Backport 1.0.2

VERSION

@@ -1 +1 @@
-1.0.0
+1.0.2

changelog.md

@@ -1,5 +1,20 @@
 # changelog
 
+## 1.0.2
+
+This release is in response to a security issue in the logging component of
+SecureDrop Client (CVE-2025-24889), please see our advisory for more details.
+
+A manual step will be needed to apply this update; please follow
+[these instructions](https://workstation.securedrop.org/en/stable/admin/reference/troubleshooting_updates.html#expired-securedrop-signing-key)
+to retrieve the updated expiry date for our release signing key.
+If you need help or have any questions with this step, please reach out.
+
+* Recreate sd-log VM from scratch; save backup in new sd-retain-logvm VM
+* Update dom0 release signing key expiry to May 2027
+
+Note that the 1.0.1 version was skipped because of an issue while preparing this release.
+
 ## 1.0.0
 
 This is the first release targeting Qubes 4.2 and will require

files/sdw-admin.py

@@ -254,6 +254,11 @@ def perform_uninstall():
             ["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-clean-default-dispvm"]
         )
         print("Destroying all VMs")
+        # sd-retain-logvm is not tagged with `sd-workstation` tag;
+        # it must be removed before its template
+        subprocess.check_call(
+            ["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-remove-untagged-vms"]
+        )
         subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/destroy-vm"), "--all"])
         print("Reverting dom0 configuration")
         subprocess.check_call(["sudo", "qubesctl", "state.sls", "securedrop_salt.sd-clean-all"])

launcher/tests/test_signing_key.py

@@ -0,0 +1,37 @@
+from datetime import UTC, datetime, timedelta
+from pathlib import Path
+
+import pysequoia
+from debian import deb822
+
+ROOT = Path(__name__).parent.parent
+
+
+def test_apt_sources():
+    """Verify the key in the sources file is our prod signing key"""
+    path = ROOT / "securedrop_salt/apt_freedom_press.sources.j2"
+
+    sources = deb822.Sources(path.read_text())
+    assert_key(sources["Signed-By"].encode())
+
+
+def test_dom0_key():
+    path = ROOT / "securedrop_salt/securedrop-release-signing-pubkey-2021.asc"
+    assert_key(path.read_bytes())
+
+
+def assert_key(cert_bytes: bytes):
+    """verify there is only one key, our release key, and that it has the right expiry"""
+    key = pysequoia.Cert.from_bytes(cert_bytes)
+
+    assert key.fingerprint.upper() == "2359E6538C0613E652955E6C188EDD3B7B22E6A3"
+    assert len(key.user_ids) == 1
+    assert (
+        str(key.user_ids[0])
+        == "SecureDrop Release Signing Key <securedrop-release-key-2021@freedom.press>"
+    )
+    assert key.expiration.year == 2027
+    # Fail if we are within 6 months of the key's expiry
+    assert datetime.now(tz=UTC) < (
+        key.expiration - timedelta(days=6 * 30)
+    ), "key expires in less than 6 months"

rpm-build/SPECS/securedrop-workstation-dom0-config.spec

@@ -1,5 +1,5 @@
 Name:		securedrop-workstation-dom0-config
-Version:	1.0.0
+Version:	1.0.2
 Release:	1%{?dist}
 Summary:	SecureDrop Workstation
 
@@ -178,6 +178,9 @@ if [ $1 -eq 0 ]; then
 fi
 
 %changelog
+* Mon Feb 10 2025 SecureDrop Team <securedrop@freedom.press> - 1.0.2
+- See changelog.md
+
 * Thu Jul 11 2024 SecureDrop Team <securedrop@freedom.press> - 1.0.0
 - See changelog.md
 

scripts/common.sh

@@ -1,6 +1,6 @@
 TOPLEVEL=$(git rev-parse --show-toplevel)
 export TOPLEVEL
-PROJECT=$(git remote get-url origin | xargs basename -s .git)-dom0-config
+PROJECT="securedrop-workstation-dom0-config"
 export PROJECT
 
 OCI_RUN_ARGUMENTS="${OCI_RUN_ARGUMENTS:-}"

securedrop_salt/sd-log.sls

@@ -13,10 +13,80 @@
 # Check environment
 {% import_json "securedrop_salt/config.json" as d %}
 
+# Set a backup passphrase for the logs in sd-log.
+# Hardcoding a backup passphrase is to automate the backup/vm-rebuild
+# process, and is not a security measure. This passphrase will only be
+# used in this instance, and not for general system backups.
+{% set pass = "SDW_SDLOG" %}
+{% set artifact_vm = "sd-retain-logvm" %}
+{% set backup_dest = "/home/user/SDLog_Backup/" %}
+
+# Set "install epoch". Bump this number to backup and rebuild this vm.
+# This is more of a tag than a numerical value, and should not
+# be used for anything other than an equality check.
+{% set sdlog_epoch = '1001' %}
+
 include:
   - securedrop_salt.sd-workstation-template
 
-sd-log:
+# If sd-log exists but fails a freshness check, create a VM to
+# archive it, then back up and rebuild it
+install-{{ artifact_vm }}:
+  qvm.vm:
+    - name: {{ artifact_vm }}
+    - present:
+      - label: red
+    - prefs:
+      - netvm: ""
+      - default_dispvm: ""
+      - include_in_backups: False
+      - qrexec_timeout: 180
+    - onlyif:
+      - qvm-check --quiet sd-log
+    - unless:
+      - (( `qvm-features sd-log sd-install-epoch` == {{ sdlog_epoch }} ))
+
+# Size backup vm, create backup directory (starts backup vm), create backup.
+# Backup passphrase must be passed via stdin or written to disk; here we pass
+# via stdin.
+{{ artifact_vm }}-prepare-backup:
+  cmd.run:
+    - names:
+      - qvm-volume resize {{ artifact_vm }}:private {{ d.vmsizes.sd_log }}GiB
+      - qvm-run {{ artifact_vm }} 'mkdir -p -m 755 {{ backup_dest }}'
+      - echo {{ pass }} | qvm-backup -y -q -d {{ artifact_vm }} -p - {{ backup_dest }} sd-log
+      - qvm-shutdown --force --wait {{ artifact_vm }}
+    - require:
+      - cmd: sd-log-poweroff
+    - onlyif:
+      - qvm-check --quiet sd-log
+      - qvm-check --quiet {{ artifact_vm }}
+    - unless:
+      - (( `qvm-features sd-log sd-install-epoch` == {{ sdlog_epoch }} ))
+
+sd-log-poweroff:
+  cmd.run:
+    - name: qvm-shutdown --force --wait sd-log
+    - onlyif:
+      - qvm-check --quiet sd-log
+
+sd-log-remove-if-stale:
+  qvm.absent:
+    - name: sd-log
+    - require:
+      - cmd: {{ artifact_vm }}-prepare-backup
+    - onlyif:
+      - qvm-check --quiet sd-log
+    - unless:
+      - (( `qvm-features sd-log sd-install-epoch` == {{ sdlog_epoch }} ))
+
+# Install sd-log.
+# This state declares the {{ artifact_vm}}-prepare-backup state as
+# a requisite; if the state is skipped due to its own constraints
+# (`onlyif`), the requirement is still considered satisfied.
+# If this state is unsuccessful, with failhard=True the highstate
+# will fail by design.
+install-sd-log:
   qvm.vm:
     - name: sd-log
     - present:
@@ -41,14 +111,17 @@ sd-log:
         - service.securedrop-logging-disabled
         - service.securedrop-log-server
       - set:
+        - sd-install-epoch: {{ sdlog_epoch }}
         - menu-items: "org.gnome.Nautilus.desktop"
     - require:
       - qvm: sd-small-{{ sdvars.distribution }}-template
+      - cmd: {{ artifact_vm }}-prepare-backup
+    - failhard: True
 
 # The private volume size should be set in config.json
 sd-log-private-volume-size:
   cmd.run:
     - name: >
         qvm-volume resize sd-log:private {{ d.vmsizes.sd_log }}GiB
-    - require:
-      - qvm: sd-log
+    - onchanges:
+      - qvm: install-sd-log

securedrop_salt/sd-remove-untagged-vms.sls

@@ -0,0 +1,10 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+# Remove VMs not tagged with `sd-workstation` tag.
+# 
+sd-remove-untagged-vms:
+  qvm.absent:
+    - name: sd-retain-logvm
+    - onlyif:
+      - qvm-check --quiet sd-retain-logvm

securedrop_salt/securedrop-release-signing-pubkey-2021.asc

@@ -12,42 +12,115 @@ DWkG/xqMWXVZOtUa+REYrTCg9Zo7qlbIniRGeGfGtXYXI023clJH7QkSOEVbCzju
 SMG+mvRVGJVEWmkoD6mUqzgs+VpoJ9/f1OV5iZjeYRN7fDUYgZzYuWJp3fYmlvHj
 3oiAN7UrcUwESgoVl+Ga2VFJd+3w0qBLM+3bORq0z1sUp9oJhFpLLtqRuQARAQAB
 tEpTZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXkgPHNlY3VyZWRyb3AtcmVs
-ZWFzZS1rZXktMjAyMUBmcmVlZG9tLnByZXNzPokCVAQTAQoAPgIbAwULCQgHAwUV
-CgkICwUWAgMBAAIeAQIXgBYhBCNZ5lOMBhPmUpVebBiO3Tt7IuajBQJka5M3BQkF
-8qgKAAoJEBiO3Tt7Iuaj4uYP/2y1U23PGfWMqXu3xqWIpj6Z3P2RTLJX5TNk5ncb
-AtokdfLt3GaIQDZnh/bZ8XVGZjiNRDaebhugrIqDxzXMEIB820P3Zxqf33aGWkrT
-uW7doEF7Jk/iZjvUHGQRXvoV60D9o6fG0QZxPbOYDQPbAZNJiMf+6PR7JL/gbBW8
-b4t0GAko0PD+uVp0vcHan3HMglHI9n6wX0aENEvEcyzw9xp0z/aTuIFH2AbqZbGV
-TrHqBEhNWfHO0AG7PsSly3NQsD1nVoJC7mjHaiEJje4wmVEKnw/4KRVPmq1ETFAB
-S0Lmt/J2y2TBYFnvqxiclj/a6UDCVCQJVm81iwVXSGbjTjP8SZFkdK8mO8h3++fI
-bxugd2Xy2pHG1ZRIq4a7pyz3DN6V5nUGZ4AGMs+vWXCWnFhy4V3FvCN/kdgZvaUh
-dBwNiOmlhdda8MfZU42txWfDIX5f9gzCOhfH2Aqe/UQlMqg1iaR4D02wTX1KSqix
-9E5In70FnOhUueTSN6zf+ls49zjQI9nPkMK0d9Um5KJxYR/zXfZl+YR4uXecfaeY
-DGb0SL/LPhAkhp4azf4a00iJWjRLvKA6aSrr6bioYPFKJYUhvFozG0OJYVK5dLUA
-ofsnyGNlVVCQzS97Bq0+HVrYa37Nk5admWknHWO3++4JJT0qT0nUUkvXtvXxnfFX
-PCo9uQINBGCZZq0BEACq7CxMegB4JuC81VDZKNGgPvRfZYzvE9JGV9G/Gz2Ko8IN
-tsBMbIQVXLndeuJZqYPTk5X6dPKJe6ik9WUSpdvpxLdy1FiVjvOMxaXvZCeXB8NS
-jicHq8KWRrvgM15GGRo1vBC8BLyjh6tnImkmI86HNJEy3kvN7OjgFeXactO4yXaP
-Gu4J8OglAYOLvNjamriY/ExFS5uURrmHgJB9beEFY+XS7FbUj81R3H64XCKlKIVu
-ZWmkVHWKqZGdpax9eDWnT7NGrBaZ0DKHKHkim423WAwiqq1YpBpBO586F/ZPdHJE
-pOO8U0jc2NPBH5+kw4mpkerhbmd89NKRBccZwYVv04EYtyQz7GayBREa7Kwj5bq3
-sAE+DqRgeWFLBVWdaeU98zawLR15Qsx85cGvxFJaE9LyPWHyHSlJeyrT0hNE02HG
-3Snvf+ZFqwFgPpYFZ5nO8BTW1S+nrYXZGirslIqfFs0lg1d0B48cTtg4MESouZ+6
-bZDWR/47s6jicncfYVNqSH5d1Ifj8guuxDQZyJLEh18kcOH0wezt7lM/H6kXZnDz
-slOJUAubUgpZ/IbTgdd49UW93QepI+ynuwSogqIPf521XAU/Or7OY+t7J2e1VaCC
-zvez+oiZ6GWh6lBpccPUnDWtti3U2i5hK4swGFa3Uvi6UwbZHihi/iUip4uKxQAR
-AQABiQI8BBgBCgAmAhsMFiEEI1nmU4wGE+ZSlV5sGI7dO3si5qMFAmRrl+cFCQXy
-rLoACgkQGI7dO3si5qPkABAArXr6ALKSu/JEcA618KZfQ1saJDBq2NwZqhq5NXCQ
-pUA9sHBg8NW70A5GtweMIGPg4dgllsyLJT+S42H8IV+DGevseTGrbp77xi2/GSru
-fVt1RLOi7SNDRXCGPYSkH9hNsyhor1Rw+dvAn9ydT1MtzrGIhrmRwVOBwKqMUHa6
-T22VcKGkP6e0sx4Qt53zd82GJWGOo9C4WhD48xHaTpFaex7Xj4Cq4frfJ+C17Om3
-Vlzb0aCAYL99rPkvDR7NvDscTw/270bv8/11hF+51DtIzs6bRXasl+veOL7ykLgT
-gEDYrXDiZbyKAYJlwriRX5gRMQ0l0WV93Vz56jqK1DMGs24E3pnLvSgBvKFBd/Ft
-clxwmaWUjCk3UCjdX7okDsnASUSlR/qsERSmPvDIYOSMNCIgW7g+vnXBjGI3LS+1
-rnIhF72Ytf7RJwKhR8ILxkv8elp/0hsvsC5JvZtpz/ohQHoGPaNgeRMp8cKODDOb
-dnBNTPJNyfFn0JheuGtygiiGLI9/GTq/3gu3x1rufiK1E7kpnyAwE7PsFkIsR3e7
-p7z1NAhMB7JtiQchIcYjfBbI3KU+xGrgxfW6/eIBpqpEegmhc5ByJOCGGRHda0ZU
-vbWlw4aNxAbmlvMlq44f9UvAA61blx0imoRCzl63gy2EtWNnCj/00d4cJEhMzRD0
-1y0=
-=IJFv
+ZWFzZS1rZXktMjAyMUBmcmVlZG9tLnByZXNzPokCVAQTAQoAPhYhBCNZ5lOMBhPm
+UpVebBiO3Tt7IuajBQJgmWatAhsDBQkCKbYABQsJCAcDBRUKCQgLBRYCAwEAAh4B
+AheAAAoJEBiO3Tt7IuajwuMP/3HGnRKTgRLdxeL/8tK4E204N+W3dPYhge1sFLeD
+ak0vXQeTzxizU/1Hi1+qLv+XRpKziPE0gvKnc8wThPhJ+G93hEAqI/Es4VIklzbB
+f/xhLeE54wk6tqz+wy4ugoq0NrRTLFRXT2SXA/enSxaH16fk/5LcNF0V8CTvoaGn
+5kvhZCSPJyw7eqPZGjH2pxy33sktprEAjN7aXuIHw3IiRHmrqgqSCpjn5rEEXO3Y
+u8osqh5ZdVQLnmtQiosA4IVNOKRJU9nTDnIVducx+RLG3Bz3Qf7/mmRC+M3hqGWB
+skk0c2+DtspsNyZh1E+8II3qVGqFwMBovSI0wPX3IOK4Wb91dz3/n8Ahc2N7pBY3
+7wH1GHjT/2Bv80F5d3bbUJVFDLEFFMSUcj4E6dxU38XkbBTODrOYcjzlIT6uK/XH
+Q61fE1e7PSVeNqr6eIqqaTdNZaOJNtlO5umYx0WQawKT72eznPW6HJkX5cfuTj9H
+ARwRCNOTpipOo499bMtk7UjJcTwc9KOxJeKDkbMUfe/43Zp1njctWuv2e/NPz92J
+Ma3BmLluuBR9HJTWKp8L6Ia55vhvtm3+hsgiTCf7gdpxkwRO7470ZeyZMZtARwxp
+2wcIrqdOKW8Zwij2Zsi882PPJjR4N07KiEv9pUBtLzlX3VsHBFSu32klxW3cNlSZ
+1eK/iQJUBBMBCgA+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAFiEEI1nmU4wG
+E+ZSlV5sGI7dO3si5qMFAmJ+OGQFCQQKkzcACgkQGI7dO3si5qMcVQ//V/CLball
+ykNTLPEZWJQrwOZmNwZUYU0EnjRINKVe507TjhTg4sVNWM2+ke/PoXhPs/709Idu
+OIA5KrHpQCmJvkQr/DfyJDs9Bf4KDWwvqkNcKtU2afGX8WAY3/QyMiOk8ZbQKawR
+S77GomVvjdJIBvnPrlMkCzJc+CSQ/JT7PVdM913btC/D8G9wfsXL+SxMglwvqQVx
+QECAn8dwzoBtGV4pJOusA0uMf5z0OpGzu/Q8UCzpMAMhCw82sB55fHI+qARA5sN5
+O9eM9vWAnevUbV9YqQtv+gGjhxUH7F6312OPi68o78RO4rNc1aRxN02Fo07hIxw2
+396fG6s1vcstk9c6cRvhwdUYDj9CjLKOGACokwQLDn6dQGfnMz9MdBHuvreEGYWq
+072dGjqo0cjUMn8pYwfz3Z6SmA5jKzXIwgsXINAuAH6IUeiFHhVJ5A41am5IxNZg
+hDu99BUNqH1ntvI4n4zxclxO/U4tj4srXVvUJpJ7tX90seGVjMtou9X8tPwZoPAx
+AVPo3Cww4/BGHJZSx3L84s88wFjp40olEdDfA2cKVOJaLuIzlB8draD7jpi4oUyv
+VitpTAfFRvoQs01h6DTJyvvsf5iyZqaEcDlg+fEkjPH2dYIGBcbKf0UjEbLfa/CH
+2p2wa9tRBtJJ0t1ctUQNjj3a+5KORo0AmquJAlQEEwEKAD4CGwMFCwkIBwMFFQoJ
+CAsFFgIDAQACHgECF4AWIQQjWeZTjAYT5lKVXmwYjt07eyLmowUCZGuTNwUJBfKo
+CgAKCRAYjt07eyLmo+LmD/9stVNtzxn1jKl7t8aliKY+mdz9kUyyV+UzZOZ3GwLa
+JHXy7dxmiEA2Z4f22fF1RmY4jUQ2nm4boKyKg8c1zBCAfNtD92can992hlpK07lu
+3aBBeyZP4mY71BxkEV76FetA/aOnxtEGcT2zmA0D2wGTSYjH/uj0eyS/4GwVvG+L
+dBgJKNDw/rladL3B2p9xzIJRyPZ+sF9GhDRLxHMs8PcadM/2k7iBR9gG6mWxlU6x
+6gRITVnxztABuz7EpctzULA9Z1aCQu5ox2ohCY3uMJlRCp8P+CkVT5qtRExQAUtC
+5rfydstkwWBZ76sYnJY/2ulAwlQkCVZvNYsFV0hm404z/EmRZHSvJjvId/vnyG8b
+oHdl8tqRxtWUSKuGu6cs9wzeleZ1BmeABjLPr1lwlpxYcuFdxbwjf5HYGb2lIXQc
+DYjppYXXWvDH2VONrcVnwyF+X/YMwjoXx9gKnv1EJTKoNYmkeA9NsE19SkqosfRO
+SJ+9BZzoVLnk0jes3/pbOPc40CPZz5DCtHfVJuSicWEf8132ZfmEeLl3nH2nmAxm
+9Ei/yz4QJIaeGs3+GtNIiVo0S7ygOmkq6+m4qGDxSiWFIbxaMxtDiWFSuXS1AKH7
+J8hjZVVQkM0vewatPh1a2Gt+zZOWnZlpJx1jt/vuCSU9Kk9J1FJL17b18Z3xVzwq
+PYkCVAQTAQoAPgIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgBYhBCNZ5lOMBhPm
+UpVebBiO3Tt7IuajBQJmUJPbBQkLWseuAAoJEBiO3Tt7IuajvMEP/3IG9m7HVXG5
+CV7Po4vTNQEB6SwPwHzH7HTurEV66WuYF838BF9/JO7q9WTvPIm3TdIwTKco2Kcn
++HnJfoWxzESOl6oaPYKJCgx8msxnwuHClRnvfboGbeFtFWQz1RCDLNkIPinhXB6Z
+1Dp3xU4ojRwh1Y8NW3LCqBahmY2zXINQbmZRRa76naIVKtbVXtS3jvNDyU46VEGf
+MvAFjp/estpjB6h8ZdeOJDhZPW9GG6qdFUylh61lORXK1VKX3y4i26rkO5XPZsGq
+1sxEH+r6343eZXoJHqtwLWUX0QRzPOrW5RjqNkOA6yRDD3Zs+1rThfNP3wofsFI8
+oflvL/hwyPp/v9VtkJLyVCvNbFBnzX7DREi2d6L7etyGAHRG5gK0hfczbflkCyv8
+JiAyxQUz9LYEj4FXES4WrXdGmGZ2l5se3NRNVMhRF0x3/cm700QDVFmCfJcxUJEx
+h05+XqveD96zXMzzOmk0KT9wfRq9TD7x638Ly+0Fq/6LKxRmfeEQt8aOp3f7tS4U
+XP72i/Ka/fiba+kpKgVuc6ih2xnBYygXPVIXnuBOXFbCIGJkG9QKWqjhPEckuJen
+VCV5x0clXQ60VTL9yRXONmAFrpbd3WOszqvrhO+YPgPMwZs3km3NB1sYH57PnhWz
+y1cCM16r4kH2yijN/z/GGsNZW1WVY1UruQINBGCZZq0BEACq7CxMegB4JuC81VDZ
+KNGgPvRfZYzvE9JGV9G/Gz2Ko8INtsBMbIQVXLndeuJZqYPTk5X6dPKJe6ik9WUS
+pdvpxLdy1FiVjvOMxaXvZCeXB8NSjicHq8KWRrvgM15GGRo1vBC8BLyjh6tnImkm
+I86HNJEy3kvN7OjgFeXactO4yXaPGu4J8OglAYOLvNjamriY/ExFS5uURrmHgJB9
+beEFY+XS7FbUj81R3H64XCKlKIVuZWmkVHWKqZGdpax9eDWnT7NGrBaZ0DKHKHki
+m423WAwiqq1YpBpBO586F/ZPdHJEpOO8U0jc2NPBH5+kw4mpkerhbmd89NKRBccZ
+wYVv04EYtyQz7GayBREa7Kwj5bq3sAE+DqRgeWFLBVWdaeU98zawLR15Qsx85cGv
+xFJaE9LyPWHyHSlJeyrT0hNE02HG3Snvf+ZFqwFgPpYFZ5nO8BTW1S+nrYXZGirs
+lIqfFs0lg1d0B48cTtg4MESouZ+6bZDWR/47s6jicncfYVNqSH5d1Ifj8guuxDQZ
+yJLEh18kcOH0wezt7lM/H6kXZnDzslOJUAubUgpZ/IbTgdd49UW93QepI+ynuwSo
+gqIPf521XAU/Or7OY+t7J2e1VaCCzvez+oiZ6GWh6lBpccPUnDWtti3U2i5hK4sw
+GFa3Uvi6UwbZHihi/iUip4uKxQARAQABiQI8BBgBCgAmFiEEI1nmU4wGE+ZSlV5s
+GI7dO3si5qMFAmCZZq0CGwwFCQIptgAACgkQGI7dO3si5qNAJhAAsjrKyJY1A814
+QI82Jk1BcpbYRpr5D11/Y8okj142Ury/14yVJ1mdFNIqXiKaazR2UJef+W7EZYXW
+EUFC4BpYFC75tnGAIuKpdBjd6hiJZ+sWi10eit3IejAwHkbzRTCvPEDxaQTK1EEB
+/AKE+9fJhnjIVIIYLgIRYwvNBT/SJ5A1OhoSHtYppD8FpGFw7Hl/t9DK5YETyvY8
+vkqAMZ9rxp9ZdLni9NsgHa4SCxb/1t9ixziUdwbBH0ulHJF3D3Gv6U4Rtcjyi/CL
+wMaC9pJ7PfISQBYL0USkL9WUYTy7IPn60fcvrXIx0ZoR0T4L5rbIQpJ89bVvyT2a
+1BTFo0zp46hzq9O5g6dr3oB94UKfbYxNOjNwyMmSyT/JVHzS5H8RAk9UdXmJZXuU
+FGlPJwfqakGOzZm+X8m6bfbALS++b0CAfkWVLNSASXdkK0du5XpIEFFca2qc0vxg
+qNFDNJC9lrjIx95Bxiql8kOhhloo/mXz7rZl9vbXBespZCMosFlatkL6hnFm28II
+b8vOwGrOuToxyJUQcD8u6iT8kpWFj5EBqojf1VEaYOogVX8kBFfNTUWmHslD44f4
+6IqIm/lE/wAGev3Aec+olqdD1B75hdWwJXNaMxCYVofIgihTMKUeSuXHXNajtwbc
+UJYyeX4X/LrknXu5EoBfUIXZEZ/Ju3WJAjwEGAEKACYCGwwWIQQjWeZTjAYT5lKV
+XmwYjt07eyLmowUCYoIgsQUJBAqHBAAKCRAYjt07eyLmo386D/9R5FLT5+Nh51kb
+BUwJ3n3VMMRP+90PUJd/YoiJz27gV32c2ptg0H39zlBa1ViwH2VZy0vdEDsLcO3N
+ZRdC29NQUCKZIn0fVa04y800DBEq5tfPLieJTV7Gj296WN0oUF+XIU1UGtrMv4KF
+TNC9NH06zD6yAY7wlAKfGPAbRH07lBtZ+RDMKXRXBkBk5mtbPwC9xIJMSuCSQBsh
+vKGPKGJKyv3nownkZaUM+VtZfAJT9ohY1vKCGLqx1nn1G3EwWHvJAwbn/jrwu3qE
+gEeFvXrA7AS629Pm+juXPz4vQ/cLvW8yGCTS3NtXifclg5ABSpsN+j1YYre7hkHO
+CR0zerxRM/ZG8JUZBXJknh63EdJpYcDm5+fND6hyyx3+UfT5nlVVPMTngyUlq4kG
+dfddC4/h9treOMlF6dl2vgjvQBh52RLnHy/AdR7CaUeA6uz0Amca+a6tsWNQp1UR
+GmOzlwX+b0GoGBVzl7Y6ZgWVu1js0rCcW84ERqYrPx8H04ZCrm6rF08nJwmQsvab
+vBhkUbGfN3AdtDB1+/yos0u32jHEN/WRKeHg/pOBXHU3cbUyJJILv02TYxW+lDoy
+xDg7b3QUHJuwnT/VHTV7cv22uy1cRdDiAXowcxh0Gk2FwGWi8Yw+kjUAbtTPZMxU
+zSn5PwMU4Fs8/rTnt9fzOvX5I/RluYkCPAQYAQoAJgIbDBYhBCNZ5lOMBhPmUpVe
+bBiO3Tt7IuajBQJka5fnBQkF8qy6AAoJEBiO3Tt7Iuaj5AAQAK16+gCykrvyRHAO
+tfCmX0NbGiQwatjcGaoauTVwkKVAPbBwYPDVu9AORrcHjCBj4OHYJZbMiyU/kuNh
+/CFfgxnr7Hkxq26e+8Ytvxkq7n1bdUSzou0jQ0Vwhj2EpB/YTbMoaK9UcPnbwJ/c
+nU9TLc6xiIa5kcFTgcCqjFB2uk9tlXChpD+ntLMeELed83fNhiVhjqPQuFoQ+PMR
+2k6RWnse14+AquH63yfgtezpt1Zc29GggGC/faz5Lw0ezbw7HE8P9u9G7/P9dYRf
+udQ7SM7Om0V2rJfr3ji+8pC4E4BA2K1w4mW8igGCZcK4kV+YETENJdFlfd1c+eo6
+itQzBrNuBN6Zy70oAbyhQXfxbXJccJmllIwpN1Ao3V+6JA7JwElEpUf6rBEUpj7w
+yGDkjDQiIFu4Pr51wYxiNy0vta5yIRe9mLX+0ScCoUfCC8ZL/Hpaf9IbL7AuSb2b
+ac/6IUB6Bj2jYHkTKfHCjgwzm3ZwTUzyTcnxZ9CYXrhrcoIohiyPfxk6v94Lt8da
+7n4itRO5KZ8gMBOz7BZCLEd3u6e89TQITAeybYkHISHGI3wWyNylPsRq4MX1uv3i
+AaaqRHoJoXOQciTghhkR3WtGVL21pcOGjcQG5pbzJauOH/VLwAOtW5cdIpqEQs5e
+t4MthLVjZwo/9NHeHCRITM0Q9NctiQI8BBgBCgAmAhsMFiEEI1nmU4wGE+ZSlV5s
+GI7dO3si5qMFAmZQlEIFCQtayBUACgkQGI7dO3si5qNkmhAAtZTN3CkGrfgVA0nb
+GlIzGLbubDZobJHJPTOpv6q4dzTCFgCG3RNZUC1aWG+8PXxoYYm9ut9YDSjeVtjn
+o6eTjap/TcTVnjOSmjPMODlvOjgVMxnwiQkrWBiUmwlSNnIXaxpMvL3ky9R8XEGA
+oB2uKmSnopXPEbfsNGEWe6NBQM5nM8+UeOuOfqLZP1wGPbCbilhEDwMq6y//NXKA
+eVXCEVy6U20LlSois7p37eZys5SrqXWlYisd7Jf3ATb4FCf6P9rXJiglClLycCnj
+CQdi8yCSBLVS+StdFduEeQQgMqXg3MFryaFO0KfNJ9tidJk+F0PTjuUdQrlQTzFl
+Yaa3ThVmZkypZiZBGhYuVpIpmQDmTCGentx1xuyqpDIA/4ZkjXp9KwpdXjwOXMrh
+81C1jgtgOXRpNKVZ2+bFt+0+P0DiirP+FSSNiVBAtbjm/MdBi9ULIMZDE6unVzZ8
+wiZ/zGMpiwtqv9t4YOwI2gEbs3JOxS7uHwIRAWd0ODp1jqG/TLpB4rqYUFhxHBik
+SkDyZXl5b7favPPjwfQJyVMETA2thSK/aCXRPNhYg/uavpfNVoDSsTHHLlnyibV/
+BAGiAFAyeTWlxUJqxBFjIryga7ZPsfaBpDSpFWiokb3Zj5XdQpgcANVo10XHoXlI
+uYpuziPoNt/HBdgvc+XOP51tWgo=
+=e0m3
 -----END PGP PUBLIC KEY BLOCK-----

tests/test_vms_exist.py

@@ -178,6 +178,8 @@ def test_sd_log_config(self):
         self._check_service_running(vm, "securedrop-log-server")
         self.assertEqual(vm.features["service.securedrop-log-server"], "1")
         self.assertEqual(vm.features["service.securedrop-logging-disabled"], "1")
+        # See sd-log.sls "sd-install-epoch" feature
+        self.assertEqual(vm.features["sd-install-epoch"], "1")
 
         self.assertFalse(vm.template_for_dispvms)
         self.assertIn("sd-workstation", vm.tags)