container: Add workarounds for Podman Desktop support on Windows

In case we run on Windows and use Podman Desktop (for which we currently
offer experimental support), we must not pass some Podman flags in order
to avoid conversion errors.

Refs #1127

Makefile

@@ -22,7 +22,7 @@ fix: ## apply all the suggestions from ruff
 	ruff format
 
 .PHONY: test
-test:
+test: ## Run the tests
 	# Make each GUI test run as a separate process, to avoid segfaults due to
 	# shared state.
 	# See more in https://github.com/freedomofpress/dangerzone/issues/493
@@ -47,11 +47,11 @@ test-large: test-large-init  ## Run large test set
 	python -m pytest --tb=no tests/test_large_set.py::TestLargeSet -v $(JUNIT_FLAGS) --junitxml=$(TEST_LARGE_RESULTS)
 	python $(TEST_LARGE_RESULTS)/report.py $(TEST_LARGE_RESULTS)
 
-Dockerfile: Dockerfile.env Dockerfile.in
+Dockerfile: Dockerfile.env Dockerfile.in ## Regenerate the Dockerfile from its template
 	poetry run jinja2 Dockerfile.in Dockerfile.env > Dockerfile
 
 .PHONY: poetry-install
-poetry-install:
+poetry-install: ## Install project dependencies
 	poetry install
 
 .PHONY: build-clean
@@ -59,19 +59,19 @@ build-clean:
 	poetry run doit clean
 
 .PHONY: build-macos-intel
-build-macos-intel: build-clean poetry-install
+build-macos-intel: build-clean poetry-install ## Build macOS intel package (.dmg)
 	poetry run doit -n 8
 
 .PHONY: build-macos-arm
-build-macos-arm: build-clean poetry-install
+build-macos-arm: build-clean poetry-install ## Build macOS Apple Silicon package (.dmg)
 	poetry run doit -n 8 macos_build_dmg
 
 .PHONY: build-linux
-build-linux: build-clean poetry-install
+build-linux: build-clean poetry-install ## Build linux packages (.rpm and .deb)
 	poetry run doit -n 8 fedora_rpm debian_deb
 
 .PHONY: regenerate-reference-pdfs
-regenerate-reference-pdfs:
+regenerate-reference-pdfs: ## Regenerate the reference PDFs
 	pytest tests/test_cli.py -k regenerate --generate-reference-pdfs
 # Makefile self-help borrowed from the securedrop-client project
 # Explaination of the below shell command should it ever break.

dangerzone/__init__.py

@@ -4,6 +4,12 @@ import sys
 
 logger = logging.getLogger(__name__)
 
+# Call freeze_support() to avoid passing unknown options to the subprocess.
+# See https://github.com/freedomofpress/dangerzone/issues/873
+import multiprocessing
+
+multiprocessing.freeze_support()
+
 
 try:
     from . import vendor  # type: ignore [attr-defined]

dangerzone/gui/main_window.py

@@ -3,7 +3,6 @@ import os
 import platform
 import tempfile
 import typing
-from multiprocessing import freeze_support
 from multiprocessing.pool import ThreadPool
 from pathlib import Path
 from typing import List, Optional
@@ -228,7 +227,9 @@ class MainWindow(QtWidgets.QMainWindow):
                 if not is_version_valid:
                     self.handle_docker_desktop_version_check(is_version_valid, version)
             except errors.UnsupportedContainerRuntime as e:
-                pass  # It's catched later in the flow.
+                pass  # It's caught later in the flow.
+            except errors.NoContainerTechException as e:
+                pass  # It's caught later in the flow.
 
         self.show()
 
@@ -1236,9 +1237,6 @@ class DocumentsListWidget(QtWidgets.QListWidget):
     def start_conversion(self) -> None:
         if not self.thread_pool_initized:
             max_jobs = self.dangerzone.isolation_provider.get_max_parallel_conversions()
-            # Call freeze_support() to avoid passing unknown options to the subprocess.
-            # See https://github.com/freedomofpress/dangerzone/issues/873
-            freeze_support()
             self.thread_pool = ThreadPool(max_jobs)
 
         for doc in self.docs_list:

dangerzone/isolation_provider/container.py

@@ -56,7 +56,14 @@ class Container(IsolationProvider):
             security_args = ["--log-driver", "none"]
             security_args += ["--security-opt", "no-new-privileges"]
             if container_utils.get_runtime_version() >= (4, 1):
-                security_args += ["--userns", "nomap"]
+                # We perform a platform check to avoid the following Podman Desktop
+                # error on Windows:
+                #
+                #   Error: nomap is only supported in rootless mode
+                #
+                # See also: https://github.com/freedomofpress/dangerzone/issues/1127
+                if platform.system() != "Windows":
+                    security_args += ["--userns", "nomap"]
         else:
             security_args = ["--security-opt=no-new-privileges:true"]
 
@@ -67,7 +74,15 @@ class Container(IsolationProvider):
         # [1] https://github.com/freedomofpress/dangerzone/issues/846
         # [2] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
         seccomp_json_path = str(get_resource_path("seccomp.gvisor.json"))
-        security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
+        # We perform a platform check to avoid the following Podman Desktop
+        # error on Windows:
+        #
+        #   Error: opening seccomp profile failed: open
+        #   C:\[...]\dangerzone\share\seccomp.gvisor.json: no such file or directory
+        #
+        # See also: https://github.com/freedomofpress/dangerzone/issues/1127
+        if runtime.name == "podman" and platform.system() != "Windows":
+            security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
 
         security_args += ["--cap-drop", "all"]
         security_args += ["--cap-add", "SYS_CHROOT"]

install/common/build-image.py

@@ -5,7 +5,7 @@ import subprocess
 import sys
 from pathlib import Path
 
-BUILD_CONTEXT = "dangerzone/"
+BUILD_CONTEXT = "dangerzone"
 IMAGE_NAME = "dangerzone.rocks/dangerzone"
 if platform.system() in ["Darwin", "Windows"]:
     CONTAINER_RUNTIME = "docker"
@@ -122,7 +122,8 @@ def main():
 
     subprocess.run(
         [
-            "./dev_scripts/repro-build.py",
+            sys.executable,
+            str(Path("dev_scripts") / "repro-build.py"),
             "build",
             "--runtime",
             args.runtime,

setup-windows.py

@@ -13,7 +13,7 @@ setup(
     description="Dangerzone",
     options={
         "build_exe": {
-            "packages": ["dangerzone", "dangerzone.gui"],
+            "packages": ["dangerzone", "dangerzone.gui", "pymupdf._wxcolors"],
             "excludes": ["test", "tkinter"],
             "include_files": [("share", "share"), ("LICENSE", "LICENSE")],
             "include_msvcr": True,