WIP: Doit

Revamp the container image installation process in a way that does not
involve using image IDs. We don't want to rely on image IDs anymore,
since they are brittle (see
https://github.com/freedomofpress/dangerzone/issues/933). Instead, we
use image tags, as provided in the `image-id.txt` file.  This allows us
to check fast if an image is up to date, and we no longer need to
maintain multiple image IDs from various container runtimes.

Refs #933
Refs #988
Fixes #1020

CHANGELOG.md

@@ -16,10 +16,6 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 - Platform support: Drop support for Fedora 39, since it's end-of-life ([#999](https://github.com/freedomofpress/dangerzone/pull/999))
 
-### Development changes
-
-- Automate a large portion of our release tasks with `doit` ([#1016](https://github.com/freedomofpress/dangerzone/issues/1016))
-
 ## [0.8.0](https://github.com/freedomofpress/dangerzone/compare/v0.8.0...0.7.1)
 
 ### Added

QA.md

@@ -1,199 +0,0 @@
-## QA
-
-To ensure that new releases do not introduce regressions, and support existing
-and newer platforms, we have to test that the produced packages work as expected.
-
-Check the following:
-
-- [ ] Make sure that the tip of the `main` branch passes the CI tests.
-- [ ] Make sure that the Apple account has a valid application password and has
-      agreed to the latest Apple terms (see [macOS release](#macos-release)
-      section).
-
-Because it is repetitive, we wrote a script to help with the QA.
-It can run the tasks for you, pausing when it needs manual intervention.
-
-You can run it with a command like:
-
-```bash
-poetry run ./dev_scripts/qa.py {distro}-{version}
-```
-
-### The checklist
-
-- [ ] Create a test build in Windows and make sure it works:
-  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
-  - [ ] Run the Dangerzone tests.
-  - [ ] Build and run the Dangerzone .exe
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in macOS (Intel CPU) and make sure it works:
-  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create and run an app bundle.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in macOS (M1/2 CPU) and make sure it works:
-  - [ ] Check if the suggested Python version is still supported.
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create and run an app bundle.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in the most recent Ubuntu LTS platform (Ubuntu 24.04
-  as of writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create a .deb package and install it system-wide.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in the most recent Fedora platform (Fedora 41 as of
-  writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Build the container image and ensure the development environment uses
-    the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create an .rpm package and install it system-wide.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
-- [ ] Create a test build in the most recent Qubes Fedora template (Fedora 40 as
-  of writing this) and make sure it works:
-  - [ ] Create a new development environment with Poetry.
-  - [ ] Run the Dangerzone tests.
-  - [ ] Create a Qubes .rpm package and install it system-wide.
-  - [ ] Ensure that the Dangerzone application appears in the "Applications"
-    tab.
-  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below) and make sure
-    they spawn disposable qubes.
-
-### Scenarios
-
-#### 1. Dangerzone correctly identifies that Docker/Podman is not installed
-
-_(Only for MacOS / Windows)_
-
-Temporarily hide the Docker/Podman binaries, e.g., rename the `docker` /
-`podman` binaries to something else. Then run Dangerzone. Dangerzone should
-prompt the user to install Docker/Podman.
-
-#### 2. Dangerzone correctly identifies that Docker is not running
-
-_(Only for MacOS / Windows)_
-
-Stop the Docker Desktop application. Then run Dangerzone. Dangerzone should
-prompt the user to start Docker Desktop.
-
-
-#### 3. Updating Dangerzone handles external state correctly.
-
-_(Applies to Windows/MacOS)_
-
-Install the previous version of Dangerzone, downloaded from the website.
-
-Open the Dangerzone application and enable some non-default settings.
-**If there are new settings, make sure to change those as well**.
-
-Close the Dangerzone application and get the container image for that
-version. For example:
-
-```
-$ docker images dangerzone.rocks/dangerzone
-REPOSITORY                   TAG         IMAGE ID      CREATED       SIZE
-dangerzone.rocks/dangerzone  latest      <image ID>    <date>        <size>
-dangerzone.rocks/dangerzone  <tag>       <image ID>    <date>        <size>
-```
-
-Then run the version under QA and ensure that the settings remain changed.
-
-Afterwards check that new docker image was installed by running the same command
-and seeing the following differences:
-
-```
-$ docker images dangerzone.rocks/dangerzone
-REPOSITORY                   TAG         IMAGE ID        CREATED       SIZE
-dangerzone.rocks/dangerzone  latest      <different ID>  <newer date>  <different size>
-dangerzone.rocks/dangerzone  <other tag> <different ID>  <newer date>  <different size>
-```
-
-#### 4. Dangerzone successfully installs the container image
-
-_(Only for Linux)_
-
-Remove the Dangerzone container image from Docker/Podman. Then run Dangerzone.
-Dangerzone should install the container image successfully.
-
-#### 5. Dangerzone retains the settings of previous runs
-
-Run Dangerzone and make some changes in the settings (e.g., change the OCR
-language, toggle whether to open the document after conversion, etc.). Restart
-Dangerzone. Dangerzone should show the settings that the user chose.
-
-#### 6. Dangerzone reports failed conversions
-
-Run Dangerzone and convert the `tests/test_docs/sample_bad_pdf.pdf` document.
-Dangerzone should fail gracefully, by reporting that the operation failed, and
-showing the following error message:
-
-> The document format is not supported
-
-#### 7. Dangerzone succeeds in converting multiple documents
-
-Run Dangerzone against a list of documents, and tick all options. Ensure that:
-* Conversions take place sequentially.
-* Attempting to close the window while converting asks the user if they want to
-  abort the conversions.
-* Conversions are completed successfully.
-* Conversions show individual progress in real-time (double-check for Qubes).
-* _(Only for Linux)_ The resulting files open with the PDF viewer of our choice.
-* OCR seems to have detected characters in the PDF files.
-* The resulting files have been saved with the proper suffix, in the proper
-  location.
-* The original files have been saved in the `unsafe/` directory.
-
-#### 8. Dangerzone is able to handle drag-n-drop
-
-Run Dangerzone against a set of documents that you drag-n-drop. Files should be
-added and conversion should run without issue.
-
-> [!TIP]
-> On our end-user container environments for Linux, we can start a file manager
-> with `thunar &`.
-
-#### 9. Dangerzone CLI succeeds in converting multiple documents
-
-_(Only for Windows and Linux)_
-
-Run Dangerzone CLI against a list of documents. Ensure that conversions happen
-sequentially, are completed successfully, and we see their progress.
-
-#### 10. Dangerzone can open a document for conversion via right-click -> "Open With"
-
-_(Only for Windows, MacOS and Qubes)_
-
-Go to a directory with office documents, right-click on one, and click on "Open
-With". We should be able to open the file with Dangerzone, and then convert it.
-
-#### 11. Dangerzone shows helpful errors for setup issues on Qubes
-
-_(Only for Qubes)_
-
-Check what errors does Dangerzone throw in the following scenarios. The errors
-should point the user to the Qubes notifications in the top-right corner:
-
-1. The `dz-dvm` template does not exist. We can trigger this scenario by
-   temporarily renaming this template.
-2. The Dangerzone RPC policy does not exist. We can trigger this scenario by
-   temporarily renaming the `dz.Convert` policy.
-3. The `dz-dvm` disposable Qube cannot start due to insufficient resources. We
-   can trigger this scenario by temporarily increasing the minimum required RAM
-   of the `dz-dvm` template to more than the available amount.

RELEASE.md

@@ -1,17 +1,12 @@
 # Release instructions
 
-This section documents how we currently release Dangerzone for the different distributions we support.
+This section documents the release process. Unless you're a dangerzone developer making a release, you'll probably never need to follow it.
 
 ## Pre-release
 
-Here is a list of tasks that should be done before issuing the release:
+Before making a release, all of these should be complete:
 
-- [ ] Create a new issue named **QA and Release for version \<VERSION\>**, to track the general progress.
-      You can generate its content with:
-
-      ```
-      poetry run ./dev_scripts/generate-release-tasks.py`
-      ```
+- [ ] Copy the checkboxes from these instructions onto a new issue and call it **QA and Release version \<VERSION\>**
 - [ ] [Add new Linux platforms and remove obsolete ones](https://github.com/freedomofpress/dangerzone/blob/main/RELEASE.md#add-new-platforms-and-remove-obsolete-ones)
 - [ ] Bump the Python dependencies using `poetry lock`
 - [ ] Update `version` in `pyproject.toml`
@@ -20,8 +15,6 @@ Here is a list of tasks that should be done before issuing the release:
 - [ ] Bump the Debian version by adding a new changelog entry in `debian/changelog`
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release
-- [ ] A draft release should be created. Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
-- [ ] Do the QA tasks
 
 ## Add new Linux platforms and remove obsolete ones
 
@@ -44,7 +37,7 @@ In case of a new version (beta, RC, or official release):
    `BUILD.md` files where necessary.
 4. Send a PR with the above changes.
 
-In case of the removal of a version:
+In case of an EOL version:
 
 1. Remove any mention to this version from our repo.
    * Consult the previous paragraph, but also `grep` your way around.
@@ -58,13 +51,194 @@ Follow the instructions in `docs/developer/TESTING.md` to run the tests.
 
 These tests will identify any regressions or progression in terms of document coverage.
 
+## QA
+
+To ensure that new releases do not introduce regressions, and support existing
+and newer platforms, we have to do the following:
+
+- [ ] Make sure that the tip of the `main` branch passes the CI tests.
+- [ ] Make sure that the Apple account has a valid application password and has
+      agreed to the latest Apple terms (see [macOS release](#macos-release)
+      section).
+- [ ] Create a test build in Windows and make sure it works:
+  - [ ] Check if the suggested Python version is still supported.
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Run the Dangerzone tests.
+  - [ ] Build and run the Dangerzone .exe
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in macOS (Intel CPU) and make sure it works:
+  - [ ] Check if the suggested Python version is still supported.
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create and run an app bundle.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in macOS (M1/2 CPU) and make sure it works:
+  - [ ] Check if the suggested Python version is still supported.
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create and run an app bundle.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in the most recent Ubuntu LTS platform (Ubuntu 24.04
+  as of writing this) and make sure it works:
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create a .deb package and install it system-wide.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in the most recent Fedora platform (Fedora 41 as of
+  writing this) and make sure it works:
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Build the container image and ensure the development environment uses
+    the new image.
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create an .rpm package and install it system-wide.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
+- [ ] Create a test build in the most recent Qubes Fedora template (Fedora 40 as
+  of writing this) and make sure it works:
+  - [ ] Create a new development environment with Poetry.
+  - [ ] Run the Dangerzone tests.
+  - [ ] Create a Qubes .rpm package and install it system-wide.
+  - [ ] Ensure that the Dangerzone application appears in the "Applications"
+    tab.
+  - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below) and make sure
+    they spawn disposable qubes.
+
+### Scenarios
+
+#### 1. Dangerzone correctly identifies that Docker/Podman is not installed
+
+_(Only for MacOS / Windows)_
+
+Temporarily hide the Docker/Podman binaries, e.g., rename the `docker` /
+`podman` binaries to something else. Then run Dangerzone. Dangerzone should
+prompt the user to install Docker/Podman.
+
+#### 2. Dangerzone correctly identifies that Docker is not running
+
+_(Only for MacOS / Windows)_
+
+Stop the Docker Desktop application. Then run Dangerzone. Dangerzone should
+prompt the user to start Docker Desktop.
+
+
+#### 3. Updating Dangerzone handles external state correctly.
+
+_(Applies to Windows/MacOS)_
+
+Install the previous version of Dangerzone, downloaded from the website.
+
+Open the Dangerzone application and enable some non-default settings.
+**If there are new settings, make sure to change those as well**.
+
+Close the Dangerzone application and get the container image for that
+version. For example:
+
+```
+$ docker images dangerzone.rocks/dangerzone
+REPOSITORY                   TAG         IMAGE ID      CREATED       SIZE
+dangerzone.rocks/dangerzone  latest      <image ID>    <date>        <size>
+dangerzone.rocks/dangerzone  <tag>       <image ID>    <date>        <size>
+```
+
+Then run the version under QA and ensure that the settings remain changed.
+
+Afterwards check that new docker image was installed by running the same command
+and seeing the following differences:
+
+```
+$ docker images dangerzone.rocks/dangerzone
+REPOSITORY                   TAG         IMAGE ID        CREATED       SIZE
+dangerzone.rocks/dangerzone  latest      <different ID>  <newer date>  <different size>
+dangerzone.rocks/dangerzone  <other tag> <different ID>  <newer date>  <different size>
+```
+
+#### 4. Dangerzone successfully installs the container image
+
+_(Only for Linux)_
+
+Remove the Dangerzone container image from Docker/Podman. Then run Dangerzone.
+Dangerzone should install the container image successfully.
+
+#### 5. Dangerzone retains the settings of previous runs
+
+Run Dangerzone and make some changes in the settings (e.g., change the OCR
+language, toggle whether to open the document after conversion, etc.). Restart
+Dangerzone. Dangerzone should show the settings that the user chose.
+
+#### 6. Dangerzone reports failed conversions
+
+Run Dangerzone and convert the `tests/test_docs/sample_bad_pdf.pdf` document.
+Dangerzone should fail gracefully, by reporting that the operation failed, and
+showing the following error message:
+
+> The document format is not supported
+
+#### 7. Dangerzone succeeds in converting multiple documents
+
+Run Dangerzone against a list of documents, and tick all options. Ensure that:
+* Conversions take place sequentially.
+* Attempting to close the window while converting asks the user if they want to
+  abort the conversions.
+* Conversions are completed successfully.
+* Conversions show individual progress in real-time (double-check for Qubes).
+* _(Only for Linux)_ The resulting files open with the PDF viewer of our choice.
+* OCR seems to have detected characters in the PDF files.
+* The resulting files have been saved with the proper suffix, in the proper
+  location.
+* The original files have been saved in the `unsafe/` directory.
+
+#### 8. Dangerzone is able to handle drag-n-drop
+
+Run Dangerzone against a set of documents that you drag-n-drop. Files should be
+added and conversion should run without issue.
+
+> [!TIP]
+> On our end-user container environments for Linux, we can start a file manager
+> with `thunar &`.
+
+#### 9. Dangerzone CLI succeeds in converting multiple documents
+
+_(Only for Windows and Linux)_
+
+Run Dangerzone CLI against a list of documents. Ensure that conversions happen
+sequentially, are completed successfully, and we see their progress.
+
+#### 10. Dangerzone can open a document for conversion via right-click -> "Open With"
+
+_(Only for Windows, MacOS and Qubes)_
+
+Go to a directory with office documents, right-click on one, and click on "Open
+With". We should be able to open the file with Dangerzone, and then convert it.
+
+#### 11. Dangerzone shows helpful errors for setup issues on Qubes
+
+_(Only for Qubes)_
+
+Check what errors does Dangerzone throw in the following scenarios. The errors
+should point the user to the Qubes notifications in the top-right corner:
+
+1. The `dz-dvm` template does not exist. We can trigger this scenario by
+   temporarily renaming this template.
+2. The Dangerzone RPC policy does not exist. We can trigger this scenario by
+   temporarily renaming the `dz.Convert` policy.
+3. The `dz-dvm` disposable Qube cannot start due to insufficient resources. We
+   can trigger this scenario by temporarily increasing the minimum required RAM
+   of the `dz-dvm` template to more than the available amount.
+
 ## Release
 
 Once we are confident that the release will be out shortly, and doesn't need any more changes:
 
 - [ ] Create a PGP-signed git tag for the version, e.g., for dangerzone `v0.1.0`:
 
-  ```bash
+  ```
   git tag -s v0.1.0
   git push origin v0.1.0
   ```
@@ -80,17 +254,6 @@ Once we are confident that the release will be out shortly, and doesn't need any
 
 ### macOS Release
 
-> [!TIP]
-> You can automate these steps from your macOS terminal app with:
->
-> ```
-> doit clean
-> doit -n 8 apple_id=<email>                  # for Intel macOS
-> doit -n 8 apple_id=<email> macos_build_dmg  # for Apple Silicon macOS
-> ```
-
-The following needs to happen for both Silicon and Intel chipsets.
-
 #### Initial Setup
 
 - Build machine must have:
@@ -105,83 +268,48 @@ The following needs to happen for both Silicon and Intel chipsets.
 
 #### Releasing and Signing
 
-Here is what you need to do:
-
 - [ ] Verify and install the latest supported Python version from
   [python.org](https://www.python.org/downloads/macos/) (do not use the one from
   brew as it is known to [cause issues](https://github.com/freedomofpress/dangerzone/issues/471))
-
-- [ ] Checkout the dependencies, and clean your local copy:
-
-  ```bash
-
-  # In case of a new Python installation or minor version upgrade, e.g., from
-  # 3.11 to 3.12, reinstall Poetry
-  python3 -m pip install poetry
-
-  # You can verify the correct Python version is used
-  poetry debug info
-
-  # Replace with the actual version
-  export DZ_VERSION=$(cat share/version.txt)
-
-  # Verify and checkout the git tag for this release:
-  git checkout -f v$VERSION
-
-  # Clean the git repository
-  git clean -df
-
-  # Clean up the environment
-  poetry env remove --all
-
-  # Install the dependencies
-  poetry install --sync
+  * In case of a new Python installation or minor version upgrade, e.g., from
+    3.11 to 3.12 , reinstall Poetry with `python3 -m pip install poetry`
+  * You can verify the correct Python version is used with `poetry debug info`
+- [ ] Verify and checkout the git tag for this release
+- [ ] Run `poetry install --sync`
+- [ ] On the silicon mac, build the container image:
   ```
-
-- [ ] Build the container image and the OCR language data
-
-  ```bash
-  poetry run ./install/common/build-image.py
-  poetry run ./install/common/download-tessdata.py
-
-  # Copy the container image to the assets folder
-  cp share/container.tar.gz ~dz/release-assets/$VERSION/dangerzone-$VERSION-arm64.tar.gz
-  cp share/image-id.txt ~dz/release-assets/$VERSION/.
+  python3 ./install/common/build-image.py
   ```
+  Then copy the `share/container.tar.gz` to the assets folder on `dangerzone-$VERSION-arm64.tar.gz`, along with the `share/image-id.txt` file.
+- [ ] Run `poetry run ./install/macos/build-app.py`; this will make `dist/Dangerzone.app`
+- [ ] Make sure that the built application works with the containerd graph
+  driver (see [#933](https://github.com/freedomofpress/dangerzone/issues/933))
+- [ ] Run `poetry run ./install/macos/build-app.py --only-codesign`; this will make `dist/Dangerzone.dmg`
+  * You need to run this command as the account that has access to the code signing certificate
+  * You must run this command from the MacOS UI, from a terminal application.
+- [ ] Notarize it: `xcrun notarytool submit --wait --apple-id "<email>" --keychain-profile "dz-notarytool-release-key" dist/Dangerzone.dmg`
+  * You need to change the `<email>` in the above command with the email
+    associated with the Apple Developer ID.
+  * This command assumes that you have created, and stored in the Keychain, an
+    application password associated with your Apple Developer ID, which will be
+    used specifically for `notarytool`.
+- [ ] Wait for it to get approved:
+  * If it gets rejected, you should be able to see why with the same command
+    (or use the `log` option for a more verbose JSON output)
+  * You will also receive an update in your email.
+- [ ] After it's approved, staple the ticket: `xcrun stapler staple dist/Dangerzone.dmg`
 
-- [ ] Build the app bundle
+This process ends up with the final file:
 
-  ```bash
-  poetry run ./install/macos/build-app.py
-  ```
+```
+dist/Dangerzone.dmg
+```
 
-- [ ] Sign the application bundle, and notarize it
-
-  You need to run this command as the account that has access to the code signing certificate
-
-  This command assumes that you have created, and stored in the Keychain, an
-  application password associated with your Apple Developer ID, which will be
-  used specifically for `notarytool`.
-
-  ```bash
-  # Sign the .App and make it a .dmg
-  poetry run ./install/macos/build-app.py --only-codesign
-
-  # Notarize it. You must run this command from the MacOS UI
-  # from a terminal application.
-  xcrun notarytool submit ./dist/Dangerzone.dmg --apple-id $APPLE_ID --keychain-profile "dz-notarytool-release-key" --wait && xcrun stapler staple dist/Dangerzone.dmg
-
-  # Copy the .dmg to the assets folder
-  ARCH=$(uname -m)
-  if [ "$ARCH" = "x86_64" ]; then
-      ARCH="i686"
-  fi
-  cp dist/Dangerzone.dmg ~dz/release-assets/$VERSION/Dangerzone-$VERSION-$ARCH.dmg
-  ```
+Rename `Dangerzone.dmg` to `Dangerzone-$VERSION.dmg`.
 
 ### Windows Release
 
-The Windows release is performed in a Windows 11 virtual machine (as opposed to a physical one).
+The Windows release is performed in a Windows 11 virtual machine as opposed to a physical one.
 
 #### Initial Setup
 
@@ -195,31 +323,8 @@ The Windows release is performed in a Windows 11 virtual machine (as opposed to
 
 #### Releasing and Signing
 
-- [ ] Checkout the dependencies, and clean your local copy:
-  ```bash
-  # In case of a new Python installation or minor version upgrade, e.g., from
-  # 3.11 to 3.12, reinstall Poetry
-  python3 -m pip install poetry
-
-  # You can verify the correct Python version is used
-  poetry debug info
-
-  # Replace with the actual version
-  export DZ_VERSION=$(cat share/version.txt)
-
-  # Verify and checkout the git tag for this release:
-  git checkout -f v$VERSION
-
-  # Clean the git repository
-  git clean -df
-
-  # Clean up the environment
-  poetry env remove --all
-
-  # Install the dependencies
-  poetry install --sync
-  ```
-
+- [ ] Verify and checkout the git tag for this release
+- [ ] Run `poetry install --sync`
 - [ ] Copy the container image into the VM
   > [!IMPORTANT]
   > Instead of running `python .\install\windows\build-image.py` in the VM, run the build image script on the host (making sure to build for `linux/amd64`). Copy `share/container.tar.gz` and `share/image-id.txt` from the host into the `share` folder in the VM.
@@ -230,17 +335,12 @@ Rename `Dangerzone.msi` to `Dangerzone-$VERSION.msi`.
 
 ### Linux release
 
-> [!TIP]
-> You can automate these steps from any Linux distribution with:
+> [!INFO]
+> Below we explain how we build packages for each Linux distribution we support.
 >
-> ```
-> doit clean
-> doit -n 8 fedora_rpm debian_deb
-> ```
->
-> You can then add the created artifacts to the appropriate APT/YUM repo.
+> There is also a `release.sh` script available which creates all
+> the `.rpm` and `.deb` files with a single command.
 
-Below we explain how we build packages for each Linux distribution we support.
 
 #### Debian/Ubuntu
 
@@ -253,15 +353,21 @@ instructions in our build section](https://github.com/freedomofpress/dangerzone/
 or create your own locally with:
 
 ```sh
-# Create and run debian bookworm development environment
 ./dev_scripts/env.py --distro debian --version bookworm build-dev
 ./dev_scripts/env.py --distro debian --version bookworm run --dev bash
+cd dangerzone
+```
 
-# Build the latest container
-./dev_scripts/env.py --distro debian --version bookworm run --dev bash -c "cd dangerzone && poetry run ./install/common/build-image.py"
+Build the latest container:
 
-# Create a .deb
-./dev_scripts/env.py --distro debian --version bookworm run --dev bash -c "cd dangerzone && ./install/linux/build-deb.py"
+```sh
+python3 ./install/common/build-image.py
+```
+
+Create a .deb:
+
+```sh
+./install/linux/build-deb.py
 ```
 
 Publish the .deb under `./deb_dist` to the
@@ -280,12 +386,22 @@ or create your own locally with:
 
 ```sh
 ./dev_scripts/env.py --distro fedora --version 41 build-dev
+./dev_scripts/env.py --distro fedora --version 41 run --dev bash
+cd dangerzone
+```
 
-# Build the latest container (skip if already built):
-./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && poetry run ./install/common/build-image.py"
+Build the latest container:
 
-# Create a .rpm:
-./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && ./install/linux/build-rpm.py"
+```sh
+python3 ./install/common/build-image.py
+```
+
+Copy the container image to the assets folder on `dangerzone-$VERSION-i686.tar.gz`.
+
+Create a .rpm:
+
+```sh
+./install/linux/build-rpm.py
 ```
 
 Publish the .rpm under `./dist` to the
@@ -296,7 +412,7 @@ Publish the .rpm under `./dist` to the
 Create a .rpm for Qubes:
 
 ```sh
-./dev_scripts/env.py --distro fedora --version 41 run --dev bash -c "cd dangerzone && ./install/linux/build-rpm.py --qubes"
+./install/linux/build-rpm.py --qubes
 ```
 
 and similarly publish it to the [`freedomofpress/yum-tools-prod`](https://github.com/freedomofpress/yum-tools-prod)
@@ -304,37 +420,36 @@ repo.
 
 ## Publishing the Release
 
-To publish the release, you can follow these steps:
+To publish the release:
 
 - [ ] Create an archive of the Dangerzone source in `tar.gz` format:
-  ```bash
-  export VERSION=$(cat share/version.txt)
-  git archive --format=tar.gz -o dangerzone-${VERSION:?}.tar.gz --prefix=dangerzone/ v${VERSION:?}
-  ```
+  * You can use the following command:
+
+    ```
+    export DZ_VERSION=$(cat share/version.txt)
+    git archive --format=tar.gz -o dangerzone-${DZ_VERSION:?}.tar.gz --prefix=dangerzone/ v${DZ_VERSION:?}
+    ```
 
 - [ ] Run container scan on the produced container images (some time may have passed since the artifacts were built)
-  ```bash
+  ```
   gunzip --keep -c ./share/container.tar.gz > /tmp/container.tar
   docker pull anchore/grype:latest
   docker run --rm -v /tmp/container.tar:/container.tar anchore/grype:latest /container.tar
   ```
 
 - [ ] Collect the assets in a single directory, calculate their SHA-256 hashes, and sign them.
-  There is an `./dev_scripts/sign-assets.py` script to automate this task.
+  * You can use `./dev_scripts/sign-assets.py`, if you want to automate this
+    task.
+- [ ] Create a new **draft** release on GitHub and upload the macOS and Windows installers.
+  * Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
+  * You can use `./dev_scripts/upload-asset.py`, if you want to upload an asset
+    using an access token.
+- [ ] Upload the `container-$VERSION-i686.tar.gz` and `container-$VERSION-arm64.tar.gz` images that were created in the previous step
 
-  **Important:** Before running the script, make sure that it's the same container images as
-  the ones that are shipped in other platforms (see our [Pre-release](#Pre-release) section)
-
-  ```bash
-  # Sign all the assets
-  ./dev_scripts/sign-assets.py ~/release-assets/$VERSION/github --version $VERSION
-  ```
-
-- [ ] Upload all the assets to the draft release on GitHub.
-  ```bash
-  find ~/release-assets/$VERSION/github | xargs -n1 ./dev_scripts/upload-asset.py --token ~/token --draft
-  ```
+  **Important:** Make sure that it's the same container images as the ones that
+  are shipped in other platforms (see our [Pre-release](#Pre-release) section)
 
+- [ ] Upload the detached signatures (.asc) and checksum file.
 - [ ] Update the [Dangerzone website](https://github.com/freedomofpress/dangerzone.rocks) to link to the new installers.
 - [ ] Update the brew cask release of Dangerzone with a [PR like this one](https://github.com/Homebrew/homebrew-cask/pull/116319)
 - [ ] Update version and download links in `README.md`

dev_scripts/generate-release-tasks.py

@@ -1,67 +0,0 @@
-#!/usr/bin/env python3
-import pathlib
-import subprocess
-
-RELEASE_FILE = "RELEASE.md"
-QA_FILE = "QA.md"
-
-
-def git_root():
-    """Get the root directory of the Git repo."""
-    # FIXME: Use a Git Python binding for this.
-    # FIXME: Make this work if called outside the repo.
-    path = (
-        subprocess.run(
-            ["git", "rev-parse", "--show-toplevel"],
-            check=True,
-            stdout=subprocess.PIPE,
-        )
-        .stdout.decode()
-        .strip("\n")
-    )
-    return pathlib.Path(path)
-
-
-def extract_checkboxes(filename):
-    headers = []
-    result = []
-
-    with open(filename, "r") as f:
-        lines = f.readlines()
-
-    current_level = 0
-    for line in lines:
-        line = line.rstrip()
-
-        # If it's a header, store it
-        if line.startswith("#"):
-            # Count number of # to determine header level
-            level = len(line) - len(line.lstrip("#"))
-            if level < current_level or not current_level:
-                headers.extend(["", line, ""])
-                current_level = level
-            elif level > current_level:
-                continue
-            else:
-                headers = ["", line, ""]
-
-        # If it's a checkbox
-        elif "- [ ]" in line or "- [x]" in line or "- [X]" in line:
-            # Print the last header if we haven't already
-            if headers:
-                result.extend(headers)
-                headers = []
-                current_level = 0
-
-            # If this is the "Do the QA tasks" line, recursively get QA tasks
-            if "Do the QA tasks" in line:
-                result.append(line)
-                qa_tasks = extract_checkboxes(git_root() / QA_FILE)
-                result.append(qa_tasks)
-            else:
-                result.append(line)
-    return "\n".join(result)
-
-
-if __name__ == "__main__":
-    print(extract_checkboxes(git_root() / RELEASE_FILE))

dev_scripts/qa.py

@@ -20,32 +20,17 @@ EOL_PYTHON_URL = "https://endoflife.date/api/python.json"
 CONTENT_QA = r"""## QA
 
 To ensure that new releases do not introduce regressions, and support existing
-and newer platforms, we have to test that the produced packages work as expected.
-
-Check the following:
+and newer platforms, we have to do the following:
 
 - [ ] Make sure that the tip of the `main` branch passes the CI tests.
 - [ ] Make sure that the Apple account has a valid application password and has
       agreed to the latest Apple terms (see [macOS release](#macos-release)
       section).
-
-Because it is repetitive, we wrote a script to help with the QA.
-It can run the tasks for you, pausing when it needs manual intervention.
-
-You can run it with a command like:
-
-```bash
-poetry run ./dev_scripts/qa.py {distro}-{version}
-```
-
-### The checklist
-
 - [ ] Create a test build in Windows and make sure it works:
   - [ ] Check if the suggested Python version is still supported.
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Build and run the Dangerzone .exe
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -54,7 +39,6 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Create and run an app bundle.
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -63,7 +47,6 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Create and run an app bundle.
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -72,7 +55,6 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Create a .deb package and install it system-wide.
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -81,7 +63,6 @@ poetry run ./dev_scripts/qa.py {distro}-{version}
   - [ ] Create a new development environment with Poetry.
   - [ ] Build the container image and ensure the development environment uses
     the new image.
-  - [ ] Download the OCR language data using `./install/common/download-tessdata.py`
   - [ ] Run the Dangerzone tests.
   - [ ] Create an .rpm package and install it system-wide.
   - [ ] Test some QA scenarios (see [Scenarios](#Scenarios) below).
@@ -574,7 +555,7 @@ class Reference:
         # Convert spaces to dashes
         anchor = anchor.replace(" ", "-")
         # Remove non-alphanumeric (except dash and underscore)
-        anchor = re.sub("[^a-zA-Z-_]", "", anchor)
+        anchor = re.sub("[^a-zA-Z\-_]", "", anchor)
 
         return anchor
 
@@ -593,8 +574,8 @@ class QABase(abc.ABC):
 
     platforms = {}
 
-    REF_QA = Reference("QA.md", content=CONTENT_QA)
-    REF_QA_SCENARIOS = Reference("QA.md", content=CONTENT_QA_SCENARIOS)
+    REF_QA = Reference("RELEASE.md", content=CONTENT_QA)
+    REF_QA_SCENARIOS = Reference("RELEASE.md", content=CONTENT_QA_SCENARIOS)
 
     # The following class method is available since Python 3.6. For more details, see:
     # https://docs.python.org/3.6/whatsnew/3.6.html#pep-487-simpler-customization-of-class-creation
@@ -1072,10 +1053,6 @@ class QAFedora(QALinux):
         )
 
 
-class QAFedora41(QAFedora):
-    VERSION = "41"
-
-
 class QAFedora40(QAFedora):
     VERSION = "40"
 

docs/developer/doit.md

@@ -1,58 +0,0 @@
-# Using the Doit Automation Tool
-
-Developers can use the [Doit](https://pydoit.org/) automation tool to create
-release artifacts. The purpose of the tool is to automate our manual release
-instructions in `RELEASE.md` file. Not everything is automated yet, since we're
-still experimenting with this tool. You can find our task definitions in this
-repo's `dodo.py` file.
-
-## Why Doit?
-
-We picked Doit out of the various tools out there for the following reasons:
-
-* **Pythonic:** The configuration file and tasks can be written in Python. Where
-  applicable, it's easy to issue shell commands as well.
-* **File targets:** Doit borrows the file target concept from Makefiles. Tasks
-  can have file dependencies, and targets they build. This makes it easy to
-  define a dependency graph (DAG) for tasks.
-* **Hash-based caching:** Unlike Makefiles, doit does not look at the
-  modification timestamp of source/target files, to figure out if it needs to
-  run them.  Instead, it hashes those files, and will run a task only if the
-  hash of a file dependency has changed.
-* **Parallelization:** Tasks can be run in parallel with the `-n` argument,
-  which is similar to `make`'s `-j` argument.
-
-## How to Doit?
-
-First, enter your Poetry shell. Then, make sure that your environment is clean,
-and you have ample disk space. You can run:
-
-```bash
-doit clean --dry-run  # if you want to see what would happen
-doit clean  # you'll be asked to cofirm that you want to clean everything
-```
-
-Finally, you can build all the release artifacts with `doit`, or a specific task
-with:
-
-```
-doit <task>
-```
-
-## Tips and tricks
-
-* You can run `doit list --all -s` to see the full list of tasks, their
-  dependencies, and whether they are up to date.
-* You can run `doit info <task>` to see which dependencies are missing.
-* You can change this line in `pyproject.toml` to `true`, to allow using the
-  Docker/Podman build cache:
-
-  ```
-  use_cache = true
-  ```
-
-* You can pass the following global parameters with `doit <param>=<value>`:
-  - `runtime`: The container runtime to use. Either `podman` or `docker`
-  - `release_dir`: Where to store the release artifacts. Default path is
-    `~/release-assets/<version>`
-  - `apple_id`: The Apple ID to use when signing/notarizing the macOS DMG.

dodo.py

@@ -12,23 +12,17 @@ VERSION = open("share/version.txt").read().strip()
 FEDORA_VERSIONS = ["40", "41"]
 DEBIAN_VERSIONS = ["bullseye", "focal", "jammy", "mantic", "noble", "trixie"]
 
-### Global parameters
-#
-# Read more about global parameters in
-# https://pydoit.org/task-args.html#command-line-variables-doit-get-var
-
-CONTAINER_RUNTIME = get_var("runtime", "podman")
-DEFAULT_RELEASE_DIR = Path.home() / "release-assets" / VERSION
-# XXX: Workaround for https://github.com/pydoit/doit/issues/164
-RELEASE_DIR = Path(get_var("release_dir", None) or DEFAULT_RELEASE_DIR)
-APPLE_ID = get_var("apple_id", None)
+# In the case of an Apple Silicon machine, there's no need to run anything else than
+# building the .dmg.
+if ARCH == "arm64":
+    DOIT_CONFIG = {'default_tasks': ['macos_build_dmg']}
 
 ### Task Parameters
 
 PARAM_APPLE_ID = {
     "name": "apple_id",
     "long": "apple-id",
-    "default": APPLE_ID,
+    "default": "fpf@example.com",
     "help": "The Apple developer ID that will be used for signing the .dmg",
 }
 
@@ -42,12 +36,19 @@ PARAM_USE_CACHE = {
     "default": False,
 }
 
+### Global parameters
+#
+# Read more about global parameters in
+# https://pydoit.org/task-args.html#command-line-variables-doit-get-var
+
+CONTAINER_RUNTIME = get_var('runtime', 'podman')
+RELEASE_DIR = Path(get_var("release_dir", Path.home() / "release-assets" / VERSION))
+
 ### File dependencies
 #
-# Define all the file dependencies for our tasks in a single place, since some file
+# Define all the file dependencies we'll see later in tasks here, since some file
 # dependencies are shared between tasks.
 
-
 def list_files(path, recursive=False):
     """List files in a directory, and optionally traverse into subdirectories."""
     filepaths = []
@@ -117,6 +118,7 @@ def copy_dir(src, dst):
 
 def create_release_dir():
     RELEASE_DIR.mkdir(parents=True, exist_ok=True)
+    (RELEASE_DIR / "assets").mkdir(exist_ok=True)
     (RELEASE_DIR / "tmp").mkdir(exist_ok=True)
 
 
@@ -150,9 +152,6 @@ def build_rpm(version, cwd, qubes=False):
     return build_linux_pkg(distro="Fedora", version=version, cwd=cwd, qubes=qubes)
 
 
-### Tasks
-
-
 def task_clean_container_runtime():
     """Clean the storage space of the container runtime."""
     return {
@@ -187,7 +186,10 @@ def task_macos_check_system():
     """Run macOS specific system checks, as well as the generic ones."""
     return {
         "actions": None,
-        "task_dep": ["check_container_runtime", "macos_check_cert"],
+        "task_dep": [
+            "check_container_runtime",
+            "macos_check_cert",
+        ],
     }
 
 
@@ -219,24 +221,29 @@ def task_build_image():
     return {
         "actions": [
             f"python install/common/build-image.py --use-cache=%(use_cache)s --runtime={CONTAINER_RUNTIME}",
-            ["cp", img_src, img_dst],
-            ["cp", img_id_src, img_id_dst],
+            f"cp {img_src} {img_dst}",
+            f"cp {img_id_src} {img_id_dst}",
         ],
         "params": [PARAM_USE_CACHE],
         "file_dep": IMAGE_DEPS,
         "targets": [img_src, img_dst, img_id_src, img_id_dst],
-        "task_dep": ["init_release_dir", "check_container_runtime"],
+        "task_dep": [
+            "init_release_dir",
+            "check_container_runtime",
+        ],
         "clean": True,
     }
 
 
 def task_poetry_install():
     """Setup the Poetry environment"""
-    return {"actions": ["poetry install --sync"], "clean": ["poetry env remove --all"]}
+    return {
+        "actions": ["poetry install --sync"],
+    }
 
 
 def task_macos_build_dmg():
-    """Build the macOS .dmg file for Dangerzone."""
+    """Build the macOS app bundle for Dangerzone."""
     dz_dir = RELEASE_DIR / "tmp" / "macos"
     dmg_src = dz_dir / "dist" / "Dangerzone.dmg"
     dmg_dst = RELEASE_DIR / f"Dangerzone-{VERSION}-{ARCH}.dmg"  # FIXME: Add -arch
@@ -250,18 +257,17 @@ def task_macos_build_dmg():
                 f" --keychain-profile dz-notarytool-release-key {dmg_src}"
             ),
             f"xcrun stapler staple {dmg_src}",
-            ["cp", dmg_src, dmg_dst],
+            ["cp", "-r", dmg_src, dmg_dst],
             ["rm", "-rf", dz_dir],
         ],
         "params": [PARAM_APPLE_ID],
         "file_dep": DMG_DEPS,
         "task_dep": [
-            "macos_check_system",
             "init_release_dir",
             "poetry_install",
             "download_tessdata",
         ],
-        "targets": [dmg_src, dmg_dst],
+        "targets": [dmg_dst],
         "clean": True,
     }
 
@@ -299,7 +305,10 @@ def task_debian_deb():
             ["rm", "-rf", dz_dir],
         ],
         "file_dep": DEB_DEPS,
-        "task_dep": ["init_release_dir", "debian_env"],
+        "task_dep": [
+            "init_release_dir",
+            "debian_env",
+        ],
         "targets": [deb_dst],
         "clean": True,
     }
@@ -310,7 +319,6 @@ def task_fedora_env():
     for version in FEDORA_VERSIONS:
         yield {
             "name": version,
-            "doc": f"Build Fedora {version} dev environments",
             "actions": [
                 [
                     "python3",
@@ -331,7 +339,6 @@ def task_fedora_rpm():
     for version in FEDORA_VERSIONS:
         for qubes in (True, False):
             qubes_ident = "-qubes" if qubes else ""
-            qubes_desc = " for Qubes" if qubes else ""
             dz_dir = RELEASE_DIR / "tmp" / f"f{version}{qubes_ident}"
             rpm_names = [
                 f"dangerzone{qubes_ident}-{VERSION}-1.fc{version}.x86_64.rpm",
@@ -342,7 +349,6 @@ def task_fedora_rpm():
 
             yield {
                 "name": version + qubes_ident,
-                "doc": f"Build a Fedora {version} package{qubes_desc}",
                 "actions": [
                     (copy_dir, [".", dz_dir]),
                     build_rpm(version, cwd=dz_dir, qubes=qubes),
@@ -350,7 +356,10 @@ def task_fedora_rpm():
                     ["rm", "-rf", dz_dir],
                 ],
                 "file_dep": RPM_DEPS,
-                "task_dep": ["init_release_dir", f"fedora_env:{version}"],
+                "task_dep": [
+                    "init_release_dir",
+                    f"fedora_env:{version}",
+                ],
                 "targets": rpm_dst,
                 "clean": True,
             }
@@ -366,40 +375,3 @@ def task_git_archive():
         "targets": [target],
         "task_dep": ["init_release_dir"],
     }
-
-
-#######################################################################################
-#
-#                              END OF TASKS
-#
-# The following task should be the LAST one in the dodo file, so that it runs first when
-# running `do clean`.
-
-
-def clean_prompt():
-    ans = input(
-        f"""
-You have not specified a target to clean.
-This means that doit will clean the following targets:
-
-* ALL the containers, images, and build cache in {CONTAINER_RUNTIME.capitalize()}
-* ALL the built targets and directories
-
-For a full list of the targets that doit will clean, run: doit clean --dry-run
-
-Are you sure you want to clean everything (y/N): \
-"""
-    )
-    if ans.lower() in ["yes", "y"]:
-        return
-    else:
-        print("Exiting...")
-        exit(1)
-
-
-def task_clean_prompt():
-    """Make sure that the user really wants to run the clean tasks."""
-    return {
-        "actions": None,
-        "clean": [clean_prompt],
-    }

install/common/build-image.py

@@ -17,16 +17,15 @@ elif platform.system() == "Linux":
 
 ARCH = platform.machine()
 
-
 def str2bool(v):
     if isinstance(v, bool):
         return v
-    if v.lower() in ("yes", "true", "t", "y", "1"):
+    if v.lower() in ('yes', 'true', 't', 'y', '1'):
         return True
-    elif v.lower() in ("no", "false", "f", "n", "0"):
+    elif v.lower() in ('no', 'false', 'f', 'n', '0'):
         return False
     else:
-        raise argparse.ArgumentTypeError("Boolean value expected.")
+        raise argparse.ArgumentTypeError('Boolean value expected.')
 
 
 def main():
@@ -52,7 +51,7 @@ def main():
     parser.add_argument(
         "--use-cache",
         type=str2bool,
-        nargs="?",
+        nargs='?',
         default=False,
         const=True,
         help="Use the builder's cache to speed up the builds (not suitable for release builds)",

poetry.lock

@@ -1210,4 +1210,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.0"
 python-versions = ">=3.9,<3.13"
-content-hash = "a2937fd8ead7b45da571cb943ab43918a9c6d3dcbc6935dc8d0af3d1d4190371"
+content-hash = "8367cee9a978ba6df32f44e902d223156e321b2cb4ea8a9d7a4bf1f88392a8c0"

pyproject.toml

@@ -23,6 +23,7 @@ pyxdg = {version = "*", platform = "linux"}
 requests = "*"
 markdown = "*"
 packaging = "*"
+doit = "^0.36.0"
 
 [tool.poetry.scripts]
 dangerzone = 'dangerzone:main'
@@ -34,7 +35,6 @@ setuptools = "*"
 cx_freeze = {version = "^7.2.5", platform = "win32"}
 pywin32 = {version = "*", platform = "win32"}
 pyinstaller = {version = "*", platform = "darwin"}
-doit = "^0.36.0"
 
 # Dependencies required for linting the code.
 [tool.poetry.group.lint.dependencies]
@@ -67,12 +67,25 @@ skip_gitignore = true
 # This is necessary due to https://github.com/PyCQA/isort/issues/1835
 follow_links = false
 
-[tool.doit]
-verbosity = 3
+[tool.doit.commands.clean]
+# XXX: Change this to false if you REALLY want to clean your environment. Note
+# that this command will:
+# * prune container images,
+# * clean the Git repo, and
+# * remove all tasks output
+#
+# Else, the `doit clean` comamnd will print the commands that would run instead.
+dryrun = true
+
+[tool.doit.tasks.macos_check_cert]
+apple_id = "fpf@example.com"
+
+[tool.doit.tasks.macos_codesign]
+apple_id = "fpf@example.com"
 
 [tool.doit.tasks.build_image]
-# DO NOT change this to 'true' for release artifacts.
 use_cache = false
+force_tag = ""
 
 [build-system]
 requires = ["poetry-core>=1.2.0"]