Upgrade install guide for 4.2

docs/admin/install/install.rst

@@ -2,24 +2,31 @@ Installing SecureDrop Workstation
 =================================
 .. include:: ../../includes/top-warning.rst
 
+.. warning::
+  The instructions will not work until the necessary packages are published in the stable SecureDrop repositories. Please try again soon, once the stable packages have been updated.
+
 Copy the submission key
 ~~~~~~~~~~~~~~~~~~~~~~~
 
 In order to decrypt submissions, your SecureDrop Workstation will need a copy of the secret key from your SecureDrop instance's SVS. To protect this key and preserve the air gap, you will need to connect the SVS USB to a Qubes VM with no network access, and copy it from there to ``dom0``. Note that you cannot directly copy and paste to the ``dom0`` VM from another VM - instead, follow the steps below to copy the file into ``dom0``:
 
 - First, use the network manager widget in the upper right panel to disable your network connection. These instructions refer to the ``vault`` VM, which has no network access by default, but if the SVS USB is attached to another VM by mistake, this will offer some protection against exfiltration.
 
-- Next, choose **Q > Domain: vault > vault: Files** to open the file manager in the ``vault`` VM.
+- Next, choose **Q > Apps > vault > Thunar File Manager** to open the file manager in the ``vault`` VM.
 
 - Connect the SVS USB to a USB port on the Qubes computer, then use the devices widget in the upper right panel to attach it to the ``vault`` VM. There will be three entries for the USB in the section titled **Data (Block) Devices**. Choose the *unlabeled* entry (*not* the one labeled "TAILS") annotated with a ``sys-usb`` text that ends with a number, like ``sys-usb:sdb2``. That is the persistent volume.
 
   |Attach TailsData|
 
 - In the the ``vault`` file manager, select **+ Other Locations**, then click the persistent volume's listing in the right panel. It will be named ``N GB encrypted``, where N is the size of the persistent volume. Enter the SVS persistent volume passphrase to unlock and mount it.
 
+  .. note::
+
+    You will receive a message that says **Failed to open directory "TailsData"**. This is normal behavior and will not cause any issues with the subsequent steps.
+
   |Unlock TailsData|
 
-- Open a ``dom0`` terminal via **Q > Terminal Emulator**, and run the following command to list the SVS submission key details, including its fingerprint:
+- Open a ``dom0`` terminal via **Q > Settings Gear > Other > Xfce Terminal**, and run the following command to list the SVS submission key details, including its fingerprint:
 
   .. code-block:: sh
 
@@ -76,9 +83,9 @@ Users of SecureDrop Workstation must enter their username, passphrase and two-fa
 
 In order to set up KeePassXC for easy use:
 
-- Add KeePassXC to the application menu by selecting it from the list of available apps in **Q > Domain: vault > vault: Qube Settings > Applications** and pressing the button labeled **>** (do not press the button labeled **>>**, which will add *all* applications to the menu).
+- Add KeePassXC to the application menu by selecting it from the list of available apps in **Q > Apps > vault > Settings > Applications** and pressing the button labeled **>** (do not press the button labeled **>>**, which will add *all* applications to the menu).
 
-- Launch KeePassXC via **Q > Domain: vault > vault: KeePassXC**. When prompted to enable automatic updates, decline. ``vault`` is networkless, so the built-in update check will fail; the app will be updated through system updates instead.
+- Launch KeePassXC via **Q > Apps > vault > KeePassXC**. When prompted to enable automatic updates, decline. ``vault`` is networkless, so the built-in update check will fail; the app will be updated through system updates instead.
 
 - Close the application.
 
@@ -115,9 +122,9 @@ With the key and configuration available in ``dom0``, you're ready to set up Sec
 
 - First, re-enable the network connection using the network manager widget.
 
-- Next, start a terminal in the network-attached ``work`` VM, via **Q > Domain:work > work: Terminal**.
+- Next, start a terminal in the network-attached ``work`` VM, via **Q > Apps > work > Xfce Terminal**.
 
-.. note:: As the next steps include commands that must be typed exactly, you may want to open a browser in the ``work`` VM, open this documentation there, and copy-and-paste the commands below into your ``work`` terminal. Note that due to Qubes' default security settings you will *not* be able to paste commands into your ``dom0`` terminal. The ``work`` browser can be opened via **Q > Domain: work > work: Firefox**
+.. note:: As the next steps include commands that must be typed exactly, you may want to open a browser in the ``work`` VM, open this documentation there, and copy-and-paste the commands below into your ``work`` terminal. Note that due to Qubes' default security settings you will *not* be able to paste commands into your ``dom0`` terminal. The ``work`` browser can be opened via **Q > Apps > work > Firefox**
 
 - In the ``work`` terminal, run the following commands to download and add the SecureDrop signing key, which is needed to verify the SecureDrop Workstation package:
 
@@ -137,7 +144,7 @@ With the key and configuration available in ``dom0``, you're ready to set up Sec
 
     [securedrop-workstation-temporary]
     enabled=1
-    baseurl=https://yum.securedrop.org/workstation/dom0/f32
+    baseurl=https://yum.securedrop.org/workstation/dom0/f37
     name=SecureDrop Workstation Qubes initial install bootstrap
 
 - Download the SecureDrop Workstation config package to the curent working directory with the command:
@@ -152,13 +159,13 @@ With the key and configuration available in ``dom0``, you're ready to set up Sec
 
   .. code-block:: sh
 
-    rpm -Kv securedrop-workstation-dom0-config-<versionNumber>-1.fc32.noarch.rpm
+    rpm -Kv securedrop-workstation-dom0-config-<versionNumber>-1.fc37.noarch.rpm
 
   where ``<versionNumber>`` is the release version number you noted above. The command output should match the following text:
 
   .. code-block:: none
 
-    securedrop-workstation-dom0-config-<versionNumber>-1.fc32.noarch.rpm:
+    securedrop-workstation-dom0-config-<versionNumber>-1.fc37.noarch.rpm:
       Header V4 RSA/SHA512 Signature, key ID 7b22e6a3: OK
       Header SHA256 digest: OK
       Header SHA1 digest: OK
@@ -172,7 +179,7 @@ With the key and configuration available in ``dom0``, you're ready to set up Sec
   .. code-block:: sh
 
     qvm-run --pass-io work \
-      "cat /home/user/securedrop-workstation-dom0-config-<versionNumber>-1.fc32.noarch.rpm" \
+      "cat /home/user/securedrop-workstation-dom0-config-<versionNumber>-1.fc37.noarch.rpm" \
       > securedrop-workstation.rpm
 
 - Verify that the RPM was transferred correctly by running the following commands:
@@ -181,7 +188,7 @@ With the key and configuration available in ``dom0``, you're ready to set up Sec
 
     .. code-block:: sh
 
-      sha256sum securedrop-workstation-dom0-config-<versionNumber>-1.fc32.noarch.rpm
+      sha256sum securedrop-workstation-dom0-config-<versionNumber>-1.fc37.noarch.rpm
 
   - in the ``dom0`` terminal:
 

docs/admin/install/prepare.rst

@@ -2,6 +2,10 @@ Pre-install Tasks
 =================
 .. include:: ../../includes/top-warning.rst
 
+.. warning::
+  The instructions will not work until the necessary packages are published in the stable SecureDrop repositories. Please try again soon, once the stable packages have been updated.
+
+
 Rotate legacy passphrases
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 To ensure that all passphrases meet the security requirements of the system, you must rotate the passphrases of any *Journalist Interface* users whose accounts were set up on or before September 12, 2017.
@@ -38,15 +42,43 @@ If the Qubes hardware compatibility list entry for your computer recommends the
 
 Download and verify Qubes OS
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-On the working computer, download the Qubes OS ISO for version ``4.1.2`` from `https://www.qubes-os.org/downloads/ <https://www.qubes-os.org/downloads/#qubes-release-4-1-2>`_. The ISO is 5.4 GiB approximately, and may take some time to download based on the speed of your Internet connection.
+On the working computer, download the Qubes OS ISO and cryptographic hash values for version ``4.2.2rc1`` from `https://www.qubes-os.org/downloads/ <https://www.qubes-os.org/downloads/#qubes-release-4-2-2-rc1>`_. The ISO is 6.9 GB approximately, and may take some time to download based on the speed of your Internet connection.
+
+Follow the linked instructions to `verify the ISO <https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-detached-pgp-signatures-on-qubes-isos>`_. Ensure that the ISO and hash values are in the same directory, then run:
+
+.. code-block:: sh
 
-Follow the linked instructions to `verify the ISO <https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-detached-pgp-signatures-on-qubes-isos>`_.
+  gpg --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc
+  gpg -v --verify Qubes-R4.2.2-rc1-x86_64.iso.DIGESTS
+  
+The output should look like this:
+
+.. code-block:: sh
+ 
+  gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc'
+  gpg: key E022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" imported
+  gpg: Total number processed: 1
+  gpg:               imported: 1
+  gpg: no ultimately trusted keys found
+
+  gpg: armor header: Hash: SHA256
+  gpg: original file name=''
+  gpg: Signature made Tue 25 Jun 2024 01:32:23 PM EDT
+  gpg:                using RSA key 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
+  gpg: using pgp trust model
+  gpg: Good signature from "Qubes OS Release 4.2 Signing Key" [unknown]
+  gpg: WARNING: This key is not certified with a trusted signature!
+  gpg:          There is no indication that the signature belongs to the owner.
+  Primary key fingerprint: 9C88 4DF3 F810 64A5 69A4  A9FA E022 E58F 8E34 D89F
+  gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
+  
+Specifically, you will want to make sure that you see "Good signature" listed in the text. If it does not report a good signature, try deleting the ISO and downloading it again.
 
 Once you've verified the ISO, copy it to your installation medium - for example, if using Linux and a USB stick, using the command:
 
 .. code-block:: sh
 
-  sudo dd if=Qubes-R4.1.2-x86_64.iso of=/dev/sdX bs=1048576 && sync
+  sudo dd if=Qubes-R4.2.2-rc1-x86_64.iso of=/dev/sdX bs=1048576 && sync
 
 where ``if`` is set to the path to your downloaded ISO file and ``of`` is set to
 the block device corresponding to your USB stick. Note that any data on the USB stick will be overwritten.
@@ -62,7 +94,7 @@ To begin the Qubes installation, connect the Qubes install USB to your target co
 Follow the `installation documentation <https://www.qubes-os.org/doc/installation-guide/>`_ to install Qubes on your computer, ensuring that you:
 
 - Use all available storage space for the installation (as the computer should be dedicated to SecureDrop Workstation).
-- Set a strong FDE passphrase - a 6-word Diceware passphrase is recommended.
+- Set a strong full disk encryption (FDE) passphrase - a 6-word Diceware passphrase is recommended.
 - Create an administrative account named ``user`` with a strong password.
 
 .. note:: Qubes is not intended to have multiple user accounts, so your account name and password will be shared by all SecureDrop Workstation users. The password will be required to log in and unlock the screen during sessions - choosing something strong but memorable and easily typed is recommended!
@@ -75,6 +107,7 @@ After the disk is unlocked and Qubes starts, you will be prompted to complete th
 
 On the configuration screen, ensure that the following options are checked:
 
+ - Default Template should be set to "Fedora 40 Xfce"
  - "Create default system qubes (sys-net, sys-firewall, default DispVM)"
  - "Make sys-firewall and sys-usb disposable"
 
@@ -89,7 +122,7 @@ Once the initial setup is complete, the login dialog will be displayed. Log in u
 
 If, during the installation, you encountered the grayed out option "USB qube configuration disabled", you must now create a VM to access your USB devices. If you did not encounter this issue, you can skip this section.
 
-To create a USB qube, open a ``dom0`` terminal via the Qubes menu (the **Q** icon in the upper left corner): **Q > Terminal Emulator**. Run the following command:
+To create a USB qube, open a ``dom0`` terminal via the Qubes menu (the **Q** icon in the upper left corner): **Q > Settings Gear > Other > Xfce Terminal**. Run the following command:
 
 .. code-block:: sh
 
@@ -113,7 +146,7 @@ Apply ``dom0`` updates (estimated wait time: 15-30 minutes)
 
 After logging in, use the network manager widget in the upper-right panel to configure your network connection.
 
-Open a ``dom0`` terminal via the Qubes menu (the **Q** icon in the upper left corner): **Q > Terminal Emulator**. Run the following command:
+Open a ``dom0`` terminal via the Qubes menu (the **Q** icon in the upper left corner): **Q > Settings Gear > Other > Xfce Terminal**. Run the following command:
 
 .. code-block:: sh
 
@@ -127,13 +160,8 @@ Apply updates to system templates (estimated wait time: 45-60 minutes)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 After logging in again, confirm that the network manager successfully connects you to the configured network. If necessary, verify the network settings using the network manager widget.
 
-- Next, configure Tor by selecting the Qubes menu (the **Q** icon in the upper left corner) and selecting **Service: sys-whonix > sys-whonix: Anon Connection Wizard**. In most cases, choosing the default **Connect** option is best. Click **Next**, then **Next** again. Then, if Tor connects successfully, click **Finish**. If Tor fails to connect, make sure your network conection is up and does not filter Tor connections, then try again.
+- Next, configure Tor by selecting the Qubes menu (the **Q** icon in the upper left corner) and selecting **Q > Service > sys-whonix > Anon Connection Wizard**. In most cases, choosing the default **Connect** option is best. Click **Next**, then **Next** again. Then, if Tor connects successfully, click **Finish**. If Tor fails to connect, make sure your network conection is up and does not filter Tor connections, then try again.
 
   .. note:: If Tor connections are blocked on your network, you may need to configure Tor to use bridges in order to get a connection. For more information, see the `Anon Connection Wizard <https://www.whonix.org/wiki/Anon_Connection_Wizard>`_ documentation.
 
-- Once Tor has connected, select **Q > Qubes Tools > Qubes Update** to update the system VMs. in the ``[Dom0] Qubes Updater`` window, first check ``Enable updates for qubes without known available updates``, then check all entries in the list above except for dom0 (which you have already updated in the previous step). Then, click **Next**. The system's VMs will be updated sequentially - this may take some time. When the updates are complete, click **Finish**.
-
-Install Fedora 40 template
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-See :doc:`../reference/upgrading_fedora`.
+- Once Tor has connected, select **Q > Settings Gear > Qubes Tools > Qubes Update** to update the system VMs. in the ``[Dom0] Qubes Updater`` window, check all entries in the list above except for dom0 (which you have already updated in the previous step). Then, click **Next**. The system's VMs will be updated sequentially - this may take some time. When the updates are complete, click **Finish**.

docs/index.rst

@@ -53,7 +53,6 @@ against malware and other security risks. It is built on Qubes OS and requires a
    admin/reference/troubleshooting_connection
    admin/reference/troubleshooting_updates
    admin/reference/provisioning_usb
-   admin/reference/upgrading_fedora
    admin/reference/backup
 
 * :ref:`genindex`