@deeplow deeplow commented Oct 31, 2025

Fixes freedomofpress/securedrop-workstation#1459

  1. Enables the parameterization of bootstrapping to enable setting up prod and staging as well. One must explicitly state the SECUREDROP_ENV OpenQA variable. The options are dev, staging, prod and prod-qa.

    NOTE: When an invalid environment is provided, it fails like this. This "failing fast" is to avoid having a broken environment name break things and make it hard to notice why things are failing.

  2. Makes install instructions closer to https://github.com/freedomofpress/securedrop-dev-docs/

    Context: the previous set up diverged in two aspects:

Before merging

This needs to be merged in sync with freedomofpress/securedrop-workstation#1504, since it requires a target environment to be specified and on securedrop-workstation's main that is not specified.

Make it easier to set up configs for various environment types without
duplicating code.
Install dev by default but allow overriding via OpenQA test variables.
A test failed in the dev environment due to what looks like the
securedrop-workstation-keyring key not yet being imported at the time of
running "qubes-dom0-update securedrop-workstation-dom0-config" inside of
"make dev".

deeplow commented Nov 4, 2025

I think this one is ready for review in a future sprint. I need to check on the OpenQA status.

Controls the type of environment that is set up, enabling configuring
various kinds of deployments for 'dev', 'staging' and 'prod'.
deeplow force-pushed the prod-keyring-install branch from c33819e to c32538a on November 19, 2025 15:14
Adds an option to do the final testing prior to a release
Removes the 'defaults to dev' behavior and requires that SECUREDROP_ENV is
explicitly stated. It also adds validation to ensure a typo in that
setting fails immediately.
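
The change described in the PR description and the commit messages above, from defaulting to dev to requiring an explicit, validated SECUREDROP_ENV, as an added shell example that is not code from this PR. The variable name and its four accepted values come from the description; the function names, the exit codes, and the assumption that the earlier default-style lookup passed other strings through unchecked are illustrative.

```shell
#!/bin/sh
# Added example, not the PR's code. SECUREDROP_ENV and its four values come
# from the PR description; function names and exit codes are assumptions.

# Default-style lookup: fall back to "dev" when nothing is set. That other
# strings pass through unchecked is an assumption of this sketch.
resolve_env_with_default() {
    printf '%s\n' "${1:-dev}"
}

# Strict lookup: the value must be given explicitly and must be exactly one
# of the accepted names; anything else fails immediately.
#   exit 0 = accepted (name printed), 2 = unset/empty, 3 = not an accepted name
resolve_env_strict() {
    case "${1-}" in
        dev|staging|prod|prod-qa)
            printf '%s\n' "$1" ;;
        '')
            echo "SECUREDROP_ENV must be set explicitly" >&2
            return 2 ;;
        *)
            echo "invalid SECUREDROP_ENV: '$1' (expected dev, staging, prod or prod-qa)" >&2
            return 3 ;;
    esac
}

# Constructed inputs: a valid name, an unset value, a case typo, a separator typo.
for candidate in "staging" "" "Prod" "prod_qa"; do
    rc=0
    strict=$(resolve_env_strict "$candidate" 2>/dev/null) || rc=$?
    printf "input='%s' default-style='%s' strict='%s' (exit %s)\n" \
        "$candidate" "$(resolve_env_with_default "$candidate")" "$strict" "$rc"
done
```

The second and later rows show the difference: the default-style lookup silently yields dev for an unset value and hands a mistyped name onward, while the strict lookup stops with a distinct exit code before any environment-specific step runs.
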
deeplow force-pushed the prod-keyring-install branch from c32538a to 27bf324 on November 19, 2025 15:52
@deeplow deeplow moved this from Backlog to Ready For Review in SecureDrop Nov 19, 2025
deeplow added a commit to freedomofpress/securedrop-workstation that referenced this pull request Nov 19, 2025
Implements a change in the OpenQA securedrop jobs [1], which forces
explicitly setting an OpenQA variable with the expected environment. The
goal of making this explicit is to make it clear that this is a dev
environment and not something else.

[1]: freedomofpress/openqa-tests-qubesos#7
@conorsch

I'd like to provide review here; still getting read in on the OpenQA setup, so I expect I'll have to pester @deeplow with a bunch of questions, which is pretty much the point. 😃

FYI I cannot formally assign myself as reviewer; cc @legoktm in case perms need to change.


deeplow commented Nov 24, 2025

Thanks for offering to review :) I've assigned you as an assignee, in the interest of being able to track the assignment temporarily, if that works for you. Could have been some permissions issue with this repo specifically (it was forked quite recently).

I'd be happy to guide you through all of this OpenQA stuff :) Maybe could use this one as part of the OpenQA onboarding session.

In terms of viewing "CI" results of this branch, we unfortunately don't yet have OpenQA tests run automatically on them. (part of the problem is because we have this as a fork and every now and then need to push some changes to upstream). Currently I start them manually. This passing test is the result of running from this branch.


deeplow commented Nov 26, 2025

Moving this back to "in progress" as I've noticed this has a mistake in how it's building the RPM (it diverges from dev instructions).

The previous set up diverged a bit from the docs at dev.securedrop.org:
  - it downloaded a repo via github's zip instead of 'make clone'
  - it installed the bootstrap RPM which may no longer be necessary (at
    least on the OpenQA side of things)

This PR addresses these limitations by using 'make clone' in 'dev'
environment, but while still downloading the repo for the makefile to
still be available in other environments.
deeplow force-pushed the prod-keyring-install branch from 364ddd1 to e4fc057 on November 26, 2025 14:49

deeplow commented Nov 26, 2025

I've started a dev job combined with freedomofpress/securedrop-workstation#1500 and that seems to be going well: https://openqa.qubes-os.org/tests/160667.

A job over with staging enabled on that same branch is also passing. So I think we're ready to have it merged and this one reviewed.

@deeplow deeplow requested a review from a team November 26, 2025 15:20
@nathandyer nathandyer moved this from In Progress to Ready For Review in SecureDrop Nov 26, 2025
@conorsch

> I'd be happy to guide you through all of this OpenQA stuff :) Maybe could use this one as part of the OpenQA onboarding session.

Yes, please! There's a lot to unpack here. In terms of the PR diff, lgtm, but I'd appreciate the opportunity to talk through the module structure with you to understand the OpenQA setup holistically.

deeplow added a commit to freedomofpress/securedrop-workstation that referenced this pull request Nov 27, 2025
Implements a change in the OpenQA securedrop jobs [1], which forces
explicitly setting an OpenQA variable with the expected environment. The
goal of making this explicit is to make it clear that this is a dev
environment and not something else.

[1]: freedomofpress/openqa-tests-qubesos#7
The 'staging' development environment via its make target [1] is already
equipped with setting up the appropriate 'staging' keyring. In turn this
staging keyring gives access to the staging version of keyring. With the
inclusion of the keyring installation in 'make install-rpm' [2], this
step in OpenQA's side is no longer necessary.

[1]: https://github.com/freedomofpress/securedrop-workstation/pull/1500/files#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52R32-R33
[2]: https://github.com/freedomofpress/securedrop-workstation/pull/1500/files#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52R59-R61

deeplow commented Dec 1, 2025

I have sneaked in one more commit. It was tested here on a practically identical set up. But I don't mind running again directly from this branch, just to confirm this is still green.

Successfully merging this pull request may close these issues.

Add possibility to run prod (and prod-qa) installs on OpenQA