Merge 223fb0f1b9 into f540a67d06

Fix: Dangerzone installed using an msi built with WiX Toolset 3 is not uninstalled by an msi built with WiX Toolset 5
Work around the issue by adding some extra functionality to the "Next" button on the welcome screen of the installer. When the user clicks it to proceed with the installation this: 1. Flips the install scope to "perUser" which is the default in WiX 3 2. Finds the older installation 3. And finally flips the scope back to "perMachine" which is the default in WiX 4 and newer TODO: Revert this once we are reasonably certain there are no affected Dangerzone Installations?
2025-05-03 20:21:49 +02:00 · 2024-10-30 20:10:22 +00:00 · 2024-10-30 22:08:36 +02:00 · 2024-10-30 22:08:23 +02:00 · 2024-10-30 19:11:24 +01:00 · 2024-10-30 19:10:26 +01:00
13 changed files with 65 additions and 35 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -33,8 +33,6 @@ jobs:
            version: "20.04"
          - distro: ubuntu
            version: "22.04"
          - distro: ubuntu
            version: "23.10"
          - distro: ubuntu
            version: "24.04"
          - distro: ubuntu
--- a/.github/workflows/check_repos.yml
+++ b/.github/workflows/check_repos.yml
@ -23,8 +23,6 @@ jobs:
            version: "24.10"  # oracular
          - distro: ubuntu
            version: "24.04"  # noble
          - distro: ubuntu
            version: "23.10"  # mantic
          - distro: ubuntu
            version: "22.04"  # jammy
          - distro: ubuntu
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -163,8 +163,6 @@ jobs:
            version: "20.04"
          - distro: ubuntu
            version: "22.04"
          - distro: ubuntu
            version: "23.10"
          - distro: ubuntu
            version: "24.04"
          - distro: ubuntu
@ -233,8 +231,6 @@ jobs:
            version: "20.04"
          - distro: ubuntu
            version: "22.04"
          - distro: ubuntu
            version: "23.10"
          - distro: ubuntu
            version: "24.04"
          - distro: ubuntu
@ -354,8 +350,6 @@ jobs:
            version: "20.04"
          - distro: ubuntu
            version: "22.04"
          - distro: ubuntu
            version: "23.10"
          - distro: ubuntu
            version: "24.04"
          - distro: ubuntu
--- a/.github/workflows/scan_released.yml
+++ b/.github/workflows/scan_released.yml
@ -13,7 +13,7 @@ jobs:
      - name: Download container image for the latest release
        run: |
          VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
-          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container.tar.gz
+          wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/container-${VERSION}-i686.tar.gz -O container.tar.gz
      - name: Load container image
        run: docker load -i container.tar.gz
      # NOTE: Scan first without failing, else we won't be able to read the scan
--- a/INSTALL.md
+++ b/INSTALL.md
@ -11,7 +11,6 @@ an isolated environment. It will be installed automatically when installing Dang
 Dangerzone is available for:
 - Ubuntu 24.10 (oracular)
 - Ubuntu 24.04 (noble)
 - Ubuntu 23.10 (mantic)
 - Ubuntu 22.04 (jammy)
 - Ubuntu 20.04 (focal)
 - Debian 13 (trixie)
@ -290,7 +289,7 @@ Our [GitHub Releases page](https://github.com/freedomofpress/dangerzone/releases
 hosts the following files:
 * Windows installer (`Dangerzone-<version>.msi`)
 * macOS archives (`Dangerzone-<version>-<arch>.dmg`)
-* Container image (`container.tar.gz`)
+* Container images (`container-<version>-<arch>.tar.gz`)
 * Source package (`dangerzone-<version>.tar.gz`)
 All these files are accompanied by signatures (as `.asc` files). We'll explain
@ -315,10 +314,10 @@ gpg --verify Dangerzone-0.6.1-arm64.dmg.asc Dangerzone-0.6.1-arm64.dmg
 gpg --verify Dangerzone-0.6.1-i686.dmg.asc Dangerzone-0.6.1-i686.dmg
 ```
-For the container image:
+For the container images:
 ```
-gpg --verify container.tar.gz.asc container.tar.gz
+gpg --verify container-0.6.1-i686.tar.gz.asc container-0.6.1-i686.tar.gz
 ```
 For the source package:
--- a/RELEASE.md
+++ b/RELEASE.md
@ -285,6 +285,11 @@ Once we are confident that the release will be out shortly, and doesn't need any
  * You can verify the correct Python version is used with `poetry debug info`
 - [ ] Verify and checkout the git tag for this release
 - [ ] Run `poetry install --sync`
 - [ ] On the silicon mac, build the container image:
  ```
  python3 ./install/common/build-image.py
  ```
  Then copy the `share/container.tar.gz` to the assets folder on `dangerzone-$VERSION-arm64.tar.gz`, along with the `share/image-id.txt` file.
 - [ ] Run `poetry run ./install/macos/build-app.py`; this will make `dist/Dangerzone.app`
 - [ ] Make sure that the build application works with the containerd graph
  driver (see [#933](https://github.com/freedomofpress/dangerzone/issues/933))
@ -403,6 +408,8 @@ Build the latest container:
 python3 ./install/common/build-image.py
 ```
 Copy the container image to the assets folder on `dangerzone-$VERSION-i686.tar.gz`.
 Create a .rpm:
 ```sh
@ -449,9 +456,9 @@ To publish the release:
  * Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
  * You can use `./dev_scripts/upload-asset.py`, if you want to upload an asset
    using an access token.
- [ ] Upload the `container.tar.gz` i686 image that was created in the previous step
+- [ ] Upload the `container-$VERSION-i686.tar.gz` and `container-$VERSION-arm64.tar.gz` images that were created in the previous step
-  **Important:** Make sure that it's the same container image as the ones that
+  **Important:** Make sure that it's the same container images as the ones that
  are shipped in other platforms (see our [Pre-release](#Pre-release) section)
 - [ ] Upload the detached signatures (.asc) and checksum file.
--- a/dangerzone/gvisor_wrapper/entrypoint.py
+++ b/dangerzone/gvisor_wrapper/entrypoint.py
@ -142,9 +142,6 @@ runsc_argv = [
    "--rootless=true",
    "--network=none",
    "--root=/home/dangerzone/.containers",
    # Disable DirectFS for to make the seccomp filter even stricter,
    # at some performance cost.
    "--directfs=false",
 ]
 if os.environ.get("RUNSC_DEBUG"):
    runsc_argv += ["--debug=true", "--alsologtostderr=true"]
--- a/dev_scripts/env.py
+++ b/dev_scripts/env.py
@ -696,8 +696,6 @@ class Env:
                    DOCKERFILE_CONMON_UPDATE + DOCKERFILE_BUILD_DEV_DEBIAN_DEPS
                )
            elif self.distro == "ubuntu" and self.version in (
                "23.10",
                "mantic",
                "24.04",
                "noble",
                "24.10",
@ -784,8 +782,6 @@ class Env:
                # package (see https://github.com/freedomofpress/dangerzone/issues/685)
                install_deps = DOCKERFILE_CONMON_UPDATE + DOCKERFILE_BUILD_DEBIAN_DEPS
            elif self.distro == "ubuntu" and self.version in (
                "23.10",
                "mantic",
                "24.04",
                "noble",
                "24.10",
--- a/dev_scripts/qa.py
+++ b/dev_scripts/qa.py
@ -978,11 +978,6 @@ class QAUbuntu2204(QADebianBased):
    VERSION = "22.04"
 class QAUbuntu2310(QADebianBased):
    DISTRO = "ubuntu"
    VERSION = "23.10"
 class QAUbuntu2404(QADebianBased):
    DISTRO = "ubuntu"
    VERSION = "24.04"
--- a/dev_scripts/sign-assets.py
+++ b/dev_scripts/sign-assets.py
@ -11,7 +11,8 @@ log = logging.getLogger(__name__)
 DZ_ASSETS = [
-    "container.tar.gz",
+    "container-{version}-i686.tar.gz",
    "container-{version}-arm64.tar.gz",
    "Dangerzone-{version}.msi",
    "Dangerzone-{version}-arm64.dmg",
    "Dangerzone-{version}-i686.dmg",
--- a/install/windows/build-wxs.py
+++ b/install/windows/build-wxs.py
@ -155,10 +155,51 @@ def main():
        Id="ARPURLINFOABOUT",
        Value="https://freedom.press",
    )
    ui_el = ET.SubElement(package_el, "UI")
    ET.SubElement(
-        package_el, "ui:WixUI", Id="WixUI_InstallDir", InstallDirectory="INSTALLFOLDER"
+        ui_el, "ui:WixUI", Id="WixUI_InstallDir", InstallDirectory="INSTALLFOLDER"
    )
-    ET.SubElement(package_el, "UIRef", Id="WixUI_ErrorProgressText")
+    ET.SubElement(ui_el, "UIRef", Id="WixUI_ErrorProgressText")
    # Workaround for an issue after upgrading from WiX Toolset 3 to 5 where the older
    # version of Dangerzone is not uninstalled during the upgrade
    #
    # Work around the issue by adding some extra functionality to the "Next" button on the welcome screen
    # of the installer. When the user clicks it to proceed with the installation this:
    # 1. Flips the install scope to "perUser" which is the default in WiX 3
    # 2. Finds the older installation
    # 3. And finally flips the scope back to "perMachine" which is the default in WiX 4 and newer
    #
    # Adapted from this stack overflow answer: https://stackoverflow.com/a/35064434
    #
    # TODO: Revert this once we are reasonably certain there are no affected Dangerzone Installations?
    ET.SubElement(
        ui_el,
        "Publish",
        Dialog="WelcomeDlg",
        Control="Next",
        Property="ALLUSERS",
        Value="{}",
    )
    ET.SubElement(
        ui_el,
        "Publish",
        Dialog="WelcomeDlg",
        Control="Next",
        Event="DoAction",
        Value="FindRelatedProducts",
    )
    ET.SubElement(
        ui_el,
        "Publish",
        Dialog="WelcomeDlg",
        Control="Next",
        Property="ALLUSERS",
        Value="1",
    )
    ET.SubElement(
        package_el,
        "WixVariable",
--- a/setup-windows.py
+++ b/setup-windows.py
@ -4,7 +4,6 @@ from cx_Freeze import Executable, setup
 with open("share/version.txt") as f:
    version = f.read().strip()
 packages = ["dangerzone", "dangerzone.gui"]
 setup(
    name="dangerzone",
@ -12,10 +11,13 @@ setup(
    # On Windows description will show as the app's name in the "Open With" menu. See:
    # https://github.com/freedomofpress/dangerzone/issues/283#issuecomment-1365148805
    description="Dangerzone",
    packages=packages,
    options={
        "build_exe": {
-            "packages": packages,
+            # Explicitly specify pymupdf.util module to fix building the executables
            # with cx_freeze. See https://github.com/marcelotduarte/cx_Freeze/issues/2653
            # for more details.
            # TODO: Upgrade to cx_freeze 7.3.0 which should include a fix.
            "packages": ["dangerzone", "dangerzone.gui", "pymupdf.utils"],
            "excludes": ["test", "tkinter"],
            "include_files": [("share", "share"), ("LICENSE", "LICENSE")],
            "include_msvcr": True,
--- a/tests/isolation_provider/base.py
+++ b/tests/isolation_provider/base.py
@ -164,6 +164,7 @@ class IsolationProviderTermination:
        terminate_proc_mock = mocker.patch.object(
            provider, "terminate_doc_to_pixels_proc", return_value=None
        )
        kill_pg_orig = base.kill_process_group
        kill_pg_mock = mocker.patch(
            "dangerzone.isolation_provider.base.kill_process_group", return_value=None
        )
@ -178,6 +179,7 @@ class IsolationProviderTermination:
        # Reset the function to the original state.
        provider.terminate_doc_to_pixels_proc = terminate_proc_orig  # type: ignore [method-assign]
        base.kill_process_group = kill_pg_orig
        # Really kill the spawned process, so that it doesn't linger after the tests
        # complete.
Author	SHA1	Message	Date
jkarasti	fb2805e59f	Merge `223fb0f1b9` into `f540a67d06`	2024-10-30 20:10:22 +00:00
jkarasti	223fb0f1b9	Fix: Dangerzone installed using an msi built with WiX Toolset 3 is not uninstalled by an msi built with WiX Toolset 5 Work around the issue by adding some extra functionality to the "Next" button on the welcome screen of the installer. When the user clicks it to proceed with the installation this: 1. Flips the install scope to "perUser" which is the default in WiX 3 2. Finds the older installation 3. And finally flips the scope back to "perMachine" which is the default in WiX 4 and newer TODO: Revert this once we are reasonably certain there are no affected Dangerzone Installations?	2024-10-30 22:08:36 +02:00
jkarasti	8603cd3b86	Change: Wrap installer ui related things in a `UI` element fix	2024-10-30 22:08:23 +02:00
Alexis Métaireau	f540a67d06	Update RELEASE.md to upload container.tar.gz for both i686 and arm64 architectures. Some checks are pending Tests / macOS (x86_64) (push) Blocked by required conditions Details Tests / build-deb (debian bookworm) (push) Blocked by required conditions Details Tests / build-deb (debian bullseye) (push) Blocked by required conditions Details Tests / build-deb (debian trixie) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / build-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / install-deb (debian bookworm) (push) Blocked by required conditions Details Tests / install-deb (debian bullseye) (push) Blocked by required conditions Details Tests / install-deb (debian trixie) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 20.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 22.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.04) (push) Blocked by required conditions Details Tests / install-deb (ubuntu 24.10) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 39) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 40) (push) Blocked by required conditions Details Tests / build-install-rpm (fedora 41) (push) Blocked by required conditions Details Tests / run tests (debian bookworm) (push) Blocked by required conditions Details Tests / run tests (debian bullseye) (push) Blocked by required conditions Details Tests / run tests (debian trixie) (push) Blocked by required conditions Details Tests / run tests (fedora 39) (push) Blocked by required conditions Details Tests / run tests (fedora 40) (push) Blocked by required conditions Details Tests / run tests (fedora 41) (push) Blocked by required conditions Details Tests / run tests (ubuntu 20.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 22.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.04) (push) Blocked by required conditions Details Tests / run tests (ubuntu 24.10) (push) Blocked by required conditions Details Scan latest app and container / security-scan-container (push) Waiting to run Details Scan latest app and container / security-scan-app (push) Waiting to run Details	2024-10-30 19:11:24 +01:00
Alex Pyrgiotis	68f8338d20	Revert "Disable gVisor's DirectFS feature." This reverts commit `73b0f8b7d4`. Unfortunately, disabling DirectFS causes a problem in Linux systems that enable Yama mode 2. Turns out that Tails is such a system, so we have to revert this change, if we want to support it. Refs #982	2024-10-30 19:10:26 +01:00
Alex Pyrgiotis	d561878e03	tests: Restore previously mocked function Restore the `isolation_provider.base.kill_process_group()` function, which was previously mocked, at the end of the `test_linger_unkillable()` test. This function is initially mocked, in order to simulate a hang process. After the mocking completes, the test needs the original function once more, in order to actually kill the spawned process.	2024-10-30 16:45:45 +01:00
Alexis Métaireau	59e1666c28	Drop support for Ubuntu Mantic (23.10), which is EOL since 11 Jul 2024.	2024-10-30 16:43:50 +01:00
jkarasti	95d7d8a4d9	Fix: Error with cx_freeze when building the windows executables	2024-10-30 17:41:15 +02:00
jkarasti	ed2791bbbc	Revert: "fix win build failure due to package autodiscovery" This reverts commit `4d9f729654`. The error described in #178 doesen't happen anymore so this workaround is not needed.	2024-10-30 17:41:15 +02:00