This repository has been archived by the owner on Jul 2, 2024. It is now read-only.

Adds new signing key to apt repo bootstrap logic
Follow-up to #21, and a crucial requirement for #20.
Ensures that the newest signing key is inserted early in the
VM creation. It's not strictly necessary for the next template build,
but will be required for all template builds after 2021-06-30, when
the old signing key is set to expire.
Conor Schaefer committed Jun 4, 2021
1 parent b952c24 commit e26814e
Showing 3 changed files with 108 additions and 45 deletions.
43 changes: 43 additions & 0 deletions keys/release-key-LEGACY.asc
@@ -0,0 +1,43 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=LOAb
-----END PGP PUBLIC KEY BLOCK-----
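Review bot: the new keys/release-key-LEGACY.asc carries no indication of which key it is or when it expires; the only place that information exists is the fingerprint default in 04_install_qubes_post.sh and the "expire after 2021-06-30" sentence in the commit message. Since this file exists solely for the rotation window, suggest recording the key fingerprint and expiry next to it (a short keys/README or a comment line in the script where the file is referenced) so the file can be removed with confidence once the window closes.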
90 changes: 50 additions & 40 deletions keys/release-key.asc
@@ -1,43 +1,53 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=LOAb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=pCIa
-----END PGP PUBLIC KEY BLOCK-----
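Review bot: keys/release-key.asc is replaced wholesale here, and this blob is what `apt-key add` will trust, but the commit message does not state the fingerprint of the key it now contains. The script hunk asserts `2359E6538C0613E652955E6C188EDD3B7B22E6A3` for this file; suggest stating that fingerprint in the commit message (or the keys/README) so a reviewer can verify the armored block against it rather than against a value buried in a shell default.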
20 changes: 15 additions & 5 deletions securedrop-workstation/04_install_qubes_post.sh
Expand Up @@ -36,17 +36,27 @@ mount --bind /dev "${INSTALLDIR}/dev"
aptInstall apt-transport-https qubes-vm-recommended

[ -n "$workstation_repository_suite" ] || workstation_repository_suite="buster"
[ -n "$workstation_signing_key_fingerprint" ] || workstation_signing_key_fingerprint="22245C81E3BAEB4138B36061310F561200F4AD77"
[ -n "$workstation_signing_key_file" ] || workstation_signing_key_file="$BUILDER_DIR/$SRC_DIR/template-securedrop-workstation/keys/release-key.asc"
[ -n "$gpg_keyserver" ] || gpg_keyserver="keys.gnupg.net"
[ -n "$workstation_signing_key_fingerprint_2020" ] || workstation_signing_key_fingerprint="22245C81E3BAEB4138B36061310F561200F4AD77"
[ -n "$workstation_signing_key_file_2020" ] || workstation_signing_key_file="$BUILDER_DIR/$SRC_DIR/template-securedrop-workstation/keys/release-key-LEGACY.asc"
[ -n "$workstation_signing_key_fingerprint_2021" ] || workstation_signing_key_fingerprint="2359E6538C0613E652955E6C188EDD3B7B22E6A3"
[ -n "$workstation_signing_key_file_2021" ] || workstation_signing_key_file="$BUILDER_DIR/$SRC_DIR/template-securedrop-workstation/keys/release-key.asc"
[ -n "$workstation_repository_uri" ] || workstation_repository_uri="https://apt.freedom.press"
[ -n "$workstation_repository_components" ] || workstation_repository_components="main"
[ -n "$workstation_repository_apt_line" ] || workstation_repository_apt_line="deb $workstation_repository_uri $workstation_repository_suite $workstation_repository_components"
[ -n "$workstation_repository_list" ] || workstation_repository_list="/etc/apt/sources.list.d/securedrop_workstation.list"

cat "$workstation_signing_key_file" | $chroot_cmd apt-key add -
# These keys are necessary only for bootstrapping the FPF apt repo config.
# Below, the 'securedrop-keyring' package is installed, which will manage
# key rotation for the life of the template.
# Add old, 2020-era signing key, for support during rotation window
cat "$workstation_signing_key_file_2020" | $chroot_cmd apt-key add -
## Sanity test. apt-key adv would exit non-zero if not exactly that fingerprint in apt's keyring.
$chroot_cmd apt-key adv --fingerprint "$workstation_signing_key_fingerprint"
$chroot_cmd apt-key adv --fingerprint "$workstation_signing_key_fingerprint_2020"
# Add new, 2021-era signing key, for support going forward
cat "$workstation_signing_key_file_2021" | $chroot_cmd apt-key add -
## Sanity test. apt-key adv would exit non-zero if not exactly that fingerprint in apt's keyring.
$chroot_cmd apt-key adv --fingerprint "$workstation_signing_key_fingerprint_2021"

echo "${INSTALLDIR}/$workstation_repository_list"
echo "$workstation_repository_apt_line" > "${INSTALLDIR}/$workstation_repository_list"

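Review bot: the four new default assignments at the top of this hunk assign to the wrong variables: `[ -n "$workstation_signing_key_fingerprint_2020" ] || workstation_signing_key_fingerprint="22245C81E3BAEB4138B36061310F561200F4AD77"` tests the `_2020` name but sets the old `workstation_signing_key_fingerprint`, and the `_file_2020`, `_fingerprint_2021` and `_file_2021` lines make the same mistake. Unless the caller exports all four `_2020`/`_2021` variables itself, `$workstation_signing_key_file_2020`, `$workstation_signing_key_file_2021` and both `_fingerprint_*` variables are empty where they are used below, so `cat "$workstation_signing_key_file_2020" | $chroot_cmd apt-key add -` reads nothing and `apt-key adv --fingerprint ""` no longer pins a specific key, which removes the sanity check the comment promises. Suggest `[ -n "$workstation_signing_key_fingerprint_2020" ] || workstation_signing_key_fingerprint_2020="22245C81E3BAEB4138B36061310F561200F4AD77"` and the matching `_2020`/`_2021` suffix on the other three assignments; once that is done nothing in the hunk reads the unsuffixed `workstation_signing_key_fingerprint`/`workstation_signing_key_file` names, so they should not be assigned anywhere.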

0 comments on commit e26814e