

Update electron-builder and harden fuse configuration (#2106)
t3chguy authored Jan 31, 2025
1 parent ca4c613 commit ae304ce
Showing 3 changed files with 129 additions and 179 deletions.
75 changes: 29 additions & 46 deletions electron-builder.ts
@@ -1,16 +1,14 @@
import * as os from "os";
import * as fs from "fs";
import * as path from "path";
import { Arch, Configuration as BaseConfiguration, AfterPackContext } from "electron-builder";
import { flipFuses, FuseVersion, FuseV1Options } from "@electron/fuses";
import * as os from "node:os";
import * as fs from "node:fs";
import { Configuration as BaseConfiguration } from "electron-builder";

/**
* This script has different outputs depending on your os platform.
*
* On Windows:
* Prefixes the nightly version with `0.0.1-nightly.` as it breaks if it is not semver
* Passes $ED_SIGNTOOL_THUMBPRINT and $ED_SIGNTOOL_SUBJECT_NAME to
* build.win.signingHashAlgorithms and build.win.certificateSubjectName respectively if specified.
* build.win.signtoolOptions.signingHashAlgorithms and build.win.signtoolOptions.certificateSubjectName respectively if specified.
*
* On Linux:
* Replaces spaces in the product name with dashes as spaces in paths can cause issues
Expand Down Expand Up @@ -48,45 +46,26 @@ interface Configuration extends BaseConfiguration {
* @type {import('electron-builder').Configuration}
* @see https://www.electron.build/configuration/configuration
*/
const config: Writable<Configuration> = {
const config: Omit<Writable<Configuration>, "electronFuses"> & {
// Make all fuses required to ensure they are all explicitly specified
electronFuses: Required<Configuration["electronFuses"]>;
} = {
appId: "im.riot.app",
asarUnpack: "**/*.node",
afterPack: async (context: AfterPackContext) => {
if (context.electronPlatformName !== "darwin" || context.arch === Arch.universal) {
// Burn in electron fuses for proactive security hardening.
// On macOS, we only do this for the universal package, as the constituent arm64 and amd64 packages are embedded within.
const ext = (<Record<string, string>>{
darwin: ".app",
win32: ".exe",
linux: "",
})[context.electronPlatformName];

let executableName = context.packager.appInfo.productFilename;
if (context.electronPlatformName === "linux") {
// Linux uses the package name as the executable name
executableName = context.packager.appInfo.name;
}

const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`);
console.log(`Flipping fuses for: ${electronBinaryPath}`);

await flipFuses(electronBinaryPath, {
version: FuseVersion.V1,
resetAdHocDarwinSignature: context.electronPlatformName === "darwin" && context.arch === Arch.universal,

[FuseV1Options.EnableCookieEncryption]: true,
[FuseV1Options.OnlyLoadAppFromAsar]: true,

[FuseV1Options.RunAsNode]: false,
[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
[FuseV1Options.EnableNodeCliInspectArguments]: false,

// Mac app crashes on arm for us when `LoadBrowserProcessSpecificV8Snapshot` is enabled
[FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,
// https://github.com/electron/fuses/issues/7
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
});
}
electronFuses: {
enableCookieEncryption: true,
onlyLoadAppFromAsar: true,
grantFileProtocolExtraPrivileges: false,

runAsNode: false,
enableNodeOptionsEnvironmentVariable: false,
enableNodeCliInspectArguments: false,
// We need to reset the signature if we are not signing on darwin otherwise it won't launch
resetAdHocDarwinSignature: !process.env.APPLE_TEAM_ID,

loadBrowserProcessSpecificV8Snapshot: false,
// https://github.com/electron/fuses/issues/7
enableEmbeddedAsarIntegrityValidation: false,
},
files: [
"package.json",
Expand Down Expand Up @@ -144,12 +123,16 @@ const config: Writable<Configuration> = {
darkModeSupport: true,
hardenedRuntime: true,
gatekeeperAssess: true,
strictVerify: true,
entitlements: "./build/entitlements.mac.plist",
icon: "build/icons/icon.icns",
mergeASARs: true,
},
win: {
target: ["squirrel", "msi"],
signingHashAlgorithms: ["sha256"],
signtoolOptions: {
signingHashAlgorithms: ["sha256"],
},
icon: "build/icons/icon.ico",
},
msi: {
Expand All @@ -172,8 +155,8 @@ const config: Writable<Configuration> = {
* @param {string} process.env.ED_SIGNTOOL_THUMBPRINT
*/
if (process.env.ED_SIGNTOOL_SUBJECT_NAME && process.env.ED_SIGNTOOL_THUMBPRINT) {
config.win.certificateSubjectName = process.env.ED_SIGNTOOL_SUBJECT_NAME;
config.win.certificateSha1 = process.env.ED_SIGNTOOL_THUMBPRINT;
config.win.signtoolOptions!.certificateSubjectName = process.env.ED_SIGNTOOL_SUBJECT_NAME;
config.win.signtoolOptions!.certificateSha1 = process.env.ED_SIGNTOOL_THUMBPRINT;
}

/**
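Review bot: `resetAdHocDarwinSignature: !process.env.APPLE_TEAM_ID` in the electronFuses hunk ties whether the macOS binary can launch to the presence of one environment variable rather than to whether codesigning actually ran; if APPLE_TEAM_ID is set in an environment where signing is skipped or fails, the fuse flip leaves the app with an invalidated ad-hoc signature and it will not start (this assumes electron-builder flips fuses before its sign step, which the hunk does not show). The comment above that line should state the assumption it relies on, e.g. `// Assumes APPLE_TEAM_ID is only set when a signing identity is actually available; if it is set and signing is skipped, the fused binary will not launch.` It is worth confirming the build pipeline cannot export APPLE_TEAM_ID without a certificate present. Separately, the two `config.win.signtoolOptions!` non-null assertions in the last hunk can be dropped by assigning the object in one step: `config.win.signtoolOptions = { ...config.win.signtoolOptions, certificateSubjectName: process.env.ED_SIGNTOOL_SUBJECT_NAME, certificateSha1: process.env.ED_SIGNTOOL_THUMBPRINT };`.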
7 changes: 3 additions & 4 deletions package.json
Expand Up @@ -73,7 +73,6 @@
"@babel/preset-env": "^7.18.10",
"@babel/preset-typescript": "^7.18.6",
"@electron/asar": "3.2.18",
"@electron/fuses": "^1.7.0",
"@mapbox/node-pre-gyp": "^1.0.11",
"@playwright/test": "1.49.1",
"@stylistic/eslint-plugin": "^2.9.0",
Expand All @@ -85,12 +84,12 @@
"@types/yargs": "^17.0.32",
"@typescript-eslint/eslint-plugin": "^8.0.0",
"@typescript-eslint/parser": "^8.0.0",
"app-builder-lib": "25.1.8",
"app-builder-lib": "^26.0.1",
"chokidar": "^4.0.0",
"detect-libc": "^2.0.0",
"electron": "34.0.1",
"electron-builder": "25.1.8",
"electron-builder-squirrel-windows": "25.1.8",
"electron-builder": "^26.0.1",
"electron-builder-squirrel-windows": "^26.0.1",
"electron-devtools-installer": "^4.0.0",
"eslint": "^8.26.0",
"eslint-config-google": "^0.14.0",
