SecureDrop releases are digitally signed using a release key. This allows anyone to verify the integrity of a SecureDrop release, to mitigate the risk of tampering by third parties.
The SecureDrop release key with the fingerprint 22245C81E3BAEB4138B36061310F561200F4AD77 was created on October 20, 2016 and has been used to sign every release since SecureDrop 0.3.10. It is set to expire on June 30, 2021.
Instead of renewing the key, we have decided to rotate it to a new release key with the fingerprint 2359E6538C0613E652955E6C188EDD3B7B22E6A3. This is a purely precautionary measure. After nearly five years in use, rotating the signing key mitigates risks of compromise or misuse.
As of this writing (June 28, 2021):
- The SecureDrop 2.0.0 release tag has still been signed with the old key. The next release tag will be signed with the new key.
- The SecureDrop package repository for Ubuntu 20.04 has been signed with the new key, which was shipped to servers as part of SecureDrop 1.8.2.
- The fingerprint on the SecureDrop website has been updated.
All future SecureDrop release artifacts will be signed with the new key: 2359E6538C0613E652955E6C188EDD3B7B22E6A3.
What SecureDrop administrators need to do
As per the upgrade instructions for SecureDrop 2.0.0, we recommend updating your Journalist and Admin Workstations using the SecureDrop graphical updater before June 29, 2021. This will avoid the need for a manual update due to the old release key’s expiry. Other than that, no action by administrators is required.
If you miss this time window, you need to update your Admin and Journalist Workstations to SecureDrop 2.0.0 manually, and you will see a note in the verification output that the release key has expired.
How to verify the transition
To allow you to verify the legitimacy of this key rotation, we have signed a transition statement with both keys. To verify it, you require GnuPG (gpg). If GnuPG is installed, first make sure that both keys are present on your keyring. Import the old key if not present:
gpg --keyserver hkps://keys.openpgp.org --recv-key 22245C81E3BAEB4138B36061310F561200F4AD77
Import the new key:
gpg --keyserver hkps://keys.openpgp.org --recv-key 2359E6538C0613E652955E6C188EDD3B7B22E6A3
Download the transition statement and verify it using the following command:
gpg --verify signing-key-transition.txt
The output should look similar to the following:
gpg: Signature made Mon 10 May 2021 10:46:35 AM PDT gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 gpg: Good signature from "SecureDrop Release Signing Key" [unknown] gpg: aka "SecureDrop Release Signing Key <securedrop-release-key@freedom.press>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77 gpg: Signature made Mon 10 May 2021 10:46:35 AM PDT gpg: using RSA key 2359E6538C0613E652955E6C188EDD3B7B22E6A3 gpg: Good signature from "SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>" [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3
The warnings are expected behavior (the SecureDrop team does not currently rely on additional key certification). Note that the statement includes valid signatures with the old and new fingerprint.
If you are unable to verify the transition statement, or have questions about this signing key change, please do not hesitate to get in touch:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our contact form