Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated securedrop-keyring package to bump expiry to 2027-05-24 #7167

Merged
merged 2 commits into from
May 28, 2024
Merged

Updated securedrop-keyring package to bump expiry to 2027-05-24 #7167

merged 2 commits into from
May 28, 2024

Conversation

zenmonkeykstop
Copy link
Contributor

@zenmonkeykstop zenmonkeykstop commented May 24, 2024
edited by legoktm
Loading

Status

Ready for review

Description of Changes

Fixes: #7164

This version of the securedrop-keyring package includes an updated signing public key with an expiration of 2027-05-24.

The package version has been set to 0.2.2, incrementing from previous minor version.

Testing

  • Import key locally, ensure the expiration date and uid are set correctly
  • Verify key only has the new 2021 key
  • Import keyring locally, ensure expiration date and uid are set correctly
  • Verify keyring only has the new 2021 key
  • Verify old tags can be verified using the new key
  • Can sign and verify test file using new key (if tester doesn't have signing access, please request a test signed file from someone with signing access)
  • CI should pass

Deployment

After this is merged we'll:

  • Upload key to keys.openpgp.org (which will be pulled in automatically on freedom.press)
  • Update key on securedrop.org
  • Include in upcoming 2.9.0 release

Checklist

If you made changes to the system configuration:

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

@zenmonkeykstop zenmonkeykstop requested a review from a team as a code owner May 24, 2024 20:01
@zenmonkeykstop
Don't install setuptools-scm==6.0.1 via override_dh_autoinstall
724abeb 
setuptools-scm 6.0.1 has an unbounded setuptools build dependency, that has
started to pull in a breaking version of setuptools. As far as i can tell, package
wheel builds aren't using it anyway - build isolation means they pull in their
ownn versions of everything. So we can just not install it.

AFAICT this doesn't affect the current state (lack) of build reproducibility. Any
improvements there would probably mean building and using our own wheels following
the same pattern as securedrop-builder&securedrop-client
@zenmonkeykstop zenmonkeykstop self-assigned this May 28, 2024
legoktm
legoktm approved these changes May 28, 2024
View reviewed changes
Copy link
Member

@legoktm legoktm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, also tested the built keyring package and verified the contained key was correct and able to pull packages from apt.freedom.press.

@legoktm legoktm merged commit 074f1b6 into develop May 28, 2024
17 checks passed
@legoktm legoktm deleted the 7164-key-bump branch May 28, 2024 15:02
@nathandyer nathandyer mentioned this pull request May 30, 2024
Closed
31 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@legoktm legoktm legoktm approved these changes

Assignees

@zenmonkeykstop zenmonkeykstop

Labels
sprint goal
Projects
SecureDrop dev cycle
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Update pubkey in Focal securedrop-keyring package
2 participants
@zenmonkeykstop @legoktm