Adds new workstation template with keyring package

[conorsch]

Name of package: qubes-template-securedrop-workstation

Rebuilds the template with securedrop-keyring package preinstalled.

Test plan

Build process

• Tag in qubes-template-securedrop-workstation repository is correct: https://github.com/freedomofpress/qubes-template-securedrop-workstation/releases/tag/0.2.1
• Build logs are included: freedomofpress/build-logs@362d39d
• CI is passing, the rpm is properly signed with the test key
• Unsigned RPM after running rpm --delsign on the signed RPM results in the checksum found in the build logs

VM sanity check

I have not yet performed these simple tests to verify VM functionality, please do so as part of review:

• Template installs successfully in dom0
• Set VM to HVM and kernel to ''
• Template boots in grsecurity kernel
• apt-key finger shows the release key in its own keyring
• the old key is not present
• securedrop-keyring package is installed
• sudo echo hello does not prompt for sudo password

See freedomofpress/qubes-template-securedrop-workstation#12 for reference

[emkll]

Thanks @conorsch test plan (other than signing of the RPM which you have committed, which is unsigned) looks good to me, tested the template locally. I have pushed a commit that signs the RPM with the test key by running the following command:
rpm --resign qubes-template-securedrop-workstation-buster-4.0.1-202007062239.noarch.rpm

CI is now passing, but one can check manually if the rpm is signed:

$ rpm -qpi qubes-template-securedrop-workstation-buster-4.0.1-202007062239.noarch.rpm
Name        : qubes-template-securedrop-workstation-buster
Version     : 4.0.1
Release     : 202007062239
Architecture: noarch
Install Date: (not installed)
Group       : Unspecified
Size        : 3788902608
License     : GPL
Signature   : RSA/SHA512, Tue 07 Jul 2020 08:16:11 AM EDT, Key ID 4a3be4a92211b03c
Source RPM  : qubes-template-securedrop-workstation-buster-4.0.1-202007062239.src.rpm
Build Date  : Mon 06 Jul 2020 06:45:49 PM EDT
Build Host  : localhost
Relocations : (not relocatable)
URL         : http://www.qubes-os.org
Summary     : Qubes template for securedrop-workstation-buster
Description :
Qubes template for securedrop-workstation-buster

Approving since CI is passing, but before merging, one can verify that removing the signature matched the initial RPM committed to this branch (using rpm --delsign qubes-template-securedrop-workstation-buster-4.0.1-202007062239.noarch.rpm)

Given the size of the RPMs (800+ MB), what do you think of deleting the old templates? They should be preserved in GitLFS history

[conorsch]

Thanks for the assist, @emkll, I'll verify the --delsign behavior locally.

Given the size of the RPMs (800+ MB), what do you think of deleting the old templates?

Also wise. I'll snip out all but the current and one previous version, so a total of two.

[conorsch]

Confirmed, running --delsign on the new RPM shows the expected checksum from the build logs. CI is passing given the test sig, so merging.

[conorsch]

Template is live in testing: https://yum-test.securedrop.org/workstation/dom0/f25/