Retain Grype ignore list from current branch

When security scanning our poetry.lock file for the **released**
Dangerzone version, retain the Grype ignore
list (.grype.yaml) of the current branch, which would be otherwise
overwritten by a git checkout to the latest released tag (v0.9.0 as of
writing this). This way, we can instruct Grype to ignore vulnerabilities
in the latest Dangerzone release.

.github/workflows/check_repos.yml

@@ -19,6 +19,8 @@ jobs:
     strategy:
       matrix:
         include:
+          - distro: ubuntu
+            version: "25.04"  # plucky
           - distro: ubuntu
             version: "24.10"  # oracular
           - distro: ubuntu
@@ -32,8 +34,8 @@ jobs:
           - distro: debian
             version: "11"  # bullseye
     steps:
-      - name: Add packages.freedom.press PGP key (gpg)
+      - name: Add packages.freedom.press PGP key (gpg --keyring)
-        if: matrix.version != 'trixie'
+        if: matrix.version != 'trixie' && matrix.version != "25.04"
         run: |
           apt-get update && apt-get install -y gnupg2 ca-certificates
           dirmngr  # NOTE: This is a command that's necessary only in containers
@@ -46,7 +48,7 @@ jobs:
           mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.
 
       - name: Add packages.freedom.press PGP key (sq)
-        if: matrix.version == 'trixie'
+        if: matrix.version == 'trixie' || matrix.version == '25.04'
         run: |
           apt-get update && apt-get install -y ca-certificates sq
           mkdir -p /etc/apt/keyrings/
@@ -55,7 +57,10 @@ jobs:
           sq network keyserver \
              --server hkps://keys.openpgp.org \
              search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-             --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+             --output - \
+          | sq packet dearmor \
+          > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+
       - name: Add packages.freedom.press to our APT sources
         run: |
           . /etc/os-release
@@ -79,6 +84,8 @@ jobs:
             version: 40
           - distro: fedora
             version: 41
+          - distro: fedora
+            version: 42
     steps:
       - name: Add packages.freedom.press to our YUM sources
         run: |

.github/workflows/scan_released.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Download container image for the latest release and load it
         run: |
           VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | grep "tag_name" | cut -d '"' -f 4)
-          CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz
+          CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar
           wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME}
           docker load -i ${CONTAINER_FILENAME}
       - name: Get image tag
@@ -67,8 +67,12 @@ jobs:
           fetch-depth: 0
       - name: Checkout the latest released tag
         run: |
+          # Grab the latest Grype ignore list before git checkout overwrites it.
+          cp .grype.yaml .grype.yaml.new
           VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
           git checkout $VERSION
+          # Restore the newest Grype ignore list.
+          mv .grype.yaml.new .grype.yaml
       # NOTE: Scan first without failing, else we won't be able to read the scan
       # report.
       - name: Scan application (no fail)

.grype.yaml

@@ -45,4 +45,12 @@ ignore:
   # present in Debian Bookworm. Also, libcurl is an HTTP client, and the
   # Dangerzone container does not make any network calls.
   - vulnerability: CVE-2025-0665
-
+  # CVE-2025-43859
+  # ==============
+  #
+  # GitHub advisory: https://github.com/advisories/GHSA-vqfr-h8mv-ghfj
+  # Verdict: Dangerzone is not affected because the vulnerable code is triggered
+  # when parsing HTTP requests, e.g., by web **servers**. Dangerzone on the
+  # other hand performs HTTP requests, i.e., it operates as **client**.
+  - vulnerability: CVE-2025-43859
+  - vulnerability: GHSA-vqfr-h8mv-ghfj

BUILD.md

@@ -113,7 +113,7 @@ Install Poetry using `pipx`:
 
 ```sh
 pipx install poetry
-pipx inject poetry poetry-plugin-export
+pipx inject poetry
 ```
 
 Clone this repository:
@@ -187,27 +187,27 @@ Overview of the qubes you'll create:
 |--------------|----------|---------|
 | dz           | app qube | Dangerzone development |
 | dz-dvm       | app qube | offline disposable template for performing conversions |
-| fedora-40-dz | template | template for the other two qubes |
+| fedora-41-dz | template | template for the other two qubes |
 
 #### In `dom0`:
 
 The following instructions require typing commands in a terminal in dom0.
 
-1. Create a new Fedora **template** (`fedora-40-dz`) for Dangerzone development:
+1. Create a new Fedora **template** (`fedora-41-dz`) for Dangerzone development:
 
    ```
-   qvm-clone fedora-40 fedora-40-dz
+   qvm-clone fedora-41 fedora-41-dz
    ```
 
    > :bulb: Alternatively, you can use your base Fedora 40 template in the
    > following instructions. In that case, skip this step and replace
-   > `fedora-40-dz` with `fedora-40` in the steps below.
+   > `fedora-41-dz` with `fedora-41` in the steps below.
 
-2. Create an offline disposable template (app qube) called `dz-dvm`, based on the `fedora-40-dz`
+2. Create an offline disposable template (app qube) called `dz-dvm`, based on the `fedora-41-dz`
    template. This will be the qube where the documents will be sanitized:
 
    ```
-   qvm-create --class AppVM --label red --template fedora-40-dz \
+   qvm-create --class AppVM --label red --template fedora-41-dz \
        --prop netvm="" --prop template_for_dispvms=True \
        --prop default_dispvm='' dz-dvm
    ```
@@ -216,7 +216,7 @@ The following instructions require typing commands in a terminal in dom0.
    and initiating the sanitization process:
 
    ```
-   qvm-create --class AppVM --label red --template fedora-40-dz dz
+   qvm-create --class AppVM --label red --template fedora-41-dz dz
    qvm-volume resize dz:private $(numfmt --from=auto 20Gi)
    ```
 
@@ -261,12 +261,12 @@ test it.
    ./install/linux/build-rpm.py --qubes
    ```
 
-4. Copy the produced `.rpm` file into `fedora-40-dz`
+4. Copy the produced `.rpm` file into `fedora-41-dz`
    ```sh
    qvm-copy dist/*.x86_64.rpm
    ```
 
-#### In the `fedora-40-dz` template
+#### In the `fedora-41-dz` template
 
 1. Install the `.rpm` package you just copied
 
@@ -274,7 +274,7 @@ test it.
    sudo dnf install ~/QubesIncoming/dz/*.rpm
    ```
 
-2. Shutdown the `fedora-40-dz` template
+2. Shutdown the `fedora-41-dz` template
 
 ### Developing Dangerzone
 
@@ -305,7 +305,7 @@ For changes in the server side components, you can simply edit them locally,
 and they will be mirrored to the disposable qube through the `dz.ConvertDev`
 RPC call.
 
-The only reason to build a new Qubes RPM and install it in the `fedora-40-dz`
+The only reason to build a new Qubes RPM and install it in the `fedora-41-dz`
 template for development is if:
 1. The project requires new server-side components.
 2. The code for `qubes/dz.ConvertDev` needs to be updated.
@@ -326,7 +326,7 @@ cd dangerzone
 Install Python dependencies:
 
 ```sh
-python3 -m pip install poetry poetry-plugin-export
+python3 -m pip install poetry
 poetry install
 ```
 
@@ -387,7 +387,7 @@ Install Microsoft Visual C++ 14.0 or greater. Get it with ["Microsoft C++ Build
 Install [poetry](https://python-poetry.org/). Open PowerShell, and run:
 
 ```
-python -m pip install poetry poetry-plugin-export
+python -m pip install poetry
 ```
 
 Install git from [here](https://git-scm.com/download/win), open a Windows terminal (`cmd.exe`) and clone this repository:

CHANGELOG.md

@@ -7,6 +7,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 ## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...HEAD)
 
+## Changed
+
+- Update installation instructions (and CI checks) for Debian derivatives ([#1141](https://github.com/freedomofpress/dangerzone/pull/1141))
+
 ## [0.9.0](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...0.8.1)
 
 ### Added
@@ -68,6 +72,7 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
   Thanks [@jkarasti](https://github.com/jkarasti) for the contribution.
 - Work around a `cx_freeze` build issue ([#974](https://github.com/freedomofpress/dangerzone/issues/974))
 - tests: mark the hancom office suite tests for rerun on failures ([#991](https://github.com/freedomofpress/dangerzone/pull/991))
+- Update reference template for Qubes to Fedora 41 ([#1078](https://github.com/freedomofpress/dangerzone/issues/1078))
 
 ## [0.8.1](https://github.com/freedomofpress/dangerzone/compare/v0.8.1...0.8.0)
 

INSTALL.md

@@ -110,30 +110,30 @@ Dangerzone is available for:
   </tr>
 </table>
 
-First, retrieve the PGP keys.
+First, retrieve the PGP keys. The instructions differ depending on the specific
+distribution you are using:
 
-Starting with Trixie, follow these instructions to download the PGP keys:
+For Debian Trixie and Ubuntu Plucky (25.04), follow these instructions to
+download the PGP keys:
 
 ```bash
-sudo apt-get update && sudo apt-get install sq -y
+sudo apt-get update && sudo apt-get install sq ca-certificates -y
-mkdir -p /etc/apt/keyrings/
 sq network keyserver \
    --server hkps://keys.openpgp.org \
    search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-   --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+   --output - | sq packet dearmor fpfdz.gpg
+sudo mkdir -p /etc/apt/keyrings/
+sudo mv fpfdz.gpg /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 ```
 
 On other Debian-derivatives:
 
 ```sh
 sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y
-gpg --keyserver hkps://keys.openpgp.org \
-    --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
-    --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
 sudo mkdir -p /etc/apt/keyrings/
-sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
+sudo gpg --keyserver hkps://keys.openpgp.org \
-    --armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
+    --no-default-keyring --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \
-    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+    --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
 ```
 
 Then, on all distributions, add the URL of the repo in your APT sources:
@@ -231,8 +231,8 @@ After confirming that it matches, type `y` (for yes) and the installation should
 
 > [!IMPORTANT]
 > This section will install Dangerzone in your **default template**
-> (`fedora-40` as of writing this). If you want to install it in a different
+> (`fedora-41` as of writing this). If you want to install it in a different
-> one, make sure to replace `fedora-40` with the template of your choice.
+> one, make sure to replace `fedora-41` with the template of your choice.
 
 The following steps must be completed once. Make sure you run them in the
 specified qubes.
@@ -249,7 +249,7 @@ Create a **disposable**, offline app qube (`dz-dvm`), based on your default
 template. This will be the qube where the documents will be sanitized:
 
 ```
-qvm-create --class AppVM --label red --template fedora-40 \
+qvm-create --class AppVM --label red --template fedora-41 \
     --prop netvm="" --prop template_for_dispvms=True \
     --prop default_dispvm='' dz-dvm
 ```
@@ -262,7 +262,7 @@ document, with the following contents:
 dz.Convert         *       @anyvm       @dispvm:dz-dvm  allow
 ```
 
-#### In the `fedora-40` template
+#### In the `fedora-41` template
 
 Install Dangerzone:
 

Makefile

@@ -22,7 +22,7 @@ fix: ## apply all the suggestions from ruff
 	ruff format
 
 .PHONY: test
-test:
+test: ## Run the tests
 	# Make each GUI test run as a separate process, to avoid segfaults due to
 	# shared state.
 	# See more in https://github.com/freedomofpress/dangerzone/issues/493
@@ -47,27 +47,31 @@ test-large: test-large-init  ## Run large test set
 	python -m pytest --tb=no tests/test_large_set.py::TestLargeSet -v $(JUNIT_FLAGS) --junitxml=$(TEST_LARGE_RESULTS)
 	python $(TEST_LARGE_RESULTS)/report.py $(TEST_LARGE_RESULTS)
 
-Dockerfile: Dockerfile.env Dockerfile.in
+Dockerfile: Dockerfile.env Dockerfile.in ## Regenerate the Dockerfile from its template
 	poetry run jinja2 Dockerfile.in Dockerfile.env > Dockerfile
 
+.PHONY: poetry-install
+poetry-install: ## Install project dependencies
+	poetry install
+
 .PHONY: build-clean
 build-clean:
-	doit clean
+	poetry run doit clean
 
 .PHONY: build-macos-intel
-build-macos-intel: build-clean
+build-macos-intel: build-clean poetry-install ## Build macOS intel package (.dmg)
-	doit -n 8
+	poetry run doit -n 8
 
 .PHONY: build-macos-arm
-build-macos-arm: build-clean
+build-macos-arm: build-clean poetry-install ## Build macOS Apple Silicon package (.dmg)
-	doit -n 8 macos_build_dmg
+	poetry run doit -n 8 macos_build_dmg
 
 .PHONY: build-linux
-build-linux: build-clean
+build-linux: build-clean poetry-install ## Build linux packages (.rpm and .deb)
-	doit -n 8 fedora_rpm debian_deb
+	poetry run doit -n 8 fedora_rpm debian_deb
 
 .PHONY: regenerate-reference-pdfs
-regenerate-reference-pdfs:
+regenerate-reference-pdfs: ## Regenerate the reference PDFs
 	pytest tests/test_cli.py -k regenerate --generate-reference-pdfs
 # Makefile self-help borrowed from the securedrop-client project
 # Explaination of the below shell command should it ever break.

README.md

@@ -14,15 +14,15 @@ _Read more about Dangerzone in the [official site](https://dangerzone.rocks/abou
 
 Follow the instructions for each platform:
 
-* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#macos)
+* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#macos)
-* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.1//INSTALL.md#windows)
+* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.9.0//INSTALL.md#windows)
-* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
+* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#ubuntu-debian)
-* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
+* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#ubuntu-debian)
-* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#fedora)
+* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#fedora)
-* [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#qubes-os)
+* [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#qubes-os)
-* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#tails)
+* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#tails)
 
-You can read more about our operating system support [here](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#operating-system-support).
+You can read more about our operating system support [here](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#operating-system-support).
 
 ## Some features
 
@@ -82,3 +82,7 @@ Dangerzone gets updates to improve its features _and_ to fix problems. So, updat
 1. Check which version of Dangerzone you are currently using: run Dangerzone, then look for a series of numbers to the right of the logo within the app. The format of the numbers will look similar to `0.4.1`
 2. Now find the latest available version of Dangerzone: go to the [download page](https://dangerzone.rocks/#downloads). Look for the version number displayed. The number will be using the same format as in Step 1.
 3. Is the version on the Dangerzone download page higher than the version of your installed app? Go ahead and update.
+
+### Can I use Podman Desktop?
+
+Yes! We've introduced [experimental support for Podman Desktop](https://github.com/freedomofpress/dangerzone/blob/main/docs/podman-desktop.md) on Windows and macOS.

RELEASE.md

@@ -21,6 +21,7 @@ Here is a list of tasks that should be done before issuing the release:
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release
 - [ ] A draft release should be created. Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
+- [ ] Send the release notes to editorial for review
 - [ ] Do the QA tasks
 
 ## Add new Linux platforms and remove obsolete ones
@@ -123,7 +124,7 @@ Here is what you need to do:
 
   # In case of a new Python installation or minor version upgrade, e.g., from
   # 3.11 to 3.12, reinstall Poetry
-  python3 -m pip install poetry poetry-plugin-export
+  python3 -m pip install poetry
 
   # You can verify the correct Python version is used
   poetry debug info
@@ -141,7 +142,7 @@ Here is what you need to do:
   poetry env remove --all
 
   # Install the dependencies
-  poetry install --sync
+  poetry sync
   ```
 
 - [ ] Build the container image and the OCR language data
@@ -205,7 +206,7 @@ The Windows release is performed in a Windows 11 virtual machine (as opposed to
   ```bash
   # In case of a new Python installation or minor version upgrade, e.g., from
   # 3.11 to 3.12, reinstall Poetry
-  python3 -m pip install poetry poetry-plugin-export
+  python3 -m pip install poetry
 
   # You can verify the correct Python version is used
   poetry debug info
@@ -223,7 +224,7 @@ The Windows release is performed in a Windows 11 virtual machine (as opposed to
   poetry env remove --all
 
   # Install the dependencies
-  poetry install --sync
+  poetry sync
   ```
 
 - [ ] Copy the container image into the VM

dangerzone/__init__.py

@@ -4,6 +4,12 @@ import sys
 
 logger = logging.getLogger(__name__)
 
+# Call freeze_support() to avoid passing unknown options to the subprocess.
+# See https://github.com/freedomofpress/dangerzone/issues/873
+import multiprocessing
+
+multiprocessing.freeze_support()
+
 
 try:
     from . import vendor  # type: ignore [attr-defined]

dangerzone/cli.py

@@ -52,7 +52,11 @@ def print_header(s: str) -> None:
 @click.option(
     "--set-container-runtime",
     required=False,
-    help="The path to the container runtime you want to set in the settings",
+    help=(
+        "The name or full path of the container runtime you want Dangerzone to use."
+        " You can specify the value 'default' if you want to take back your choice, and"
+        " let Dangerzone use the default runtime for this OS"
+    ),
 )
 @click.version_option(version=get_version(), message="%(version)s")
 @errors.handle_document_errors
@@ -69,10 +73,16 @@ def cli_main(
     display_banner()
     if set_container_runtime:
         settings = Settings()
-        container_runtime = settings.set_custom_runtime(
+        if set_container_runtime == "default":
-            set_container_runtime, autosave=True
+            settings.unset_custom_runtime()
-        )
+            click.echo(
-        click.echo(f"Set the settings container_runtime to {container_runtime}")
+                "Instructed Dangerzone to use the default container runtime for this OS"
+            )
+        else:
+            container_runtime = settings.set_custom_runtime(
+                set_container_runtime, autosave=True
+            )
+            click.echo(f"Set the settings container_runtime to {container_runtime}")
         sys.exit(0)
     elif not filenames:
         raise click.UsageError("Missing argument 'FILENAMES...'")

dangerzone/gui/main_window.py

@@ -3,7 +3,6 @@ import os
 import platform
 import tempfile
 import typing
-from multiprocessing import freeze_support
 from multiprocessing.pool import ThreadPool
 from pathlib import Path
 from typing import List, Optional
@@ -228,7 +227,9 @@ class MainWindow(QtWidgets.QMainWindow):
                 if not is_version_valid:
                     self.handle_docker_desktop_version_check(is_version_valid, version)
             except errors.UnsupportedContainerRuntime as e:
-                pass  # It's catched later in the flow.
+                pass  # It's caught later in the flow.
+            except errors.NoContainerTechException as e:
+                pass  # It's caught later in the flow.
 
         self.show()
 
@@ -1236,9 +1237,6 @@ class DocumentsListWidget(QtWidgets.QListWidget):
     def start_conversion(self) -> None:
         if not self.thread_pool_initized:
             max_jobs = self.dangerzone.isolation_provider.get_max_parallel_conversions()
-            # Call freeze_support() to avoid passing unknown options to the subprocess.
-            # See https://github.com/freedomofpress/dangerzone/issues/873
-            freeze_support()
             self.thread_pool = ThreadPool(max_jobs)
 
         for doc in self.docs_list:

dangerzone/isolation_provider/container.py

@@ -56,7 +56,14 @@ class Container(IsolationProvider):
             security_args = ["--log-driver", "none"]
             security_args += ["--security-opt", "no-new-privileges"]
             if container_utils.get_runtime_version() >= (4, 1):
-                security_args += ["--userns", "nomap"]
+                # We perform a platform check to avoid the following Podman Desktop
+                # error on Windows:
+                #
+                #   Error: nomap is only supported in rootless mode
+                #
+                # See also: https://github.com/freedomofpress/dangerzone/issues/1127
+                if platform.system() != "Windows":
+                    security_args += ["--userns", "nomap"]
         else:
             security_args = ["--security-opt=no-new-privileges:true"]
 
@@ -67,7 +74,15 @@ class Container(IsolationProvider):
         # [1] https://github.com/freedomofpress/dangerzone/issues/846
         # [2] https://github.com/containers/common/blob/d3283f8401eeeb21f3c59a425b5461f069e199a7/pkg/seccomp/seccomp.json
         seccomp_json_path = str(get_resource_path("seccomp.gvisor.json"))
-        security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
+        # We perform a platform check to avoid the following Podman Desktop
+        # error on Windows:
+        #
+        #   Error: opening seccomp profile failed: open
+        #   C:\[...]\dangerzone\share\seccomp.gvisor.json: no such file or directory
+        #
+        # See also: https://github.com/freedomofpress/dangerzone/issues/1127
+        if runtime.name == "podman" and platform.system() != "Windows":
+            security_args += ["--security-opt", f"seccomp={seccomp_json_path}"]
 
         security_args += ["--cap-drop", "all"]
         security_args += ["--cap-add", "SYS_CHROOT"]

dangerzone/settings.py

@@ -52,6 +52,10 @@ class Settings:
             self.save()
         return container_runtime
 
+    def unset_custom_runtime(self) -> None:
+        self.settings.pop("container_runtime")
+        self.save()
+
     def get(self, key: str) -> Any:
         return self.settings[key]
 

debian/changelog

@@ -2,13 +2,13 @@ dangerzone (0.9.0) unstable; urgency=low
 
   * Released Dangerzone 0.9.0
 
- -- Freedom of the Press Foundation   <info@freedom.press>  Mon, 31 March 2025 15:57:18 +0300
+ -- Freedom of the Press Foundation   <info@freedom.press>  Mon, 31 Mar 2025 15:57:18 +0300
 
 dangerzone (0.8.1) unstable; urgency=low
 
   * Released Dangerzone 0.8.1
 
- -- Freedom of the Press Foundation   <info@freedom.press>  Tue, 22 December 2024 22:03:28 +0300
+ -- Freedom of the Press Foundation   <info@freedom.press>  Tue, 22 Dec 2024 22:03:28 +0300
 
 dangerzone (0.8.0) unstable; urgency=low
 

dev_scripts/qa.py

@@ -331,7 +331,7 @@ Install Poetry using `pipx`:
 
 ```sh
 pipx install poetry
-pipx inject poetry poetry-plugin-export
+pipx inject poetry
 ```
 
 Clone this repository:
@@ -397,7 +397,7 @@ Install Microsoft Visual C++ 14.0 or greater. Get it with ["Microsoft C++ Build
 Install [poetry](https://python-poetry.org/). Open PowerShell, and run:
 
 ```
-python -m pip install poetry poetry-plugin-export
+python -m pip install poetry
 ```
 
 Install git from [here](https://git-scm.com/download/win), open a Windows terminal (`cmd.exe`) and clone this repository:
@@ -835,8 +835,8 @@ class QAWindows(QABase):
         "Install Poetry and the project's dependencies", ref=REF_BUILD, auto=True
     )
     def install_poetry(self):
-        self.run("python", "-m", "pip", "install", "poetry", "poetry-plugin-export")
+        self.run("python", "-m", "pip", "install", "poetry")
-        self.run("poetry", "install", "--sync")
+        self.run("poetry", "sync")
 
     @QABase.task("Build Dangerzone container image", ref=REF_BUILD, auto=True)
     def build_image(self):

docs/developer/doit.md

@@ -42,7 +42,8 @@ doit <task>
 ## Tips and tricks
 
 * You can run `doit list --all -s` to see the full list of tasks, their
-  dependencies, and whether they are up to date.
+  dependencies, and whether they are up to date (U) or will run (R). Note that
+  certain small tasks are always configured to run.
 * You can run `doit info <task>` to see which dependencies are missing.
 * You can pass the following environment variables to the script, in order to
   affect some global parameters:

docs/podman-desktop.md

@@ -0,0 +1,53 @@
+# Podman Desktop support
+
+Starting with Dangerzone 0.9.0, it is possible to use Podman Desktop on
+Windows and macOS. The support for this container runtime is currently only
+experimental. If you try it out and encounter issues, please reach to us, we'll
+be glad to help.
+
+With [Podman Desktop](https://podman-desktop.io/) installed on your machine,
+here are the required steps to change the dangerzone container runtime.
+
+You will be required to open a terminal and follow these steps:
+
+## On macOS
+
+You will need to configure podman to access the shared Dangerzone resources:
+
+```bash
+podman machine stop
+podman machine rm
+cat > ~/.config/containers/containers.conf <<EOF
+[machine]
+volumes = ["/Users:/Users", "/private:/private", "/var/folders:/var/folders", "/Applications/Dangerzone.app:/Applications/Dangerzone.app"]
+EOF
+podman machine init
+podman machine set --rootful=false  
+podman machine start
+```
+Then, set the container runtime to podman using this command:
+
+```bash
+/Applications/Dangerzone.app/Contents/MacOS/dangerzone-cli --set-container-runtime podman
+```
+
+In order to get back to the default behaviour (Docker Desktop on macOS), pass
+the `default` value instead:
+
+```bash
+/Applications/Dangerzone.app/Contents/MacOS/dangerzone-cli --set-container-runtime default
+```
+
+## On Windows
+
+To set the container runtime to podman, use this command:
+
+```bash
+'C:\Program Files\Dangerzone\dangerzone-cli.exe' --set-container-runtime podman
+```
+
+To revert back to the default behavior, pass the `default` value:
+
+```bash
+'C:\Program Files\Dangerzone\dangerzone-cli.exe' --set-container-runtime podman
+```

dodo.py

@@ -8,8 +8,7 @@ from doit.action import CmdAction
 
 ARCH = "arm64" if platform.machine() == "arm64" else "i686"
 VERSION = open("share/version.txt").read().strip()
-FEDORA_VERSIONS = ["40", "41"]
+FEDORA_VERSIONS = ["40", "41", "42"]
-DEBIAN_VERSIONS = ["bullseye", "jammy", "mantic", "noble", "trixie"]
 
 ### Global parameters
 
@@ -44,7 +43,6 @@ def list_language_data():
     tessdata_dir = Path("share") / "tessdata"
     langs = json.loads(open(tessdata_dir.parent / "ocr-languages.json").read()).values()
     targets = [tessdata_dir / f"{lang}.traineddata" for lang in langs]
-    targets.append(tessdata_dir)
     return targets
 
 
@@ -124,7 +122,7 @@ def build_deb(cwd):
 
 def build_rpm(version, cwd, qubes=False):
     """Build an .rpm package on the requested Fedora distro."""
-    return build_linux_pkg(distro="Fedora", version=version, cwd=cwd, qubes=qubes)
+    return build_linux_pkg(distro="fedora", version=version, cwd=cwd, qubes=qubes)
 
 
 ### Tasks
@@ -208,7 +206,7 @@ def task_build_image():
 
 def task_poetry_install():
     """Setup the Poetry environment"""
-    return {"actions": ["poetry install --sync"], "clean": ["poetry env remove --all"]}
+    return {"actions": ["poetry sync"], "clean": ["poetry env remove --all"]}
 
 
 def task_macos_build_dmg():

install/common/build-image.py

@@ -5,7 +5,7 @@ import subprocess
 import sys
 from pathlib import Path
 
-BUILD_CONTEXT = "dangerzone/"
+BUILD_CONTEXT = "dangerzone"
 IMAGE_NAME = "dangerzone.rocks/dangerzone"
 if platform.system() in ["Darwin", "Windows"]:
     CONTAINER_RUNTIME = "docker"
@@ -122,7 +122,8 @@ def main():
 
     subprocess.run(
         [
-            "./dev_scripts/repro-build.py",
+            sys.executable,
+            str(Path("dev_scripts") / "repro-build.py"),
             "build",
             "--runtime",
             args.runtime,

install/common/download-tessdata.py

@@ -51,6 +51,8 @@ def main():
         if files == expected_files:
             logger.info("Skipping tessdata download, language data already exists")
             return
+        elif not files:
+            logger.info("Tesseract dir is empty, proceeding to download language data")
         else:
             logger.info(f"Found {tessdata_dir} but contents do not match")
             return 1

install/windows/build-wxs.py

@@ -193,7 +193,7 @@ def main():
         Path="C:\\Program Files (x86)\\Dangerzone",
     )
     ET.SubElement(directory_search_el, "FileSearch", Name="dangerzone.exe")
-    registry_search_el = ET.SubElement(package_el, "Property", Id="DANGERZONE080FOUND")
+    registry_search_el = ET.SubElement(package_el, "Property", Id="DANGERZONE08FOUND")
     ET.SubElement(
         registry_search_el,
         "RegistrySearch",
@@ -202,11 +202,19 @@ def main():
         Name="DisplayName",
         Type="raw",
     )
+    ET.SubElement(
+        registry_search_el,
+        "RegistrySearch",
+        Root="HKLM",
+        Key="SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8AAC0808-3556-4164-9D15-6EC1FB673AB2}",
+        Name="DisplayName",
+        Type="raw",
+    )
     ET.SubElement(
         package_el,
         "Launch",
-        Condition="NOT OLDDANGERZONEFOUND AND NOT DANGERZONE080FOUND",
+        Condition="NOT OLDDANGERZONEFOUND AND NOT DANGERZONE08FOUND",
-        Message="A previous version of [ProductName] is already installed. Please uninstall it from Programs and Features before proceeding with the installation.",
+        Message='A previous version of [ProductName] is already installed. Please uninstall it from "Apps & Features" before proceeding with the installation.',
     )
 
     # Add the ProgramMenuFolder StandardDirectory

poetry.lock

@@ -405,33 +405,33 @@ test = ["pytest (>=6)"]
 
 [[package]]
 name = "h11"
-version = "0.14.0"
+version = "0.16.0"
 description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1"
 optional = false
-python-versions = ">=3.7"
+python-versions = ">=3.8"
 groups = ["dev"]
 markers = "platform_machine == \"x86_64\" or platform_machine == \"i686\" or platform_machine == \"aarch64\" or platform_machine == \"armv7l\" or platform_machine == \"ppc64le\" or platform_machine == \"s390x\" or sys_platform != \"linux\" or platform_machine != \"x86_64\" and platform_machine != \"i686\" and platform_machine != \"aarch64\" and platform_machine != \"armv7l\" and platform_machine != \"ppc64le\" and platform_machine != \"s390x\""
 files = [
-    {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"},
+    {file = "h11-0.16.0-py3-none-any.whl", hash = "sha256:63cf8bbe7522de3bf65932fda1d9c2772064ffb3dae62d55932da54b31cb6c86"},
-    {file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"},
+    {file = "h11-0.16.0.tar.gz", hash = "sha256:4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1"},
 ]
 
 [[package]]
 name = "httpcore"
-version = "1.0.7"
+version = "1.0.9"
 description = "A minimal low-level HTTP client."
 optional = false
 python-versions = ">=3.8"
 groups = ["dev"]
 markers = "platform_machine == \"x86_64\" or platform_machine == \"i686\" or platform_machine == \"aarch64\" or platform_machine == \"armv7l\" or platform_machine == \"ppc64le\" or platform_machine == \"s390x\" or sys_platform != \"linux\" or platform_machine != \"x86_64\" and platform_machine != \"i686\" and platform_machine != \"aarch64\" and platform_machine != \"armv7l\" and platform_machine != \"ppc64le\" and platform_machine != \"s390x\""
 files = [
-    {file = "httpcore-1.0.7-py3-none-any.whl", hash = "sha256:a3fff8f43dc260d5bd363d9f9cf1830fa3a458b332856f34282de498ed420edd"},
+    {file = "httpcore-1.0.9-py3-none-any.whl", hash = "sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55"},
-    {file = "httpcore-1.0.7.tar.gz", hash = "sha256:8551cb62a169ec7162ac7be8d4817d561f60e08eaa485234898414bb5a8a0b4c"},
+    {file = "httpcore-1.0.9.tar.gz", hash = "sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8"},
 ]
 
 [package.dependencies]
 certifi = "*"
-h11 = ">=0.13,<0.15"
+h11 = ">=0.16"
 
 [package.extras]
 asyncio = ["anyio (>=4.0,<5.0)"]

setup-windows.py

@@ -13,7 +13,7 @@ setup(
     description="Dangerzone",
     options={
         "build_exe": {
-            "packages": ["dangerzone", "dangerzone.gui"],
+            "packages": ["dangerzone", "dangerzone.gui", "pymupdf._wxcolors"],
             "excludes": ["test", "tkinter"],
             "include_files": [("share", "share"), ("LICENSE", "LICENSE")],
             "include_msvcr": True,