Troubleshooting Workstation Updates

This section includes some general troubleshooting instructions for common workstation update issues. For additional, version-specific issues and recommended actions, please see the relevant admin upgrade guide.

Performing a manual update

Sometimes, when an update doesn’t go according to plan, it’s necessary to perform a manual update and clear the update flag.

If the graphical updater fails and you want to perform a manual update instead, first delete the graphical updater’s temporary flag file, if it exists (the . before securedrop is not a typo):

rm ~/Persistent/.securedrop/securedrop_update.flag

This will prevent the graphical updater from attempting to re-apply the failed update and has no bearing on future updates. You can now perform a manual update by running the following commands:

cd ~/Persistent/securedrop
git fetch --tags
gpg --keyserver hkps://keys.openpgp.org --recv-key \
 "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3"
git tag -v 2.11.1

The output should include the following two lines:

gpg:                using RSA key 2359E6538C0613E652955E6C188EDD3B7B22E6A3
gpg: Good signature from "SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>" [unknown]

Please verify that each character of the fingerprint above matches what is on the screen of your workstation. A warning that the key is not certified is normal and expected. If the output includes the lines above, you can check out the new release:

git checkout 2.11.1

Important

If you do see the warning “refname ‘2.11.1’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted).

Finally, run the following commands:

sudo apt update
./securedrop-admin setup
./securedrop-admin tailsconfig