Upgrade from 2.6.1 to 2.7.0
This release will remove support for Submission Public Keys with legacy SHA-1-based binding signatures. The SecureDrop Journalist Interface will not start when the instance has been configured with such a key, and the Source Interface will state that the instance is temporarily offline. If you have set up SecureDrop according to our documentation, you are not using such keys; no SecureDrop instances known to us are affected by this change.
If you are unsure if you will be affected by this change, you can
reach out to us for support. Our recommended course of action is to
check your Submission Public Key, available at the /public-key
endpoint of your SecureDrop Source Interface onion url, using the
sq-keyring-linter program, which is available by default on your
Admin Workstation starting with Tails version 5.19.
If your key contains insecure SHA-1-based signatures, we suggest
creating a new Submission Keypair according to our documentation.
You should not delete the old key from your Secure Viewing Station,
so that you can still decrypt old submissions. We are happy to
assist you with this process. As a reminder, all key material should
be generated on an air-gapped machine, and should never reside on a
For more detailed information about why keys with SHA-1 signatures are insecure, see https://sequoia-pgp.org/blog/2023/02/01/202302-happy-sha1-day/.
Update Servers to SecureDrop 2.7.0
Servers running Ubuntu 20.04 will be updated to the latest version of SecureDrop automatically within 24 hours of the release.
Update Workstations to SecureDrop 2.7.0
Updating Tails and replacing short passphrases
Before upgrading your Workstations to SecureDrop 2.7.0, we strongly recommend that you first upgrade to Tails 5.19.
Using the graphical updater
If you encounter errors with the graphical updater, perform a manual update. This will ensure that you have imported the new SecureDrop release signing key.
On the next boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. You must have configured an administrator password on the Tails welcome screen in order to use the graphical updater.
Perform the update to 2.7.0 by clicking “Update Now”:
Performing a manual update
If the graphical updater fails and you want to perform a manual update instead,
first delete the graphical updater’s temporary flag file, if it exists (the
securedrop is not a typo):
This will prevent the graphical updater from attempting to re-apply the failed update and has no bearing on future updates. You can now perform a manual update by running the following commands:
git fetch --tags
gpg --keyserver hkps://keys.openpgp.org --recv-key \
"2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3"
git tag -v 2.7.0
The output should include the following two lines:
gpg: using RSA key 2359E6538C0613E652955E6C188EDD3B7B22E6A3
gpg: Good signature from "SecureDrop Release Signing Key <email@example.com>" [unknown]
Please verify that each character of the fingerprint above matches what is on the screen of your workstation. A warning that the key is not certified is normal and expected. If the output includes the lines above, you can check out the new release:
git checkout 2.7.0
Finally, run the following commands:
Should you require further support with your SecureDrop installation, we are happy to help!
Community support is available at https://forum.securedrop.org
If you are already a member of our support portal, please don’t hesitate to open a ticket there. If you would like to request access, please contact us at firstname.lastname@example.org (GPG encrypted). Note that your ticket will be visible to all support portal users at your organization; if this is a concern, reach out by email to the above address or to a staff member directly.
The Freedom of the Press Foundation offers training and priority support services. See https://securedrop.org/priority-support/ for more information.