Today we are announcing the release of SecureDrop 0.9.1. This is a bugfix release to fix an issue with the graphical updater which caused a “Signature verification failed” error to be shown when attempting to update a Journalist or Admin Workstation from version 0.8.0 to version 0.9.0.
What administrators need to do
Since this update only concerns the code on your workstation, you do not need to wait for your SecureDrop servers to be updated to perform these steps. First, verify that you are running a sufficiently recent version of the workstation code:
- Start the Journalist or Admin Workstation with Persistent Storage unlocked and an administration password set.
- Once you have a working Tor connection, open a Terminal by selecting Favorites/Terminal from the Applications menu.
- Change your working directory to the SecureDrop installation directory using the command:
- Verify the installed version using the command:
The command output will include the line
HEAD detached at <version>, where
<version> is your current installed version.
If the workstation code is at version 0.7.0 or earlier:
Update to 0.8.0 manually before proceeding:
Verify the 0.8.0 tag signature using the following commands:
git fetch --tags gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" git tag -v 0.8.0
The output should include the following two lines:
gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 gpg: Good signature from "SecureDrop Release Signing Key"
If the fingerprint above matches exactly with the output in your terminal, check out version 0.8.0:
git checkout 0.8.0
Important: Please verify that the output of this command does not contain the text "warning: refname '0.8.0' is ambiguous". If you do see this warning, we recommend that you contact us immediately at email@example.com (GPG encrypted).
Update the workstation dependencies using the command:
Proceed with the 0.8.0-0.9.1 update as described below.
If the workstation code is at version 0.8.0:
Complete the following steps to upgrade your workstation to version 0.9.1:
- Update the workstation code using the command:
- Update the workstation dependencies using the command:
- Update your workstation Tails settings using the command:
You will be prompted for the temporary administration password set on the Tails greeter screen.
This should address the problem with the graphical updater for future releases. We apologize for the error.
Questions and comments
If you have questions or comments regarding this release, please don't hesitate to reach out:
- Via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
- Via firstname.lastname@example.org (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).