Retain Grype ignore list from current branch

When security scanning our poetry.lock file for the **released**
Dangerzone version, retain the Grype ignore
list (.grype.yaml) of the current branch, which would be otherwise
overwritten by a git checkout to the latest released tag (v0.9.0 as of
writing this). This way, we can instruct Grype to ignore vulnerabilities
in the latest Dangerzone release.

.github/workflows/check_repos.yml

@@ -19,6 +19,8 @@ jobs:
     strategy:
       matrix:
         include:
+          - distro: ubuntu
+            version: "25.04"  # plucky
           - distro: ubuntu
             version: "24.10"  # oracular
           - distro: ubuntu
@@ -32,8 +34,8 @@ jobs:
           - distro: debian
             version: "11"  # bullseye
     steps:
-      - name: Add packages.freedom.press PGP key (gpg)
-        if: matrix.version != 'trixie'
+      - name: Add packages.freedom.press PGP key (gpg --keyring)
+        if: matrix.version != 'trixie' && matrix.version != "25.04"
         run: |
           apt-get update && apt-get install -y gnupg2 ca-certificates
           dirmngr  # NOTE: This is a command that's necessary only in containers
@@ -46,7 +48,7 @@ jobs:
           mv ./fpf-apt-tools-archive-keyring.gpg /etc/apt/keyrings/.
 
       - name: Add packages.freedom.press PGP key (sq)
-        if: matrix.version == 'trixie'
+        if: matrix.version == 'trixie' || matrix.version == '25.04'
         run: |
           apt-get update && apt-get install -y ca-certificates sq
           mkdir -p /etc/apt/keyrings/
@@ -55,7 +57,10 @@ jobs:
           sq network keyserver \
              --server hkps://keys.openpgp.org \
              search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-             --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+             --output - \
+          | sq packet dearmor \
+          > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+
       - name: Add packages.freedom.press to our APT sources
         run: |
           . /etc/os-release
@@ -79,6 +84,8 @@ jobs:
             version: 40
           - distro: fedora
             version: 41
+          - distro: fedora
+            version: 42
     steps:
       - name: Add packages.freedom.press to our YUM sources
         run: |

.github/workflows/scan_released.yml

@@ -20,7 +20,7 @@ jobs:
       - name: Download container image for the latest release and load it
         run: |
           VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | grep "tag_name" | cut -d '"' -f 4)
-          CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz
+          CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar
           wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME}
           docker load -i ${CONTAINER_FILENAME}
       - name: Get image tag
@@ -67,8 +67,12 @@ jobs:
           fetch-depth: 0
       - name: Checkout the latest released tag
         run: |
+          # Grab the latest Grype ignore list before git checkout overwrites it.
+          cp .grype.yaml .grype.yaml.new
           VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | jq -r '.tag_name')
           git checkout $VERSION
+          # Restore the newest Grype ignore list.
+          mv .grype.yaml.new .grype.yaml
       # NOTE: Scan first without failing, else we won't be able to read the scan
       # report.
       - name: Scan application (no fail)

.grype.yaml

@@ -45,4 +45,12 @@ ignore:
   # present in Debian Bookworm. Also, libcurl is an HTTP client, and the
   # Dangerzone container does not make any network calls.
   - vulnerability: CVE-2025-0665
-
+  # CVE-2025-43859
+  # ==============
+  #
+  # GitHub advisory: https://github.com/advisories/GHSA-vqfr-h8mv-ghfj
+  # Verdict: Dangerzone is not affected because the vulnerable code is triggered
+  # when parsing HTTP requests, e.g., by web **servers**. Dangerzone on the
+  # other hand performs HTTP requests, i.e., it operates as **client**.
+  - vulnerability: CVE-2025-43859
+  - vulnerability: GHSA-vqfr-h8mv-ghfj

CHANGELOG.md

@@ -7,6 +7,10 @@ since 0.4.1, and this project adheres to [Semantic Versioning](https://semver.or
 
 ## [Unreleased](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...HEAD)
 
+## Changed
+
+- Update installation instructions (and CI checks) for Debian derivatives ([#1141](https://github.com/freedomofpress/dangerzone/pull/1141))
+
 ## [0.9.0](https://github.com/freedomofpress/dangerzone/compare/v0.9.0...0.8.1)
 
 ### Added

INSTALL.md

@@ -110,30 +110,30 @@ Dangerzone is available for:
   </tr>
 </table>
 
-First, retrieve the PGP keys.
+First, retrieve the PGP keys. The instructions differ depending on the specific
+distribution you are using:
 
-Starting with Trixie, follow these instructions to download the PGP keys:
+For Debian Trixie and Ubuntu Plucky (25.04), follow these instructions to
+download the PGP keys:
 
 ```bash
-sudo apt-get update && sudo apt-get install sq -y
-mkdir -p /etc/apt/keyrings/
+sudo apt-get update && sudo apt-get install sq ca-certificates -y
 sq network keyserver \
    --server hkps://keys.openpgp.org \
    search "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-   --output /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+   --output - | sq packet dearmor fpfdz.gpg
+sudo mkdir -p /etc/apt/keyrings/
+sudo mv fpfdz.gpg /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
 ```
 
 On other Debian-derivatives:
 
 ```sh
 sudo apt-get update && sudo apt-get install gnupg2 ca-certificates -y
-gpg --keyserver hkps://keys.openpgp.org \
-    --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
-    --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
 sudo mkdir -p /etc/apt/keyrings/
-sudo gpg --no-default-keyring --keyring ./fpf-apt-tools-archive-keyring.gpg \
-    --armor --export "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281" \
-    > /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg
+sudo gpg --keyserver hkps://keys.openpgp.org \
+    --no-default-keyring --keyring /etc/apt/keyrings/fpf-apt-tools-archive-keyring.gpg \
+    --recv-keys "DE28 AB24 1FA4 8260 FAC9 B8BA A7C9 B385 2260 4281"
 ```
 
 Then, on all distributions, add the URL of the repo in your APT sources:

README.md

@@ -14,15 +14,15 @@ _Read more about Dangerzone in the [official site](https://dangerzone.rocks/abou
 
 Follow the instructions for each platform:
 
-* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#macos)
-* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.8.1//INSTALL.md#windows)
-* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
-* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#ubuntu-debian)
-* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#fedora)
-* [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.8.0/INSTALL.md#qubes-os)
-* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#tails)
+* [macOS](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#macos)
+* [Windows](https://github.com/freedomofpress/dangerzone/blob/v0.9.0//INSTALL.md#windows)
+* [Ubuntu Linux](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#ubuntu-debian)
+* [Debian Linux](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#ubuntu-debian)
+* [Fedora Linux](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#fedora)
+* [Qubes OS (beta)](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#qubes-os)
+* [Tails](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#tails)
 
-You can read more about our operating system support [here](https://github.com/freedomofpress/dangerzone/blob/v0.8.1/INSTALL.md#operating-system-support).
+You can read more about our operating system support [here](https://github.com/freedomofpress/dangerzone/blob/v0.9.0/INSTALL.md#operating-system-support).
 
 ## Some features
 

RELEASE.md

@@ -21,6 +21,7 @@ Here is a list of tasks that should be done before issuing the release:
 - [ ] Update screenshot in `README.md`, if necessary
 - [ ] CHANGELOG.md should be updated to include a list of all major changes since the last release
 - [ ] A draft release should be created. Copy the release notes text from the template at [`docs/templates/release-notes`](https://github.com/freedomofpress/dangerzone/tree/main/docs/templates/)
+- [ ] Send the release notes to editorial for review
 - [ ] Do the QA tasks
 
 ## Add new Linux platforms and remove obsolete ones

docs/podman-desktop.md

@@ -12,7 +12,20 @@ You will be required to open a terminal and follow these steps:
 
 ## On macOS
 
-To set the container runtime to podman, use this command:
+You will need to configure podman to access the shared Dangerzone resources:
+
+```bash
+podman machine stop
+podman machine rm
+cat > ~/.config/containers/containers.conf <<EOF
+[machine]
+volumes = ["/Users:/Users", "/private:/private", "/var/folders:/var/folders", "/Applications/Dangerzone.app:/Applications/Dangerzone.app"]
+EOF
+podman machine init
+podman machine set --rootful=false  
+podman machine start
+```
+Then, set the container runtime to podman using this command:
 
 ```bash
 /Applications/Dangerzone.app/Contents/MacOS/dangerzone-cli --set-container-runtime podman

install/windows/build-wxs.py

@@ -193,7 +193,7 @@ def main():
         Path="C:\\Program Files (x86)\\Dangerzone",
     )
     ET.SubElement(directory_search_el, "FileSearch", Name="dangerzone.exe")
-    registry_search_el = ET.SubElement(package_el, "Property", Id="DANGERZONE080FOUND")
+    registry_search_el = ET.SubElement(package_el, "Property", Id="DANGERZONE08FOUND")
     ET.SubElement(
         registry_search_el,
         "RegistrySearch",
@@ -202,11 +202,19 @@ def main():
         Name="DisplayName",
         Type="raw",
     )
+    ET.SubElement(
+        registry_search_el,
+        "RegistrySearch",
+        Root="HKLM",
+        Key="SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{8AAC0808-3556-4164-9D15-6EC1FB673AB2}",
+        Name="DisplayName",
+        Type="raw",
+    )
     ET.SubElement(
         package_el,
         "Launch",
-        Condition="NOT OLDDANGERZONEFOUND AND NOT DANGERZONE080FOUND",
-        Message="A previous version of [ProductName] is already installed. Please uninstall it from Programs and Features before proceeding with the installation.",
+        Condition="NOT OLDDANGERZONEFOUND AND NOT DANGERZONE08FOUND",
+        Message='A previous version of [ProductName] is already installed. Please uninstall it from "Apps & Features" before proceeding with the installation.',
     )
 
     # Add the ProgramMenuFolder StandardDirectory

poetry.lock

@@ -405,33 +405,33 @@ test = ["pytest (>=6)"]
 
 [[package]]
 name = "h11"
-version = "0.14.0"
+version = "0.16.0"
 description = "A pure-Python, bring-your-own-I/O implementation of HTTP/1.1"
 optional = false
-python-versions = ">=3.7"
+python-versions = ">=3.8"
 groups = ["dev"]
 markers = "platform_machine == \"x86_64\" or platform_machine == \"i686\" or platform_machine == \"aarch64\" or platform_machine == \"armv7l\" or platform_machine == \"ppc64le\" or platform_machine == \"s390x\" or sys_platform != \"linux\" or platform_machine != \"x86_64\" and platform_machine != \"i686\" and platform_machine != \"aarch64\" and platform_machine != \"armv7l\" and platform_machine != \"ppc64le\" and platform_machine != \"s390x\""
 files = [
-    {file = "h11-0.14.0-py3-none-any.whl", hash = "sha256:e3fe4ac4b851c468cc8363d500db52c2ead036020723024a109d37346efaa761"},
-    {file = "h11-0.14.0.tar.gz", hash = "sha256:8f19fbbe99e72420ff35c00b27a34cb9937e902a8b810e2c88300c6f0a3b699d"},
+    {file = "h11-0.16.0-py3-none-any.whl", hash = "sha256:63cf8bbe7522de3bf65932fda1d9c2772064ffb3dae62d55932da54b31cb6c86"},
+    {file = "h11-0.16.0.tar.gz", hash = "sha256:4e35b956cf45792e4caa5885e69fba00bdbc6ffafbfa020300e549b208ee5ff1"},
 ]
 
 [[package]]
 name = "httpcore"
-version = "1.0.7"
+version = "1.0.9"
 description = "A minimal low-level HTTP client."
 optional = false
 python-versions = ">=3.8"
 groups = ["dev"]
 markers = "platform_machine == \"x86_64\" or platform_machine == \"i686\" or platform_machine == \"aarch64\" or platform_machine == \"armv7l\" or platform_machine == \"ppc64le\" or platform_machine == \"s390x\" or sys_platform != \"linux\" or platform_machine != \"x86_64\" and platform_machine != \"i686\" and platform_machine != \"aarch64\" and platform_machine != \"armv7l\" and platform_machine != \"ppc64le\" and platform_machine != \"s390x\""
 files = [
-    {file = "httpcore-1.0.7-py3-none-any.whl", hash = "sha256:a3fff8f43dc260d5bd363d9f9cf1830fa3a458b332856f34282de498ed420edd"},
-    {file = "httpcore-1.0.7.tar.gz", hash = "sha256:8551cb62a169ec7162ac7be8d4817d561f60e08eaa485234898414bb5a8a0b4c"},
+    {file = "httpcore-1.0.9-py3-none-any.whl", hash = "sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55"},
+    {file = "httpcore-1.0.9.tar.gz", hash = "sha256:6e34463af53fd2ab5d807f399a9b45ea31c3dfa2276f15a2c3f00afff6e176e8"},
 ]
 
 [package.dependencies]
 certifi = "*"
-h11 = ">=0.13,<0.15"
+h11 = ">=0.16"
 
 [package.extras]
 asyncio = ["anyio (>=4.0,<5.0)"]