Release process¶
Before release¶
Check versions¶
- Update
requirements*.txt
(usepip list -o
). - Make sure that
setup.py
has proper requirements. - Check
.travis.yaml
. - Check
tox.ini
. - Check
NEWEST_PYTHON
,NEWEST_DJANGO
andNEWEST_CRYPTOGRAPHY
intest_settings.py
. - Update
VERSION
and__version__
inca/django_ca/__init__.py
(see PEP 440). - Update
version
parameter insetup.py
.
Other tasks¶
- Check if any version of a dependency is no longer supported and we can depcreate support for it:
- Make sure that
setup.py
has proper classifiers. - Make sure that
docs/source/changelog.rst
is up to date.
Run testsuite¶
- Check code quality (
python dev.py code-quality
). - Check test coverage (
python dev.py coverage
). - Make sure that
python dev.py docker-test
runs through. - Make sure that tox runs through for all environments.
Test demo¶
Make sure that the demo works:
rm -rf ca/db.sqlite3 ca/files/
./dev.py init-demo
# test commands from the output:
openssl verify -CAfile...
Test admin interface¶
- Check if the output of CAs and certs look okay: http://localhost:8000/admin
- Check if the profile selection when creating a certificate works.
Docker image¶
Create a docker image:
export DOCKER_BUILDKIT=1
docker build --progress=plain -t mathiasertl/django-ca .
… and follow instructions at Use Docker to test the Docker image.
docker-compose¶
- Verify that docker-compose uses up-to-date version of 3rd-party containers.
- Follow instructions to test the docker-compose setup:
$ DJANGO_CA_CA_DEFAULT_HOSTNAME=localhost docker-compose up
$ docker-compose exec backend ./manage.py createsuperuser
$ docker-compose exec backend ./manage.py init_ca --pathlen=1 root /CN=example.com
$ docker-compose exec backend ./manage.py init_ca \
> --path=ca/shared/ --parent=example.com child /CN=child.example.com
You should now be able to visit http://localhost and log in. You are able to sign a certificate, but only for the “child” CA.
Now, let’s create a certificate for the root CA. Because it’s only present for Celery, we need to create it using the CLI:
$ docker-compose exec frontend ./manage.py sign_cert --ca=example.com \
> --subject="/CN=signed-in-backend.example.com
Check that the same fails in the frontend container (because the root CA is only available in the backend):
$ docker-compose exec frontend ./manage.py sign_cert --ca=example.com \
> --subject="/CN=signed-in-backend.example.com"
Finally, verify that CRL and OCSP validation works:
$ docker-compose exec backend ./manage.py dump_ca example.com
$ docker-compose exec backend ./manage.py dump_cert signed-in-backend.example.com > cert.pem
$ openssl verify -CAfile root.pem -crl_download -crl_check cert.pem
cert.pem: OK
$ openssl x509 -in cert.pem -noout -text | grep OCSP
OCSP - URI:http://localhost/django_ca/ocsp/772198A6DAEF88A44C3F34780F0D657A60378EB1/cert/
$ openssl ocsp -CAfile root.pem -issuer root.pem -cert cert.pem -resp_text \
> -url http://localhost/django_ca/ocsp/772198A6DAEF88A44C3F34780F0D657A60378EB1/cert/
...
Response verify OK
cert.pem: good
Release process¶
Push the last commit and make sure that Travis and Read The Docs are updated.
Tag the release:
git tag -s $version -m "release $version"
Push the tag:
git push origin --tags
Create a release on GitHub.
Create package for PyPi:
python setup.py sdist bdist_wheel
.Upload package to PyPi:
twine upload dist/*
Tag and upload the docker image (note that we create a image revision by appending
-1
):docker tag mathiasertl/django-ca mathiasertl/django-ca:$version docker tag mathiasertl/django-ca mathiasertl/django-ca:$version-1 docker push mathiasertl/django-ca:$version-1 docker push mathiasertl/django-ca:$version docker push mathiasertl/django-ca
After a release¶
- Update
VERSION
and__version__
inca/django_ca/__init__.py
to the next development release (see PEP 440). - Update version in
setup.py
. - Drop support for older software versions in
.travis.yml
,tox.ini
anddev.py docker-test
. - Remove files in dist:
rm -rf dist/*
- Update
docker-compose.yml
to use thelatest
version of django-ca.