/var/lib/securedrop/keys/gpg-agent.conf should be installed by the package, not generated in postinst

[legoktm]

Description

Currently we create and edit the /var/lib/securedrop/keys/gpg-agent.conf file in the postinst of the securedrop-app-code package. Aside from being a bit precarious to be grepping for certain strings and editing accordingly, it gives us less flexibility on managing it because dpkg doesn't know about it.

There are two main options in Debian packaging, depending on whether there is a legitimate use case for users to customize and edit this file.

If there is, then it should be treated as a conffile (https://www.debian.org/doc/debian-policy/ap-pkg-conffiles.html#automatic-handling-of-configuration-files-by-dpkg), which dpkg can automatically diff and ask the person upgrading the package if they want to accept the new upstream version or give them the opportunity to merge in changes.

If we don't want people customizing it, it can just be a normal file in the package, and normal package upgrades will overwrite whatever contents were there previously. This gives us much more confidence about the state of of the gpg-agent.conf.

Likely there are other files in the package that could benefit from this treatment, but gpg-agent.conf was the one that stood out to me today because we were already looking at how gpg was running.

User Stories

• As a SecureDrop developer, I'd like to have greater confidence in the state of the gpg-agent configuration given its role in ensuring encryption works properly. I'd also like to maintain less bash/shell logic.

[conorsch]

Great point, @legoktm. As you've probably noticed, the overall build story could use a lot of work. We're doing a lot of things in Ansible tasks that would be better expressed in packaging directives. Please keep an eye out for similar recommendations; might be worth compiling a list of them to tackle a bunch of improvements together.