Upgrade from 0.8.0 to 0.9.1

Updating the Tails Workstations

We recommend that you update all Tails drives to version 3.9, which was released concurrently with SecureDrop 0.9.0 on September 5, 2018. Follow the Tails graphical prompts on your workstations to perform this upgrade.

Due to a bug in the graphical SecureDrop updater that was fixed in SecureDrop 0.9.1 (released on September 6, 2018), attempting an update of your SecureDrop workstation code on your Journalist or Admin Workstations using the graphical updater will fail with an error message: “WARNING: Signature verification failed.” You need to update your workstations manually by following the steps below.

  1. Start the Journalist or Admin Workstation with Persistent Storage unlocked and an administration password set.
  2. Once you have a working Tor connection, open a Terminal by selecting from the menu: ApplicationsFavoritesTerminal
  3. Change your working directory to the SecureDrop installation directory using the command: cd ~/Persistent/securedrop/
  4. Verify the installed version using the command: git status

The command output will include the line “HEAD detached at <version>”, where “<version>” is your current installed version.

If the workstation code is at version 0.7.0 or earlier:

Update the workstation code to version 0.8.0 (not 0.9.0 or 0.9.1) manually before proceeding:

git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.8.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Please verify that each character of the fingerprint above matches what you see on the screen of your workstation. If it does, you can check out version 0.8.0:

git checkout 0.8.0

Please verify that the output of this command does not contain the text “warning: refname ‘0.8.0’ is ambiguous”.

Important

If you do see the warning “refname ‘0.8.0’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted).

Run the following command:

./securedrop-admin setup

Now, proceed with the 0.8.0 to 0.9.1 update as described below.

If the workstation code is at version 0.8.0:

Complete the following steps to upgrade your workstation to version 0.9.1:

  1. Update the workstation code using the command: ./securedrop-admin update
  2. Update the workstation dependencies using the command: ./securedrop-admin setup
  3. Update your workstation Tails settings using the command: ./securedrop-admin tailsconfig

You will be prompted for the temporary administration password set on the Tails greeter screen.

This should address the problem with the graphical updater for future releases.

Database Migration May Take Time to Complete

Some of the changes in SecureDrop 0.9.0 require a database migration that can take additional time during the upgrade process, especially if you are not using an SSD on your Application Server, or if you store data about a large number of sources and submissions on the server. This is normal behavior during the automatic upgrade, and the Source Interface and Journalist Interface will become available again once the upgrade has been completed. In case of a service outage of more than two hours, please don’t hesitate to reach out to us.

New Dialogs in Tails 3.9

When you run the securedrop-admin setup command, Tails as of version 3.9 will prompt to install packages automatically from persistent storage on each boot. These apt packages don’t need to persist; click on Install Only Once when you see this dialog:

Tails Apt Persistence

Troubleshooting Kernel Issues

SecureDrop 0.9.0 ships with an update of the Linux kernel running on your Application and Monitor Servers, from version 4.4.135 to version 4.4.144. If you have not previously changed your default kernel, your server will boot into the new kernel automatically on its next reboot.

We have tested this kernel extensively against recommended hardware and other common configurations. Please consult our kernel troubleshooting guide for instructions on how to compare the differences between kernel versions and how to roll back to an earlier version if necessary.

Important

It is of critical importance for the security and stability of your instance that you report kernel compatibility issues to us as soon as you become aware of them.

Enabling the New Kernel After a Downgrade

If you have previously downgraded your kernel to the 3.14.x series due to compatibility issues with the kernel that shipped with SecureDrop 0.7.0 or later, we urge you to test the latest kernel (version 4.4.144).

You can test the new kernel without downtime by following our instructions for testing and enabling a new kernel after a downgrade. Please note that this is only necessary if you have manually downgraded the kernel; otherwise, the new kernel will be enabled automatically.

Important

The next regular release of SecureDrop, version 0.10.0, will no longer preserve a preference for a downgraded kernel. If you have downgraded your kernel, testing the new kernel and reporting compatibility issues is of critical importance to minimize the risk of an outage of your SecureDrop instance.

Getting Support

Should you require further support with your SecureDrop installation or upgrade, we are happy to help!