Upgrade from 1.8.2 to 2.0.0

Note

If you are not already using Tails 4.19 or greater on your workstations, you will need to update manually due to a bug.

Updating Servers to SecureDrop 2.0.0

Servers running Ubuntu 20.04 will be updated to the latest version of SecureDrop automatically within 24 hours of the release.

Important

If your servers are still running Ubuntu 16.04, you will not receive this update, as the operating system has reached its end-of-life. Please contact us if you require assistance reinstalling SecureDrop.

Updating Workstations to SecureDrop 2.0.0

Using the graphical updater

Important

Attempting to update to 2.0.0 using the graphical updater will fail after June 29, 2021. This is due to the expiry of the signing key used for this release. If you are updating a Journalist Workstation or Admin Workstation after June 29, you must do so manually; see below.

On the next boot of your SecureDrop Journalist and Admin Workstations, the SecureDrop Workstation Updater will alert you to workstation updates. You must have configured an administrator password on the Tails welcome screen in order to use the graphical updater.

Perform the update to 2.0.0 by clicking “Update Now”:

../_images/securedrop-updater.png

Performing a manual update

If the graphical updater fails and you need to perform a manual update instead, first delete the graphical updater’s temporary flag file, if it exists (the . before securedrop is not a typo):

rm ~/Persistent/.securedrop/securedrop_update.flag

This will prevent the graphical updater from attempting to re-apply the failed update and has no bearing on future updates. You can now perform a manual update by running the following commands:

cd ~/Persistent/securedrop
git fetch --tags
gpg --keyserver hkps://keys.openpgp.org --recv-key \
 "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 2.0.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Note

The release key above will be allowed to expire on June 30, 2021. This means that you will see the output “Note: This key has expired!” when verifying tag 2.0.0 or any older tag after the expiration date.

Future releases will be signed using a new key with a new fingerprint. See our dual-signed transition statement.

Please verify that each character of the fingerprint above matches what is on the screen of your workstation. If it does, you can check out the new release:

git checkout 2.0.0

Important

If you do see the warning “refname ‘2.0.0’ is ambiguous” in the output, we recommend that you contact us immediately at securedrop@freedom.press (GPG encrypted).

Finally, run the following commands:

./securedrop-admin setup
./securedrop-admin tailsconfig

Backing Up the Tails Workstations

USB flash drives degrade over time and vary in quality. To ensure continued access to SecureDrop by administrators and journalists, we recommend backing up the Tails Workstations on the occasion of a new SecureDrop release, after you have completed the upgrade process for each drive.

You can use a single storage device for backups of multiple workstations. See our Workstation Backup Guide for more information.

Updating Tails

Check the version of Tails on your Admin and Journalist Workstations (Applications ▸ Tails ▸ About Tails). If your workstations are running Tails version 4.18 or earlier, Tails may fail to notify you of updates, or may display an error message.

Perform a manual update, or reinstate automatic updates by running the following command:

torsocks curl --silent https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem | \
sudo tee --append /usr/local/etc/ssl/certs/tails.boum.org-CA.pem && \
systemctl --user restart tails-upgrade-frontend

After a short delay, Tails should notify you about the availability of updates, allowing you to use the Tails graphical updater.

Getting Support

Should you require further support with your SecureDrop installation, we are happy to help!

  • Community support is available at https://forum.securedrop.org
  • If you are already a member of our support portal, please don’t hesitate to open a ticket there. If you would like to request access, please contact us at securedrop@freedom.press (GPG encrypted). Note that your ticket will be visible to all support portal users at your organization; if this is a concern, reach out by email to the above address or to a staff member directly.
  • The Freedom of the Press Foundation offers training and priority support services. See https://securedrop.org/priority-support/ for more information.