Upgrade from 0.14.0 to 1.0.0

Updating the Tails Workstations

We recommend that you update all Tails drives to version 3.16, which was released on September 4, 2019. Follow the Tails graphical prompts on your workstations to perform this upgrade.

On a subsequent boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. You must have configured an administrator password on the Tails welcome screen in order to use the graphical updater.

Note

If you have not previously updated this workstation to SecureDrop 0.14.0, we recommend following the manual update procedure. The manual procedure enforces the use of a secure keyserver.

If you are unsure which version of SecureDrop a workstation is using, you can run the command git status in ~/Persistent/securedrop. The first line of the output will tell you the current version, e.g., “HEAD detached at 0.14.0”.

If the workstation is on SecureDrop 0.14.0, it is safe to use the graphical updater by clicking “Update Now”:

../_images/securedrop-updater.png

Please note that this only updates the SecureDrop code on your Tails workstations. Tails updates must be performed separately.

Manually updating the SecureDrop code

If you are running an older version of SecureDrop on this workstation, or if the automated update fails, you can perform a manual update by running the following commands:

cd ~/Persistent/securedrop
git fetch --tags
gpg --keyserver hkps://keys.openpgp.org --recv-key \
 "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 1.0.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Please verify that each character of the fingerprint above matches what on the screen of your workstation. If it does, you can check out the new release:

git checkout 1.0.0

Important

If you do see the warning “refname ‘1.0.0’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted).

Finally, run the following commands:

./securedrop-admin setup
./securedrop-admin tailsconfig

Backing Up the Tails Workstations

USB flash drives degrade over time and vary in quality. To ensure continued access to SecureDrop by administrators and journalists, we recommend backing up the Tails Workstations on the occasion of a new SecureDrop release, after you have completed the upgrade process for each drive.

You can use a single storage device for backups of multiple workstations. See our Workstation Backup Guide for more information.

Enabling v3 Onion Services

SecureDrop 1.0.0 is the first release to support v3 onion services. Version 3 of the protocol for onion services offers significant security benefits, and we recommend that you transition your SecureDrop installation to v3 in the near future.

Enabling v3 onion services will create new, 56 character .onion addresses for your Source Interface, your Journalist Interface, and for SSH access (if SSH access over Tor is enabled). This means that you will have to update the .onion address advertised on your SecureDrop landing page after switching to v3.

For testing purposes, you can enable v3 alongside v2 before switching fully to v3. Please see our documentation for v3 onion services for more information.

Logo Update

SecureDrop ships with a new default logo for the SecureDrop project. This will not affect your installation if you have already customized the logo of your instance. If you have not done so yet, we recommend uploading a custom logo by following the instructions.

If you currently show the SecureDrop logo on your landing page or in other materials related to SecureDrop, please update it to the new version. See our brand refresh guide (PDF) for more information, and please do not hesitate to reach out if we can help in any way.

Getting Support

Should you require further support with your SecureDrop installation, we are happy to help!