Release process¶
Before release¶
Check versions¶
- Update
requirements*.txt(usepip list -o). - Make sure that
setup.pyhas proper requirements. - Check
.travis.yaml. - Check
tox.ini. - Check
NEWEST_PYTHON,NEWEST_DJANGOandNEWEST_CRYPTOGRAPHYintest_settings.py. - Update
VERSIONand__version__inca/django_ca/__init__.py(see PEP 440). - Update
versionparameter insetup.py.
Other tasks¶
- Check if any version of a dependency is no longer supported and we can depcreate support for it:
- Make sure that
setup.pyhas proper classifiers. - Make sure that
docs/source/changelog.rstis up to date.
Run testsuite¶
- Check code quality (
python dev.py code-quality). - Check test coverage (
python dev.py coverage). - Make sure that
python dev.py docker-testruns through. - Make sure that tox runs through for all environments.
Test demo¶
Make sure that the demo works:
rm -rf ca/db.sqlite3 ca/files/
./dev.py init-demo
# test commands from the output:
openssl verify -CAfile...
Test admin interface¶
- Check if the output of CAs and certs look okay: http://localhost:8000/admin
- Check if the profile selection when creating a certificate works.
Docker image¶
Create a docker image:
export DOCKER_BUILDKIT=1
docker build --progress=plain -t mathiasertl/django-ca .
… and follow instructions at Use Docker to test the Docker image.
docker-compose¶
- Verify that docker-compose uses up-to-date version of 3rd-party containers.
- Follow instructions to test the docker-compose setup:
$ DJANGO_CA_CA_DEFAULT_HOSTNAME=localhost docker-compose up
$ docker-compose exec backend ./manage.py createsuperuser
$ docker-compose exec backend ./manage.py init_ca --pathlen=1 root /CN=example.com
$ docker-compose exec backend ./manage.py init_ca \
> --path=ca/shared/ --parent=example.com child /CN=child.example.com
You should now be able to visit http://localhost and log in. You are able to sign a certificate, but only for the “child” CA.
Now, let’s create a certificate for the root CA. Because it’s only present for Celery, we need to create it using the CLI:
$ docker-compose exec frontend ./manage.py sign_cert --ca=example.com \
> --subject="/CN=signed-in-backend.example.com
Check that the same fails in the frontend container (because the root CA is only available in the backend):
$ docker-compose exec frontend ./manage.py sign_cert --ca=example.com \
> --subject="/CN=signed-in-backend.example.com"
Finally, verify that CRL and OCSP validation works:
$ docker-compose exec backend ./manage.py dump_ca example.com
$ docker-compose exec backend ./manage.py dump_cert signed-in-backend.example.com > cert.pem
$ openssl verify -CAfile root.pem -crl_download -crl_check cert.pem
cert.pem: OK
$ openssl x509 -in cert.pem -noout -text | grep OCSP
OCSP - URI:http://localhost/django_ca/ocsp/772198A6DAEF88A44C3F34780F0D657A60378EB1/cert/
$ openssl ocsp -CAfile root.pem -issuer root.pem -cert cert.pem -resp_text \
> -url http://localhost/django_ca/ocsp/772198A6DAEF88A44C3F34780F0D657A60378EB1/cert/
...
Response verify OK
cert.pem: good
Release process¶
Push the last commit and make sure that Travis and Read The Docs are updated.
Tag the release:
git tag -s $version -m "release $version"Push the tag:
git push origin --tagsCreate a release on GitHub.
Create package for PyPi:
python setup.py sdist bdist_wheel.Upload package to PyPi:
twine upload dist/*Tag and upload the docker image (note that we create a image revision by appending
-1):docker tag mathiasertl/django-ca mathiasertl/django-ca:$version docker tag mathiasertl/django-ca mathiasertl/django-ca:$version-1 docker push mathiasertl/django-ca:$version-1 docker push mathiasertl/django-ca:$version docker push mathiasertl/django-ca
After a release¶
- Update
VERSIONand__version__inca/django_ca/__init__.pyto the next development release (see PEP 440). - Update version in
setup.py. - Drop support for older software versions in
.travis.yml,tox.inianddev.py docker-test. - Remove files in dist:
rm -rf dist/* - Update
docker-compose.ymlto use thelatestversion of django-ca.