Add support for trusted PDF generation

[eloquence]

Export (#21) is a must-have feature for the beta; if we limit export to originals, we risk malware exposure once a PDF or other potentially problematic document is copied to another environment.

Qubes has first-class support for the creation of trusted PDFs (repo, technical background) in disposable VMs which is a good early functional target to integrate.

For simplicity, this could be integrated into the export processing workflow, so that any document that lands in the USB-connected export VM is already sanitized.

User Stories

As a journalist, I want to make sure that a PDF I export to another computer is safe, so that I do not accidentally compromise my news organization's security when sharing submissions from anonymous sources.

[eloquence]

An architectural decision here will be whether or not the client should keep track of processing steps and derivatives, e.g., hold on to trusted PDFs. Processing pipelines can get quite complex (redact -> generate trusted PDF; remove image metadata -> convert file format -> rename, etc.); if the client needs to hold on to all derivatives and the hierarchical and chronological relationship between them, that could get very complicated very fast.

If we treat disposable export VMs are the point of alteration of documents, and leave it up to the news organization to organize them in a manner that makes sense outside of the context of the client, that may be much more manageable, and more realistic and in line with their real-world usage. The client, in this model, would be the source of truth for all file originals, but never for derivatives.

[ninavizz]

^ The ux kid personally favors the latter option. Would love a step-thru on Qubes tomorrow, of what their current "Create Trusted PDF" workflow looks like, from File Manager!

[eloquence]

For the beta, the current plan of record is to strongly encourage use of print, and to add appropriate security warnings to the export dialogs. We may not be able to do much beyond that.

I do think it's worth thinking about a safe way to export documents to a work VM, where such tools can be installed, and from which they can be sent to the USB drive. It would be simplest for this to be sd-export-usb itself, but I understand there's a security argument for adding another VM for this purpose.

As we did with the very first export iteration for the alpha, this could be the kind of process we document manual steps for, and then think about supporting explicitly in the client.

[eloquence]

Closing for now in favor of freedomofpress/securedrop-workstation#26 , we can open a more clearly scoped issue once we have a plan for implementation.