Merge pull request #5472 from freedomofpress/5470-keystone-kops

Update dev container browser software and validation
freedomofpress · Sep 2, 2020 · 2777a9f · 2777a9f
2 parents 1470425 + 1773732
commit 2777a9f
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 2,326 deletions.
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/main.yml
@@ -105,6 +105,9 @@
   args:
     chdir: "{{ securedrop_app_code_deb_dir }}"
   environment:
+    DH_PIP_EXTRA_ARGS: "--verbose --ignore-installed --no-deps --no-binary=:all: --no-cache-dir"
+    DH_UPGRADE_SETUPTOOLS: "46.0.0"
+    DH_VIRTUALENV_ARGUMENTS: "--python=/usr/bin/python3.5 --setuptools"
     DH_VIRTUALENV_INSTALL_ROOT: "/opt/venvs"
 
 - name: Find newly built Debian package

diff --git a/install_files/securedrop-app-code/debian/rules b/install_files/securedrop-app-code/debian/rules
@@ -5,7 +5,7 @@ DEB_DH_INSTALL_ARGS=-X .git
 SECUREDROP_BUILD_PLATFORM=$(shell lsb_release -sc)
 
 %:
-	dh $@ --with python-virtualenv --with systemd
+	dh $@ --buildsystem=dh_virtualenv --with systemd
 
 override_dh_gencontrol:
 	dh_gencontrol -- $(SUBSTVARS)
@@ -24,16 +24,6 @@ override_dh_strip_nondeterminism:
 	find -type f -name RECORD -exec sed -i -e '/.*\.pyc.*/d' {} +
 	dh_strip_nondeterminism $@
 
-override_dh_virtualenv:
-	dh_virtualenv \
-		--python=/usr/bin/python3.5 \
-		--setuptools \
-		--extra-pip-arg "--verbose" \
-		--extra-pip-arg "--ignore-installed" \
-		--extra-pip-arg "--no-deps" \
-		--extra-pip-arg "--no-binary=:all:" \
-		--extra-pip-arg "--no-cache-dir"
-
 #
 # Have to override the automatic service handling since we have more
 # than one.

diff --git a/molecule/builder-xenial/Dockerfile b/molecule/builder-xenial/Dockerfile
@@ -13,7 +13,6 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         devscripts \
         dh-python \
         dh-systemd \
-        dh-virtualenv \
         gdb \
         git \
         gnupg2 \
@@ -36,4 +35,11 @@ RUN apt-get -y update && apt-get upgrade -y && apt-get install -y \
         && apt-get clean \
         && rm -rf /var/lib/apt/lists/*
 
+#install dh-virtualenv from debian unstable
+RUN echo "deb https://deb.debian.org/debian unstable main contrib" > /etc/apt/sources.list.d/debian-unstable.list
+COPY aptpreferences.conf /etc/apt/preferences.d/debian-unstable
+RUN apt-get install -y debian-archive-keyring
+RUN ln -s /usr/share/keyrings/debian-archive-keyring.gpg /etc/apt/trusted.gpg.d/
+RUN apt-get update && apt-get install -y dh-virtualenv
+
 RUN paxctl -cm /usr/bin/python3.5 && mkdir -p /tmp/build
diff --git a/molecule/builder-xenial/aptpreferences.conf b/molecule/builder-xenial/aptpreferences.conf
@@ -0,0 +1,7 @@
+Package: *
+Pin: release a=xenial
+Pin-Priority: 700
+
+Package: *
+Pin: release a=unstable
+Pin-Priority: 1
diff --git a/securedrop/dockerfiles/xenial/python3/Dockerfile b/securedrop/dockerfiles/xenial/python3/Dockerfile
@@ -18,32 +18,43 @@ RUN apt-get update && apt-get install -y paxctl && \
 
 RUN gem install sass -v 3.4.23
 
-ENV FF_ESR_VER 60.6.1esr
-RUN curl -LO https://ftp.mozilla.org/pub/firefox/releases/${FF_ESR_VER}/linux-x86_64/en-US/firefox-${FF_ESR_VER}.tar.bz2 && \
-    curl -LO https://ftp.mozilla.org/pub/firefox/releases/${FF_ESR_VER}/linux-x86_64/en-US/firefox-${FF_ESR_VER}.tar.bz2.asc && \
-    gpg --recv-key --keyserver gpg.mozilla.org 0x61B7B526D98F0353 && \
-    gpg --verify firefox-${FF_ESR_VER}.tar.bz2.asc && \
-    tar xjf firefox-*.tar.bz2 && \
-    mv firefox /usr/bin && \
-    paxctl -cm /usr/bin/firefox/firefox
+# Current versions of the test browser software. Tor Browser is based
+# on a specific version of Firefox, noted in Help > About Tor Browser.
+# Ideally we'll keep those in sync.
+ENV FF_VERSION 68.12.0esr
+ENV GECKODRIVER_VERSION v0.27.0
+ENV TBB_VERSION 9.5.4
 
-COPY ./tor_project_public.pub /opt/
+# Import Tor release signing key
+ENV TOR_RELEASE_KEY_FINGERPRINT "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
+RUN curl -s https://openpgpkey.torproject.org/.well-known/openpgpkey/torproject.org/hu/kounek7zrdx745qydx6p59t9mqjpuhdf | gpg2 --import -
 
-ENV TBB_VERSION 9.5.3
-RUN gpg --import /opt/tor_project_public.pub && \
-    wget  https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz && \
+# Install Tor Browser
+RUN wget https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz && \
     wget https://www.torproject.org/dist/torbrowser/${TBB_VERSION}/tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz.asc && \
-    gpg --verify tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz.asc tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz && \
+    gpg2 --verify tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz.asc 2>&1 | grep "Primary key fingerprint:" | sed -e 's/Primary key fingerprint: //' -e 's/ //g' | tail -1 | grep -qE "${TOR_RELEASE_KEY_FINGERPRINT}" && \
     tar -xvJf tor-browser-linux64-${TBB_VERSION}_en-US.tar.xz && \
     mkdir -p /root/.local/tbb && mv tor-browser_en-US /root/.local/tbb &&\
     paxctl -cm /root/.local/tbb/tor-browser_en-US/Browser/firefox.real && \
     paxctl -cm /root/.local/tbb/tor-browser_en-US/Browser/libnspr4.so && \
     paxctl -cm /root/.local/tbb/tor-browser_en-US/Browser/plugin-container
 
-ENV GECKODRIVER_CHECKSUM=03be3d3b16b57e0f3e7e8ba7c1e4bf090620c147e6804f6c6f3203864f5e3784
-RUN wget https://github.com/mozilla/geckodriver/releases/download/v0.24.0/geckodriver-v0.24.0-linux64.tar.gz && \
-    shasum -a 256 geckodriver*tar.gz && \
-    echo "${GECKODRIVER_CHECKSUM}  geckodriver-v0.24.0-linux64.tar.gz" | shasum -a 256 -c - && \
+# Import Mozilla release signing key
+ENV MOZILLA_RELEASE_KEY_FINGERPRINT "14F26682D0916CDD81E37B6D61B7B526D98F0353"
+RUN curl -s https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/KEY | gpg2 --import -
+
+# Install the version of Firefox on which Tor Browser is based
+RUN curl -LO https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/linux-x86_64/en-US/firefox-${FF_VERSION}.tar.bz2 && \
+    curl -LO https://archive.mozilla.org/pub/firefox/releases/${FF_VERSION}/linux-x86_64/en-US/firefox-${FF_VERSION}.tar.bz2.asc && \
+    gpg2 --verify firefox-${FF_VERSION}.tar.bz2.asc 2>&1 | grep "Primary key fingerprint:" | sed -e 's/Primary key fingerprint: //' -e 's/ //g' | tail -1 | grep -qE "${MOZILLA_RELEASE_KEY_FINGERPRINT}" && \
+    tar xjf firefox-*.tar.bz2 && \
+    mv firefox /usr/bin && \
+    paxctl -cm /usr/bin/firefox/firefox
+
+# Install geckodriver
+RUN wget https://github.com/mozilla/geckodriver/releases/download/${GECKODRIVER_VERSION}/geckodriver-${GECKODRIVER_VERSION}-linux64.tar.gz && \
+    wget https://github.com/mozilla/geckodriver/releases/download/${GECKODRIVER_VERSION}/geckodriver-${GECKODRIVER_VERSION}-linux64.tar.gz.asc && \
+    gpg2 --verify geckodriver-${GECKODRIVER_VERSION}-linux64.tar.gz.asc && \
     tar -zxvf geckodriver*tar.gz && chmod +x geckodriver && mv geckodriver /bin && \
     paxctl -cm /bin/geckodriver