Merge e6380f793b into 60df4f7e35

This commit makes changes to the release instructions, prefering bash
exemples when that's possible. As a result, the QA.md and RELEASE.md
files have been separated and a new `generate-release-tasks.py` script
is making its apparition.

.github/workflows/ci.yml

@@ -119,10 +119,14 @@ jobs:
           key: v1-tessdata-${{ hashFiles('./install/common/download-tessdata.py') }}
       - name: Run CLI tests
         run: poetry run make test
-      # Taken from: https://github.com/orgs/community/discussions/27149#discussioncomment-3254829
-      - name: Set path for candle and light
-        run: echo "C:\Program Files (x86)\WiX Toolset v3.14\bin" >> $GITHUB_PATH
-        shell: bash
+      - name: Set up .NET CLI environment
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: "8.x"
+      - name: Install WiX Toolset
+        run: dotnet tool install --global wix
+      - name: Add WiX UI extension
+        run: wix extension add --global WixToolset.UI.wixext
       - name: Build the MSI installer
         # NOTE: This also builds the .exe internally.
         run: poetry run .\install\windows\build-app.bat

BUILD.md

@@ -471,11 +471,24 @@ poetry shell
 .\dev_scripts\dangerzone.bat
 ```
 
-### If you want to build the installer
+### If you want to build the Windows installer
 
-* Go to https://dotnet.microsoft.com/download/dotnet-framework and download and install .NET Framework 3.5 SP1 Runtime. I downloaded `dotnetfx35.exe`.
-* Go to https://wixtoolset.org/releases/ and download and install WiX toolset. I downloaded `wix314.exe`.
-* Add `C:\Program Files (x86)\WiX Toolset v3.14\bin` to the path ([instructions](https://web.archive.org/web/20230221104142/https://windowsloop.com/how-to-add-to-windows-path/)).
+Install [.NET SDK](https://dotnet.microsoft.com/en-us/download) version 6 or later. Then, open a terminal and install the latest version of [WiX Toolset .NET tool](https://wixtoolset.org/) **v5** with:
+
+```sh
+dotnet tool install --global wix --version 5.*
+```
+
+Install the WiX UI extension. You may need to open a new terminal in order to use the newly installed `wix` .NET tool:
+
+```sh
+wix extension add --global WixToolset.UI.wixext/5.x.y
+```
+
+> [!IMPORTANT]  
+> To avoid compatibility issues, ensure the WiX UI extension version matches the version of the WiX Toolset.
+> 
+> Run `wix --version` to check the version of WiX Toolset you have installed and replace `5.x.y` with the full version number without the Git revision.
 
 ### If you want to sign binaries with Authenticode
 

QA.md

@@ -0,0 +1,197 @@
+## QA
+
+To ensure that new releases do not introduce regressions, and support existing
+and newer platforms, we have to test that the produced packages work as expected.
+
+Check the following:
+
+- [ ] Make sure that the tip of the `main` branch passes the CI tests.
+- [ ] Make sure that the Apple account has a valid application password and has
+      agreed to the latest Apple terms (see [macOS release](#macos-release)
+      section).
+
+Because it is repetitive, we wrote a script to help with the QA.
+It can run the tasks for you, pausing when it needs manual intervention.
+
+You can run it with a command like:
+
+```bash
+poetry run ./dev_scripts/qa.py {distro}-{version}
+```
+
+### The checklist
+
+- [ ] Create a test build in Windows and make sure it works:
+  - [ ] Check if the suggested Python version is still supported.
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
+  - [ ] Run the Dangerzone tests.
+  - [ ] Build and run the Dangerzone .exe
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in macOS (Intel CPU) and make sure it works:
+  - [ ] Check if the suggested Python version is still supported.
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create and run an app bundle.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in macOS (M1/2 CPU) and make sure it works:
+  - [ ] Check if the suggested Python version is still supported.
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create and run an app bundle.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in the most recent Ubuntu LTS platform (Ubuntu 24.04
+  as of writing this) and make sure it works:
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create a .deb package and install it system-wide.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in the most recent Fedora platform (Fedora 41 as of
+  writing this) and make sure it works:
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create an .rpm package and install it system-wide.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in the most recent Qubes Fedora template (Fedora 40 as
+  of writing this) and make sure it works:
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create a Qubes .rpm package and install it system-wide.
+  - [ ] Ensure that the Dangerzone application appears in the "Applications"
+    tab.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below) and make sure
+    they spawn disposable qubes.
+
+### Scenarios
+
+#### 1. Dangerzone correctly identifies that Docker/Podman is not installed
+
+_(Only for MacOS / Windows)_
+
+Temporarily hide the Docker/Podman binaries, e.g., rename the `docker` /
+`podman` binaries to something else. Then run Dangerzone. Dangerzone should
+prompt the user to install Docker/Podman.
+
+#### 2. Dangerzone correctly identifies that Docker is not running
+
+_(Only for MacOS / Windows)_
+
+Stop the Docker Desktop application. Then run Dangerzone. Dangerzone should
+prompt the user to start Docker Desktop.
+
+
+#### 3. Updating Dangerzone handles external state correctly.
+
+_(Applies to Windows/MacOS)_
+
+Install the previous version of Dangerzone, downloaded from the website.
+
+Open the Dangerzone application and enable some non-default settings.
+**If there are new settings, make sure to change those as well**.
+
+Close the Dangerzone application and get the container image for that
+version. For example:
+
+```
+$ docker images dangerzone.rocks/dangerzone:latest
+REPOSITORY                   TAG         IMAGE ID      CREATED       SIZE
+dangerzone.rocks/dangerzone  latest      <image ID>    <date>        <size>
+```
+
+Then run the version under QA and ensure that the settings remain changed.
+
+Afterwards check that new docker image was installed by running the same command
+and seeing the following differences:
+
+```
+$ docker images dangerzone.rocks/dangerzone:latest
+REPOSITORY                   TAG         IMAGE ID        CREATED       SIZE
+dangerzone.rocks/dangerzone  latest      <different ID>  <newer date>  <different size>
+```
+
+#### 4. Dangerzone successfully installs the container image
+
+_(Only for Linux)_
+
+Remove the Dangerzone container image from Docker/Podman. Then run Dangerzone.
+Dangerzone should install the container image successfully.
+
+#### 5. Dangerzone retains the settings of previous runs
+
+Run Dangerzone and make some changes in the settings (e.g., change the OCR
+language, toggle whether to open the document after conversion, etc.). Restart
+Dangerzone. Dangerzone should show the settings that the user chose.
+
+#### 6. Dangerzone reports failed conversions
+
+Run Dangerzone and convert the `tests/test_docs/sample_bad_pdf.pdf` document.
+Dangerzone should fail gracefully, by reporting that the operation failed, and
+showing the following error message:
+
+> The document format is not supported
+
+#### 7. Dangerzone succeeds in converting multiple documents
+
+Run Dangerzone against a list of documents, and tick all options. Ensure that:
+* Conversions take place sequentially.
+* Attempting to close the window while converting asks the user if they want to
+  abort the conversions.
+* Conversions are completed successfully.
+* Conversions show individual progress in real-time (double-check for Qubes).
+* _(Only for Linux)_ The resulting files open with the PDF viewer of our choice.
+* OCR seems to have detected characters in the PDF files.
+* The resulting files have been saved with the proper suffix, in the proper
+  location.
+* The original files have been saved in the `unsafe/` directory.
+
+#### 8. Dangerzone is able to handle drag-n-drop
+
+Run Dangerzone against a set of documents that you drag-n-drop. Files should be
+added and conversion should run without issue.
+
+> [!TIP]
+> On our end-user container environments for Linux, we can start a file manager
+> with `thunar &`.
+
+#### 9. Dangerzone CLI succeeds in converting multiple documents
+
+_(Only for Windows and Linux)_
+
+Run Dangerzone CLI against a list of documents. Ensure that conversions happen
+sequentially, are completed successfully, and we see their progress.
+
+#### 10. Dangerzone can open a document for conversion via right-click -> "Open With"
+
+_(Only for Windows, MacOS and Qubes)_
+
+Go to a directory with office documents, right-click on one, and click on "Open
+With". We should be able to open the file with Dangerzone, and then convert it.
+
+#### 11. Dangerzone shows helpful errors for setup issues on Qubes
+
+_(Only for Qubes)_
+
+Check what errors does Dangerzone throw in the following scenarios. The errors
+should point the user to the Qubes notifications in the top-right corner:
+
+1. The `dz-dvm` template does not exist. We can trigger this scenario by
+   temporarily renaming this template.
+2. The Dangerzone RPC policy does not exist. We can trigger this scenario by
+   temporarily renaming the `dz.Convert` policy.
+3. The `dz-dvm` disposable Qube cannot start due to insufficient resources. We
+   can trigger this scenario by temporarily increasing the minimum required RAM
+   of the `dz-dvm` template to more than the available amount.

RELEASE.md

@@ -1,12 +1,13 @@
 # Release instructions
 
-This section documents the release process. Unless you're a dangerzone developer making a release, you'll probably never need to follow it.
+This section documents how we currently release Dangerzone for the different distributions we support.
 
 ## Pre-release
 
-Before making a release, all of these should be complete:
+Here is a list of tasks that should be done before issuing the release:
 
-- [ ] Copy the checkboxes from these instructions onto a new issue and call it **QA and Release version \<VERSION\>**
+- [ ] Create a new issue named **QA and Release for version \<VERSION\>**, to track the general progress.
+      You can generate its content with the the `poetry run ./dev_scripts/generate-release-tasks.py` command.
 - [ ] [Add new Linux platforms and remove obsolete ones](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#add-new-platforms-and-remove-obsolete-ones)
 - [ ] Bump the Python dependencies using `poetry lock`
 - [ ] Update `version` in `pyproject.toml`
@@ -15,6 +16,8 @@ Before making a release, all of these should be complete:
 - [ ] Bump the Debian version by adding a new changelog entry in `debian/changelog`
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release
+- [ ] A draft release should be created. Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
+- [ ] Do the QA tasks
 
 ## Add new Linux platforms and remove obsolete ones
 
@@ -37,7 +40,7 @@ In case of a new version (beta, RC, or official release):
    `BUILD.md` files where necessary.
 4. Send a PR with the above changes.
 
-In case of an EOL version:
+In case of the removal of a version:
 
 1. Remove any mention to this version from our repo.
    * Consult the previous paragraph, but also `grep` your way around.
@@ -51,192 +54,13 @@ Follow the instructions in `docs/developer/TESTING.md` to run the tests.
 
 These tests will identify any regressions or progression in terms of document coverage.
 
-## QA
-
-To ensure that new releases do not introduce regressions, and support existing
-and newer platforms, we have to do the following:
-
-- [ ] Make sure that the tip of the `main` branch passes the CI tests.
-- [ ] Make sure that the Apple account has a valid application password and has
-      agreed to the latest Apple terms (see [macOS release](#macos-release)
-      section).
-- [ ] Create a test build in Windows and make sure it works:
-  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Run the Dangerzone tests.
-  - [ ] Build and run the Dangerzone .exe
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in macOS (Intel CPU) and make sure it works:
-  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create and run an app bundle.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in macOS (M1/2 CPU) and make sure it works:
-  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create and run an app bundle.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in the most recent Ubuntu LTS platform (Ubuntu 24.04
-  as of writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create a .deb package and install it system-wide.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in the most recent Fedora platform (Fedora 41 as of
-  writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create an .rpm package and install it system-wide.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in the most recent Qubes Fedora template (Fedora 40 as
-  of writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create a Qubes .rpm package and install it system-wide.
-  - [ ] Ensure that the Dangerzone application appears in the "Applications"
-    tab.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below) and make sure
-    they spawn disposable qubes.
-
-### Scenarios
-
-#### 1. Dangerzone correctly identifies that Docker/Podman is not installed
-
-_(Only for MacOS / Windows)_
-
-Temporarily hide the Docker/Podman binaries, e.g., rename the `docker` /
-`podman` binaries to something else. Then run Dangerzone. Dangerzone should
-prompt the user to install Docker/Podman.
-
-#### 2. Dangerzone correctly identifies that Docker is not running
-
-_(Only for MacOS / Windows)_
-
-Stop the Docker Desktop application. Then run Dangerzone. Dangerzone should
-prompt the user to start Docker Desktop.
-
-
-#### 3. Updating Dangerzone handles external state correctly.
-
-_(Applies to Windows/MacOS)_
-
-Install the previous version of Dangerzone, downloaded from the website.
-
-Open the Dangerzone application and enable some non-default settings.
-**If there are new settings, make sure to change those as well**.
-
-Close the Dangerzone application and get the container image for that
-version. For example:
-
-```
-$ docker images dangerzone.rocks/dangerzone:latest
-REPOSITORY                   TAG         IMAGE ID      CREATED       SIZE
-dangerzone.rocks/dangerzone  latest      <image ID>    <date>        <size>
-```
-
-Then run the version under QA and ensure that the settings remain changed.
-
-Afterwards check that new docker image was installed by running the same command
-and seeing the following differences:
-
-```
-$ docker images dangerzone.rocks/dangerzone:latest
-REPOSITORY                   TAG         IMAGE ID        CREATED       SIZE
-dangerzone.rocks/dangerzone  latest      <different ID>  <newer date>  <different size>
-```
-
-#### 4. Dangerzone successfully installs the container image
-
-_(Only for Linux)_
-
-Remove the Dangerzone container image from Docker/Podman. Then run Dangerzone.
-Dangerzone should install the container image successfully.
-
-#### 5. Dangerzone retains the settings of previous runs
-
-Run Dangerzone and make some changes in the settings (e.g., change the OCR
-language, toggle whether to open the document after conversion, etc.). Restart
-Dangerzone. Dangerzone should show the settings that the user chose.
-
-#### 6. Dangerzone reports failed conversions
-
-Run Dangerzone and convert the `tests/test_docs/sample_bad_pdf.pdf` document.
-Dangerzone should fail gracefully, by reporting that the operation failed, and
-showing the following error message:
-
-> The document format is not supported
-
-#### 7. Dangerzone succeeds in converting multiple documents
-
-Run Dangerzone against a list of documents, and tick all options. Ensure that:
-* Conversions take place sequentially.
-* Attempting to close the window while converting asks the user if they want to
-  abort the conversions.
-* Conversions are completed successfully.
-* Conversions show individual progress in real-time (double-check for Qubes).
-* _(Only for Linux)_ The resulting files open with the PDF viewer of our choice.
-* OCR seems to have detected characters in the PDF files.
-* The resulting files have been saved with the proper suffix, in the proper
-  location.
-* The original files have been saved in the `unsafe/` directory.
-
-#### 8. Dangerzone is able to handle drag-n-drop
-
-Run Dangerzone against a set of documents that you drag-n-drop. Files should be
-added and conversion should run without issue.
-
-> [!TIP]
-> On our end-user container environments for Linux, we can start a file manager
-> with `thunar &`.
-
-#### 9. Dangerzone CLI succeeds in converting multiple documents
-
-_(Only for Windows and Linux)_
-
-Run Dangerzone CLI against a list of documents. Ensure that conversions happen
-sequentially, are completed successfully, and we see their progress.
-
-#### 10. Dangerzone can open a document for conversion via right-click -> "Open With"
-
-_(Only for Windows, MacOS and Qubes)_
-
-Go to a directory with office documents, right-click on one, and click on "Open
-With". We should be able to open the file with Dangerzone, and then convert it.
-
-#### 11. Dangerzone shows helpful errors for setup issues on Qubes
-
-_(Only for Qubes)_
-
-Check what errors does Dangerzone throw in the following scenarios. The errors
-should point the user to the Qubes notifications in the top-right corner:
-
-1. The `dz-dvm` template does not exist. We can trigger this scenario by
-   temporarily renaming this template.
-2. The Dangerzone RPC policy does not exist. We can trigger this scenario by
-   temporarily renaming the `dz.Convert` policy.
-3. The `dz-dvm` disposable Qube cannot start due to insufficient resources. We
-   can trigger this scenario by temporarily increasing the minimum required RAM
-   of the `dz-dvm` template to more than the available amount.
-
 ## Release
 
 Once we are confident that the release will be out shortly, and doesn't need any more changes:
 
 - [ ] Create a PGP-signed git tag for the version, e.g., for dangerzone `v0.1.0`:
 
-  ```
+  ```bash
   git tag -s v0.1.0
   git push origin v0.1.0
   ```
@@ -252,6 +76,8 @@ Once we are confident that the release will be out shortly, and doesn't need any
 
 ### macOS Release
 
+This needs to happen for both Silicon and Intel chipsets.
+
 #### Initial Setup
 
 - Build machine must have:
@@ -266,48 +92,85 @@ Once we are confident that the release will be out shortly, and doesn't need any
 
 #### Releasing and Signing
 
+Here is what you need to do:
+
 - [ ] Verify and install the latest supported Python version from
   [python.org](https://www.python.org/downloads/macos/) (do not use the one from
   brew as it is known to [cause issues](https://github.com/freedomofpress/dangerzone/issues/471))
-  * In case of a new Python installation or minor version upgrade, e.g., from
-    3.11 to 3.12 , reinstall Poetry with `python3 -m pip install poetry`
-  * You can verify the correct Python version is used with `poetry debug info`
-- [ ] Verify and checkout the git tag for this release
-- [ ] Run `poetry install --sync`
-- [ ] On the silicon mac, build the container image:
+
+- [ ] Checkout the dependencies, and clean your local copy:
+
+  ```bash
+
+  # In case of a new Python installation or minor version upgrade, e.g., from
+  # 3.11 to 3.12, reinstall Poetry
+  python3 -m pip install poetry
+
+  # You can verify the correct Python version is used
+  poetry debug info
+
+  # Replace with the actual version
+  export DZ_VERSION=$(cat share/version.txt)
+
+  # Verify and checkout the git tag for this release:
+  git checkout -f v$VERSION
+
+  # Clean the git repository
+  git clean -df
+
+  # Clean up the environment
+  poetry env remove --all
+
+  # Install the dependencies
+  poetry install --sync
   ```
-  python3 ./install/common/build-image.py
+
+- [ ] Build the container image and the OCR language data
+  
+  ```bash
+  poetry run ./install/common/build-image.py
+  poetry run ./install/common/download-tessdata.py
+
+  # Copy the container image to the assets folder
+  cp share/container.tar.gz ~dz/release-assets/$VERSION/dangerzone-$VERSION-arm64.tar.gz
+  cp share/image-id.txt ~dz/release-assets/$VERSION/.
   ```
-  Then copy the `share/container.tar.gz` to the assets folder on `dangerzone-$VERSION-arm64.tar.gz`, along with the `share/image-id.txt` file.
-- [ ] Run `poetry run ./install/macos/build-app.py`; this will make `dist/Dangerzone.app`
+
+- [ ] Build the app bundle
+
+  ```bash
+  poetry run ./install/macos/build-app.py
+  ```
+
 - [ ] Make sure that the build application works with the containerd graph
   driver (see [#933](https://github.com/freedomofpress/dangerzone/issues/933))
-- [ ] Run `poetry run ./install/macos/build-app.py --only-codesign`; this will make `dist/Dangerzone.dmg`
-  * You need to run this command as the account that has access to the code signing certificate
-  * You must run this command from the MacOS UI, from a terminal application.
-- [ ] Notarize it: `xcrun notarytool submit --wait --apple-id "<email>" --keychain-profile "dz-notarytool-release-key" dist/Dangerzone.dmg`
-  * You need to change the `<email>` in the above command with the email
-    associated with the Apple Developer ID.
-  * This command assumes that you have created, and stored in the Keychain, an
-    application password associated with your Apple Developer ID, which will be
-    used specifically for `notarytool`.
-- [ ] Wait for it to get approved:
-  * If it gets rejected, you should be able to see why with the same command
-    (or use the `log` option for a more verbose JSON output)
-  * You will also receive an update in your email.
-- [ ] After it's approved, staple the ticket: `xcrun stapler staple dist/Dangerzone.dmg`
+- [ ] Sign the application bundle, and notarize it
   
-This process ends up with the final file:
+  You need to run this command as the account that has access to the code signing certificate
   
-```
-dist/Dangerzone.dmg
-```
+  This command assumes that you have created, and stored in the Keychain, an
+  application password associated with your Apple Developer ID, which will be
+  used specifically for `notarytool`.
 
-Rename `Dangerzone.dmg` to `Dangerzone-$VERSION.dmg`.
+  ```bash
+  # Sign the .App and make it a .dmg
+  poetry run ./install/macos/build-app.py --only-codesign
+
+  # Notarize it. You must run this command from the MacOS UI
+  # from a terminal application.
+  xcrun notarytool submit ./dist/Dangerzone.dmg --apple-id $APPLE_ID --keychain-profile "dz-notarytool-release-key" --wait && xcrun stapler staple dist/Dangerzone.dmg
+
+  # Copy the .dmg to the assets folder
+  ARCH=$(uname -m)
+  if [ "$ARCH" = "x86_64" ]; then
+      ARCH="i686"
+  fi
+  cp dist/Dangerzone.dmg ~dz/release-assets/$VERSION/Dangerzone-$VERSION-$ARCH.dmg
+  ```
 
 ### Windows Release
 
-The Windows release is performed in a Windows 11 virtual machine as opposed to a physical one.
+The Windows release is performed in a Windows 11 virtual machine (as opposed to a physical one).
 
 #### Initial Setup
 
@@ -321,8 +184,31 @@ The Windows release is performed in a Windows 11 virtual machine as opposed to a
 
 #### Releasing and Signing
 
-- [ ] Verify and checkout the git tag for this release
-- [ ] Run `poetry install --sync`
+- [ ] Checkout the dependencies, and clean your local copy:
+  ```bash
+  # In case of a new Python installation or minor version upgrade, e.g., from
+  # 3.11 to 3.12, reinstall Poetry
+  python3 -m pip install poetry
+
+  # You can verify the correct Python version is used
+  poetry debug info
+
+  # Replace with the actual version
+  export DZ_VERSION=$(cat share/version.txt)
+
+  # Verify and checkout the git tag for this release:
+  git checkout -f v$VERSION
+
+  # Clean the git repository
+  git clean -df
+
+  # Clean up the environment
+  poetry env remove --all
+
+  # Install the dependencies
+  poetry install --sync
+  ```
+
 - [ ] Copy the container image into the VM
   > [!IMPORTANT]
   > Instead of running `python .\install\windows\build-image.py` in the VM, run the build image script on the host (making sure to build for `linux/amd64`). Copy `share/container.tar.gz` and `share/image-id.txt` from the host into the `share` folder in the VM.
@@ -354,21 +240,15 @@ instructions in our build section](https://github.com/freedomofpress/dangerzone/
 or create your own locally with:
 
 ```sh
+# Create and run debian bookworm development environment
 ./dev_scripts/env.py --distro debian --version bookworm build-dev
 ./dev_scripts/env.py --distro debian --version bookworm run --dev bash
-cd dangerzone
-```
 
-Build the latest container:
+# Build the latest container
+./dev_scripts/env.py --distro debian --version bookworm run --dev bash -c "cd dangerzone && poetry run ./install/common/build-image.py"
 
-```sh
-python3 ./install/common/build-image.py
-```
-
-Create a .deb:
-
-```sh
-./install/linux/build-deb.py
+# Create a .deb
+./dev_scripts/env.py --distro debian --version bookworm run --dev bash -c "cd dangerzone && ./install/linux/build-deb.py"
 ```
 
 Publish the .deb under `./deb_dist` to the
@@ -387,22 +267,12 @@ or create your own locally with:
 
 ```sh
 ./dev_scripts/env.py --distro fedora --version 41 build-dev
-./dev_scripts/env.py --distro fedora --version 41 run --dev bash
-cd dangerzone
-```
 
-Build the latest container:
+# Build the latest container (skip if already built):
+./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && poetry run ./install/common/build-image.py" 
 
-```sh
-python3 ./install/common/build-image.py
-```
-
-Copy the container image to the assets folder on `dangerzone-$VERSION-i686.tar.gz`.
-
-Create a .rpm:
-
-```sh
-./install/linux/build-rpm.py
+# Create a .rpm:
+./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && ./install/linux/build-rpm.py"
 ```
 
 Publish the .rpm under `./dist` to the
@@ -413,7 +283,7 @@ Publish the .rpm under `./dist` to the
 Create a .rpm for Qubes:
 
 ```sh
-./install/linux/build-rpm.py --qubes
+./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && ./install/linux/build-rpm.py --qubes"
 ```
 
 and similarly publish it to the [`freedomofpress/yum-tools-prod`](https://github.com/freedomofpress/yum-tools-prod)
@@ -421,36 +291,37 @@ repo.
 
 ## Publishing the Release
 
-To publish the release:
+To publish the release, you can follow these steps:
 
 - [ ] Create an archive of the Dangerzone source in `tar.gz` format:
-  * You can use the following command:
-
-    ```
-    export DZ_VERSION=$(cat share/version.txt)
-    git archive --format=tar.gz -o dangerzone-${DZ_VERSION:?}.tar.gz --prefix=dangerzone/ v${DZ_VERSION:?}
-    ```
+  ```bash
+  export VERSION=$(cat share/version.txt)
+  git archive --format=tar.gz -o dangerzone-${VERSION:?}.tar.gz --prefix=dangerzone/ v${VERSION:?}
+  ```
 
 - [ ] Run container scan on the produced container images (some time may have passed since the artifacts were built)
-  ```
+  ```bash
   gunzip --keep -c ./share/container.tar.gz > /tmp/container.tar
   docker pull anchore/grype:latest
   docker run --rm -v /tmp/container.tar:/container.tar anchore/grype:latest /container.tar
   ```
 
 - [ ] Collect the assets in a single directory, calculate their SHA-256 hashes, and sign them.
-  * You can use `./dev_scripts/sign-assets.py`, if you want to automate this
-    task.
-- [ ] Create a new **draft** release on GitHub and upload the macOS and Windows installers.
-  * Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
-  * You can use `./dev_scripts/upload-asset.py`, if you want to upload an asset
-    using an access token.
-- [ ] Upload the `container-$VERSION-i686.tar.gz` and `container-$VERSION-arm64.tar.gz` images that were created in the previous step
+  There is an `./dev_scripts/sign-assets.py` script to automate this task.
 
-  **Important:** Make sure that it's the same container images as the ones that
-  are shipped in other platforms (see our [Pre-release](#Pre-release) section)
+  **Important:** Before running the script, make sure that it's the same container images as
+  the ones that are shipped in other platforms (see our [Pre-release](#Pre-release) section)
+
+  ```bash
+  # Sign all the assets
+  ./dev_scripts/sign-assets.py ~/release-assets/$VERSION/github --version $VERSION
+  ```
+
+- [ ] Upload all the assets to the draft release on GitHub.
+  ```bash
+  find ~/release-assets/$VERSION/github | xargs -n1 ./dev_scripts/upload-asset.py --token ~/token --draft
+  ```
 
-- [ ] Upload the detached signatures (.asc) and checksum file.
 - [ ] Update the [Dangerzone website](https://github.com/freedomofpress/dangerzone.rocks) to link to the new installers.
 - [ ] Update the brew cask release of Dangerzone with a [PR like this one](https://github.com/Homebrew/homebrew-cask/pull/116319)
 - [ ] Update version and download links in `README.md`

dev_scripts/generate-release-tasks.py

@@ -0,0 +1,67 @@
+#!/usr/bin/env python3
+import pathlib
+import subprocess
+
+RELEASE_FILE = "RELEASE.md"
+QA_FILE = "QA.md"
+
+
+def git_root():
+    """Get the root directory of the Git repo."""
+    # FIXME: Use a Git Python binding for this.
+    # FIXME: Make this work if called outside the repo.
+    path = (
+        subprocess.run(
+            ["git", "rev-parse", "--show-toplevel"],
+            check=True,
+            stdout=subprocess.PIPE,
+        )
+        .stdout.decode()
+        .strip("\n")
+    )
+    return pathlib.Path(path)
+
+
+def extract_checkboxes(filename):
+    headers = []
+    result = []
+
+    with open(filename, "r") as f:
+        lines = f.readlines()
+
+    current_level = 0
+    for line in lines:
+        line = line.rstrip()
+
+        # If it's a header, store it
+        if line.startswith("#"):
+            # Count number of # to determine header level
+            level = len(line) - len(line.lstrip("#"))
+            if level < current_level or not current_level:
+                headers.extend(["", line, ""])
+                current_level = level
+            elif level > current_level:
+                continue
+            else:
+                headers = ["", line, ""]
+
+        # If it's a checkbox
+        elif "- [ ]" in line or "- [x]" in line or "- [X]" in line:
+            # Print the last header if we haven't already
+            if headers:
+                result.extend(headers)
+                headers = []
+                current_level = 0
+
+            # If this is the "Do the QA tasks" line, recursively get QA tasks
+            if "Do the QA tasks" in line:
+                result.append(line)
+                qa_tasks = extract_checkboxes(git_root() / QA_FILE)
+                result.append(qa_tasks)
+            else:
+                result.append(line)
+    return "\n".join(result)
+
+
+if __name__ == "__main__":
+    print(extract_checkboxes(git_root() / RELEASE_FILE))

dev_scripts/qa.py

@@ -20,17 +20,32 @@ EOL_PYTHON_URL = "https://endoflife.date/api/python.json"
 CONTENT_QA = r"""## QA
 
 To ensure that new releases do not introduce regressions, and support existing
-and newer platforms, we have to do the following:
+and newer platforms, we have to test that the produced packages work as expected.
+
+Check the following:
 
 - [ ] Make sure that the tip of the `main` branch passes the CI tests.
 - [ ] Make sure that the Apple account has a valid application password and has
       agreed to the latest Apple terms (see [macOS release](#macos-release)
       section).
+
+Because it is repetitive, we wrote a script to help with the QA.
+It can run the tasks for you, pausing when it needs manual intervention.
+
+You can run it with a command like:
+
+```bash
+poetry run ./dev_scripts/qa.py {distro}-{version}
+```
+
+### The checklist
+
 - [ ] Create a test build in Windows and make sure it works:
   - [ ] Check if the suggested Python version is still supported.
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Build and run the Dangerzone .exe
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -39,6 +54,7 @@ and newer platforms, we have to do the following:
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Create and run an app bundle.
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -47,6 +63,7 @@ and newer platforms, we have to do the following:
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Create and run an app bundle.
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -55,6 +72,7 @@ and newer platforms, we have to do the following:
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Create a .deb package and install it system-wide.
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -63,6 +81,7 @@ and newer platforms, we have to do the following:
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
+  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Create an .rpm package and install it system-wide.
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -553,7 +572,7 @@ class Reference:
         # Convert spaces to dashes
         anchor = anchor.replace(" ", "-")
         # Remove non-alphanumeric (except dash and underscore)
-        anchor = re.sub("[^a-zA-Z\-_]", "", anchor)
+        anchor = re.sub("[^a-zA-Z-_]", "", anchor)
 
         return anchor
 
@@ -572,8 +591,8 @@ class QABase(abc.ABC):
 
     platforms = {}
 
-    REF_QA = Reference("RELEASE.md", content=CONTENT_QA)
-    REF_QA_SCENARIOS = Reference("RELEASE.md", content=CONTENT_QA_SCENARIOS)
+    REF_QA = Reference("QA.md", content=CONTENT_QA)
+    REF_QA_SCENARIOS = Reference("QA.md", content=CONTENT_QA_SCENARIOS)
 
     # The following class method is available since Python 3.6. For more details, see:
     # https://docs.python.org/3.6/whatsnew/3.6.html#pep-487-simpler-customization-of-class-creation
@@ -1051,6 +1070,10 @@ class QAFedora(QALinux):
         )
 
 
+class QAFedora41(QAFedora):
+    VERSION = "41"
+
+
 class QAFedora40(QAFedora):
     VERSION = "40"
 

install/windows/build-app.bat

@@ -17,22 +17,23 @@ signtool.exe sign /v /d "Dangerzone" /a /n "Freedom of the Press Foundation" /fd
 REM verify the signature of dangerzone-cli.exe
 signtool.exe verify /pa build\exe.win-amd64-3.12\dangerzone-cli.exe
 
-REM build the wix file
-python install\windows\build-wxs.py > build\Dangerzone.wxs
+REM build the wxs file
+python install\windows\build-wxs.py
 
 REM build the msi package
 cd build
-candle.exe Dangerzone.wxs
-light.exe -ext WixUIExtension Dangerzone.wixobj
+wix build -arch x64 -ext WixToolset.UI.wixext .\Dangerzone.wxs -out Dangerzone.msi
+
+REM validate Dangerzone.msi
+wix msi validate Dangerzone.msi
 
 REM code sign Dangerzone.msi
-insignia.exe -im Dangerzone.msi
 signtool.exe sign /v /d "Dangerzone" /a /n "Freedom of the Press Foundation" /fd sha256 /t http://time.certum.pl/ Dangerzone.msi
 
 REM verify the signature of Dangerzone.msi
 signtool.exe verify /pa Dangerzone.msi
 
-REM moving Dangerzone.msi to dist
+REM move Dangerzone.msi to dist
 cd ..
 mkdir dist
 move build\Dangerzone.msi dist

install/windows/build-wxs.py

@@ -4,114 +4,75 @@ import uuid
 import xml.etree.ElementTree as ET
 
 
-def build_data(dirname, dir_prefix, id_, name):
+def build_data(base_path, path_prefix, dir_id, dir_name):
     data = {
-        "id": id_,
-        "name": name,
+        "directory_name": dir_name,
+        "directory_id": dir_id,
         "files": [],
         "dirs": [],
     }
 
-    for basename in os.listdir(dirname):
-        filename = os.path.join(dirname, basename)
-        if os.path.isfile(filename):
-            data["files"].append(os.path.join(dir_prefix, basename))
-        elif os.path.isdir(filename):
-            if id_ == "INSTALLDIR":
-                id_prefix = "Folder"
+    if dir_id == "INSTALLFOLDER":
+        data["component_id"] = "ApplicationFiles"
+    else:
+        data["component_id"] = "Component" + dir_id
+    data["component_guid"] = str(uuid.uuid4()).upper()
+
+    for entry in os.listdir(base_path):
+        entry_path = os.path.join(base_path, entry)
+        if os.path.isfile(entry_path):
+            data["files"].append(os.path.join(path_prefix, entry))
+        elif os.path.isdir(entry_path):
+            if dir_id == "INSTALLFOLDER":
+                next_dir_prefix = "Folder"
             else:
-                id_prefix = id_
+                next_dir_prefix = dir_id
 
             # Skip lib/PySide6/examples folder due to ilegal file names
-            if "\\build\\exe.win-amd64-3.12\\lib\\PySide6\\examples" in dirname:
+            if "\\build\\exe.win-amd64-3.12\\lib\\PySide6\\examples" in base_path:
                 continue
 
             # Skip lib/PySide6/qml/QtQuick folder due to ilegal file names
             # XXX Since we're not using Qml it should be no problem
-            if "\\build\\exe.win-amd64-3.12\\lib\\PySide6\\qml\\QtQuick" in dirname:
+            if "\\build\\exe.win-amd64-3.12\\lib\\PySide6\\qml\\QtQuick" in base_path:
                 continue
 
-            id_value = f"{id_prefix}{basename.capitalize().replace('-', '_')}"
-            data["dirs"].append(
-                build_data(
-                    os.path.join(dirname, basename),
-                    os.path.join(dir_prefix, basename),
-                    id_value,
-                    basename,
-                )
+            next_dir_id = next_dir_prefix + entry.capitalize().replace("-", "_")
+            subdata = build_data(
+                os.path.join(base_path, entry),
+                os.path.join(path_prefix, entry),
+                next_dir_id,
+                entry,
             )
 
-    if len(data["files"]) > 0:
-        if id_ == "INSTALLDIR":
-            data["component_id"] = "ApplicationFiles"
-        else:
-            data["component_id"] = "FolderComponent" + id_[len("Folder") :]
-        data["component_guid"] = str(uuid.uuid4())
+            # Add the subdirectory only if it contains files or subdirectories
+            if subdata["files"] or subdata["dirs"]:
+                data["dirs"].append(subdata)
 
     return data
 
 
-def build_dir_xml(root, data):
+def build_directory_xml(root, data):
     attrs = {}
-    if "id" in data:
-        attrs["Id"] = data["id"]
-    if "name" in data:
-        attrs["Name"] = data["name"]
-    el = ET.SubElement(root, "Directory", attrs)
+    attrs["Id"] = data["directory_id"]
+    attrs["Name"] = data["directory_name"]
+    directory_el = ET.SubElement(root, "Directory", attrs)
     for subdata in data["dirs"]:
-        build_dir_xml(el, subdata)
-
-    # If this is the ProgramMenuFolder, add the menu component
-    if "id" in data and data["id"] == "ProgramMenuFolder":
-        component_el = ET.SubElement(
-            el,
-            "Component",
-            Id="ApplicationShortcuts",
-            Guid="539e7de8-a124-4c09-aa55-0dd516aad7bc",
-        )
-        ET.SubElement(
-            component_el,
-            "Shortcut",
-            Id="ApplicationShortcut1",
-            Name="Dangerzone",
-            Description="Dangerzone",
-            Target="[INSTALLDIR]dangerzone.exe",
-            WorkingDirectory="INSTALLDIR",
-        )
-        ET.SubElement(
-            component_el,
-            "RegistryValue",
-            Root="HKCU",
-            Key="Software\Freedom of the Press Foundation\Dangerzone",
-            Name="installed",
-            Type="integer",
-            Value="1",
-            KeyPath="yes",
-        )
+        build_directory_xml(directory_el, subdata)
 
 
 def build_components_xml(root, data):
-    component_ids = []
-    if "component_id" in data:
-        component_ids.append(data["component_id"])
-
+    component_el = ET.SubElement(
+        root,
+        "Component",
+        Id=data["component_id"],
+        Guid=data["component_guid"],
+        Directory=data["directory_id"],
+    )
+    for filename in data["files"]:
+        ET.SubElement(component_el, "File", Source=filename)
     for subdata in data["dirs"]:
-        if "component_guid" in subdata:
-            dir_ref_el = ET.SubElement(root, "DirectoryRef", Id=subdata["id"])
-            component_el = ET.SubElement(
-                dir_ref_el,
-                "Component",
-                Id=subdata["component_id"],
-                Guid=subdata["component_guid"],
-            )
-            for filename in subdata["files"]:
-                file_el = ET.SubElement(
-                    component_el, "File", Source=filename, Id="file_" + uuid.uuid4().hex
-                )
-
-        component_ids += build_components_xml(root, subdata)
-
-    return component_ids
+        build_components_xml(root, subdata)
 
 
 def main():
@@ -125,120 +86,188 @@ def main():
         # -rc markers.
         version = f.read().strip().split("-")[0]
 
-    dist_dir = os.path.join(
+    build_dir = os.path.join(
         os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))),
         "build",
-        "exe.win-amd64-3.12",
     )
+
+    cx_freeze_dir = "exe.win-amd64-3.12"
+
+    dist_dir = os.path.join(build_dir, cx_freeze_dir)
+
     if not os.path.exists(dist_dir):
         print("You must build the dangerzone binary before running this")
         return
 
-    data = {
-        "id": "TARGETDIR",
-        "name": "SourceDir",
-        "dirs": [
-            {
-                "id": "ProgramFilesFolder",
-                "dirs": [],
-            },
-            {
-                "id": "ProgramMenuFolder",
-                "dirs": [],
-            },
-        ],
-    }
-
-    data["dirs"][0]["dirs"].append(
-        build_data(
-            dist_dir,
-            "exe.win-amd64-3.12",
-            "INSTALLDIR",
-            "Dangerzone",
-        )
+    # Prepare data for WiX file harvesting from the output of cx_Freeze
+    data = build_data(
+        dist_dir,
+        cx_freeze_dir,
+        "INSTALLFOLDER",
+        "Dangerzone",
     )
 
-    root_el = ET.Element("Wix", xmlns="http://schemas.microsoft.com/wix/2006/wi")
-    product_el = ET.SubElement(
-        root_el,
-        "Product",
+    # Add the Wix root element
+    wix_el = ET.Element(
+        "Wix",
+        {
+            "xmlns": "http://wixtoolset.org/schemas/v4/wxs",
+            "xmlns:ui": "http://wixtoolset.org/schemas/v4/wxs/ui",
+        },
+    )
+
+    # Add the Package element
+    package_el = ET.SubElement(
+        wix_el,
+        "Package",
         Name="Dangerzone",
         Manufacturer="Freedom of the Press Foundation",
-        Id="*",
-        UpgradeCode="$(var.ProductUpgradeCode)",
+        UpgradeCode="12B9695C-965B-4BE0-BC33-21274E809576",
         Language="1033",
-        Codepage="1252",
-        Version="$(var.ProductVersion)",
-    )
-    ET.SubElement(
-        product_el,
-        "Package",
-        Id="*",
-        Keywords="Installer",
-        Description="Dangerzone $(var.ProductVersion) Installer",
-        Manufacturer="Freedom of the Press Foundation",
-        InstallerVersion="100",
-        Languages="1033",
         Compressed="yes",
-        SummaryCodepage="1252",
+        Codepage="1252",
+        Version=version,
     )
-    ET.SubElement(product_el, "Media", Id="1", Cabinet="product.cab", EmbedCab="yes")
     ET.SubElement(
-        product_el, "Icon", Id="ProductIcon", SourceFile="..\\share\\dangerzone.ico"
+        package_el,
+        "SummaryInformation",
+        Keywords="Installer",
+        Description="Dangerzone " + version + " Installer",
+        Codepage="1252",
     )
-    ET.SubElement(product_el, "Property", Id="ARPPRODUCTICON", Value="ProductIcon")
+    ET.SubElement(package_el, "MediaTemplate", EmbedCab="yes")
     ET.SubElement(
-        product_el,
+        package_el, "Icon", Id="ProductIcon", SourceFile="..\\share\\dangerzone.ico"
+    )
+    ET.SubElement(package_el, "Property", Id="ARPPRODUCTICON", Value="ProductIcon")
+    ET.SubElement(
+        package_el,
         "Property",
         Id="ARPHELPLINK",
         Value="https://dangerzone.rocks",
     )
     ET.SubElement(
-        product_el,
+        package_el,
         "Property",
         Id="ARPURLINFOABOUT",
         Value="https://freedom.press",
     )
     ET.SubElement(
-        product_el,
-        "Property",
-        Id="WIXUI_INSTALLDIR",
-        Value="INSTALLDIR",
+        package_el, "ui:WixUI", Id="WixUI_InstallDir", InstallDirectory="INSTALLFOLDER"
     )
-    ET.SubElement(product_el, "UIRef", Id="WixUI_InstallDir")
-    ET.SubElement(product_el, "UIRef", Id="WixUI_ErrorProgressText")
+    ET.SubElement(package_el, "UIRef", Id="WixUI_ErrorProgressText")
     ET.SubElement(
-        product_el,
+        package_el,
         "WixVariable",
         Id="WixUILicenseRtf",
         Value="..\\install\\windows\\license.rtf",
     )
     ET.SubElement(
-        product_el,
+        package_el,
         "WixVariable",
         Id="WixUIDialogBmp",
         Value="..\\install\\windows\\dialog.bmp",
     )
     ET.SubElement(
-        product_el,
+        package_el,
         "MajorUpgrade",
-        AllowSameVersionUpgrades="yes",
         DowngradeErrorMessage="A newer version of [ProductName] is already installed. If you are sure you want to downgrade, remove the existing installation via Programs and Features.",
     )
 
-    build_dir_xml(product_el, data)
-    component_ids = build_components_xml(product_el, data)
+    # Workaround for an issue after upgrading from WiX Toolset v3 to v5 where the previous
+    # version of Dangerzone is not uninstalled during the upgrade by checking if the older installation
+    # exists in "C:\Program Files (x86)\Dangerzone".
+    #
+    # Also handle a special case for Dangerzone 0.8.0 which allows choosing the install location
+    # during install by checking if the registry key for it exists.
+    #
+    # Note that this seems to allow installing Dangerzone 0.8.0 after installing Dangerzone from this branch.
+    # In this case the installer errors until Dangerzone 0.8.0 is uninstalled again
+    #
+    # TODO: Revert this once we are reasonably certain there aren't too many affected Dangerzone installations.
+    find_old_el = ET.SubElement(package_el, "Property", Id="OLDDANGERZONEFOUND")
+    directory_search_el = ET.SubElement(
+        find_old_el,
+        "DirectorySearch",
+        Id="dangerzone_install_folder",
+        Path="C:\\Program Files (x86)\\Dangerzone",
+    )
+    ET.SubElement(directory_search_el, "FileSearch", Name="dangerzone.exe")
+    registry_search_el = ET.SubElement(package_el, "Property", Id="DANGERZONE080FOUND")
+    ET.SubElement(
+        registry_search_el,
+        "RegistrySearch",
+        Root="HKLM",
+        Key="SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{03C2D2B2-9955-4AED-831F-DA4E67FC0FDB}",
+        Name="DisplayName",
+        Type="raw",
+    )
+    ET.SubElement(
+        package_el,
+        "Launch",
+        Condition="NOT OLDDANGERZONEFOUND AND NOT DANGERZONE080FOUND",
+        Message="A previous version of [ProductName] is already installed. Please uninstall it from Programs and Features before proceeding with the installation.",
+    )
 
-    feature_el = ET.SubElement(product_el, "Feature", Id="DefaultFeature", Level="1")
-    for component_id in component_ids:
-        ET.SubElement(feature_el, "ComponentRef", Id=component_id)
+    # Add the ProgramMenuFolder StandardDirectory
+    programmenufolder_el = ET.SubElement(
+        package_el,
+        "StandardDirectory",
+        Id="ProgramMenuFolder",
+    )
+    # Add a shortcut for Dangerzone in the Start menu
+    shortcut_el = ET.SubElement(
+        programmenufolder_el,
+        "Component",
+        Id="ApplicationShortcuts",
+        Guid="539E7DE8-A124-4C09-AA55-0DD516AAD7BC",
+    )
+    ET.SubElement(
+        shortcut_el,
+        "Shortcut",
+        Id="DangerzoneStartMenuShortcut",
+        Name="Dangerzone",
+        Description="Dangerzone",
+        Target="[INSTALLFOLDER]dangerzone.exe",
+        WorkingDirectory="INSTALLFOLDER",
+    )
+    ET.SubElement(
+        shortcut_el,
+        "RegistryValue",
+        Root="HKCU",
+        Key="Software\\Freedom of the Press Foundation\\Dangerzone",
+        Name="installed",
+        Type="integer",
+        Value="1",
+        KeyPath="yes",
+    )
+
+    # Add the ProgramFilesFolder StandardDirectory
+    programfilesfolder_el = ET.SubElement(
+        package_el,
+        "StandardDirectory",
+        Id="ProgramFiles64Folder",
+    )
+
+    # Create the directory structure for the installed product
+    build_directory_xml(programfilesfolder_el, data)
+
+    # Create a component group for application components
+    applicationcomponents_el = ET.SubElement(
+        package_el, "ComponentGroup", Id="ApplicationComponents"
+    )
+    # Populate the application components group with components for the installed package
+    build_components_xml(applicationcomponents_el, data)
+
+    # Add the Feature element
+    feature_el = ET.SubElement(package_el, "Feature", Id="DefaultFeature", Level="1")
+    ET.SubElement(feature_el, "ComponentGroupRef", Id="ApplicationComponents")
     ET.SubElement(feature_el, "ComponentRef", Id="ApplicationShortcuts")
 
-    print('<?xml version="1.0" encoding="windows-1252"?>')
-    print(f'<?define ProductVersion = "{version}"?>')
-    print('<?define ProductUpgradeCode = "12b9695c-965b-4be0-bc33-21274e809576"?>')
-    ET.indent(root_el)
-    print(ET.tostring(root_el).decode())
+    ET.indent(wix_el, space="    ")
+
+    with open(os.path.join(build_dir, "Dangerzone.wxs"), "w") as wxs_file:
+        wxs_file.write(ET.tostring(wix_el).decode())
 
 
 if __name__ == "__main__":