Trust securedrop signing key in non-production environments

This will allow us to use prod artifacts in development, specifically the SecureDrop Workstation Qubes Template base.
freedomofpress · Feb 3, 2020 · 5feafda · 5feafda
1 parent 0119438
commit 5feafda
Showing 1 changed file with 60 additions and 11 deletions.
diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
@@ -14,26 +14,49 @@ include:
 
 # Imports "sdvars" for environment config
 {% from 'sd-default-config.sls' import sdvars with context %}
+# Import config
+{% import_json "sd/config.json" as d %}
+
+# In prod and dev/staging environments, we will use both the prod and the dev
+# GPG singning key. In prod, only packages signed with the release key will be
+# allowed.
+dom0-rpm-signing-key:
+  file.managed:
+    - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-prod
+    - source: "salt://sd/sd-workstation/securedrop-release-signing-pubkey.asc"
+    - user: root
+    - group: root
+    - mode: 644
+
+dom0-rpm-signing-key-import:
+  cmd.run:
+    - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-prod
+    - require:
+      - file: dom0-rpm-signing-key
 
+# In dev and staging environments, we allow packages signed with the test key
+
+{% if d.environment != "prod" %}
 dom0-rpm-test-key:
   file.managed:
     # We write the pubkey to the repos config location, because the repos
     # config location is automatically sent to dom0's UpdateVM. Otherwise,
     # we must place the GPG key inside the fedora-30 TemplateVM, then
     # restart sys-firewall.
-    - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
-    - source: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}"
+    - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
+    - source: "salt://sd/sd-workstation/apt-test-pubkey.asc"
     - user: root
     - group: root
     - mode: 644
 
 dom0-rpm-test-key-import:
   cmd.run:
-    - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+    - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
     - require:
       - file: dom0-rpm-test-key
 
-dom0-workstation-rpm-repo:
+# The test repo accepts both keys
+dom0-workstation-test-rpm-repo:
   # We use file.managed rather than pkgrepo.managed, because Qubes dom0
   # settings write new repos to /etc/yum.real.repos.d/, but only /etc/yum.repos.d/
   # is copied to the UpdateVM for fetching dom0 packages.
@@ -45,26 +68,52 @@ dom0-workstation-rpm-repo:
     - contents: |
         [securedrop-workstation-dom0]
         gpgcheck=1
-        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-prod
+               file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
         enabled=1
         baseurl={{ sdvars.dom0_yum_repo_url }}
         name=SecureDrop Workstation Qubes dom0 repo
     - require:
       - file: dom0-rpm-test-key
+      - file: dom0-rpm-signing-key
+
+{% else %}
+
+# The environment is prod, the RPM repo configuration should only accept the release key
+dom0-workstation-prod-rpm-repo:
+  # We use file.managed rather than pkgrepo.managed, because Qubes dom0
+  # settings write new repos to /etc/yum.real.repos.d/, but only /etc/yum.repos.d/
+  # is copied to the UpdateVM for fetching dom0 packages.
+  file.managed:
+    - name: /etc/yum.repos.d/securedrop-workstation-dom0.repo
+    - user: root
+    - group: root
+    - mode: 644
+    - contents: |
+        [securedrop-workstation-dom0]
+        gpgcheck=1
+        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-prod
+        enabled=1
+        baseurl={{ sdvars.dom0_yum_repo_url }}
+        name=SecureDrop Workstation Qubes dom0 repo
+    - require:
+      - file: dom0-rpm-signing-key
+
+{% endif %}
 
 dom0-remove-securedrop-workstation-stretch-template:
   pkg.removed:
     - pkgs:
       - qubes-template-securedrop-workstation
-    - require:
-      - file: dom0-workstation-rpm-repo
+    - require_any:
+      - file: dom0-workstation-prod-rpm-repo
+      - file: dom0-workstation-test-rpm-repo
 
 dom0-install-securedrop-workstation-template:
   pkg.installed:
     - pkgs:
       - qubes-template-securedrop-workstation-buster
     - require:
-      - file: dom0-workstation-rpm-repo
       - pkg: dom0-remove-securedrop-workstation-stretch-template
 
 # Copy script to system location so admins can run ad-hoc
@@ -196,7 +245,6 @@ dom0-securedrop-launcher-desktop-shortcut:
     - group: {{ gui_user }}
     - mode: 755
 
-{% import_json "sd/config.json" as d %}
 {% if d.environment == "dev" %}
 dom0-remove-securedrop-workstation-dom0-config:
   pkg.removed:
@@ -209,7 +257,8 @@ dom0-install-securedrop-workstation-dom0-config:
   pkg.installed:
     - pkgs:
       - securedrop-workstation-dom0-config
-    - require:
-      - file: dom0-workstation-rpm-repo
+    - require_any:
+      - file: dom0-workstation-prod-rpm-repo
+      - file: dom0-workstation-test-rpm-repo
 
 {% endif %}