Upgrade from 1.0.0 to 1.1.0

SecureDrop 1.1.0 is the first release to ship with support for using Tails 4 (scheduled to be released on October 22, 2019) on your Admin Workstation, your Journalist Workstation, and your Secure Viewing Station.

Because the Tails 3 series will stop receiving security updates with the release of Tails 4, it is important that you update your workstations to Tails 4 soon after its release on October 22, 2019.

Update the SecureDrop code on your Admin and Journalist Workstations first, then upgrade all workstations (including the Secure Viewing Station) to Tails 4 by following the procedure described in this document.

Updating workstations to SecureDrop 1.1.0

Using the graphical updater

On the next boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. You must have configured an administrator password on the Tails welcome screen in order to use the graphical updater.

Perform the update to 1.1.0 by clicking “Update Now”:

../_images/securedrop-updater.png

Performing a manual update

If the automated update fails, you can perform a manual update by running the following commands:

cd ~/Persistent/securedrop
git fetch --tags
gpg --keyserver hkps://keys.openpgp.org --recv-key \
 "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 1.1.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Please verify that each character of the fingerprint above matches what on the screen of your workstation. If it does, you can check out the new release:

git checkout 1.1.0

Important

If you do see the warning “refname ‘1.1.0’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted).

Finally, run the following commands:

./securedrop-admin setup
./securedrop-admin tailsconfig

Upgrading workstations to Tails 4

Important

Before upgrading your Admin Workstation and your Journalist Workstation to Tails 4, you must first ensure that the version of the SecureDrop code on the workstation (which is used for administrative tasks and for configuring the Tails desktop) is at 1.1.0.

If unsure, you can always run the git status command in the ~/Persistent/securedrop directory to determine the current version. If the output is not “HEAD detached at 1.1.0”, you are not ready to proceed with the upgrade to Tails 4, and you must first update the workstation using the procedure described in the previous section.

As a precaution, we recommend backing up your workstations before the upgrade to Tails 4. See our Workstation Backup Guide for more information. We also recommend that you keep a USB drive running Tails 3.16 on hand in case you need to revert.

Once you have created the backups, create a Tails 4 Primary USB which you will use to upgrade your workstation. Follow the instructions on the Tails website to create a fresh Tails drive on a computer running Windows, Mac, or Linux.

Boot the Tails 4 Primary USB on the air-gapped computer you use as the Secure Viewing Station, and follow the instructions for manually upgrading from another Tails to upgrade each workstation USB in turn. This procedure preserves the persistent storage volume of each USB drive you upgrade to Tails 4.

Boot each workstation into Tails 4 to verify that the upgrade was successful. On the Admin and Journalist Workstations, set an administrator password on the Tails welcome screen, and update the SecureDrop environment using the following commands:

 cd ~/Persistent/securedrop
./securedrop-admin setup
./securedrop-admin tailsconfig

Important

Until you run these commands, the SecureDrop shortcuts on the Tails desktop will not work, and the graphical updater will no longer report available updates for the SecureDrop code on your workstation.

No additional configuration is required for the Secure Viewing Station.

If you experience difficulties with this upgrade, please do not hesitate to contact us using any of the methods below. If the upgrade failed and you need to restore from a backup, see our guide for restoring workstations. Make sure you restore to a Tails drive using Tails 3.16 before attempting another upgrade to Tails 4.

Troubleshooting securedrop-admin

This release migrates the securedrop-admin command to Python 3, which is necessary because the Python 2 series reaches end-of-life on January 1, 2020. The securedrop-admin setup step normally should take care of all the required changes.

If you see error messages when running securedrop-admin or securedrop-admin setup, we recommend the following:

  • Ensure that you are running version 1.1.0 of SecureDrop on your workstation, by running the command git status in your ~/Persistent/securedrop directory. If the output is not “HEAD detached at 1.1.0”, perform a manual upgrade to SecureDrop 1.1.0 on your workstation.
  • Check your network connection on your workstation. The securedrop-admin setup command requires a working Tor connection.
  • Make sure that you have set an admin password on the Tails welcome screen.

If this does not solve the problem, clear out any existing Python environments on your workstation by following these steps:

  • Change into the directory ~/Persistent/securedrop/admin.
  • Run the following commands from within this directory (make sure to type them exactly as shown, as this is a destructive operation):
rm -r .venv
rm -r .venv3
  • Change back into the ~/Persistent/securedrop directory.
  • Run ./securedrop-admin setup. If the command completes without errors, run the ./securedrop-admin tailsconfig command.

If you continue to experience difficulties, please contact us using any of the methods below.

Getting Support

Should you require further support with your SecureDrop installation, we are happy to help!