Merge branch 'main' into 211-redux

docs/admin/install/overview.rst

@@ -32,7 +32,7 @@ Prerequisites
 -------------
 In order to install SecureDrop Workstation and configure it to use an existing SecureDrop instance, you will need the following:
 
-- A Qubes-compatible computer with at least 16GB of RAM (32 GB is recommended). SecureDrop Workstation has mainly been tested against Lenovo T480, T490 and T14 - see Qubes' `Hardware Compatibility List <https://www.qubes-os.org/hcl/>`_ and the SecureDrop Workstation :doc:`../reference/hardware` page for more options .
+- A Qubes-compatible computer with at least 16GB of RAM (32 GB is recommended) and known Linux Firmware Vendor support (https://fwupd.org/). SecureDrop Workstation has mainly been tested against Lenovo T400-series and T14 and Framework laptops. See Qubes' `Hardware Compatibility List <https://www.qubes-os.org/hcl/>`_ and the SecureDrop Workstation :doc:`../reference/hardware` page for more options. Note that HP laptops are not recommended due to firmware support limitations.
 - Qubes installation medium - this guide assumes the use of a USB 3.0 stick. Qubes may also be installed via optical media, which may make more sense depending on your `security concerns <https://www.qubes-os.org/doc/install-security/>`_.
 
   .. note:: A USB stick with a Type-A connector is recommended, as USB-C ports may be disabled on your computer when the BIOS settings detailed below are applied.

docs/admin/install/prepare.rst

@@ -25,20 +25,20 @@ If the Qubes hardware compatibility list entry for your computer recommends the
 
 Download and verify Qubes OS
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-On the working computer, download the Qubes OS ISO and cryptographic hash values for version ``4.2.2`` from `https://www.qubes-os.org/downloads/ <https://www.qubes-os.org/downloads/#qubes-release-4-2-2>`_. The ISO is 6.9 GB approximately, and may take some time to download based on the speed of your Internet connection.
+On the working computer, download the Qubes OS ISO and cryptographic hash values for version ``4.2.3`` from `https://www.qubes-os.org/downloads/ <https://www.qubes-os.org/downloads/#qubes-os-4-2-3>`_. The ISO is 6.9 GB approximately, and may take some time to download based on the speed of your Internet connection.
 
 Follow the linked instructions to `verify the ISO <https://www.qubes-os.org/security/verifying-signatures/#how-to-verify-detached-pgp-signatures-on-qubes-isos>`_. Ensure that the ISO and hash values are in the same directory, then run:
 
 .. code-block:: sh
 
   gpg --keyserver-options no-self-sigs-only,no-import-clean --fetch-keys https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc
-  gpg -v --verify Qubes-R4.2.2-x86_64.iso.DIGESTS
-  sha256sum -c Qubes-R4.2.2-x86_64.iso.DIGESTS
-  
+  gpg -v --verify Qubes-R4.2.3-x86_64.iso.DIGESTS
+  sha256sum -c Qubes-R4.2.3-x86_64.iso.DIGESTS
+
 The output should look like this:
 
 .. code-block:: sh
- 
+
   gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-release-4.2-signing-key.asc'
   gpg: key E022E58F8E34D89F: public key "Qubes OS Release 4.2 Signing Key" imported
   gpg: Total number processed: 1
@@ -47,24 +47,24 @@ The output should look like this:
 
   gpg: armor header: Hash: SHA256
   gpg: original file name=''
-  gpg: Signature made Tue 25 Jun 2024 01:32:23 PM EDT
+  gpg: Signature made Mon Sep 16 09:46:51 2024 EDT
   gpg:                using RSA key 9C884DF3F81064A569A4A9FAE022E58F8E34D89F
   gpg: using pgp trust model
   gpg: Good signature from "Qubes OS Release 4.2 Signing Key" [unknown]
   gpg: WARNING: This key is not certified with a trusted signature!
   gpg:          There is no indication that the signature belongs to the owner.
   Primary key fingerprint: 9C88 4DF3 F810 64A5 69A4  A9FA E022 E58F 8E34 D89F
   gpg: textmode signature, digest algorithm SHA256, key algorithm rsa4096
-  Qubes-R4.2.2-x86_64.iso: OK
+  Qubes-R4.2.3-x86_64.iso: OK
   sha256sum: WARNING: 20 lines are improperly formatted
-  
+
 Specifically, you will want to make sure that you see "Good signature" listed in the text. If it does not report a good signature, try deleting the ISO and downloading it again.
 
 Once you've verified the ISO, copy it to your installation medium - for example, if using Linux and a USB stick, using the command:
 
 .. code-block:: sh
 
-  sudo dd if=Qubes-R4.2.2-x86_64.iso of=/dev/sdX bs=1048576 && sync
+  sudo dd if=Qubes-R4.2.3-x86_64.iso of=/dev/sdX bs=1048576 && sync
 
 where ``if`` is set to the path to your downloaded ISO file and ``of`` is set to
 the block device corresponding to your USB stick. Note that any data on the USB stick will be overwritten.

docs/admin/reference/backup.rst

@@ -153,12 +153,22 @@ measures it requires before any additional VMs are configured.
   the VM.** Continue through the reinstallation process. The correct template will be
   configured as you follow the rest of these instructions.
 
-  If you are restoring your own customized VMs and templates, you may need to take
-  additional steps, such as ensuring your templates are supported. Follow the Qubes
-  documentation on upgrading templates (for example:
-  `Fedora templates <https://www.qubes-os.org/doc/templates/fedora/#upgrading>`_,
+  If you are restoring your own customized VMs and templates, you will need to take
+  additional steps. You may decide to create new templates for your custom VMs and
+  provision them with the necessary applications/customizations (recommended), or
+  you may upgrade your existing templates following the upstream documentation
+  (`Fedora templates <https://www.qubes-os.org/doc/templates/fedora/#upgrading>`_,
   `Debian templates <https://www.qubes-os.org/doc/templates/debian/#upgrading>`_),
-  or contact Support.
+  then upgrade their package repositories to the Qubes 4.2 repositories using:
+
+  .. code-block:: sh
+
+    sudo qubes-dom0-update -y qubes-dist-upgrade
+    qubes-dist-upgrade --template-standalone --upgrade
+ 
+  More information can be
+  found in the `upstream documentation <https://www.qubes-os.org/doc/upgrade/4.2/#clean-installation>`_.
+  Contact Support with any questions.
 
 Reinstall SecureDrop Workstation
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

docs/admin/reference/forensic_backup.rst

@@ -0,0 +1,47 @@
+Forensic Backups
+================
+
+In response to
+`CVE-2025-24889 <https://github.com/freedomofpress/securedrop-client/security/advisories/GHSA-933q-fx9h-5g46>`_,
+SecureDrop Workstation 1.0.2 rebuilds the ``sd-log`` VM and preserves a backup of the
+original VM on affected systems. The backup is created using the
+`Qubes Backup tool <https://www.qubes-os.org/doc/backup-restore/>`_ and stored
+in a dedicated, non-networked VM called ``sd-retain-logvm``.
+
+Access the sd-log system image
+------------------------------
+
+To recover the backup for inspection or forensic analysis, use the
+`Qubes Backup Restore tool <https://www.qubes-os.org/doc/backup-restore/>`_
+to transfer the backup to external storage media, then transfer it to another machine.
+
+The backup is stored in ``/home/user/SDLog_Backups`` in the ``sd-retain-logvm`` VM and is a
+compressed archive with filename ``qubes-backup-YYYY-MM-DDTHHMMSS``.
+
+It has a hard-coded passphrase of ``SDW_SDLOG`` (This is not a security measure, but was
+set in order to automate the backup process).
+
+.. warning::
+  Do not restore the backup on your SecureDrop Workstation machine.
+
+Qubes OS provides documentation for recovering backups both on Qubes OS and on other
+operating systems.
+
+* `On other operating systems <https://www.qubes-os.org/doc/backup-emergency-restore-v4/>`_
+* `On Qubes <https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/#restoring-from-a-backup>`_
+
+The target volume (relevant for non-Qubes recovery instructions) is ``sd-log/private.img``.
+
+Use caution if restoring on a Qubes OS machine, since the entire VM will be restored.
+We are not aware of anyone exploiting CVE-2025-24889, but in theory, the VM could contain
+malicious code, which is why it was rebuilt.
+
+Artifact Retention
+------------------
+
+The archive VM ``sd-retain-logvm`` and its contents will be deleted in a subsequent SecureDrop
+Workstation update, planned for two months from the release of this announcement
+(planned removal early April 2025). To retain the archive for a longer period, follow the
+steps above to transfer it off SecureDrop Workstation.
+
+If you have any questions, please `contact Support <https://support.freedom.press>`_.

docs/admin/reference/provisioning_usb.rst

@@ -43,6 +43,15 @@ of its airgap:
 Creating a VeraCrypt-encrypted drive
 ------------------------------------
 
+.. Remove the following warning once securedrop-docs#599 and
+   veracrypt/VeraCrypt#1422 are resolved.
+
+.. warning::
+
+   If you plan to use your *Export Device* with computers running macOS 15
+   ("Sequoia") or later, you must also perform the VeraCrypt setup on that
+   version of macOS.
+
 - If it isn't already done, download and install the `VeraCrypt software <https://www.veracrypt.fr/en/Home.html>`_.
 - Start VeraCrypt from your computer's application or software interface.
 - Click **Create Volume**

docs/admin/reference/troubleshooting_updates.rst

@@ -119,37 +119,143 @@ above, and the terminal console displays the following message:
    Error: GPG check FAILED
 
 your system is trying to use an old copy of the SecureDrop Release
-Signing Key. The new, valid key will already be locally available on your
-system, so you can perform the following steps to remove the expired key
-and enable this updated key:
+Signing Key. You can perform the following steps to fetch the updated
+key and remove the expired one:
 
-1. Open a terminal in ``dom0`` via **Q > Gear Icon (left-hand side) > Other Tools > Xfce Terminal**.
+1. **Start a terminal** in the "work" VM via the menu: **Q > Apps > work > Xfce Terminal**
+
+2. **Download the key:**
+
+   *Run command:*
+
+   .. code-block::
+
+         gpg --keyserver hkps://keys.openpgp.org --recv-key "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3"
+
+   *Expected output:*
+
+   .. code-block::
+
+      gpg: key 188EDD3B7B22E6A3: public key "SecureDrop Release Signing Key <[email protected]>" imported
+      gpg: Total number processed: 1
+      gpg: imported: 1
+
+3. **Verify the expiry is 2027-05-24:**
+
+   *Run command:*
+
+   .. code-block::
+
+      gpg -k securedrop
+
+   *Expected output:*
+
+   .. code-block::
+
+      pub   rsa4096 2021-05-10 [SC] [expires: 2027-05-24]
+         2359E6538C0613E652955E6C188EDD3B7B22E6A3
+      uid           [ unknown] SecureDrop Release Signing Key <[email protected]>
+      sub   rsa4096 2021-05-10 [E] [expires: 2027-05-24]
+
+4. **Export the downloaded key:**
+
+   *Run command:*
+
+   .. code-block::
+
+      gpg --armor --export "2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3" > securedrop-release-key.pub
+
+   *No output expected.*
+
+5. **Print the exported key's checksum:**
+
+   *Run command:*
+
+   .. code-block::
+
+      sha256sum securedrop-release-key.pub
+
+   *Expected output:*
+
+   .. code-block::
+
+      fedef93de425668541545373952b5f92bac4ac1f1253fe5b64c2be2fc941073b securedrop-release-key.pub
+
+6. **Start a dom0 terminal** by opening the **Q Menu**, selecting the gear icon on the left-hand side, then selecting **Other > Xfce Terminal**.
+   The remaining commands will all be executed in this dom0 terminal.
+
+7. **Copy the key into dom0:**
+
+   *Run command:*
+
+   .. code-block::
+
+      qvm-run --pass-io work cat securedrop-release-key.pub > /tmp/securedrop-release-key.pub
+
+   *No output expected.*
+
+8. **Verify the key checksum matches:**
+
+   *Run command:*
+
+   .. code-block::
+
+       sha256sum /tmp/securedrop-release-key.pub
+
+   *Expected output:*
+
+   .. code-block::
+
+      fedef93de425668541545373952b5f92bac4ac1f1253fe5b64c2be2fc941073b /tmp/securedrop-release-key.pub
+
+9. **Copy the key into place:**
+
+   *Run command:*
+
+   .. code-block::
+
+      sudo cp /tmp/securedrop-release-key.pub /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+
+   *No output expected.*
+
+10. **Delete the old key from RPM:**
+
+   *Run command:*
+
+   .. code-block::
+
+      sudo rpm -e gpg-pubkey-7b22e6a3-609966ad
+
+
+   *No output expected.*
 
-2. Run the following command:
+11. **Import the new key into RPM:**
 
-   .. code-block:: sh
+   *Run command:*
 
-      sudo rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep SecureDrop
+   .. code-block::
 
-   The output should look similar to:
+      sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
 
-   .. code-block:: sh
+   *No output expected.*
 
-      gpg-pubkey-xxxxx-xxxxx        SecureDrop Release Signing Key <[email protected]  public key
 
-3. Make note of the KEY ID (in the format ``gpg-pubkey-xxxxx-xxxxx``).
+12. **Verify the expiry is 2027-05-24:**
 
-4. Run the following commands:
+   *Run command:*
 
-   .. code-block:: sh
+   .. code-block::
 
-      sudo rpm -e gpg-pubkey-xxxxxx-xxxxxx # use KEY ID from step 3
+      gpg --show-keys /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
 
-      sudo rpm --import /etc/pki/rpm-GPG/RPM-GPG-KEY-securedrop-workstation
+   *Expected output:*
 
+   .. code-block::
 
-5. Reboot, then run updates again. If there are new errors, repeat
-the full troubleshooting process.
+      pub   rsa4096 2021-05-10 [SC] [expires: 2027-05-24]
+         2359E6538C0613E652955E6C188EDD3B7B22E6A3
+      uid           [ unknown] SecureDrop Release Signing Key <[email protected]>
+      sub   rsa4096 2021-05-10 [E] [expires: 2027-05-24]
 
 
 ``sd-*-template`` or ``whonix-gateway-17`` update failures

docs/conf.py

@@ -239,3 +239,9 @@
 # The default is to use Python’s global socket timeout, which may be `None`.
 # This can cause CI jobs to time out.
 linkcheck_timeout = 30
+
+linkcheck_ignore = [
+    r"http://.*\.onion/.*",
+    "https://www.gnome.org/", # returns 403 from cloud networks
+    "https://support.lenovo.com", # timeout from cloud networks
+]

docs/general/introduction.rst

@@ -15,8 +15,6 @@ Broadly speaking, this means that even if files in one of your virtual machines
 are exposed to malware, files in others still have some protection, which is
 not true of other operating systems.
 
-.. _`Qubes OS`: https://www.qubes-os.org
-
 What is SecureDrop Workstation?
 -------------------------------
 
@@ -33,4 +31,45 @@ and viewing. SecureDrop Workstation combines all of those steps
 into one workflow on one machine: a Qubes computer that
 combines the *Journalist Workstation* and the *Secure Viewing Station*.
 
-For more information on SecureDrop Workstation, see our :doc:`faq <../journalist/faq>`.
+Who is behind SecureDrop Workstation?
+-------------------------------------
+SecureDrop and SecureDrop Workstation are open source projects of
+`Freedom of the Press Foundation (FPF) <https://freedom.press/>`_, a
+US-based nonprofit organization. You can support our work
+by `contributing to SecureDrop <https://developers.securedrop.org/en/latest/contributing.html>`_
+and by making `a donation <https://freedom.press/donate>`_.
+
+Our work would not be possible without the larger open source community.
+
+We're deeply grateful to the SecureDrop volunteer community for translating
+our software into many languages. Their work is enabled by `Weblate <https://weblate.org/>`_,
+an open source platform for continuous localization. You can `make a donation <https://weblate.org/en/donate/>`_
+to support Weblate development.
+
+Translation of SecureDrop is supported by `Localization Lab <https://www.localizationlab.org/>`_. You can
+`donate <https://www.localizationlab.org/donate>`_ to support their important
+work to help bring open source software into many languages.
+
+The backbone of SecureDrop Workstation is `Qubes OS`_.
+FPF has directly sponsored Qubes OS development, and we encourage you to
+`donate to Qubes OS <https://www.qubes-os.org/donate/>`_ as well.
+
+We use the `Python <https://www.python.org/>`_ programming language and many tools in its
+ecosystem, which you can support by `donating to the Python Software Foundation <https://www.python.org/psf/donations/>`_.
+
+SecureDrop Workstation VMs are powered by `Debian <https://www.debian.org/>`_,
+`Fedora <https://fedoraproject.org/>`_, and `Whonix <https://www.whonix.org/>`_, all
+of which rely on volunteer contributions and financial support. The
+`GNOME <https://www.gnome.org/>`_ project acts as an umbrella for many of the individual
+software components we rely on.
+
+Finally, SecureDrop Workstation relies on many other open source projects such as
+`grsecurity <https://www.grsecurity.net>`_,  `GnuPG <https://gnupg.org/>`_,
+`Sequoia <https://sequoia-pgp.org/>`_, `LibreOffice <https://www.libreoffice.org/>`_,
+`Audacious <https://audacious-media-player.org/>`_, and others. These projects,
+in turn, are built on open source foundations. Please consider
+directing time and financial support wherever it can make a positive difference.
+
+For more information on SecureDrop Workstation, see our :doc:`FAQ <../journalist/faq>`.
+
+.. _`Qubes OS`: https://www.qubes-os.org

docs/index.rst

@@ -57,6 +57,7 @@ against malware and other security risks. It is built on Qubes OS and requires a
    admin/reference/provisioning_usb
    admin/reference/backup
    admin/reference/thinkpad_bios
+   admin/reference/forensic_backup
 
 * :ref:`genindex`
 * :ref:`search`