Upgrade from 0.8.0 to 0.9.1¶
Updating the Tails Workstations¶
We recommend that you update all Tails drives to version 3.9, which was released concurrently with SecureDrop 0.9.0 on September 5, 2018. Follow the Tails graphical prompts on your workstations to perform this upgrade.
Due to a bug in the graphical SecureDrop updater that was fixed in SecureDrop 0.9.1 (released on September 6, 2018), attempting an update of your SecureDrop workstation code on your Journalist or Admin Workstations using the graphical updater will fail with an error message: “WARNING: Signature verification failed.” You need to update your workstations manually by following the steps below.
- Start the Journalist or Admin Workstation with Persistent Storage unlocked and an administration password set.
- Once you have a working Tor connection, open a Terminal by selecting from the menu: Applications ▸ Favorites ▸ Terminal
- Change your working directory to the SecureDrop installation directory using
- Verify the installed version using the command:
The command output will include the line “HEAD detached at <version>”, where “<version>” is your current installed version.
If the workstation code is at version 0.7.0 or earlier:¶
Update the workstation code to version 0.8.0 (not 0.9.0 or 0.9.1) manually before proceeding:
git fetch --tags gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77" git tag -v 0.8.0
The output should include the following two lines:
gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77 gpg: Good signature from "SecureDrop Release Signing Key"
Please verify that each character of the fingerprint above matches what you see on the screen of your workstation. If it does, you can check out version 0.8.0:
git checkout 0.8.0
Please verify that the output of this command does not contain the text “warning: refname ‘0.8.0’ is ambiguous”.
Run the following command:
Now, proceed with the 0.8.0 to 0.9.1 update as described below.
If the workstation code is at version 0.8.0:¶
Complete the following steps to upgrade your workstation to version 0.9.1:
- Update the workstation code using the command:
- Update the workstation dependencies using the command:
- Update your workstation Tails settings using the command:
You will be prompted for the temporary administration password set on the Tails greeter screen.
This should address the problem with the graphical updater for future releases.
Database Migration May Take Time to Complete¶
Some of the changes in SecureDrop 0.9.0 require a database migration that can take additional time during the upgrade process, especially if you are not using an SSD on your Application Server, or if you store data about a large number of sources and submissions on the server. This is normal behavior during the automatic upgrade, and the Source Interface and Journalist Interface will become available again once the upgrade has been completed. In case of a service outage of more than two hours, please don’t hesitate to reach out to us.
New Dialogs in Tails 3.9¶
When you run the
securedrop-admin setup command, Tails as of version 3.9
will prompt to install packages automatically from persistent storage on each
boot. These apt packages don’t need to persist; click on Install Only Once
when you see this dialog:
Troubleshooting Kernel Issues¶
SecureDrop 0.9.0 ships with an update of the Linux kernel running on your Application and Monitor Servers, from version 4.4.135 to version 4.4.144. If you have not previously changed your default kernel, your server will boot into the new kernel automatically on its next reboot.
We have tested this kernel extensively against recommended hardware and other common configurations. Please consult our kernel troubleshooting guide for instructions on how to compare the differences between kernel versions and how to roll back to an earlier version if necessary.
It is of critical importance for the security and stability of your instance that you report kernel compatibility issues to us as soon as you become aware of them.
Enabling the New Kernel After a Downgrade¶
If you have previously downgraded your kernel to the 3.14.x series due to compatibility issues with the kernel that shipped with SecureDrop 0.7.0 or later, we urge you to test the latest kernel (version 4.4.144).
You can test the new kernel without downtime by following our instructions for testing and enabling a new kernel after a downgrade. Please note that this is only necessary if you have manually downgraded the kernel; otherwise, the new kernel will be enabled automatically.
The next regular release of SecureDrop, version 0.10.0, will no longer preserve a preference for a downgraded kernel. If you have downgraded your kernel, testing the new kernel and reporting compatibility issues is of critical importance to minimize the risk of an outage of your SecureDrop instance.
Should you require further support with your SecureDrop installation or upgrade, we are happy to help!
- Community support is available at https://forum.securedrop.org
- The Freedom of the Press Foundation offers training and priority support services. See https://securedrop.org/priority-support/ for more information. If you are already a member of our support portal, please don’t hesitate to open a ticket there.