Release process¶
Before release¶
Check versions¶
Update
requirements*.txt(usepip list -o).Make sure that
setup.pyhas proper requirements.Check
.travis.yaml.Check
tox.ini.Check
NEWEST_PYTHON,NEWEST_DJANGOandNEWEST_CRYPTOGRAPHYintest_settings.py.Update
VERSIONand__version__inca/django_ca/__init__.py(see PEP 440).Update the docker images in dev.py docker-test.
Other tasks¶
Check if any version of a dependency is no longer supported and we can depcreate support for it:
Make sure that
setup.pyhas proper classifiers.Make sure that
docs/source/changelog.rstis up to date.
Run testsuite¶
First, run
./dev.py clean.Check code quality (
./dev.py code-quality).Check test coverage (
./dev.py coverage).Make sure that
./dev.py docker-testruns through.Make sure that
toxruns through for all environments.
Test demo¶
Make sure that the demo works:
rm -rf ca/db.sqlite3 ca/files/
./dev.py init-demo
# test commands from the output:
openssl verify -CAfile...
Test admin interface¶
Check if the output of CAs and certs look okay: http://localhost:8000/admin
Check if the profile selection when creating a certificate works.
Check if pasting a CSR shows values from the CSR next to the “Subject” field.
Docker¶
Create a docker image:
export DOCKER_BUILDKIT=1
docker build --progress=plain -t mathiasertl/django-ca .
… and follow instructions at Use Docker to test the Docker image.
docker-compose¶
Verify that docker-compose uses up-to-date version of 3rd-party containers.
Follow Quickstart with docker-compose to set up a CA.
Use
localhostas hostname.Do not set
NGINX_TEMPLATEin.env.Do not add a
docker-compose.override.yml(it’s only for TLS).
You should now be able to visit http://localhost/admin and log in. You are able to sign a certificate, but only for the “child” CA.
In order to sign a certificate, we first need a private key and a CSR:
$ openssl genrsa -out cert.key 4096
$ openssl req -new -key cert.key -out cert.csr -utf8 -batch \
> -subj '/CN=hostname/emailAddress=root@hostname'
Now, let’s create a certificate for the root CA. Because it’s only present for Celery, we need to create it using the CLI:
$ docker-compose exec backend manage sign_cert --ca="Root CA" \
> --subject="/CN=signed-in-backend.example.com"
Please paste the CSR:
...
Check that the same fails in the frontend container (because the root CA is only available in the backend):
$ docker-compose exec frontend manage sign_cert --ca="Root CA" \
> --subject="/CN=signed-in-backend.example.com"
Finally, verify that CRL and OCSP validation works:
$ docker-compose exec backend manage dump_ca "Root CA" > root.pem
$ docker-compose exec backend manage dump_cert signed-in-backend.example.com > cert.pem
$ openssl verify -CAfile root.pem -crl_download -crl_check cert.pem
cert.pem: OK
$ openssl x509 -in cert.pem -noout -text | grep OCSP
OCSP - URI:http://localhost/django_ca/ocsp/...
$ openssl ocsp -CAfile root.pem -issuer root.pem -cert cert.pem -resp_text \
> -url http://localhost/django_ca/ocsp/...
...
Response verify OK
cert.pem: good
Release process¶
Push the last commit and make sure that Travis and Read The Docs are updated.
Tag the release:
git tag -s $version -m "release $version"Push the tag:
git push origin --tagsCreate a release on GitHub.
Create package for PyPi:
python setup.py sdist bdist_wheel.Upload package to PyPi:
twine upload dist/*Tag and upload the docker image (note that we create a image revision by appending
-1):docker tag mathiasertl/django-ca mathiasertl/django-ca:$version docker tag mathiasertl/django-ca mathiasertl/django-ca:$version-1 docker push mathiasertl/django-ca:$version-1 docker push mathiasertl/django-ca:$version docker push mathiasertl/django-ca
After a release¶
Update
VERSIONand__version__inca/django_ca/__init__.pyto the next development release (see PEP 440).Update
django_ca/deprecation.py.Update version in
setup.py.Drop support for older software versions in
.travis.yml,tox.inianddev.py docker-test.Remove files in dist:
rm -rf dist/*Update
docker-compose.ymlto use thelatestversion of django-ca.Start new changelog entry in
docs/source/changelog.rst.