QA and Release for version 0.10.0 RC2 #1341

@apyrgio

Pre-release

  • Create a new issue named QA and Release for version <VERSION>, to track the general progress.
  • Add new Linux platforms and remove obsolete ones
  • Bump the Python dependencies using poetry lock --regenerate
  • Bump the GitHub asset dependencies using poetry run mazette lock
  • Check for new WiX releases and update it if needed
  • Update version in pyproject.toml
  • Update share/version.txt
  • Update the "Version" field in install/linux/dangerzone.spec
  • (optional) Bump image version from v1 to v2, if the API has changed.
  • Bump the Debian version by adding a new changelog entry in debian/changelog
  • Bump the dates and versions in the Dockerfile.env
  • Update the download links in our INSTALL.md page to point to the new version (the download links will be populated after the release)
  • Update screenshot in README.md, if necessary
  • CHANGELOG.md should be updated to include a list of all major changes since the last release
  • A draft release should be created. Copy the release notes text from the template at docs/templates/release-notes
  • Send the release notes to editorial for review
  • Tag the tip of the main branch as v<version>-rc1. E.g. git tag -s v0.9.1-rc1.

Prepare build environments

macOS

On each release

  • Agree to any new terms and conditions in https://developer.apple.com, once you log in with FPF's Apple ID.
  • Upgrade "Command Line Tools" from "System Settings -> Software Update", from an account with admin privileges.
  • Upgrade Xcode from the App Store, from an account with admin privileges.
  • Update Docker Desktop and Podman Desktop to the latest versions.
  • Update Python to the latest supported version, following our instructions

Windows

On each release

  • Update WiX, if necessary
  • Update Python to the latest supported version from https://python.org.
  • Update Python to the latest supported version, following our instructions

Sign and release container image

Pick a release candidate image

  • Clone Dangerzone locally and pull the latest changes in the main branch.
  • Grab the latest container image for this commit and get its digest:
  • Ensure that this image is fresh (no more than two days old) and has been produced by a build that passes CI tests.

Attest provenance and reproducibility

  • Attest provenance with poetry run ./dev_scripts/dangerzone-image attest-provenance $IMAGE
  • Grab digests of platform-specific images (linux/amd64 and linux/arm64) with crane manifest $IMAGE
  • Reproduce it bit-for-bit locally for every platform:

Sign and publish image

  • Clone https://github.com/freedomofpress/ghcr-signer in the environment where signing keys are present.
  • Sign the image and store the signatures locally with uv run --recursive --sk ./ghcr-signer.py prepare "$IMAGE"
  • Prepare a PR, wait until CI passes, and then merge it
  • Verify that the latest image is signed and has the expected digest:
  • Bump the bundled log index in dangerzone/updater/signatures.py with the log index of the container image.

Build release artifacts

macOS

Automated

  • export APPLE_ID=<email> in your terminal session
  • Build artifacts for Intel macOS with make build-macos-intel
  • Build artifacts for Apple Silicon macOS with make build-macos-arm

Windows

  • Check out the dependencies, and clean the local copy:
  • Download the container image with signatures:
  • Download the necessary assets with poetry run mazette install
  • Run poetry run .\install\windows\build-app.bat
  • Rename Dangerzone.msi to Dangerzone-$VERSION.msi.

Linux

Automated

  • Run make build-linux (not necessary if you've previously built artifacts for macOS)

QA

The checklist

  • Make sure that the tip of the main branch passes the CI tests.
  • Create a test build in Windows and make sure it works:
    • Check if the suggested Python version is still supported.
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
    • Download the necessary assets using poetry run mazette install
    • Run the Dangerzone tests.
    • Build and run the Dangerzone .exe
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in macOS (Intel CPU) and make sure it works:
    • Check if the suggested Python version is still supported.
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
    • Download the necessary assets using poetry run mazette install
    • Run the Dangerzone tests.
    • Create and run an app bundle.
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in macOS (M1/2 CPU) and make sure it works:
    • Check if the suggested Python version is still supported.
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
    • Download the necessary assets using poetry run mazette install
    • Run the Dangerzone tests.
    • Create and run an app bundle.
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in the most recent Ubuntu LTS platform (Ubuntu 24.04
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
    • Download the necessary assets using poetry run mazette install
    • Run the Dangerzone tests.
    • Create a .deb package and install it system-wide.
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in the most recent Fedora platform (Fedora 41 as of
    • Create a new development environment with Poetry.
    • Build the container image and ensure the development environment uses
    • Download the necessary assets using poetry run mazette install
    • Run the Dangerzone tests.
    • Create an .rpm package and install it system-wide.
    • Test some QA scenarios (see Scenarios below).
  • Create a test build in the most recent Qubes Fedora template (Fedora 41 as
    • Create a new development environment with Poetry.
    • Run the Dangerzone tests.
    • Create a Qubes .rpm package and install it system-wide.
    • Ensure that the Dangerzone application appears in the "Applications"
    • Test some QA scenarios (see Scenarios below) and make sure

Release

  • Create a PGP-signed git tag for the version, e.g., for dangerzone v0.1.0:
  • Create an archive of the Dangerzone source in tar.gz format:
  • Run container scan on the produced container images (some time may have passed since the artifacts were built)
  • Collect the assets in a single directory, calculate their SHA-256 hashes, and sign them.
  • Upload all the assets to the draft release on GitHub.
  • Update the draft release to target the final git tag.
  • Send a PR to update the Dangerzone website to link to the new installers.
  • Send a PR that updates the Dangerzone version and links to our installation instructions (INSTALL.md) in README.md

📣 Publish the release!

  • Merge the PRs in the apt-tools-prod and yum-tools-prod repos.
  • Make the GitHub draft release public.
  • Merge the PRs in dangerzone.rocks and [dangerzone](https://github.com/freedomofpress/dangerzone/pulls).
  • Toot release announcement on our Mastodon account https://social.freedom.press/@dangerzone
  • Extend the check_repos.yml CI test for the newly added platforms, if necessary
  • Manually trigger the check_repos.yml CI test and ensure it passes.
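
The "Attest provenance and reproducibility" steps above compare the per-platform digests from `crane manifest $IMAGE` with local rebuilds. The following is an added example, not part of the original issue or the Dangerzone code base: it parses an OCI image index and reports platforms whose rebuilt digest differs. The sample index, its digests, and the function names are constructed for illustration.

```python
import json
import re

# Constructed, trimmed sample of what `crane manifest $IMAGE` prints for a
# multi-platform image (an OCI image index). The digests are made up.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:" + "a" * 64,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"digest": "sha256:" + "b" * 64,
         "platform": {"architecture": "arm64", "os": "linux"}},
        # Build attestations, when present, use an unknown/unknown platform.
        {"digest": "sha256:" + "c" * 64,
         "platform": {"architecture": "unknown", "os": "unknown"}},
    ],
})

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
REQUIRED = ("linux/amd64", "linux/arm64")  # platforms named in the checklist


def platform_digests(index_json):
    """Map "os/arch" to digest for each required platform in an OCI index."""
    index = json.loads(index_json)
    if "manifests" not in index:
        raise ValueError("not an image index: single-platform manifest?")
    found = {}
    for entry in index["manifests"]:
        plat = entry.get("platform", {})
        key = f"{plat.get('os')}/{plat.get('architecture')}"
        if key not in REQUIRED:
            continue  # skip attestations and platforms that are not shipped
        if not DIGEST_RE.fullmatch(entry.get("digest", "")):
            raise ValueError(f"malformed digest for {key}")
        if key in found:
            raise ValueError(f"duplicate entry for {key}")
        found[key] = entry["digest"]
    missing = [p for p in REQUIRED if p not in found]
    if missing:
        raise ValueError(f"index lacks platforms: {missing}")
    return found


def reproducibility_mismatches(published, rebuilt):
    """Return platforms whose local rebuild digest differs from the index."""
    return sorted(p for p in published if rebuilt.get(p) != published[p])
```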
