Merge branch 'main' into tails-copy-pv

.github/dependabot.yml

@@ -6,3 +6,10 @@ updates:
       interval: "weekly"
     allow:
       - dependency-type: "all"
+    groups:
+        dependencies:
+          patterns: ["*"]
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/ci.yml

@@ -0,0 +1,29 @@
+---
+name: CI
+
+on: [push, pull_request, workflow_call]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    # We use a standard Debian image to mirror a typical developer environment.
+    # This should be updated whenever a new Debian stable version is available.
+    container: debian:bookworm
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install --yes --no-install-recommends make python3-poetry
+          poetry install --no-ansi
+      - name: Run lint
+        run: |
+          make docs-lint
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Build production deployment
+        run: |
+          podman build --build-arg GIT_BRANCH=$(git rev-parse HEAD) --file ./deploy/Dockerfile .

.github/workflows/linkcheck.yml

@@ -0,0 +1,23 @@
+---
+name: Link check
+
+on:
+  schedule:
+    - cron: '0 3 * * *'
+  workflow_call:
+
+jobs:
+  linkcheck:
+    runs-on: ubuntu-latest
+    # We use a standard Debian image to mirror a typical developer environment.
+    # This should be updated whenever a new Debian stable version is available.
+    container: debian:bookworm
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          apt-get update && apt-get install --yes --no-install-recommends make python3-poetry
+          poetry install --no-ansi
+      - name: Run lint
+        run: |
+          make docs-linkcheck

deploy/Dockerfile

@@ -1,16 +1,13 @@
-# sha256 as of 2023-01-17
-FROM python:3.9-slim-bullseye@sha256:8b0502fe3a8ae9d26567f66e217223595ff6abe901cba64fd8b1b58176311b27 AS sphinx
+FROM debian:bookworm AS sphinx
 
 ARG GIT_BRANCH=main
-RUN apt-get -q update && apt-get -qy upgrade && apt-get -qy install git make latexmk texlive-latex-extra
+RUN apt-get -q update && apt-get -qy upgrade && apt-get -qy install git make latexmk texlive-latex-extra python3-poetry
 COPY ./ .
-RUN pip install poetry==1.4.0
 RUN poetry install
-# TODO: Once the latest stable tag uses poetry, we can drop the `poetry run` prefix
-RUN poetry run deploy/build $GIT_BRANCH
+RUN deploy/build $GIT_BRANCH
 
-# sha256 as of 2021-11-09
-FROM nginx:mainline-alpine@sha256:af466e4f12e3abe41fcfb59ca0573a3a5c640573b389d5287207a49d1324abd8
+# sha256 as of 2024-06-10
+FROM nginx:mainline-alpine-slim@sha256:244d37691a469d45349d9f29e8b7462d9f510b70c0c93acc5d23ee227070c962
 
 COPY deploy/nginx.conf /etc/nginx
 RUN mkdir -p /opt/nginx/run /opt/nginx/webroot/en/latest /opt/nginx/webroot/en/stable && chown -R nginx:nginx /opt/nginx

docs/admin/deployment/https_source_interface.rst

@@ -130,9 +130,9 @@ the Admin Workstation:
     $ ./onion-csr.rb -n <nonce> -d ./hsdir
 
 .. _`specific URL`: https://docs.digicert.com/manage-certificates/organization-domain-management/managing-domains-cc-guide/add-authorize-domain-http-dcv/
-.. _`DigiCert's documentation`: https://www.digicert.com/dc/blog/ordering-a-onion-certificate-from-digicert/
+.. _`DigiCert's documentation`: https://www.digicert.com/blog/ordering-a-onion-certificate-from-digicert
 .. |HTTPS Onion cert| image:: ../../images/screenshots/onion-url-certificate.png
-.. _`contact DigiCert directly`: https://www.digicert.com/dc/blog/ordering-a-onion-certificate-from-digicert/
+.. _`contact DigiCert directly`: https://www.digicert.com/blog/ordering-a-onion-certificate-from-digicert
 .. _`CAB Forum`: https://cabforum.org/2015/02/18/ballot-144-validation-rules-dot-onion-names/
 .. _`Harica`: https://www.harica.gr/
 

docs/admin/deployment/landing_page.rst

@@ -140,10 +140,11 @@ let us know and we can remove your instance from the directory.
 URL and Location
 ----------------
 
-Ideally you would not use a separate subdomain, but would use a path at
-your top-level domain, e.g. organization.com/securedrop. This is because
-TLS does not encrypt the hostname, so a SecureDrop user whose connection
-is being monitored would be trivially discovered.
+Your *Landing Page* must be a path at your top-level domain, e.g. 
+organization.com/securedrop, rather than a subdomain (e.g., 
+securedrop.organization.com). This is because DNS and TLS do not always encrypt the hostname,
+so a SecureDrop user whose connection is being monitored would be trivially
+discovered if you were to use a subdomain.
 
 If the *Landing Page* is deployed on the same domain as another site, you
 might consider having some specific configuration (such as the security

docs/admin/deployment/offboarding.rst

@@ -84,13 +84,13 @@ SSH key, you should rotate the key in the following manner.
 
     .. code:: sh
 
-      scp /home/amnesia/.ssh/newkey.pub scp://app
+      scp -O /home/amnesia/.ssh/newkey.pub scp://app
 
     and
 
     .. code:: sh
 
-      scp /home/amnesia/.ssh/newkey.pub scp://mon
+      scp -O /home/amnesia/.ssh/newkey.pub scp://mon
 
 
 #.  Add this key to the list of authorized keys.

docs/admin/deployment/onboarding_admins.rst

@@ -27,8 +27,8 @@ To onboard an additional administrator, you will need:
 
 To set up AW2, follow these steps:
 
-1. Boot AW1, `unlock its persistent volume <https://tails.boum.org/doc/persistent_storage/use/index.en.html>`__,
-   and `set an admin password on the welcome screen <https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/>`__
+1. Boot AW1, `unlock its persistent volume <https://tails.net/doc/persistent_storage/use/index.en.html>`__,
+   and `set an admin password on the welcome screen <https://tails.net/doc/first_steps/welcome_screen/administration_password/>`__
 2. Ensure that Tails and the SecureDrop version on AW1 are up-to-date.
    If not, update now by following the :ref:`most recent upgrade guide <latest_upgrade_guide>`.
 3. Log into the *Journalist Interface* using your admin credentials, and create
@@ -52,22 +52,34 @@ To set up AW2, follow these steps:
     ``ssh-keygen -t rsa -b 4096``
 
     When prompted, store the keypair in the default location.
-12. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``.
+13. Run the command ``./securedrop-admin tailsconfig`` in ``~/Persistent/securedrop``.
 
     This will set up desktop shortcuts and SSH access.
-13. In a terminal, type the following commands to authorize the newly created SSH keypair
+14. In a terminal, type the following commands to authorize the newly created SSH keypair
     on your servers:
 
     * ``ssh-add``
     * ``ssh-add /media/amnesia/TailsData/openssh-client/id_rsa``
     * ``ssh-copy-id app``
     * ``ssh-copy-id mon``
     * ``ssh-add -D``
-14. Confirm that you are able to access ``mon`` and ``app`` via SSH (``ssh app`` and ``ssh mon``).
-15. Confirm that you are able to access the *Source Interface* and the *Journalist
-    Interface* using the desktop shortcuts.
-16. Shut down AW2.
-17. :doc:`Back up AW2 <../maintenance/backup_workstations>`.
+
+15. Confirm that you are able to access ``mon`` and ``app`` via SSH. The
+    following commands should produce the following output::
+
+        amnesia@amnesia:~$ ssh app hostname
+        app
+        amnesia@amnesia:~$ ssh mon hostname
+        mon
+        
+16. Confirm that you are able to access the *Source Interface* and the *Journalist
+    Interface* using the *SecureDrop Menu*.
+17. :ref:`Initialize a passphrase database <keepassxc_setup>` on AW2.
+    Store the admin account details using KeePassXC, and other account
+    information this admin will need in the course of administering this
+    system.
+18. Shut down AW2.
+19. :doc:`Back up AW2 <../maintenance/backup_workstations>`.
 
 You can now provide AW2 to the new administrator. Ensure that they store the
 disk encryption passphrase in a secure manner: in most configurations, it is the

docs/admin/deployment/onboarding_journalists.rst

@@ -99,7 +99,8 @@ to access the servers over SSH.
 - Open a terminal and run the following commands:
 
   .. code:: sh
-
+    
+    sudo apt update
     cd ~/Persistent/securedrop
     ./securedrop-admin setup
     ./securedrop-admin tailsconfig
@@ -109,10 +110,11 @@ to access the servers over SSH.
 
 - Once the ``tailsconfig`` command is complete, verify that the *Source* and
   *Journalist Interfaces* are accessible at their v3 addresses via the
-  SecureDrop desktop shortcuts.
+  SecureDrop Menu.
 
-- Securely wipe the files on the *Transfer Device*, by right-clicking them
-  in the file manager and selecting **Wipe**.
+- Delete the files on the *Transfer Device* by right-clicking them
+  in the file manager, selecting **Move to Trash**, then navigating to **Trash**
+  in the sidebar and selecting **Empty Trash**.
 
 
 .. warning:: The ``app-journalist.auth_private`` file contains secret

docs/admin/deployment/remote.rst

@@ -104,23 +104,38 @@ Creating New SVS USB Drives
 
 To create the new SVS USB:
 
-1. Boot into the current SVS using the air-gapped workstation.
-   When you see the welcome dialog, unlock the persistent storage
-   volume.
-2. Insert the new (empty) SVS USB.
-3. Launch the Tails Cloner (**Applications ▸ Tails ▸ Tails Cloner**).
-   Select the option to **Clone the current Tails**. 
-   This will delete any data on the new SVS drive.
-4. Check the box marked **Clone the current Persistent Storage**.
-5. Click **Install**.
-6. Choose a strong new passphrase for the new Persistent Storage Volume
-   (a 6-word Diceware passphrase is recommended) and record it securely.
-7. After the process is complete, power off the SVS.
-8. Boot to the new SVS USB, unlock the Persistent Storage, and
-   enable all the options in the Persistent Storage settings.
-9. Verify that the *Submission Key* is present with the correct fingerprint on
-   the new SVS USB via Applications > Utilities > Passwords and Keys.
-
+1. Boot into Tails using the primary Tails USB on the air-gapped workstation.
+   When you see the welcome dialog, you can proceed without enabling persistence
+   or setting an admin password.
+2. Install Tails on the new SVS USB, following the instructions
+   `here. <https://tails.net/install/clone/pc/index.en.html>`_
+3. Boot into the new SVS USB and enable persistence with a strong passphrase
+   (a 6-word Diceware passphrase is recommended). In the Persistent volume
+   configuration wizard, be sure to enable persistence for “GnuPG - GnuPG
+   Keyrings and configuration”.
+4. Temporarily store the persistent volume passphrase in your password manager.
+   You should delete it once you have given the USB and passphrase to the
+   journalist who will be using them.
+5. Reboot the new SVS USB with persistence enabled and an administration
+   password set.
+6. Plug the current SVS USB into a free port on the workstation.
+7. Mount its persistent volume by browsing to Places > Computer, clicking
+   the USB disk in the left-hand column, and entering its persistent volume’s
+   passphrase.
+8. Open a terminal via Applications > Favorites > Terminal
+9. Copy the current SVS’s GPG keychain (which includes the *Submission Key*) to
+   the new SVS USB using the following command (without linebreaks):
+
+   .. code:: sh
+
+      sudo bash -c "rsync -a --no-specials --no-devices \
+      /media/amnesia/TailsData/gnupg/ \
+      /live/persistence/TailsData_unlocked/gnupg/"
+
+
+10. Eject and remove the current SVS USB.
+11. Verify that the *Submission Key* is present with the correct fingerprint on
+    the new SVS USB via Applications > Utilities > Passwords and Keys.
 
 The new SVS should now be ready for use. The journalist that will be checking
 submissions will need the new SVS USB, its Persistent Volume passphrase, and

docs/admin/deployment/ssh_over_local_net.rst

@@ -51,6 +51,7 @@ latest production release.
 
 .. code:: sh
 
+    $ sudo apt update
     $ cd ~/Persistent/securedrop
     $ ./securedrop-admin update
     $ ./securedrop-admin setup

docs/admin/deployment/tails_printing_guide.rst

@@ -41,7 +41,7 @@ Installing and Printing via the Tails GUI
 
 Let's look at the flow in Tails 4 for installing a USB-connected printer.
 On the Tails welcome screen, unlock your persistent volume, and
-`set an admin password <https://tails.boum.org/doc/first_steps/welcome_screen/administration_password/>`__.
+`set an admin password <https://tails.net/doc/first_steps/welcome_screen/administration_password/>`__.
 This ensures that you won't have to reinstall the printer each time you start
 Tails.