From 6713cce50313b0ef241708b1c74c75cb29134421 Mon Sep 17 00:00:00 2001
From: Micah Lee <micah@micahflee.com>
Date: Fri, 26 Aug 2022 14:06:06 -0700
Subject: [PATCH] Updates to the macOS and Windows build scripts and
 documentation

---
 BUILD.md                      | 12 +++++-------
 RELEASE.md                    | 33 +++++++++++++++++++++------------
 install/macos/build-app.py    |  4 +---
 install/windows/build-app.bat |  6 +++---
 install/windows/build-wxs.py  |  9 ++++-----
 5 files changed, 34 insertions(+), 30 deletions(-)

diff --git a/BUILD.md b/BUILD.md
index f12516c..8de6cd7 100644
--- a/BUILD.md
+++ b/BUILD.md
@@ -54,16 +54,14 @@ Create a .rpm:
 
 ## macOS
 
-Install Xcode from the App Store.
-
 Install [Docker Desktop](https://www.docker.com/products/docker-desktop). Make sure to choose your correct CPU, either Intel Chip or Apple Chip.
 
-Install Python 3.9.9 [from python.org](https://www.python.org/downloads/release/python-399/).
+Install the latest version of Python 3.9 [from python.org](https://www.python.org/downloads/macos/), and make sure `/Library/Frameworks/Python.framework/Versions/3.9/bin` is in your `PATH`.
 
 Install Python dependencies:
 
 ```sh
-pip3 install --user poetry
+python3 -m pip install poetry
 poetry install
 ```
 
@@ -110,12 +108,12 @@ The output is in the `dist` folder.
 
 Install [Docker Desktop](https://www.docker.com/products/docker-desktop).
 
-Install Python 3.9.9 (x86) [from python.org](https://www.python.org/downloads/release/python-399/). When installing it, make sure to check the "Add Python 3.9 to PATH" checkbox on the first page of the installer.
+Install the latest version of Python 3.9 (64-bit) [from python.org](https://www.python.org/downloads/windows/). Make sure to check the "Add Python 3.9 to PATH" checkbox on the first page of the installer.
 
-Install [poetry](https://python-poetry.org/). Open PowerShell, and run:
+Install [poetry](https://python-poetry.org/):
 
 ```
-(Invoke-WebRequest -Uri https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py -UseBasicParsing).Content | python
+python -m pip install poetry
 ```
 
 Change to the `dangerzone` folder, and install the poetry dependencies:
diff --git a/RELEASE.md b/RELEASE.md
index 28d7fbc..fe72754 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -34,14 +34,13 @@ To make a macOS release, go to macOS build machine:
 
 - Build machine must have:
   - macOS 10.14
-  - Apple-trusted `Developer ID Application: FIRST LOOK PRODUCTIONS, INC.` and `Developer ID Installer: FIRST LOOK PRODUCTIONS, INC.` code-signing certificates installed
-  - An app-specific Apple ID password saved in the login keychain called `flockagent-notarize`
+  - Apple-trusted `Developer ID Application: FIRST LOOK PRODUCTIONS, INC. (P24U45L8P5)` code-signing certificates installed
 - Verify and checkout the git tag for this release
 - Run `poetry install`
-- Run `poetry run ./install/macos/build_app.py --with-codesign`; this will make `dist/Dangerzone.dmg`
-- Notarize it: `xcrun altool --notarize-app --primary-bundle-id "media.firstlook.dangerzone" -u "micah@firstlook.org" -p "@keychain:dangerzone-notarize" --file dist/Dangerzone.dmg`
-- Wait for it to get approved, check status with: `xcrun altool --notarization-history 0 -u "micah@firstlook.org" -p "@keychain:dangerzone-notarize"`
-- (If it gets rejected, you can see why with: `xcrun altool --notarization-info [RequestUUID] -u "micah@firstlook.org" -p "@keychain:dangerzone-notarize"`)
+- Run `poetry run ./install/macos/build-app.py --with-codesign`; this will make `dist/Dangerzone.dmg`
+- Notarize it: `xcrun altool --notarize-app --primary-bundle-id "media.firstlook.dangerzone" -u "micah@firstlook.org" -p "$PASSWORD" --file dist/Dangerzone.dmg`
+- Wait for it to get approved, check status with: `xcrun altool --notarization-history 0 -u "micah@firstlook.org" -p "$PASSWORD"`
+- (If it gets rejected, you can see why with: `xcrun altool --notarization-info $REQUEST_UUID -u "micah@firstlook.org" -p "$PASSWORD"`)
 - After it's approved, staple the ticket: `xcrun stapler staple dist/Dangerzone.dmg`
 
 This process ends up with the final file:
@@ -54,15 +53,25 @@ Rename `Dangerzone.dmg` to `Dangerzone-$VERSION.dmg`.
 
 ## Windows release
 
-To make a Windows release, go to the Windows build machine:
+### Set up a Windows 11 VM for making releases
+
+- Download a VirtualBox VM image for Windows from here: https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ and import it into VirtualBox. Also install the Oracle VM VirtualBox Extension Pack.
+- Install updates
+- Install git for Windows from https://git-scm.com/download/win, and clone the dangerzone repo
+- Follow the Windows build instructions in `BUILD.md`, except:
+  - Don't install Docker Desktop (it won't work without nested virtualization)
+  - Install the Windows SDK from here: https://developer.microsoft.com/en-us/windows/downloads/windows-sdk/ and add `C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool` to the path (you'll need it for `signtool.exe`)
+  - You'll also need the Windows codesigning certificate installed on the VM
+
+### Build the container image
+
+Instead of running `python .\install\windows\build-image.py` in the VM, run the build image script on the host (making sure to build for `linux/amd64`). Copy `share/container.tar.gz` and `share/image-id.txt` from the host into the `share` folder in the VM
+
+### Build the Dangerzone binary and installer
 
-- Build machine should be running Windows 10, and have the Windows codesigning certificate installed
 - Verify and checkout the git tag for this release
 - Run `poetry install`
-- Run `poetry shell`, then `cd ..\pyinstaller`, `python setup.py install`, `exit`
-- Run `poetry run install\windows\step1-build-exe.bat`
-- Open a second command prompt _as an administratror_, cd to the dangerzone directory, and run: `install\windows\step2-make-symlink.bat`
-- Back in the first command prompt, run: `poetry run install\windows\step3-build-installer.bat`
+- Run `poetry run .\install\windows\build-app.bat`
 - When you're done you will have `dist\Dangerzone.msi`
 
 Rename `Dangerzone.msi` to `Dangerzone-$VERSION.msi`.
diff --git a/install/macos/build-app.py b/install/macos/build-app.py
index e13511d..765de45 100755
--- a/install/macos/build-app.py
+++ b/install/macos/build-app.py
@@ -73,9 +73,7 @@ def main():
 
     if args.with_codesign:
         print("○ Code signing app bundle")
-        identity_name_application = (
-            "Developer ID Application: FIRST LOOK PRODUCTIONS, INC. (P24U45L8P5)"
-        )
+        identity_name_application = "Developer ID Application: FIRST LOOK PRODUCTIONS, INC. (P24U45L8P5)"
         entitlements_plist_path = os.path.join(root, "install/macos/entitlements.plist")
 
         for path in itertools.chain(
diff --git a/install/windows/build-app.bat b/install/windows/build-app.bat
index 32f3f0a..7c3b322 100644
--- a/install/windows/build-app.bat
+++ b/install/windows/build-app.bat
@@ -6,8 +6,8 @@ REM build the exe
 python .\setup-windows.py build
 
 REM code sign dangerzone.exe
-signtool.exe sign /v /d "Dangerzone" /sha1 28a4af3b6ba5ed0ef307e1b96a140e1b42450c3b /tr http://timestamp.digicert.com build\exe.win32-3.9\dangerzone.exe
-signtool.exe sign /v /d "Dangerzone" /sha1 28a4af3b6ba5ed0ef307e1b96a140e1b42450c3b /tr http://timestamp.digicert.com build\exe.win32-3.9\dangerzone-cli.exe
+signtool.exe sign /v /d "Dangerzone" /sha1 1a0345732140749bdaa03efe8591b2c2a036884c /tr http://timestamp.digicert.com build\exe.win-amd64-3.9\dangerzone.exe
+signtool.exe sign /v /d "Dangerzone" /sha1 1a0345732140749bdaa03efe8591b2c2a036884c /tr http://timestamp.digicert.com build\exe.win-amd64-3.9\dangerzone-cli.exe
 
 REM build the wix file
 python install\windows\build-wxs.py > build\Dangerzone.wxs
@@ -19,7 +19,7 @@ light.exe -ext WixUIExtension Dangerzone.wixobj
 
 REM code sign dangerzone.msi
 insignia.exe -im Dangerzone.msi
-signtool.exe sign /v /d "Dangerzone" /sha1 28a4af3b6ba5ed0ef307e1b96a140e1b42450c3b /tr http://timestamp.digicert.com Dangerzone.msi
+signtool.exe sign /v /d "Dangerzone" /sha1 1a0345732140749bdaa03efe8591b2c2a036884c /tr http://timestamp.digicert.com Dangerzone.msi
 
 REM moving Dangerzone.msi to dist
 cd ..
diff --git a/install/windows/build-wxs.py b/install/windows/build-wxs.py
index a9b73d1..04cdc93 100644
--- a/install/windows/build-wxs.py
+++ b/install/windows/build-wxs.py
@@ -23,7 +23,7 @@ def build_data(dirname, dir_prefix, id_, name):
                 id_prefix = id_
 
             # Skip lib/Pyside2/Examples folder
-            if "\\build\\exe.win32-3.9\\lib\\PySide2\\examples" in dirname:
+            if "\\build\\exe.win-amd64-3.9\\lib\\PySide2\\examples" in dirname:
                 continue
 
             id_value = f"{id_prefix}{basename.capitalize().replace('-', '_')}"
@@ -121,7 +121,7 @@ def main():
     dist_dir = os.path.join(
         os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))),
         "build",
-        "exe.win32-3.9",
+        "exe.win-amd64-3.9",
     )
     if not os.path.exists(dist_dir):
         print("You must build the dangerzone binary before running this")
@@ -145,7 +145,7 @@ def main():
     data["dirs"][0]["dirs"].append(
         build_data(
             dist_dir,
-            "exe.win32-3.9",
+            "exe.win-amd64-3.9",
             "INSTALLDIR",
             "Dangerzone",
         )
@@ -224,9 +224,8 @@ def main():
     print('<?xml version="1.0" encoding="windows-1252"?>')
     print(f'<?define ProductVersion = "{version}"?>')
     print('<?define ProductUpgradeCode = "12b9695c-965b-4be0-bc33-21274e809576"?>')
-
     ET.indent(root_el)
-    ET.dump(root_el)
+    print(ET.tostring(root_el).decode())
 
 
 if __name__ == "__main__":