Interest Article

Bootstrapping SecureDrop Workstation via Qubes-Contrib

October 2, 2025

An upcoming release of SecureDrop Workstation will simplify the installation process by utilizing a bootstrap package hosted in Qubes OS’s “Contrib” repository.

As with SecureDrop Server, our previous installation instructions required users to download and verify our OpenPGP signing key manually before installing SecureDrop Workstation. This is important because it ensures users are receiving signed, authentic versions of our software. At the same time, the manual process is inconvenient and slows down the installation process. Especially in Qubes, moving a file from an internet-connected VM to dom0 is an intentionally difficult process.

SecureDrop Workstation installation is now a little easier thanks to the Qubes-Contrib repository. Now, users download our bootstrap package, securedrop-workstation-keyring, from Qubes-Contrib, which installs our signing key and configures our RPM repository. Users then download the primary SecureDrop Workstation package using sudo qubes-dom0-update securedrop-workstation-dom0-config. Further details will be documented in our installation instructions; existing users will automatically receive the keyring package when they update their machines.

Qubes-Contrib packages are managed, reviewed, and signed by Qubes OS maintainers. By using the chain of trust conferred by the Qubes maintainers, we can improve the usability of SecureDrop Workstation and pave the way for easier installation and setup without sacrificing security.

Thanks as always to the Qubes team for all their efforts, and to all our SecureDrop Workstation users.

Return to News