WIP: Have JI validate journalist key is valid

freedomofpress · Oct 26, 2023 · 689eeb3 · 689eeb3
1 parent 3a665de
commit 689eeb3
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 35 deletions.
diff --git a/securedrop/debian/securedrop-app-code.postinst b/securedrop/debian/securedrop-app-code.postinst
@@ -186,8 +186,7 @@ export_journalist_public_key() {
             # Export the GPG public key
             # shellcheck disable=SC2024
             sudo -u www-data gpg2 --homedir=/var/lib/securedrop/keys --export --armor "$fingerprint" > $journalist_pub
-            # Verify integrity of what we just exported
-            sudo -u www-data /var/www/securedrop/scripts/validate-pgp-key "$journalist_pub" "$fingerprint"
+            # We explicitly do not validate the exported key here, that is done during JI startup
         fi
     fi
 

diff --git a/securedrop/journalist.py b/securedrop/journalist.py
@@ -1,9 +1,13 @@
+import sys
+
 from encryption import EncryptionManager, GpgKeyNotFoundError
 from execution import asynchronous
 from journalist_app import create_app
 from models import Source
 from sdconfig import SecureDropConfig
 
+import redwood
+
 config = SecureDropConfig.get_current()
 # app is imported by journalist.wsgi
 app = create_app(config)
@@ -21,10 +25,28 @@ def prime_keycache() -> None:
                 pass
 
 
-prime_keycache()
+def validate_journalist_key() -> None:
+    """Verify the journalist PGP key is valid"""
+    encryption_mgr = EncryptionManager.get_default()
+    # First check that we can read it
+    try:
+        journalist_key = encryption_mgr.get_journalist_public_key()
+    except Exception as e:
+        print(f"ERROR: Unable to read journalist public key: {e}", file=sys.stderr)
+        app.logger.error(f"ERROR: Unable to read journalist public key: {e}")
+        sys.exit(1)
+    # And then what we read is valid
+    try:
+        redwood.is_valid_public_key(journalist_key)
+    except redwood.RedwoodError as e:
+        print(f"ERROR: Journalist public key is not valid: {e}", file=sys.stderr)
+        app.logger.error(f"ERROR: Journalist public key is not valid: {e}")
+        sys.exit(1)
 
 
 if __name__ == "__main__":  # pragma: no cover
+    validate_journalist_key()
+    prime_keycache()
     debug = getattr(config, "env", "prod") != "prod"
     # nosemgrep: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host
     app.run(debug=debug, host="0.0.0.0", port=8081)
diff --git a/securedrop/scripts/validate-pgp-key b/securedrop/scripts/validate-pgp-key