Upgrade from 0.7.0 to 0.8.0¶
Updating the Tails Workstations¶
We recommend that you update all Tails drives to version 3.8, which was released concurrently with SecureDrop 0.8.0 on June 26, 2018. Follow the graphical prompts on your workstations to perform this upgrade.
For the Journalist Workstations and the Admin Workstation, the graphical SecureDrop updater will also prompt you to update the SecureDrop code on your workstations. The updater was introduced in SecureDrop 0.7.0. It looks like this:
Due to bug 3567, if this update is performed using the graphical updater, a branch containing unsigned code could take precedence over a release tag, if they have the same name. The likelihood of an exploit is low, as it would require accidental or deliberate branch creation, or compromise of GitHub and/or the communication flow between the workstation and Github.
To completely eliminate this risk, we recommend that you select “Update Later” and perform the update manually by issuing the following commands on each workstation:
cd ~/Persistent/securedrop git fetch --tags gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" git tag -v 0.8.0
The output should include the following two lines:
gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 gpg: Good signature from "SecureDrop Release Signing Key"
Please verify that each character of the fingerprint above matches what you see on the screen of your workstation. If it does, you can check out the new release:
git checkout 0.8.0
Please verify that the output of this command does not contain the text “warning: refname ‘0.8.0’ is ambiguous”.
Finally, run the following command:
Please note that this only updates the SecureDrop code on the workstation. Tails upgrades still have to be performed separately.
Removal of Two-Factor Authentication for Keyboard Login¶
SecureDrop 0.8.0 removes the requirement for two-factor authentication when logging into your server using an attached physical keyboard. This feature provided no real security benefit, as it could easily be bypassed using single user mode.
To ensure that you can login as the admin user using a physical keyboard, you may wish to use this opportunity to cycle the admin user password on your SecureDrop servers.
To do so, log into each SecureDrop server via SSH using your Admin Workstation.
Become the root user by typing
sudo su, then change the password for the
admin user by typing
passwd <username>, e.g., if your admin user account was
alice, you would type
Enter a secure password and store it in the KeePassX password manager on your Admin Workstation.
Troubleshooting Kernel Issues¶
SecureDrop 0.8.0 ships with an update of the Linux kernel running on your Application and Monitor Servers, from version 4.4.115 to version 4.4.135. If you have not previously changed your default kernel, your server will boot into the new kernel automatically on its next reboot.
We have tested this kernel extensively against recommended hardware and other common configurations. Compared with the previous kernel, it ships with additional hardware support. If you are experiencing an outage after the update, it may be due to differences between the two kernel versions relevant to your specific configuration.
Please consult our kernel troubleshooting guide for instructions on how to compare the differences between kernel versions and how to roll back to an earlier version if necessary.
It is of critical importance for the security and stability of your instance that you report kernel compatibility issues to us as soon as you become aware of them.
Enabling the New Kernel After a Downgrade¶
If you have previously downgraded your kernel to the 3.14.x series due to compatibility issues with the kernel that shipped with SecureDrop 0.7.0 (version 4.4.115), we urge you to test the new kernel (version 4.4.135). The new kernel ships with expanded hardware support and is intended to address the hardware compatibility issues that we are aware of.
You can test the new kernel without downtime by following our instructions for testing and enabling a new kernel after a downgrade. Please note that this is only necessary if you have manually downgraded the kernel; otherwise, the new kernel will be enabled automatically.
If the new kernel does not address compatibility issues on your hardware, please let us know as soon as you can by following our instructions for reporting compatibility issues. We intend to remove support for kernel series 3.14.x in a future release, once all major compatibility issues we are aware of have been resolved.
Should you require further support with your SecureDrop installation or upgrade, we are happy to help!
- Community support is available at https://forum.securedrop.org
- The Freedom of the Press Foundation offers training and priority support services. See https://securedrop.org/priority-support/ for more information. If you are already a member of our support portal, please don’t hesitate to open a ticket there.