SecureDrop 2.7.0 Pre-Release Announcement

October 26, 2023

SecureDrop 2.7.0 is scheduled to be released on November 2, 2023. We will send out another notification through this blog, Mastodon, X (formerly Twitter), and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s coming in SecureDrop 2.7.0?

For sources, journalists, administrators, and developers

  • Security: SecureDrop 2.7.0 introduces Sequoia-PGP for encryption/decryption operations instead of GnuPG and pretty_bad_protocol, and will include an automatic migration of existing keys. See administrator notes below; a more detailed blog post is forthcoming. (#6891, #6884, #6913, #6912, #6925, #6926, #6949, #6958, #6892, #6948, #6946, #6970, #6975, #6972, #6983, #6981, #6998)
  • Localization: Our translation workflow now supports continuous updates (#6953, #6954, #6985, #6997, #6984)
  • Localization: Improvements to our French diceware wordlist (#6936)

For administrators

For developers

  • Dependency changes:
    • Update Ansible from 2.9.26 to 6.7.0 (ansible-core version 2.13.7) (#6830)
    • Update cryptography from 41.0.1 to 41.0.3 (#6940)
    • Remove boto and boto3 dependencies (#6890)
    • Remove hypothesis dependency (#6893)
    • Update certifi from 2022.12.7 to 2023.7.22 (#6900)
    • Update pillow from 9.3.0 to 10.0.1 (#6959)
    • Update markupsafe from 2.0.1 to 2.1.2 (#7014)
    • Import Markup and escape from markupsafe (#6964)
  • Update default Dockerfile application versions:
    • geckodriver to 0.33.0 (#6957)
    • Firefox to 115esr, Tor Browser to 13.0 (#7001)
  • Replace bandit, flake8, pylint, and isort with ruff (#6885, #6932, #6961, #6995)
  • Replace pretty_bad_protocol dependency with vendored version (#6836, #6907)

What administrators will need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.7.0 automatically within 24 hours of the release. As with previous releases, we will provide instructions for performing the workstation updates at the time of the release.

Note: This release will remove support for submission PGP keys with legacy SHA-1-based binding signatures. The SecureDrop Journalist Interface will not start when the instance has been configured with such a key. If you have set up SecureDrop according to our documentation, you are not using such keys; no SecureDrop instances known to us are affected by this change.

If you are unsure whether you will be affected by this change, you can reach out to us for support. Our recommended course of action is to check your Submission Public Key, available at the /public-key endpoint of your SecureDrop Source Interface onion URL, using the sq-keyring-linter program, which can be installed on your Admin Workstation. If your key contains insecure SHA-1-based signatures, we suggest creating a new Submission Keypair according to our documentation. Do not delete the old key from your Secure Viewing Station, so that you can still decrypt old submissions. We are happy to assist you with this process. As a reminder, all key material should be generated on an air-gapped machine and should never reside on a network-connected device.

For more detailed information about why keys with SHA-1 signatures are insecure, see https://sequoia-pgp.org/blog/2023/02/01/202302-happy-sha1-day/.
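To make the check concrete, here is an added Python example (written for this post; it is not SecureDrop's code and not sq-keyring-linter itself) that walks the OpenPGP packet stream of an ASCII-armored public key and reports every certification or subkey-binding self-signature whose hash algorithm is SHA-1 or MD5, which is exactly the class of legacy signature the note above refers to. The function names, the packet layout helpers and the sample key that build_sample() assembles are assumptions for this example; the sample is shaped like a transferable public key (primary key, user ID, certification, subkey, binding signature) but is not a usable key. Run it on the file fetched from your /public-key endpoint, or with no argument to lint the constructed sample.

```python
"""Lint an OpenPGP public key block for SHA-1 (or MD5) based binding signatures.

Added example, not SecureDrop code and not sq-keyring-linter. It walks the
OpenPGP packet stream (RFC 4880 framing) and reports every self-signature that
binds a user ID or subkey with a weak hash. The sample key from build_sample()
is constructed for this example and is not a real key.
"""
import base64
import struct
import sys

# Signature types that bind a user ID or subkey to the primary key (RFC 4880 5.2.1).
BINDING_SIG_TYPES = {
    0x10: "generic certification", 0x11: "persona certification",
    0x12: "casual certification", 0x13: "positive certification",
    0x18: "subkey binding", 0x19: "primary key binding", 0x1F: "direct key",
}
# Hash algorithm ids (RFC 4880 9.4); ids 1 (MD5) and 2 (SHA1) are the weak ones.
HASH_NAMES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {1, 2}


def dearmor(text: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, headers, optional =CRC line), decode base64."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            if line.strip() == "":        # armor headers end at the first blank line
                in_body = True
                continue
            if ": " in line:              # e.g. "Comment: ..." armor header
                continue
            in_body = True                # no headers and no blank line: body starts here
        if line.startswith("="):          # CRC24 checksum line, not needed for linting
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def iter_packets(data: bytes):
    """Yield (tag, body) per packet; handles old- and new-format length encodings."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        i += 1
        if ctb & 0x40:                                   # new format (RFC 4880 4.2.2)
            tag, body = ctb & 0x3F, b""
            while True:
                o1 = data[i]; i += 1
                if o1 < 192:
                    n, partial = o1, False
                elif o1 < 224:
                    n, partial = ((o1 - 192) << 8) + data[i] + 192, False; i += 1
                elif o1 == 255:
                    n, partial = struct.unpack(">I", data[i:i + 4])[0], False; i += 4
                else:                                    # partial body length
                    n, partial = 1 << (o1 & 0x1F), True
                body += data[i:i + n]; i += n
                if not partial:
                    break
        else:                                            # old format (RFC 4880 4.2.1)
            tag, lt = (ctb >> 2) & 0x0F, ctb & 0x03
            if lt == 0:
                n = data[i]; i += 1
            elif lt == 1:
                n = struct.unpack(">H", data[i:i + 2])[0]; i += 2
            elif lt == 2:
                n = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else:                                        # indeterminate: rest of stream
                n = len(data) - i
            body = data[i:i + n]; i += n
        yield tag, body


def lint_key(armored: str) -> list:
    """Return (subject, signature kind, hash name) for every weak binding signature."""
    findings, subject, subkeys = [], "primary key", 0
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 13:                                    # User ID packet
            subject = "user ID " + body.decode("utf-8", "replace")
        elif tag == 14:                                  # Public-Subkey packet
            subkeys += 1
            subject = f"subkey #{subkeys}"
        elif tag == 2 and len(body) >= 4:                # Signature packet
            if body[0] == 3 and len(body) >= 17:         # v3 layout: hash algo at octet 16
                sig_type, hash_id = body[2], body[16]
            else:                                        # v4+: version, type, pk algo, hash
                sig_type, hash_id = body[1], body[3]
            if sig_type in BINDING_SIG_TYPES and hash_id in WEAK_HASHES:
                findings.append((subject, BINDING_SIG_TYPES[sig_type], HASH_NAMES[hash_id]))
    return findings


# --- constructed sample key (shape only, not usable key material) -------------------
def make_packet(tag: int, body: bytes) -> bytes:
    """New-format packet with a one-octet body length (all bodies here are < 192)."""
    return bytes([0xC0 | tag, len(body)]) + body


def make_sig(sig_type: int, hash_id: int) -> bytes:
    """v4 signature body: version, type, pk algo 22 (EdDSA), hash algo, one hashed
    creation-time subpacket, empty unhashed area, 2 hash-prefix octets, dummy MPI."""
    return (bytes([4, sig_type, 22, hash_id]) + b"\x00\x06\x05\x02\x65\x00\x00\x00"
            + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\x5a")


ED25519_OID = b"\x09\x2b\x06\x01\x04\x01\xda\x47\x0f\x01"      # length-prefixed OID
PRIMARY_BODY = bytes([4, 0x65, 0, 0, 0, 22]) + ED25519_OID + b"\x01\x07\x40" + b"\x11" * 32
SUBKEY_BODY = bytes([4, 0x65, 0, 0, 0, 22]) + ED25519_OID + b"\x01\x07\x40" + b"\x22" * 32
USER_ID = b"Constructed Example <constructed@example.org>"


def armor(data: bytes) -> str:
    """Minimal ASCII armor without the (optional) CRC24 line."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


def build_sample(cert_hash: int = 2, binding_hash: int = 8) -> str:
    """Armored key: primary, user ID + certification, subkey + binding signature.
    The defaults reproduce a legacy SHA-1 user ID certification."""
    return armor(make_packet(6, PRIMARY_BODY) + make_packet(13, USER_ID)
                 + make_packet(2, make_sig(0x13, cert_hash))
                 + make_packet(14, SUBKEY_BODY) + make_packet(2, make_sig(0x18, binding_hash)))


if __name__ == "__main__":
    # Usage: python lint_key.py public-key.asc   (no argument: lint the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample()
    for subject, kind, digest in lint_key(text):
        print(f"WEAK: {kind} on {subject} uses {digest}")
```

This script inspects only the hash algorithm octet of binding self-signatures; sq-keyring-linter on the Admin Workstation remains the authoritative check, and a key this script reports as clean should still be linted there before you rely on it.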

Questions and comments

If you have questions or comments regarding this release, please contact us:

  • Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
  • Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
  • Via our community forums.

We also encourage you to file nonsensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!