Merge pull request #232 from freedomofpress/182-to-200

Add 1.8.2->2.0.0 update guide; bump version
freedomofpress · Jun 23, 2021 · 3877932 · 3877932
2 parents 86e1f5c + fddd7df
commit 3877932
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 131 deletions.
diff --git a/docs/backup_and_restore.rst b/docs/backup_and_restore.rst
@@ -229,7 +229,7 @@ Migrating Using a V2+V3 or V3-Only Backup
 
       cd ~/Persistent/securedrop/
       git fetch --tags
-      git tag -v 1.8.2
+      git tag -v 2.0.0
 
    The output should include the following two lines:
 
@@ -239,6 +239,7 @@ Migrating Using a V2+V3 or V3-Only Backup
       gpg: Good signature from "SecureDrop Release Signing Key"
 
 
+   .. include:: includes/release-key-transition.txt
    .. important::
       If you do not see the message above, signature verification has failed
       and you should **not** proceed with the installation. If this happens,
@@ -250,10 +251,10 @@ Migrating Using a V2+V3 or V3-Only Backup
 
    .. code:: sh
 
-      git checkout 1.8.2
+      git checkout 2.0.0
 
    .. important::
-      If you see the warning ``refname '1.8.2' is ambiguous`` in the
+      If you see the warning ``refname '2.0.0' is ambiguous`` in the
       output, we recommend that you contact us immediately at
       securedrop@freedom.press
       (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
@@ -471,7 +472,7 @@ source accounts, and journalist accounts. To do so, follow the steps below:
 
       cd ~/Persistent/securedrop/
       git fetch --tags
-      git tag -v 1.8.2
+      git tag -v 2.0.0
 
    The output should include the following two lines:
 
@@ -480,7 +481,7 @@ source accounts, and journalist accounts. To do so, follow the steps below:
       gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
       gpg: Good signature from "SecureDrop Release Signing Key"
 
-
+   .. include:: includes/release-key-transition.txt
    .. important::
        If you do not see the message above, signature verification has failed
        and you should **not** proceed with the installation. If this happens,
@@ -491,11 +492,11 @@ source accounts, and journalist accounts. To do so, follow the steps below:
 
    .. code:: sh
 
-      git checkout 1.8.2
+      git checkout 2.0.0
 
 
    .. important::
-      If you see the warning ``refname '1.8.2' is ambiguous`` in the
+      If you see the warning ``refname '2.0.0' is ambiguous`` in the
       output, we recommend that you contact us immediately at
       securedrop@freedom.press (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
 
@@ -530,7 +531,7 @@ source accounts, and journalist accounts. To do so, follow the steps below:
 
    .. note::
 
-      You may need to wait approximately 10-15 minutes after installing 
+      You may need to wait approximately 10-15 minutes after installing
       Ubuntu 20.04 for the servers to become reachable via SSH.
 
 #. Reinstall SecureDrop on the servers, following the :doc:`installation

diff --git a/docs/conf.py b/docs/conf.py
@@ -68,9 +68,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = "1.8.2"
+version = "2.0.0"
 # The full version, including alpha/beta/rc tags.
-release = "1.8.2"
+release = "2.0.0"
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

diff --git a/docs/includes/release-key-transition.txt b/docs/includes/release-key-transition.txt
@@ -0,0 +1,8 @@
+.. note::
+
+   The release key above will be allowed to expire on June 30, 2021. This means
+   that you will see the output "Note: This key has expired!" when verifying
+   tag ``2.0.0`` or any older tag after the expiration date.
+
+   Future releases will be signed using a new key with a new fingerprint. See our dual-signed
+   `transition statement <https://media.securedrop.org/media/documents/signing-key-transition.txt>`_.
diff --git a/docs/index.rst b/docs/index.rst
@@ -85,10 +85,9 @@ anonymous sources.
    :maxdepth: 2
 
    upgrade/focal_migration.rst
+   upgrade/1.8.2_to_2.0.0.rst
    upgrade/1.8.1_to_1.8.2.rst
    upgrade/1.8.0_to_1.8.1.rst
-   upgrade/1.7.1_to_1.8.0.rst
-   upgrade/1.7.0_to_1.7.1.rst
 
 .. toctree::
    :caption: Developer Documentation

diff --git a/docs/set_up_admin_tails.rst b/docs/set_up_admin_tails.rst
@@ -83,6 +83,8 @@ command:
    gpg --keyserver hkps://keys.openpgp.org --recv-key \
     "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
 
+.. include:: includes/release-key-transition.txt
+
 If you are not copy-pasting this command, we recommend you double-check you have
 entered it correctly before pressing enter. GPG will implicitly verify that the
 fingerprint of the key received matches the argument passed.
@@ -137,7 +139,7 @@ signed with the release signing key:
 
     cd ~/Persistent/securedrop/
     git fetch --tags
-    git tag -v 1.8.2
+    git tag -v 2.0.0
 
 The output should include the following two lines:
 
@@ -158,9 +160,9 @@ screen of your workstation. If it does, you can check out the new release:
 
 .. code:: sh
 
-    git checkout 1.8.2
+    git checkout 2.0.0
 
-.. important:: If you see the warning ``refname '1.8.2' is ambiguous`` in the
+.. important:: If you see the warning ``refname '2.0.0' is ambiguous`` in the
                output, we recommend that you contact us immediately at
                securedrop@freedom.press (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
 

diff --git a/docs/upgrade/1.7.0_to_1.7.1.rst b/docs/upgrade/1.7.0_to_1.7.1.rst
diff --git a/docs/upgrade/1.7.1_to_1.8.0.rst → docs/upgrade/1.8.2_to_2.0.0.rst b/docs/upgrade/1.7.1_to_1.8.0.rst → docs/upgrade/1.8.2_to_2.0.0.rst
@@ -1,37 +1,49 @@
-Upgrade from 1.7.1 to 1.8.0
+Upgrade from 1.8.2 to 2.0.0
 ===========================
 
-.. important::
+.. note::
+
+   If you are not already using Tails 4.19 or greater on your workstations, you
+   will need to :ref:`update manually due to a bug <Tails Broken Updates 2021>`.
 
-  You must migrate your SecureDrop servers to Ubuntu 20.04 before **April 30,
-  2021** to keep your SecureDrop instance operational. This migration will require
-  physical access to the servers. Please see our :doc:`migration guide <focal_migration>`
-  for instructions.
 
-Updating Servers to SecureDrop 1.8.0
+Updating Servers to SecureDrop 2.0.0
 ------------------------------------
-Your servers will be updated to the latest version of SecureDrop automatically
-within 24 hours of the release.
+Servers running Ubuntu 20.04 will be updated to the latest version of SecureDrop
+automatically within 24 hours of the release.
+
+.. important::
 
-.. _updating_workstations_180:
+   If your servers are still running Ubuntu 16.04, you will not receive this
+   update, as the operating system has reached its end-of-life. Please
+   contact us if you require assistance reinstalling SecureDrop.
 
-Updating Workstations to SecureDrop 1.8.0
+Updating Workstations to SecureDrop 2.0.0
 -----------------------------------------
 
 Using the graphical updater
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. important::
+
+   Attempting to update to 2.0.0 using the graphical updater will fail
+   after June 29, 2021. This is due to the expiry of the signing key used for
+   this release. If you are updating a *Journalist Workstation* or
+   *Admin Workstation* after June 29, you must do so manually; see below.
+
 On the next boot of your SecureDrop *Journalist* and *Admin Workstations*,
 the *SecureDrop Workstation Updater* will alert you to workstation updates. You
 must have `configured an administrator password <https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/>`_
 on the Tails welcome screen in order to use the graphical updater.
 
-Perform the update to 1.8.0 by clicking "Update Now":
+Perform the update to 2.0.0 by clicking "Update Now":
 
 .. image:: ../images/securedrop-updater.png
 
 Performing a manual update
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
-If the graphical updater fails and you want to perform a manual update instead,
+
+If the graphical updater fails and you need to perform a manual update instead,
 first delete the graphical updater's temporary flag file, if it exists (the
 ``.`` before ``securedrop`` is not a typo): ::
 
@@ -45,20 +57,23 @@ update by running the following commands: ::
   git fetch --tags
   gpg --keyserver hkps://keys.openpgp.org --recv-key \
    "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
-  git tag -v 1.8.0
+  git tag -v 2.0.0
 
 The output should include the following two lines: ::
 
     gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
     gpg: Good signature from "SecureDrop Release Signing Key"
 
+
+.. include:: ../includes/release-key-transition.txt
+
 Please verify that each character of the fingerprint above matches what is
 on the screen of your workstation. If it does, you can check out the
 new release: ::
 
-    git checkout 1.8.0
+    git checkout 2.0.0
 
-.. important:: If you do see the warning "refname '1.8.0' is ambiguous" in the
+.. important:: If you do see the warning "refname '2.0.0' is ambiguous" in the
   output, we recommend that you contact us immediately at securedrop@freedom.press
   (`GPG encrypted <https://securedrop.org/sites/default/files/fpf-email.asc>`__).
 
@@ -69,36 +84,24 @@ Finally, run the following commands: ::
 
 .. include:: ../includes/always-backup.txt
 
+.. _Tails Broken Updates 2021:
+
 Updating Tails
 --------------
 Check the version of Tails on your *Admin* and *Journalist Workstations*
 (**Applications ▸ Tails ▸ About Tails**). If your workstations are running Tails
-version 4.14 or earlier, you will not receive an update notification due to a
-bug. Perform a :ref:`manual update <Update Tails Manually>`, or reinstate
-automatic updates by following the steps in the
-`Tails advisory <https://tails.boum.org/news/version_4.14/broken_upgrades/index.en.html>`__.
-
-If you are running Tails 4.15 or later, follow the graphical prompts to update
-to the latest version.
-
-Migration to Ubuntu 20.04 and to v3 onion services
---------------------------------------------------
-The operating system running on your *Application* and *Monitor Servers*,
-Ubuntu 16.04 (Xenial), reaches its end-of-life for security updates on April 30,
-2021. You must migrate your servers to Ubuntu 20.04 before April 30, 2021 to
-remain secure. Please see our :doc:`migration guide <focal_migration>` for detailed
-instructions.
-
-.. important ::
-
-   If your servers are running Ubuntu 16.04 after **April 30, 2021**, the
-   *Source Interface* will be automatically disabled as a security precaution.
-
-Because  v2 :ref:`onion services <glossary_onion_service>` are deprecated,
-SecureDrop does not support enabling them on Ubuntu 20.04. If you are not already
-running v3 onion services (easily recognizable by their 56 character ``.onion``
-addresses), you can :doc:`enable them <../v3_services>` prior to the migration
-to Ubuntu 20.04, or as part of the same maintenance window.
+version 4.18 or earlier, Tails may fail to notify you of updates, or may display
+an error message.
+
+Perform a :ref:`manual update <Update Tails Manually>`, or reinstate
+automatic updates by running the following command: ::
+
+  torsocks curl --silent https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem | \
+  sudo tee --append /usr/local/etc/ssl/certs/tails.boum.org-CA.pem && \
+  systemctl --user restart tails-upgrade-frontend
+
+After a short delay, Tails should notify you about the availability of updates,
+allowing you to use the Tails graphical updater.
 
 Getting Support
 ---------------