Upgrade from 0.3.5 to 0.3.6

SecureDrop 0.3.6 was a maintenance release to update the expiration date on the GPG signing key used for the Freedom of the Press apt repository. The signing key expired on October 26, 2015, preventing automatic updates from Freedom of the Press until the issue is manually resolved.


As of SecureDrop 0.3.10, a Debian package securedrop-keyring is used for managing apt keys on the servers. In the process the release signing key was rotated. Check the Set up the Admin Workstation guide for the most up-to-date instructions.

The upgrade steps in this document will upgrade a 0.3.5 SecureDrop to 0.3.6. If you have not yet upgraded to 0.3.5, do that first.

Important Changes

Update Expired GPG Signing Key (Admin Workstation)

The Admin Workstation is used to verify the signed git tag on new SecureDrop releases. Prior to running the 0.3.6 upgrade, the Admin Workstation should update the signing key.

Update Expired GPG Signing Key (SecureDrop Servers)

The Application Server and Monitor Server will need to have their apt keyrings updated, which can be accomplished by running the Ansible playbooks.


  • An Admin networked Tails workstation with persistence enabled and an Admin password set during boot.
  • A running SecureDrop instance of 0.3.5.


If your SecureDrop instance is not already running 0.3.5, run that upgrade first. Failure to do so will result in a merge conflict for your site-specific settings, which can be tedious to resolve if you’re not experienced with git.

Upgrade Procedure

The upgrade procedure can be performed entirely from the Admin Workstation. Start by booting the Admin Tails USB on the Admin Workstation. Make sure you set an Adminstrator Password in the Tails Greeter.

  1. Open a terminal (it is an icon on the top of the screen that looks like a little black TV).

  2. Change into the SecureDrop repo directory

    cd /home/amnesia/Persistent/securedrop
  3. Stash your local changes to the inventory and prod-specific.yml

    git stash save "site specific configs"
  4. Update the Freedom of the Press signing key (these commands are from the Set up the Admin Workstation guide)

    gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"


    The GPG Master Signing Key is also available from the Freedom of the Press website, and the key is signed by the Lead Developer’s personal GPG keys, so you can verify that you have the correct key through the GPG Web of Trust (WoT).

  5. Pull the latest code

    git pull
  6. Verify the signed git tag for the latest stable release

    git tag -v 0.3.6
  7. Checkout the latest release

    git checkout 0.3.6
  8. Pop the site specific configs back in place

    git stash pop
  9. Make sure you have Ansible installed. If running which ansible returns nothing, you should

    sudo apt-get update
    sudo apt-get install ansible

#. Change your current working directory to where the files Ansible needs are stored

cd install_files/ansible-base
  1. Run the Ansible playbooks (substitute the admin account on the servers for <user>)

    ansible-playbook -i inventory -s -u <user> securedrop-prod.yml

During the playbook run, the GPG signing key will be updated, and all packages will be upgraded on both servers. The new signing key is valid until October 2016, at which point another manual update may be necessary.