstation-dom0-config/config.json shows prod
  • Manually install the rc1 package, following the staging RPM instructions in https://github.com/freedomofpress/securedrop-workstation#staging-environment, then confirm you've got the proper version for testing:
    • Run sudo dnf info securedrop-workstation-dom0-config
    • Confirm 0.3.1 in the Version field
    • Confirm 0.rc1.1.fc25 in the Release field
  • Run securedrop-admin --apply to enforce the upgrade
  • Make sure signing pubkey is updated in dom0
    • Check dom0 keyring:
      • mkdir -m 700 /tmp/fake-gpg-rpm-home
      • gpg --homedir /tmp/fake-gpg-rpm-home --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
      • gpg --homedir /tmp/fake-gpg-rpm-home -k
      • Confirm pubkey shows 2021-06-30 expiry
    • Check sys-firewall keyring
      • qvm-run sys-firewall gnome-terminal to open a terminal, then:
      • mkdir -m 700 /tmp/fake-gpg-rpm-home
      • gpg --homedir /tmp/fake-gpg-rpm-home --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
      • gpg --homedir /tmp/fake-gpg-rpm-home -k
      • Confirm pubkey shows 2021-06-30 expiry
Clone this wiki locally