
Signature error during prod install #706

Closed
conorsch opened this issue Jun 8, 2021 · 2 comments
Comments

@conorsch
Contributor

conorsch commented Jun 8, 2021

During a recent prod install (for testing #705), I observed a failure related to the FPF apt repo:

  ----------
            ID: configure-apt-test-apt-repo
      Function: pkgrepo.managed
          Name: deb [arch=amd64] https://apt.freedom.press buster main
        Result: False
       Comment: Failed to configure repo 'deb [arch=amd64] https://apt.freedom.press buster main': W: GPG error: https://apt.freedom.press buster Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 310F561200F4AD77
                E: The repository 'https://apt.freedom.press buster Release' is not signed.
       Started: 21:47:56.138879
      Duration: 5054.719 ms
       Changes:   
  ---------- 

Clearly related to #700, although we were careful to update the securedrop-keyring package to ensure both keys were present. The NO_PUBKEY message refers to the old/current key, suggesting that only the new key is present in the template.

The error output above is from the provisioning of whonix-gw-15, where we do install the keyring package, but only after initial provisioning. Unlike the SDW templates, there is no SD/FPF key present inside the template before we add packages to it, so the initial bootstrapping fails, since it used only the new key.

Solution would be to re-sign the buster Release file with the new key pronto.
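The failure above is the general case of a Release file signed by a key the template's keyring does not yet hold. As an added pre-flight check, written for this page and not part of securedrop-workstation or the issue thread, the script below takes apt's GPG error text and a `gpg --list-keys --with-colons` listing and reports the key IDs apt needs that the keyring lacks, so a provisioner can stop before pkgrepo.managed runs rather than discover the gap from the Salt failure. The key ID 310F561200F4AD77 is the one quoted in the issue; the other key ID and the keyring records are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the securedrop-workstation project): report which
# signing keys an apt NO_PUBKEY error names that are absent from a keyring.

# Constructed sample: apt's warning as quoted in the issue. The key ID
# 310F561200F4AD77 is from the issue itself.
APT_OUTPUT="W: GPG error: https://apt.freedom.press buster Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 310F561200F4AD77
E: The repository 'https://apt.freedom.press buster Release' is not signed."

# Constructed sample of 'gpg --list-keys --with-colons' output for a keyring
# that holds only a (placeholder) new key, 0123456789ABCDEF, as the issue
# describes for the template before the keyring package is installed.
KEYRING_LISTING="pub:-:4096:1:0123456789ABCDEF:1620000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:-::::1620000000::PLACEHOLDERHASH::Placeholder Release Signing Key <placeholder@example.org>::::::::::0:"

# Same keyring after the legacy key has been added (constructed record).
KEYRING_LISTING_FIXED="$KEYRING_LISTING
pub:-:4096:1:310F561200F4AD77:1500000000:::-:::scESC::::::23::0:"

# Long key IDs that apt says it cannot verify, one per line, upper-cased, de-duplicated.
nopubkey_ids() {
  printf '%s\n' "$1" \
    | grep -o 'NO_PUBKEY [0-9A-Fa-f]\{16\}' \
    | cut -d' ' -f2 \
    | tr 'a-f' 'A-F' \
    | sort -u
}

# Key IDs present in a keyring: field 5 of each "pub" record in --with-colons output.
keyring_ids() {
  printf '%s\n' "$1" | awk -F: '$1 == "pub" { print toupper($5) }' | sort -u
}

# Print the key IDs apt needs but the keyring lacks. Returns 0 when nothing is
# missing (safe to configure the repo) and 1 otherwise.
missing_ids() {
  needed=$(nopubkey_ids "$1")
  present=$(keyring_ids "$2")
  missing=""
  for id in $needed; do
    if ! printf '%s\n' "$present" | grep -qx "$id"; then
      missing="$missing $id"
    fi
  done
  [ -z "$missing" ] && return 0
  printf '%s\n' $missing
  return 1
}

# Demo run: with the bare template keyring the legacy key is reported missing;
# with the fixed keyring the check passes silently.
missing_ids "$APT_OUTPUT" "$KEYRING_LISTING" \
  || echo "repo configuration would fail: install the keyring package first"
missing_ids "$APT_OUTPUT" "$KEYRING_LISTING_FIXED" && echo "all signing keys present"
```

In a provisioning run the two inputs would come from a dry `apt-get update` on the template and from `gpg --list-keys --with-colons --keyring /etc/apt/trusted.gpg.d/<file>`; the check belongs before the pkgrepo.managed state so that a half-rotated repository is caught with a clear message instead of a failed Salt state.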

@conorsch
Contributor Author

conorsch commented Jun 8, 2021

As a temporary workaround, first-time installers can copy the old/current pubkey into whonix-gw-15 directly from dom0, at /srv/salt/sd/sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc, then apt-key add - it in the TemplateVM.

@eloquence
Member

This should no longer be an issue; the Release file is now exclusively signed with the new key (https://github.com/freedomofpress/securedrop-debian-packages-lfs/pull/54).
