Skip to content

Use guardian fork of securedrop-client #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Apr 6, 2023
Merged

Use guardian fork of securedrop-client #1

merged 9 commits into from
Apr 6, 2023

Conversation

philmcmahon
Copy link
Collaborator

@philmcmahon philmcmahon commented Feb 8, 2023
edited
Loading

Description of Changes

This change modifies securedrop-workstation so that it installs the guardian fork of securedrop-client. This is a temporary measure allowing the guardian to start using features such as batch deletion whilst we also collaborate with FPF on getting our desired features into the main branch.

Changes include:

  • New salt file setting up a the guardian's APT repository hosted on Amazon S3, accessed via apt-transport-s3
  • s3auth.conf.j2 file to help with configuring apt-transport-s3
  • A script to sign RPM files generated by the existing build-rpm script and upload to Amazon S3
  • A script to download the required config from S3 for setting up a securedrop-workstation dev environment
  • CODE/PROD public keys for verifying packages published by the guardian
  • Updated config.json.example to show the new guardian config block and required values.

Testing

I've tested this fairly heavily on my Qubes machine.

Deployment

RPM files for this fork can be built using the guardian's securedrop build servers (currently closed source) - see https://github.com/guardian/investigations-platform/pull/424

Checklist

If you have made changes to the provisioning logic

  • All tests (make test) pass in dom0

I ran these and quite a few failed but they didn't appear to be related to my changes. The only actual changes made from the existing securedrop-workstation code are in dom0/sd-app-files.sls and fairly clear so I'm quite relaxed about merging this.

If you have added or removed files

  • I have updated MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec

If documentation is required

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation

@philmcmahon
Copy link
Collaborator Author

Update - I've added a step to launch the guardian's export VMs when securedrop workstation is launched (in sdw-launcher.py)

philmcmahon
philmcmahon commented Apr 6, 2023
View reviewed changes
launcher/whistleflow_launcher.py Outdated
def launch_whistleflow():
"""Launch the Whistleflow view, encrypt and send services"""
logger.info("Launching whistleflow-view")
subprocess.Popen(["qvm-run", "whistleflow-view", "systemctl start whistleflow-view"])
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this needs removing - whistleflow-view doesn't have a service

philmcmahon
philmcmahon commented Apr 6, 2023
View reviewed changes
launcher/whistleflow_launcher.py Outdated
logger.info("Launching whistleflow-view")
subprocess.Popen(["qvm-run", "whistleflow-view", "systemctl start whistleflow-view"])
logger.info("Launching whistleflow-encrypt")
subprocess.Popen(["qvm-run", "whistleflow-encrypt", "systemctl start whistleflow-encrypt"])
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not needed due to https://github.com/guardian/whistleflow/pull/17/files

@philmcmahon philmcmahon merged commit 53bd1b2 into main Apr 6, 2023
@philmcmahon philmcmahon deleted the gu-release branch April 6, 2023 12:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zekehuntergreen zekehuntergreen zekehuntergreen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@philmcmahon @zekehuntergreen