Merge pull request #5930 from freedomofpress/5923-add-new-signing-pubkey

Adds new pubkey for Release Signing Key
freedomofpress · May 11, 2021 · 6eb5ac8 · 6eb5ac8
2 parents 67f77a3 + dd84f81
commit 6eb5ac8
Show file tree

Hide file tree

Showing 9 changed files with 85 additions and 19 deletions.
diff --git a/admin/securedrop_admin/__init__.py b/admin/securedrop_admin/__init__.py
@@ -62,7 +62,14 @@
 from typing import Type
 
 sdlog = logging.getLogger(__name__)
-RELEASE_KEY = '22245C81E3BAEB4138B36061310F561200F4AD77'
+
+# We list two (2) pubkeys as authorized to sign SecureDrop release artifacts,
+# to provide a transition window during key rotation. On or around v2.0.0,
+# we can remove the older of the two keys and only trust the newer going forward.
+RELEASE_KEYS = [
+    '22245C81E3BAEB4138B36061310F561200F4AD77',
+    '2359E6538C0613E652955E6C188EDD3B7B22E6A3',
+]
 DEFAULT_KEYSERVER = 'hkps://keys.openpgp.org'
 SUPPORT_ONION_URL = 'http://sup6h5iyiyenvjkfxbgrjynm5wsgijjoatvnvdgyyi7je3xqm4kh6uqd.onion'
 SUPPORT_URL = 'https://support.freedom.press'
@@ -906,15 +913,14 @@ def get_release_key_from_keyserver(
 ) -> None:
     gpg_recv = ['timeout', str(timeout), 'gpg', '--batch', '--no-tty',
                 '--recv-key']
-    release_key = [RELEASE_KEY]
-
-    # We construct the gpg --recv-key command based on optional keyserver arg.
-    if keyserver:
-        get_key_cmd = gpg_recv + ['--keyserver', keyserver] + release_key
-    else:
-        get_key_cmd = gpg_recv + release_key
+    for release_key in RELEASE_KEYS:
+        # We construct the gpg --recv-key command based on optional keyserver arg.
+        if keyserver:
+            get_key_cmd = gpg_recv + ['--keyserver', keyserver] + [release_key]
+        else:
+            get_key_cmd = gpg_recv + [release_key]
 
-    subprocess.check_call(get_key_cmd, cwd=args.root)
+        subprocess.check_call(get_key_cmd, cwd=args.root)
 
 
 def update(args: argparse.Namespace) -> int:
@@ -954,7 +960,7 @@ def update(args: argparse.Namespace) -> int:
         # we check that bad_sig_text does not appear, that the release key
         # appears on the second line of the output, and that there is a single
         # match from good_sig_text[]
-        if RELEASE_KEY in gpg_lines[1] and \
+        if (RELEASE_KEYS[0] in gpg_lines[1] or RELEASE_KEYS[1] in gpg_lines[1]) and \
                 len(good_sig_matches) == 1 and \
                 bad_sig_text not in sig_result:
             # Finally, we check that there is no branch of the same name

diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -6,7 +6,7 @@ ip_info:
 
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
-  - "securedrop-keyring-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
+  - "securedrop-keyring-0.1.5+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - "securedrop-config-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - "securedrop-ossec-agent-3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   -  securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb

diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -6,7 +6,7 @@ ip_info:
 
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
-  - "securedrop-keyring-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
+  - "securedrop-keyring-0.1.5+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - "securedrop-config-0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - "securedrop-ossec-server-3.6.0+{{ securedrop_version }}+{{ securedrop_target_distribution }}-amd64.deb"
   - securedrop-grsec-{{ grsec_version }}+{{ securedrop_target_distribution }}-amd64.deb

diff --git a/install_files/ansible-base/roles/install-fpf-repo/defaults/main.yml b/install_files/ansible-base/roles/install-fpf-repo/defaults/main.yml
@@ -21,6 +21,7 @@ install_local_packages: False
 # the Release file for which will *not* be signed with the prod key.
 apt_repo_pubkey_files:
   - fpf-signing-key.pub
+  - fpf-signing-key-2021.pub
 
 # As of v2.0.0, only Focal is supported.
 apt_repo_target_distro: "{{ ansible_distribution_release }}"
diff --git a/install_files/ansible-base/roles/install-fpf-repo/files/fpf-signing-key-2021.pub b/install_files/ansible-base/roles/install-fpf-repo/files/fpf-signing-key-2021.pub
@@ -0,0 +1,53 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGCZZq0BEAC+wLsE1p+RF7xSHUNSAKS/pFs9Ax0mAAoqdZ1KpB3u1DNTWZd+
+aj+TU/L/Yxgxlc5aapJn2LAhiTKRljLAnZXIwa97hvKPWwufphCg6QbyDlndXjLR
+LZGkR+Zi6Y2NPN+ryfG0ufCNph3iwJR3nBrRLN4uulFC5ejZsXdC5QXbFxssmWjF
+fUyaWwwwJ0Fz6oY2icsntumf8m7JeUNbLUWR7LDWqCOI52JEhswLXHfTbODNfp1K
+sGs0HwKmyH68ITRmNSjwz1xoS/ToXpBtiZ0YkczRlljfg4cxI11/7+pQohX9K7G5
+K4UT322QB5adtanIjVX7GFWjWxzs3MKE/xyLZN0+8jf/QnIC4K8vrMgWolQmRmJs
+RSCGGDoXT36g0kqnLuuFQmrvNnItcmy+5eefSCcjF+NG8xwN9kApRUxkpF3Dt/Bb
+PBCuKXghvQxA5V1r29v/gkyTsa6n5NQjix+5Lg0rCycqg4Mg77ZTlCklZ22nUXgB
+DWkG/xqMWXVZOtUa+REYrTCg9Zo7qlbIniRGeGfGtXYXI023clJH7QkSOEVbCzju
+SMG+mvRVGJVEWmkoD6mUqzgs+VpoJ9/f1OV5iZjeYRN7fDUYgZzYuWJp3fYmlvHj
+3oiAN7UrcUwESgoVl+Ga2VFJd+3w0qBLM+3bORq0z1sUp9oJhFpLLtqRuQARAQAB
+tEpTZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXkgPHNlY3VyZWRyb3AtcmVs
+ZWFzZS1rZXktMjAyMUBmcmVlZG9tLnByZXNzPokCVAQTAQoAPhYhBCNZ5lOMBhPm
+UpVebBiO3Tt7IuajBQJgmWatAhsDBQkCKbYABQsJCAcDBRUKCQgLBRYCAwEAAh4B
+AheAAAoJEBiO3Tt7IuajwuMP/3HGnRKTgRLdxeL/8tK4E204N+W3dPYhge1sFLeD
+ak0vXQeTzxizU/1Hi1+qLv+XRpKziPE0gvKnc8wThPhJ+G93hEAqI/Es4VIklzbB
+f/xhLeE54wk6tqz+wy4ugoq0NrRTLFRXT2SXA/enSxaH16fk/5LcNF0V8CTvoaGn
+5kvhZCSPJyw7eqPZGjH2pxy33sktprEAjN7aXuIHw3IiRHmrqgqSCpjn5rEEXO3Y
+u8osqh5ZdVQLnmtQiosA4IVNOKRJU9nTDnIVducx+RLG3Bz3Qf7/mmRC+M3hqGWB
+skk0c2+DtspsNyZh1E+8II3qVGqFwMBovSI0wPX3IOK4Wb91dz3/n8Ahc2N7pBY3
+7wH1GHjT/2Bv80F5d3bbUJVFDLEFFMSUcj4E6dxU38XkbBTODrOYcjzlIT6uK/XH
+Q61fE1e7PSVeNqr6eIqqaTdNZaOJNtlO5umYx0WQawKT72eznPW6HJkX5cfuTj9H
+ARwRCNOTpipOo499bMtk7UjJcTwc9KOxJeKDkbMUfe/43Zp1njctWuv2e/NPz92J
+Ma3BmLluuBR9HJTWKp8L6Ia55vhvtm3+hsgiTCf7gdpxkwRO7470ZeyZMZtARwxp
+2wcIrqdOKW8Zwij2Zsi882PPJjR4N07KiEv9pUBtLzlX3VsHBFSu32klxW3cNlSZ
+1eK/uQINBGCZZq0BEACq7CxMegB4JuC81VDZKNGgPvRfZYzvE9JGV9G/Gz2Ko8IN
+tsBMbIQVXLndeuJZqYPTk5X6dPKJe6ik9WUSpdvpxLdy1FiVjvOMxaXvZCeXB8NS
+jicHq8KWRrvgM15GGRo1vBC8BLyjh6tnImkmI86HNJEy3kvN7OjgFeXactO4yXaP
+Gu4J8OglAYOLvNjamriY/ExFS5uURrmHgJB9beEFY+XS7FbUj81R3H64XCKlKIVu
+ZWmkVHWKqZGdpax9eDWnT7NGrBaZ0DKHKHkim423WAwiqq1YpBpBO586F/ZPdHJE
+pOO8U0jc2NPBH5+kw4mpkerhbmd89NKRBccZwYVv04EYtyQz7GayBREa7Kwj5bq3
+sAE+DqRgeWFLBVWdaeU98zawLR15Qsx85cGvxFJaE9LyPWHyHSlJeyrT0hNE02HG
+3Snvf+ZFqwFgPpYFZ5nO8BTW1S+nrYXZGirslIqfFs0lg1d0B48cTtg4MESouZ+6
+bZDWR/47s6jicncfYVNqSH5d1Ifj8guuxDQZyJLEh18kcOH0wezt7lM/H6kXZnDz
+slOJUAubUgpZ/IbTgdd49UW93QepI+ynuwSogqIPf521XAU/Or7OY+t7J2e1VaCC
+zvez+oiZ6GWh6lBpccPUnDWtti3U2i5hK4swGFa3Uvi6UwbZHihi/iUip4uKxQAR
+AQABiQI8BBgBCgAmFiEEI1nmU4wGE+ZSlV5sGI7dO3si5qMFAmCZZq0CGwwFCQIp
+tgAACgkQGI7dO3si5qNAJhAAsjrKyJY1A814QI82Jk1BcpbYRpr5D11/Y8okj142
+Ury/14yVJ1mdFNIqXiKaazR2UJef+W7EZYXWEUFC4BpYFC75tnGAIuKpdBjd6hiJ
+Z+sWi10eit3IejAwHkbzRTCvPEDxaQTK1EEB/AKE+9fJhnjIVIIYLgIRYwvNBT/S
+J5A1OhoSHtYppD8FpGFw7Hl/t9DK5YETyvY8vkqAMZ9rxp9ZdLni9NsgHa4SCxb/
+1t9ixziUdwbBH0ulHJF3D3Gv6U4Rtcjyi/CLwMaC9pJ7PfISQBYL0USkL9WUYTy7
+IPn60fcvrXIx0ZoR0T4L5rbIQpJ89bVvyT2a1BTFo0zp46hzq9O5g6dr3oB94UKf
+bYxNOjNwyMmSyT/JVHzS5H8RAk9UdXmJZXuUFGlPJwfqakGOzZm+X8m6bfbALS++
+b0CAfkWVLNSASXdkK0du5XpIEFFca2qc0vxgqNFDNJC9lrjIx95Bxiql8kOhhloo
+/mXz7rZl9vbXBespZCMosFlatkL6hnFm28IIb8vOwGrOuToxyJUQcD8u6iT8kpWF
+j5EBqojf1VEaYOogVX8kBFfNTUWmHslD44f46IqIm/lE/wAGev3Aec+olqdD1B75
+hdWwJXNaMxCYVofIgihTMKUeSuXHXNajtwbcUJYyeX4X/LrknXu5EoBfUIXZEZ/J
+u3U=
+=pCIa
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/install_files/securedrop-keyring/DEBIAN/control.j2 b/install_files/securedrop-keyring/DEBIAN/control.j2
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-keyring
-Version: 0.1.4+{{ securedrop_version }}+{{ securedrop_target_distribution }}
+Version: 0.1.5+{{ securedrop_version }}+{{ securedrop_target_distribution }}
 Architecture: amd64
 Depends: gnupg
 Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.
diff --git a/install_files/securedrop-keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg b/install_files/securedrop-keyring/etc/apt/trusted.gpg.d/securedrop-keyring.gpg
diff --git a/molecule/builder-focal/tests/vars.yml b/molecule/builder-focal/tests/vars.yml
@@ -1,7 +1,7 @@
 ---
 securedrop_version: "1.9.0~rc1"
 ossec_version: "3.6.0"
-keyring_version: "0.1.4"
+keyring_version: "0.1.5"
 config_version: "0.1.4"
 grsec_version_focal: "5.4.97"
 

diff --git a/molecule/testinfra/common/test_fpf_apt_repo.py b/molecule/testinfra/common/test_fpf_apt_repo.py
@@ -38,17 +38,23 @@ def test_fpf_apt_repo_present(host):
 def test_fpf_apt_repo_fingerprint(host):
     """
     Ensure the FPF apt repo has the correct fingerprint on the associated
-    signing pubkey. The key changed in October 2016, so test for the
-    newest fingerprint, which is installed on systems via the
-    `securedrop-keyring` package.
+    signing pubkey. Recent key rotations have taken place in:
+
+      * 2016-10
+      * 2021-06
+
+    So let's make sure that the fingerprints accepted by the system covers both
+    in the interim.
     """
 
     c = host.run('apt-key finger')
 
-    fpf_gpg_pub_key_info = "2224 5C81 E3BA EB41 38B3  6061 310F 5612 00F4 AD77"
+    fpf_gpg_pub_key_info_old = "2224 5C81 E3BA EB41 38B3  6061 310F 5612 00F4 AD77"
+    fpf_gpg_pub_key_info_new = "2359 E653 8C06 13E6 5295  5E6C 188E DD3B 7B22 E6A3"
 
     assert c.rc == 0
-    assert fpf_gpg_pub_key_info in c.stdout
+    assert fpf_gpg_pub_key_info_old in c.stdout
+    assert fpf_gpg_pub_key_info_new in c.stdout
 
 
 @pytest.mark.parametrize('old_pubkey', [