From b5b65704f97227e904aba0034c2882371a0a9936 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Tue, 2 Jan 2024 12:41:44 +0000
Subject: [PATCH 01/23] Move electron-builder config to typescript file
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
---
electron-builder.ts | 83 +++++++++++++++++++++++++++++++++++++++++++++
package.json | 76 -----------------------------------------
2 files changed, 83 insertions(+), 76 deletions(-)
create mode 100644 electron-builder.ts
diff --git a/electron-builder.ts b/electron-builder.ts
new file mode 100644
index 000000000..5b8a92f02
--- /dev/null
+++ b/electron-builder.ts
@@ -0,0 +1,83 @@
+import { build, type Configuration, Platform } from "electron-builder";
+
+/**
+ * @type {import('electron-builder').Configuration}
+ * @see https://www.electron.build/configuration/configuration
+ */
+const options: Configuration = {
+ appId: "im.riot.app",
+ asarUnpack: "**/*.node",
+ afterPack: "scripts/afterPack.ts",
+ files: [
+ "package.json",
+ {
+ from: ".hak/hakModules",
+ to: "node_modules",
+ },
+ "lib/**",
+ ],
+ extraResources: [
+ {
+ from: "res/img",
+ to: "img",
+ },
+ "webapp.asar",
+ ],
+ linux: {
+ target: ["tar.gz", "deb"],
+ category: "Network;InstantMessaging;Chat",
+ maintainer: "support@element.io",
+ icon: "build/icons",
+ },
+ deb: {
+ packageCategory: "net",
+ depends: [
+ "libgtk-3-0",
+ "libnotify4",
+ "libnss3",
+ "libxss1",
+ "libxtst6",
+ "xdg-utils",
+ "libatspi2.0-0",
+ "libuuid1",
+ "libsecret-1-0",
+ "libasound2",
+ "libgbm1",
+ ],
+ recommends: ["libsqlcipher0", "element-io-archive-keyring"],
+ },
+ mac: {
+ category: "public.app-category.social-networking",
+ darkModeSupport: true,
+ hardenedRuntime: true,
+ gatekeeperAssess: true,
+ entitlements: "./build/entitlements.mac.plist",
+ icon: "build/icons/icon.icns",
+ },
+ win: {
+ target: ["squirrel"],
+ signingHashAlgorithms: ["sha256"],
+ icon: "build/icons/icon.ico",
+ },
+ directories: {
+ output: "dist",
+ },
+ protocols: [
+ {
+ name: "element",
+ schemes: ["element"],
+ },
+ ],
+};
+
+// Promise is returned
+build({
+ targets: Platform.MAC.createTarget(),
+ config: options,
+})
+ .then((result) => {
+ console.log(JSON.stringify(result));
+ })
+ .catch((error) => {
+ console.error(error);
+ });
diff --git a/package.json b/package.json
index 818ce5075..6e38530f4 100644
--- a/package.json
+++ b/package.json
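Review bot: The `.catch` at the end of the new electron-builder.ts only logs the error, so a failed `build()` still lets the process exit with status 0 and CI would treat a broken or missing package as a success; add `process.exitCode = 1;` after `console.error(error);`. The same call hard-codes `Platform.MAC.createTarget()` even though `linux`, `deb` and `win` sections are configured above, which looks like a leftover from a local run. The `@type {import('electron-builder').Configuration}` JSDoc tag repeats the `Configuration` annotation on `options` and can be dropped.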
@@ -127,82 +127,6 @@ "resolutions": { "@types/node": "16.18.68" }, - "build": { - "appId": "im.riot.app", - "asarUnpack": "**/*.node", - "files": [ - "package.json", - { - "from": ".hak/hakModules", - "to": "node_modules" - }, - "lib/**" - ], - "extraResources": [ - { - "from": "res/img", - "to": "img" - }, - "webapp.asar" - ], - "linux": { - "target": [ - "tar.gz", - "deb" - ], - "category": "Network;InstantMessaging;Chat", - "maintainer": "support@element.io", - "icon": "build/icons" - }, - "deb": { - "packageCategory": "net", - "depends": [ - "libgtk-3-0", - "libnotify4", - "libnss3", - "libxss1", - "libxtst6", - "xdg-utils", - "libatspi2.0-0", - "libuuid1", - "libsecret-1-0", - "libasound2", - "libgbm1" - ], - "recommends": [ - "libsqlcipher0", - "element-io-archive-keyring" - ] - }, - "mac": { - "category": "public.app-category.social-networking", - "darkModeSupport": true, - "hardenedRuntime": true, - "gatekeeperAssess": true, - "entitlements": "./build/entitlements.mac.plist", - "icon": "build/icons/icon.icns" - }, - "win": { - "target": [ - "squirrel" - ], - "signingHashAlgorithms": [ - "sha256" - ], - "icon": "build/icons/icon.ico" - }, - "directories": { - "output": "dist" - }, - "protocols": [ - { - "name": "element", - "schemes": [ - "element" - ] - } - ] - }, "jest": { "testEnvironment": "node", "testMatch": [ From e545f44d94df314da56148faffcf0063fad849e9 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Tue, 2 Jan 2024 13:03:35 +0000 Subject: [PATCH 02/23] Replace generate-builder-config.ts with electron-builder.ts 
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_linux.yaml | 11 +-- .github/workflows/build_macos.yaml | 10 +- .github/workflows/build_windows.yaml | 11 +-- electron-builder.ts | 133 ++++++++++++++++++++++++--- scripts/generate-builder-config.ts | 129 -------------------------- 5 files changed, 131 insertions(+), 163 deletions(-) delete mode 100755 scripts/generate-builder-config.ts diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml index a5bb6a1fa..a6c6abfdb 100644 --- a/.github/workflows/build_linux.yaml +++ b/.github/workflows/build_linux.yaml @@ -103,24 +103,19 @@ jobs: run: "yarn build:native --target ${{ steps.config.outputs.target }}" - name: "[Nightly] Resolve version" - id: nightly if: inputs.version != '' run: | - echo "config-args=--nightly '${{ inputs.version }}'" >> $GITHUB_OUTPUT + echo "ED_NIGHTLY=${{ inputs.version }}" >> $GITHUB_ENV - name: Generate debian files and arguments - id: debian run: | if [ -f changelog.Debian ]; then - echo "config-args=--deb-changelog changelog.Debian" >> $GITHUB_OUTPUT + echo "ED_DEBIAN_CHANGELOG=changelog.Debian" >> $GITHUB_ENV fi - name: Build App run: | - npx ts-node scripts/generate-builder-config.ts \ - ${{ steps.nightly.outputs.config-args }} \ - ${{ steps.debian.outputs.config-args }} - yarn build --publish never -l --config electron-builder.json ${{ steps.config.outputs.build-args }} + yarn build --publish never -l ${{ steps.config.outputs.build-args }} - name: Check native libraries run: | diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml index 4087d53c8..87564461b 100644 --- a/.github/workflows/build_macos.yaml +++ b/.github/workflows/build_macos.yaml 
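Review bot: In the "[Nightly] Resolve version" step of build_linux.yaml, `${{ inputs.version }}` is expanded into the script text before the shell runs and the result is appended to `$GITHUB_ENV`, so a value containing a quote or a newline could change the command or define extra environment variables for every later step. Pass the input through the step's `env:` (for example `VERSION: ${{ inputs.version }}`) and write `echo "ED_NIGHTLY=$VERSION" >> "$GITHUB_ENV"`, ideally after checking that it matches the expected version pattern. The same line is added in build_macos.yaml and build_windows.yaml. Whether `inputs.version` can be set by an untrusted caller is not visible from these hunks.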
@@ -73,18 +73,17 @@ jobs: yarn build:native:universal - name: "[Nightly] Resolve version" - id: nightly if: inputs.version != '' run: | - echo "config-args=--nightly '${{ inputs.version }}'" >> $GITHUB_OUTPUT + echo "ED_NIGHTLY=${{ inputs.version }}" >> $GITHUB_ENV # We split these because electron-builder gets upset if we set CSC_LINK even to an empty string - name: "[Signed] Build App" if: inputs.sign != '' run: | - scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --notarytool-team-id='${{ secrets.APPLE_TEAM_ID }}' - yarn build:universal --publish never --config electron-builder.json + yarn build:universal --publish never env: + ED_NOTARYTOOL_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} APPLE_ID: ${{ secrets.APPLE_ID }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }} @@ -101,8 +100,7 @@ jobs: - name: "[Unsigned] Build App" if: inputs.sign == '' run: | - scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} - yarn build:universal --publish never --config electron-builder.json + yarn build:universal --publish never env: CSC_IDENTITY_AUTO_DISCOVERY: false diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml index 581db44fc..e602a5dfe 100644 --- a/.github/workflows/build_windows.yaml +++ b/.github/workflows/build_windows.yaml @@ -115,7 +115,6 @@ jobs: yarn build:native --target ${{ steps.config.outputs.target }} - name: Install and configure eSigner CKA - id: esigner if: inputs.sign run: | Set-StrictMode -Version 'Latest' 
@@ -144,22 +143,22 @@ jobs: # Extract thumbprint and subject name $Thumbprint = $CodeSigningCert.Thumbprint $SubjectName = ($CodeSigningCert.Subject -replace ", ?", "`n" | ConvertFrom-StringData).CN - echo "config-args=--signtool-thumbprint '$Thumbprint' --signtool-subject-name '$SubjectName'" >> $env:GITHUB_OUTPUT + + echo "ED_SIGNTOOL_THUMBPRINT=$Thumbprint" >> $GITHUB_ENV + echo "ED_SIGNTOOL_SUBJECT_NAME=$SubjectName" >> $GITHUB_ENV env: INSTALL_DIR: C:\Users\runneradmin\eSignerCKA MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key - name: "[Nightly] Resolve version" - id: nightly if: inputs.version != '' shell: bash run: | - echo "config-args=--nightly '${{ inputs.version }}'" >> $GITHUB_OUTPUT + echo "ED_NIGHTLY=${{ inputs.version }}" >> $GITHUB_ENV - name: Build App run: | - yarn ts-node scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} ${{ steps.esigner.outputs.config-args }} - yarn build --publish never -w --config electron-builder.json ${{ steps.config.outputs.build-args }} + yarn build --publish never -w ${{ steps.config.outputs.build-args }} - name: Check app was signed successfully if: inputs.sign != '' diff --git a/electron-builder.ts b/electron-builder.ts index 5b8a92f02..c2c698066 100644 --- a/electron-builder.ts +++ b/electron-builder.ts 
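Review bot: The two lines added to the eSigner step redirect to `$GITHUB_ENV`, but this step appears to be PowerShell (the removed line used `$env:GITHUB_OUTPUT`, and the step sets `Set-StrictMode -Version 'Latest'`), where `$GITHUB_ENV` is an unset PowerShell variable rather than the environment variable. The redirect would then fail or write nowhere, so `ED_SIGNTOOL_THUMBPRINT` and `ED_SIGNTOOL_SUBJECT_NAME` never reach the build step and electron-builder.ts skips its signing block. Use `>> $env:GITHUB_ENV` on both lines; the `$GITHUB_ENV` form is correct only in the "[Nightly] Resolve version" step below, which declares `shell: bash`.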
@@ -1,13 +1,51 @@ -import { build, type Configuration, Platform } from "electron-builder"; +import type { Configuration } from "electron-builder"; +import * as os from "node:os"; +import * as fs from "node:fs"; + +/** + * This script has different outputs depending on your os platform. + * + * On Windows: + * Prefixes the nightly version with `0.0.1-nightly.` as it breaks if it is not semver + * Passes $ED_SIGNTOOL_THUMBPRINT and $ED_SIGNTOOL_SUBJECT_NAME to + * build.win.signingHashAlgorithms and build.win.certificateSubjectName respectively if specified. + * + * On macOS: + * Passes $ED_NOTARYTOOL_TEAM_ID to build.mac.notarize.notarize if specified + * + * On Linux: + * Replaces spaces in the product name with dashes as spaces in paths can cause issues + * Removes libsqlcipher0 recommended dependency if env SQLCIPHER_BUNDLED is asserted. + * Passes $ED_DEBIAN_CHANGELOG to build.deb.fpm if specified + */ + +const NIGHTLY_APP_ID = "im.riot.nightly"; +const NIGHTLY_APP_NAME = "element-desktop-nightly"; +const NIGHTLY_DEB_NAME = "element-nightly"; + +type DeepWriteable = { -readonly [P in keyof T]: DeepWriteable }; + +interface Package { + productName: string; + description: string; +} + +const pkg: Package = JSON.parse(fs.readFileSync("package.json", "utf8")); /** * @type {import('electron-builder').Configuration} * @see https://www.electron.build/configuration/configuration */ -const options: Configuration = { +const config: DeepWriteable> & { + extraMetadata?: { + productName?: string; + name?: string; + version?: string; + description?: string; + }; +} = { appId: "im.riot.app", asarUnpack: "**/*.node", - afterPack: "scripts/afterPack.ts", files: [ "package.json", { 
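Review bot: The new header comment says the signing variables go to `build.win.signingHashAlgorithms` and `build.win.certificateSubjectName`, but the code added later in this commit assigns `certificateSha1` and `certificateSubjectName`, so the comment documents the wrong field for the thumbprint. I would change that line to `* Passes $ED_SIGNTOOL_THUMBPRINT and $ED_SIGNTOOL_SUBJECT_NAME to build.win.certificateSha1 and build.win.certificateSubjectName respectively if specified.` and the macOS line to `build.mac.notarize.teamId`. Separately, `pkg` is typed as `Package` straight from `JSON.parse` with no check, so a package.json without `productName` or `description` would flow `undefined` into `extraMetadata` unnoticed.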
@@ -23,11 +61,18 @@ const options: Configuration = { }, "webapp.asar", ], + extraMetadata: { + productName: pkg.productName, + description: pkg.description, + }, linux: { target: ["tar.gz", "deb"], category: "Network;InstantMessaging;Chat", maintainer: "support@element.io", icon: "build/icons", + desktop: { + MimeType: "x-scheme-handler/element", + } as any, }, deb: { packageCategory: "net", @@ -45,6 +90,12 @@ const options: Configuration = { "libgbm1", ], recommends: ["libsqlcipher0", "element-io-archive-keyring"], + fpm: [ + "--deb-field", + "Replaces: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0)", + "--deb-field", + "Breaks: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0)", + ], }, mac: { category: "public.app-category.social-networking", 
@@ -70,14 +121,68 @@ const options: Configuration = { ], }; -// Promise is returned -build({ - targets: Platform.MAC.createTarget(), - config: options, -}) - .then((result) => { - console.log(JSON.stringify(result)); - }) - .catch((error) => { - console.error(error); - }); +/** + * Allow specifying windows signing cert via env vars + * @param {string} process.env.ED_SIGNTOOL_SUBJECT_NAME + * @param {string} process.env.ED_SIGNTOOL_THUMBPRINT + */ +if (process.env.ED_SIGNTOOL_SUBJECT_NAME && process.env.ED_SIGNTOOL_THUMBPRINT) { + config.win!.certificateSubjectName = process.env.ED_SIGNTOOL_SUBJECT_NAME; + config.win!.certificateSha1 = process.env.ED_SIGNTOOL_THUMBPRINT; +} + +/** + * Allow specifying macOS notary team id via env var + * @param {string} process.env.ED_NOTARYTOOL_TEAM_ID + */ +if (process.env.ED_NOTARYTOOL_TEAM_ID) { + config.mac!.notarize = { + teamId: process.env.ED_NOTARYTOOL_TEAM_ID, + }; +} + +/** + * Allow specifying nightly version via env var + * @param {string} process.env.ED_NIGHTLY + */ +if (process.env.ED_NIGHTLY) { + config.deb!.fpm = []; // Clear the fpm as the breaks deb fields don't apply to nightly + + config.appId = NIGHTLY_APP_ID; + config.extraMetadata!.productName += " Nightly"; + config.extraMetadata!.name = NIGHTLY_APP_NAME; + config.extraMetadata!.description += " (nightly unstable build)"; + config.deb!.fpm!.push("--name", NIGHTLY_DEB_NAME); + + let version = process.env.ED_NIGHTLY; + if (os.platform() === "win32") { + // The windows packager relies on parsing this as semver, so we have to make it look like one. + // This will give our update packages really stupid names, but we probably can't change that either + // because squirrel windows parses them for the version too. We don't really care: nobody sees them. + // We just give the installer a static name, so you'll just see this in the 'about' dialog. + // Turns out if you use 0.0.0 here it makes Squirrel windows crash, so we use 0.0.1. + version = "0.0.1-nightly." 
+ version; + } + config.extraMetadata!.version = version; +} + +if (os.platform() === "linux") { + // Electron crashes on debian if there's a space in the path. + // https://github.com/vector-im/element-web/issues/13171 + config.extraMetadata!.productName = config.extraMetadata!.productName!.replace(/ /g, "-"); + + /** + * Allow specifying deb changelog via env var + * @param {string} process.env.ED_DEB_CHANGELOG + */ + if (process.env.ED_DEBIAN_CHANGELOG) { + config.deb!.fpm!.push(`--deb-changelog=${process.env.ED_DEBIAN_CHANGELOG}`); + } + + if (process.env.SQLCIPHER_BUNDLED) { + // Remove sqlcipher dependency when using bundled + config.deb!.recommends = config.deb!.recommends?.filter((d) => d !== "libsqlcipher0"); + } +} + +export default config; diff --git a/scripts/generate-builder-config.ts b/scripts/generate-builder-config.ts deleted file mode 100755 index 718edca9f..000000000 --- a/scripts/generate-builder-config.ts +++ /dev/null 
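Review bot: The Windows signing block runs only when both `ED_SIGNTOOL_SUBJECT_NAME` and `ED_SIGNTOOL_THUMBPRINT` are set, so if exactly one of them is missing the config silently falls back to no certificate selection instead of failing the build. A guard before the block makes the misconfiguration visible: `if (!!process.env.ED_SIGNTOOL_SUBJECT_NAME !== !!process.env.ED_SIGNTOOL_THUMBPRINT) throw new Error("ED_SIGNTOOL_SUBJECT_NAME and ED_SIGNTOOL_THUMBPRINT must be set together");`. The workflow has a later signature check, but that only helps when `inputs.sign` is set. The JSDoc above the changelog block names `process.env.ED_DEB_CHANGELOG` while the code reads `ED_DEBIAN_CHANGELOG`; the comment should use the latter.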
@@ -1,129 +0,0 @@ -#!/usr/bin/env -S npx ts-node - -/** - * Script to generate electron-builder.json config files for builds which don't match package.json, e.g. nightlies - * This script has different outputs depending on your os platform. - * - * On Windows: - * Prefixes the nightly version with `0.0.1-nightly.` as it breaks if it is not semver - * - * On macOS: - * Passes --notarytool-team-id to build.mac.notarize.notarize if specified - * - * On Linux: - * Replaces spaces in the product name with dashes as spaces in paths can cause issues - * Passes --deb-custom-control to build.deb.fpm if specified - * Removes libsqlcipher0 recommended dependency if env SQLCIPHER_BUNDLED is asserted. - */ - -import parseArgs from "minimist"; -import fsProm from "fs/promises"; -import * as os from "os"; -import { Configuration } from "app-builder-lib"; - -const ELECTRON_BUILDER_CFG_FILE = "electron-builder.json"; - -const NIGHTLY_APP_ID = "im.riot.nightly"; -const NIGHTLY_APP_NAME = "element-desktop-nightly"; -const NIGHTLY_DEB_NAME = "element-nightly"; - -const argv = parseArgs<{ - "nightly"?: string; - "signtool-thumbprint"?: string; - "signtool-subject-name"?: string; - "notarytool-team-id"?: string; - "deb-changelog"?: string; -}>(process.argv.slice(2), { - string: ["nightly", "deb-changelog", "signtool-thumbprint", "signtool-subject-name", "notarytool-team-id"], -}); - -type DeepWriteable = { -readonly [P in keyof T]: DeepWriteable }; - -interface PackageBuild extends DeepWriteable> { - extraMetadata?: { - productName?: string; - name?: string; - version?: string; - description?: string; - }; -} - -interface Package { - build: PackageBuild; - productName: string; - description: string; -} - -async function main(): Promise { - // Electron builder doesn't overlay with the config in package.json, so load it here - const pkg: Package = JSON.parse(await fsProm.readFile("package.json", "utf8")); - - const cfg: PackageBuild = { - ...pkg.build, - extraMetadata: { - productName: 
pkg.productName, - description: pkg.description, - }, - }; - - if (!cfg.deb!.fpm) cfg.deb!.fpm = []; - - if (argv.nightly) { - cfg.appId = NIGHTLY_APP_ID; - cfg.extraMetadata!.productName += " Nightly"; - cfg.extraMetadata!.name = NIGHTLY_APP_NAME; - cfg.extraMetadata!.description += " (nightly unstable build)"; - cfg.deb!.fpm!.push("--name", NIGHTLY_DEB_NAME); - - let version = argv.nightly; - if (os.platform() === "win32") { - // The windows packager relies on parsing this as semver, so we have to make it look like one. - // This will give our update packages really stupid names, but we probably can't change that either - // because squirrel windows parses them for the version too. We don't really care: nobody sees them. - // We just give the installer a static name, so you'll just see this in the 'about' dialog. - // Turns out if you use 0.0.0 here it makes Squirrel windows crash, so we use 0.0.1. - version = "0.0.1-nightly." + version; - } - cfg.extraMetadata!.version = version; - } else { - cfg.deb!.fpm!.push("--deb-field", "Replaces: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0)"); - cfg.deb!.fpm!.push("--deb-field", "Breaks: riot-desktop (<< 1.7.0), riot-web (<< 1.7.0)"); - } - - if (argv["signtool-thumbprint"] && argv["signtool-subject-name"]) { - cfg.win!.certificateSubjectName = argv["signtool-subject-name"]; - cfg.win!.certificateSha1 = argv["signtool-thumbprint"]; - } - - if (argv["notarytool-team-id"]) { - cfg.mac!.notarize = { - teamId: argv["notarytool-team-id"], - }; - } - - if (os.platform() === "linux") { - // Electron crashes on debian if there's a space in the path. 
- // https://github.com/vector-im/element-web/issues/13171 - cfg.extraMetadata!.productName = cfg.extraMetadata!.productName!.replace(/ /g, "-"); - - if (argv["deb-changelog"]) { - cfg.deb!.fpm!.push(`--deb-changelog=${argv["deb-changelog"]}`); - } - - if (process.env.SQLCIPHER_BUNDLED) { - // Remove sqlcipher dependency when using bundled - cfg.deb!.recommends = cfg.deb!.recommends?.filter((d) => d !== "libsqlcipher0"); - } - } - - await fsProm.writeFile(ELECTRON_BUILDER_CFG_FILE, JSON.stringify(cfg, null, 4)); -} - -main() - .then((ret) => { - process.exit(ret!); - }) - .catch((e) => { - console.error(e); - process.exit(1); - }); From 60f69fad559b10234603901fdb74762978a92458 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Tue, 2 Jan 2024 13:48:44 +0000 Subject: [PATCH 03/23] Burn in Electron fuses to tighten security parameters See https://www.electronjs.org/docs/latest/tutorial/fuses Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- electron-builder.ts | 45 ++++++++++++++++++++++++++++++++++++++++++++- package.json | 1 + yarn.lock | 23 ++++++++++++----------- 3 files changed, 57 insertions(+), 12 deletions(-) diff --git a/electron-builder.ts b/electron-builder.ts index c2c698066..5452fe7dc 100644 --- a/electron-builder.ts +++ b/electron-builder.ts @@ -1,6 +1,9 @@ -import type { Configuration } from "electron-builder"; +import { Arch, Configuration } from "electron-builder"; import * as os from "node:os"; import * as fs from "node:fs"; +import * as path from "node:path"; +import { AfterPackContext } from "app-builder-lib/out/configuration"; +import { flipFuses, FuseV1Options, FuseVersion } from "@electron/fuses"; /** * This script has different outputs depending on your os platform. 
@@ -32,6 +35,8 @@ interface Package { const pkg: Package = JSON.parse(fs.readFileSync("package.json", "utf8")); +let buildMacOsUniversal = false; + /** * @type {import('electron-builder').Configuration} * @see https://www.electron.build/configuration/configuration @@ -46,6 +51,44 @@ const config: DeepWriteable> & { } = { appId: "im.riot.app", asarUnpack: "**/*.node", + beforePack: async (context: AfterPackContext) => { + if (context.electronPlatformName === "darwin" && context.arch === Arch.universal) { + buildMacOsUniversal = true; + } + }, + afterPack: async (context: AfterPackContext) => { + if (context.electronPlatformName !== "darwin" || context.arch === Arch.universal || !buildMacOsUniversal) { + // Burn in electron fuses, for macOS if we are building a universal package we only need to burn fuses there + const ext = { + darwin: ".app", + win32: ".exe", + linux: [""], + }[context.electronPlatformName]; + + const electronBinaryPath = path.join( + context.appOutDir, + `${context.packager.appInfo.productFilename}${ext}`, + ); + console.log("Flipping fuses for: ", electronBinaryPath); + + await flipFuses(electronBinaryPath, { + version: FuseVersion.V1, + resetAdHocDarwinSignature: context.electronPlatformName === "darwin" && context.arch === Arch.universal, + + [FuseV1Options.EnableCookieEncryption]: true, + [FuseV1Options.OnlyLoadAppFromAsar]: true, + + [FuseV1Options.RunAsNode]: false, + [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, + [FuseV1Options.EnableNodeCliInspectArguments]: false, + + // Mac app crashes when enabled for us on arm, might be fine for you + [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false, + // https://github.com/electron/fuses/issues/7 + [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false, + }); + } + }, files: [ "package.json", { diff --git a/package.json b/package.json index 6e38530f4..dabaff035 100644 --- a/package.json +++ b/package.json 
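Review bot: The `flipFuses` call turns on `OnlyLoadAppFromAsar` but leaves `EnableEmbeddedAsarIntegrityValidation` off, so the app is restricted to loading `app.asar` while nothing verifies that the archive is the one that was shipped. The comment on that line should record this as a known gap rather than only linking the issue, e.g. `// TODO: enable once https://github.com/electron/fuses/issues/7 is resolved; until then app.asar contents are not verified at load`. In the `ext` lookup, `linux: [""]` only works because the array is coerced to an empty string inside the template literal, and an unlisted platform would produce a path ending in `undefined`; `linux: ""` plus an explicit check for a missing entry would be clearer.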
@@ -76,6 +76,7 @@ "@babel/preset-env": "^7.18.10", "@babel/preset-typescript": "^7.18.6", "@electron/asar": "^3.2.3", + "@electron/fuses": "^1.7.0", "@types/auto-launch": "^5.0.1", "@types/counterpart": "^0.18.1", "@types/detect-libc": "^1.0.0", diff --git a/yarn.lock b/yarn.lock index dc1047d9a..50029f38a 100644 --- a/yarn.lock +++ b/yarn.lock @@ -66,15 +66,7 @@ "@babel/highlight" "^7.22.13" chalk "^2.4.2" -"@babel/code-frame@^7.12.13": - version "7.23.5" - resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.23.5.tgz#9009b69a8c602293476ad598ff53e4562e15c244" - integrity sha512-CgH3s1a96LipHCmSUmYFPwY7MNx8C3avkq7i4Wl3cfa662ldtUe4VM1TPXX70pfmrlWTb6jLqTYrZyT2ZTJBgA== - dependencies: - "@babel/highlight" "^7.23.4" - chalk "^2.4.2" - -"@babel/code-frame@^7.22.13", "@babel/code-frame@^7.23.5": +"@babel/code-frame@^7.12.13", "@babel/code-frame@^7.22.13", "@babel/code-frame@^7.23.5": version "7.23.5" resolved "https://registry.yarnpkg.com/@babel/code-frame/-/code-frame-7.23.5.tgz#9009b69a8c602293476ad598ff53e4562e15c244" integrity sha512-CgH3s1a96LipHCmSUmYFPwY7MNx8C3avkq7i4Wl3cfa662ldtUe4VM1TPXX70pfmrlWTb6jLqTYrZyT2ZTJBgA== @@ -1156,6 +1148,15 @@ glob "^7.1.6" minimatch "^3.0.4" +"@electron/fuses@^1.7.0": + version "1.7.0" + resolved "https://registry.yarnpkg.com/@electron/fuses/-/fuses-1.7.0.tgz#0800d5404fffe5683705297990fea089d49811a2" + integrity sha512-mfhLoZGQdqrSU/SeOFBs6r+D7g1tYiVs2C/hh7t3NFQ0chcXGoWrrad17rCQL1ImNJuCXs4cu23YBj5CAnj5SA== + dependencies: + chalk "^4.1.1" + fs-extra "^9.0.1" + minimist "^1.2.5" + "@electron/get@^2.0.0": version "2.0.3" resolved "https://registry.yarnpkg.com/@electron/get/-/get-2.0.3.tgz#fba552683d387aebd9f3fcadbcafc8e12ee4f960" 
@@ -3037,7 +3038,7 @@ chalk@^2.4.2: escape-string-regexp "^1.0.5" supports-color "^5.3.0" -chalk@^4.0.0, chalk@^4.0.2, chalk@^4.1.2: +chalk@^4.0.0, chalk@^4.0.2, chalk@^4.1.1, chalk@^4.1.2: version "4.1.2" resolved "https://registry.yarnpkg.com/chalk/-/chalk-4.1.2.tgz#aac4e2b7734a740867aeb16bf02aad556a1e7a01" integrity sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA== @@ -5785,7 +5786,7 @@ minimatch@^9.0.0, minimatch@^9.0.1, minimatch@^9.0.3: dependencies: brace-expansion "^2.0.1" -minimist@^1.2.0, minimist@^1.2.6, minimist@^1.2.8: +minimist@^1.2.0, minimist@^1.2.5, minimist@^1.2.6, minimist@^1.2.8: version "1.2.8" resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c" integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA== From 1e9320bb4512972b194f04a4f31df10c41246382 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Tue, 2 Jan 2024 13:53:22 +0000 Subject: [PATCH 04/23] Handle Linux better Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- electron-builder.ts | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/electron-builder.ts b/electron-builder.ts index 5452fe7dc..f460a4f08 100644 --- a/electron-builder.ts +++ b/electron-builder.ts 
@@ -65,10 +65,13 @@ const config: DeepWriteable> & { linux: [""], }[context.electronPlatformName]; - const electronBinaryPath = path.join( - context.appOutDir, - `${context.packager.appInfo.productFilename}${ext}`, - ); + const IS_LINUX = context.electronPlatformName === "linux"; + // .toLowerCase() to accommodate Linux file named `name` but productFileName is `Name` -- Replaces '-dev' because on Linux the executable name is `name` even for the DEV builds + const executableName = IS_LINUX + ? context.packager.appInfo.productFilename.toLowerCase().replace("-dev", "") + : context.packager.appInfo.productFilename; + + const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`); console.log("Flipping fuses for: ", electronBinaryPath); await flipFuses(electronBinaryPath, { From 3a75b9c7151b56ccf6de9f8c2826189aeeb49256 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Wed, 3 Jan 2024 17:23:45 +0000 Subject: [PATCH 05/23] Fix fuse setting for Linux packages Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- electron-builder.js | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/electron-builder.js b/electron-builder.js index 8328069ba..644d7c30f 100644 --- a/electron-builder.js +++ b/electron-builder.js @@ -24,7 +24,6 @@ const { flipFuses, FuseVersion, FuseV1Options } = require("@electron/fuses"); */ const NIGHTLY_APP_ID = "im.riot.nightly"; -const NIGHTLY_APP_NAME = "element-desktop-nightly"; const NIGHTLY_DEB_NAME = "element-nightly"; const pkg = JSON.parse(fs.readFileSync("package.json", "utf8")); 
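Review bot: `.replace("-dev", "")` in the new `executableName` expression removes the first `-dev` found anywhere in the lowercased product name rather than a trailing suffix, so a name that merely contains that substring would yield a path that does not exist and `flipFuses` would be pointed at the wrong file. If suffix stripping is the intent, anchor it: `.replace(/-dev$/, "")`. Lowercasing `productFilename` is also a guess at how the Linux binary is named; reading the name from the packager, if it exposes one, would be less fragile. The enclosing `afterPack` callback starts and ends outside this hunk.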
@@ -52,11 +51,11 @@ const config = { linux: [""], }[context.electronPlatformName]; - const IS_LINUX = context.electronPlatformName === "linux"; - // .toLowerCase() to accommodate Linux file named `name` but productFileName is `Name` -- Replaces '-dev' because on Linux the executable name is `name` even for the DEV builds - const executableName = IS_LINUX - ? context.packager.appInfo.productFilename.toLowerCase().replace("-dev", "") - : context.packager.appInfo.productFilename; + let executableName = context.packager.appInfo.productFilename; + if (context.electronPlatformName === "linux") { + // Linux uses the package name as the executable name + executableName = context.packager.appInfo.name; + } const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`); console.log("Flipping fuses for: ", electronBinaryPath); @@ -183,7 +182,7 @@ if (process.env.ED_NIGHTLY) { config.appId = NIGHTLY_APP_ID; config.extraMetadata.productName += " Nightly"; - config.extraMetadata.name = NIGHTLY_APP_NAME; + config.extraMetadata.name += "-nightly"; config.extraMetadata.description += " (nightly unstable build)"; config.deb.fpm.push("--name", NIGHTLY_DEB_NAME); From 35150a55c1d6bc3dc4cef43f2863b6b3d716a3b3 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Wed, 3 Jan 2024 18:12:14 +0000 Subject: [PATCH 06/23] Re-enable fuse EnableNodeCliInspectArguments for playwright test CI Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 4 ++++ .github/workflows/build_linux.yaml | 6 ++++++ .github/workflows/build_macos.yaml | 6 ++++++ .github/workflows/build_windows.yaml | 6 ++++++ electron-builder.js | 4 +++- 5 files changed, 25 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 99e67f83c..230bf8dc2 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
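Review bot: `config.extraMetadata.name += "-nightly"` in the nightly block depends on `extraMetadata.name` already holding the package name, and the initialiser is outside these hunks. If `extraMetadata` is still created with only `productName` and `description`, as in the electron-builder.ts version earlier in this series, the result is the string `"undefined-nightly"`. The Linux branch in the first hunk now takes the executable name from `context.packager.appInfo.name`, so a wrong name would also send `flipFuses` to a path that does not exist. Reading it from the parsed package.json avoids the dependency: `config.extraMetadata.name = pkg.name + "-nightly";`.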
@@ -22,6 +22,7 @@ jobs: arch: [x64, x86] with: arch: ${{ matrix.arch }} + test-mode: true # This allows core contributors to test changes to the dockerbuild image within a pull request linux_docker: @@ -89,11 +90,14 @@ jobs: sqlcipher: ${{ matrix.sqlcipher }} docker-image: ${{ needs.linux_docker.outputs.docker-image }} arch: ${{ matrix.arch }} + test-mode: true macos: needs: fetch name: macOS uses: ./.github/workflows/build_macos.yaml + with: + test-mode: true test: needs: diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml index acf54141e..622ba8178 100644 --- a/.github/workflows/build_linux.yaml +++ b/.github/workflows/build_linux.yaml @@ -28,6 +28,10 @@ on: type: string required: false description: "The docker image to use for the build, defaults to ghcr.io/element-hq/element-desktop-dockerbuild" + test-mode: + type: boolean + required: false + description: "Whether to enable EnableNodeCliInspectArguments fuse to enable testing using playwright" jobs: build: runs-on: ubuntu-latest @@ -116,6 +120,8 @@ jobs: - name: Build App run: | yarn build --publish never -l ${{ steps.config.outputs.build-args }} + env: + ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS: ${{ inputs.test-mode && 'true' || '' }} - name: Check native libraries run: | diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml index c795e6ef7..6209c540e 100644 --- a/.github/workflows/build_macos.yaml +++ b/.github/workflows/build_macos.yaml @@ -27,6 +27,10 @@ on: type: boolean required: false description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones" + test-mode: + type: boolean + required: false + description: "Whether to enable EnableNodeCliInspectArguments fuse to enable testing using playwright" base-url: type: string required: false 
@@ -88,6 +92,7 @@ jobs: APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }} CSC_LINK: ${{ secrets.APPLE_CSC_LINK }} + ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS: ${{ inputs.test-mode && 'true' || '' }} - name: Check app was signed & notarised successfully if: inputs.sign != '' @@ -103,6 +108,7 @@ jobs: yarn build:universal --publish never env: CSC_IDENTITY_AUTO_DISCOVERY: false + ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS: ${{ inputs.test-mode && 'true' || '' }} - name: Prepare artifacts for deployment if: inputs.deploy-mode diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml index 7b2bb52ae..29fcf2393 100644 --- a/.github/workflows/build_windows.yaml +++ b/.github/workflows/build_windows.yaml @@ -27,6 +27,10 @@ on: type: boolean required: false description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones" + test-mode: + type: boolean + required: false + description: "Whether to enable EnableNodeCliInspectArguments fuse to enable testing using playwright" jobs: build: runs-on: windows-latest @@ -163,6 +167,8 @@ jobs: - name: Build App run: | yarn electron-builder --publish never -w ${{ steps.config.outputs.build-args }} + env: + ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS: ${{ inputs.test-mode && 'true' || '' }} - name: Check app was signed successfully if: inputs.sign != '' diff --git a/electron-builder.js b/electron-builder.js index 644d7c30f..c2d226860 100644 --- a/electron-builder.js +++ b/electron-builder.js 
@@ -69,7 +69,9 @@ const config = { [FuseV1Options.RunAsNode]: false, [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, - [FuseV1Options.EnableNodeCliInspectArguments]: false, + + // This is required for Playwright tests + [FuseV1Options.EnableNodeCliInspectArguments]: !!process.env.ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS, // Mac app crashes when enabled for us on arm, might be fine for you [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false, From 994678fdc435ad2a6daeac6022e49cdd77c26264 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Wed, 3 Jan 2024 18:15:03 +0000 Subject: [PATCH 07/23] Set fuse in test code itself Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 8 ++++---- .github/workflows/build_linux.yaml | 6 ------ .github/workflows/build_macos.yaml | 6 ------ .github/workflows/build_windows.yaml | 6 ------ 4 files changed, 4 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 230bf8dc2..aecbade73 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -22,7 +22,6 @@ jobs: arch: [x64, x86] with: arch: ${{ matrix.arch }} - test-mode: true # This allows core contributors to test changes to the dockerbuild image within a pull request linux_docker: @@ -90,14 +89,11 @@ jobs: sqlcipher: ${{ matrix.sqlcipher }} docker-image: ${{ needs.linux_docker.outputs.docker-image }} arch: ${{ matrix.arch }} - test-mode: true macos: needs: fetch name: macOS uses: ./.github/workflows/build_macos.yaml - with: - test-mode: true test: needs: 
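Review bot: `!!process.env.ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS` treats any non-empty value, including `"false"` or `"0"`, as a request to leave the inspector fuse on, so a stray variable in a release environment would ship a binary that accepts the Node inspect arguments. Compare against the one value the workflows send, `process.env.ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS === "true"`. The workflow hunks in this commit also pass the variable to the "[Signed] Build App" step on macOS, so a signed artifact can be built in test mode. Refusing the combination in this file, for example by throwing when the flag is set together with `ED_NOTARYTOOL_TEAM_ID` or `ED_SIGNTOOL_THUMBPRINT`, would keep test builds and release builds apart.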
@@ -151,6 +147,10 @@ jobs: run: ${{ matrix.prepare_cmd }} if: matrix.prepare_cmd + # This is required for Playwright testing + - name: Set EnableNodeCliInspectArguments fuse enabled + run: npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on + - name: Run tests uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1 timeout-minutes: 5 diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml index 622ba8178..acf54141e 100644 --- a/.github/workflows/build_linux.yaml +++ b/.github/workflows/build_linux.yaml @@ -28,10 +28,6 @@ on: type: string required: false description: "The docker image to use for the build, defaults to ghcr.io/element-hq/element-desktop-dockerbuild" - test-mode: - type: boolean - required: false - description: "Whether to enable EnableNodeCliInspectArguments fuse to enable testing using playwright" jobs: build: runs-on: ubuntu-latest @@ -120,8 +116,6 @@ jobs: - name: Build App run: | yarn build --publish never -l ${{ steps.config.outputs.build-args }} - env: - ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS: ${{ inputs.test-mode && 'true' || '' }} - name: Check native libraries run: | diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml index 6209c540e..c795e6ef7 100644 --- a/.github/workflows/build_macos.yaml +++ b/.github/workflows/build_macos.yaml @@ -27,10 +27,6 @@ on: type: boolean required: false description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones" - test-mode: - type: boolean - required: false - description: "Whether to enable EnableNodeCliInspectArguments fuse to enable testing using playwright" base-url: type: string required: false 
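Review bot: `npx @electron/fuses write` in the new `Set EnableNodeCliInspectArguments fuse enabled` step (hunk `@@ -151,6 +147,10 @@`) names no version, unlike the `coactions/setup-xvfb` step just below it, which is pinned to a commit hash. If the package is not already installed in the test job, each run fetches and executes whatever the registry currently serves. Later patches in this series keep the same invocation, and on Linux run it under `sudo` (the `SUDO` patch and the `$RUN_AS` variant), which gives that unpinned code root on the runner. Pin it, e.g. `run: npx @electron/fuses@<version already used by the repo> write --app "${{ matrix.executable }}" EnableNodeCliInspectArguments=on`, or call the copy installed from the lockfile. The quotes around the path are optional for the current matrix values but prevent word splitting if a path ever contains a space.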
@@ -92,7 +88,6 @@ jobs: APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }} CSC_LINK: ${{ secrets.APPLE_CSC_LINK }} - ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS: ${{ inputs.test-mode && 'true' || '' }} - name: Check app was signed & notarised successfully if: inputs.sign != '' @@ -108,7 +103,6 @@ jobs: yarn build:universal --publish never env: CSC_IDENTITY_AUTO_DISCOVERY: false - ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS: ${{ inputs.test-mode && 'true' || '' }} - name: Prepare artifacts for deployment if: inputs.deploy-mode diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml index 29fcf2393..7b2bb52ae 100644 --- a/.github/workflows/build_windows.yaml +++ b/.github/workflows/build_windows.yaml @@ -27,10 +27,6 @@ on: type: boolean required: false description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones" - test-mode: - type: boolean - required: false - description: "Whether to enable EnableNodeCliInspectArguments fuse to enable testing using playwright" jobs: build: runs-on: windows-latest @@ -167,8 +163,6 @@ jobs: - name: Build App run: | yarn electron-builder --publish never -w ${{ steps.config.outputs.build-args }} - env: - ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS: ${{ inputs.test-mode && 'true' || '' }} - name: Check app was signed successfully if: inputs.sign != '' From 97e639f6bf8a9a2c1a1b662d06ff15b5d273a790 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Wed, 3 Jan 2024 18:32:04 +0000 Subject: [PATCH 08/23] Fix executable paths Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index aecbade73..05f782fc1 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
@@ -111,12 +111,12 @@ jobs: - name: "Linux (amd64) (sqlcipher: system)" os: ubuntu artifact: linux-amd64-sqlcipher-system - executable: "element-desktop" + executable: "/opt/Element/element-desktop" prepare_cmd: "sudo apt install ./dist/*.deb" - name: "Linux (amd64) (sqlcipher: static)" os: ubuntu artifact: linux-amd64-sqlcipher-static - executable: "element-desktop" + executable: "/opt/Element/element-desktop" prepare_cmd: "sudo apt install ./dist/*.deb" - name: Windows (x86) os: windows From fb099005fd359c8c3432e15476c0393247e456e5 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Wed, 3 Jan 2024 19:00:06 +0000 Subject: [PATCH 09/23] SUDO Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 05f782fc1..06bb4cdd8 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -148,7 +148,11 @@ jobs: if: matrix.prepare_cmd # This is required for Playwright testing + - name: Set EnableNodeCliInspectArguments fuse enabled (sudo) + if: runner.os == 'Linux' + run: sudo npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on - name: Set EnableNodeCliInspectArguments fuse enabled + if: runner.os != 'Linux' run: npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on - name: Run tests From ceda9ee581b25df6d32b2cfd826c8ebd407d9773 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Wed, 3 Jan 2024 19:16:12 +0000 Subject: [PATCH 10/23] Fix macOS test Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 06bb4cdd8..b9b359f57 100644 
--- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -106,8 +106,11 @@ jobs: - name: macOS Universal os: macos artifact: macos - executable: "/Volumes/Element/Element.app/Contents/MacOS/Element" - prepare_cmd: "hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element" + executable: "~/Applications/Element.app/Contents/MacOS/Element" + prepare_cmd: | + hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element && + cp -r /Volumes/Element/Element.app ~/Applications/ && + hdiutil detach /Volumes/Element - name: "Linux (amd64) (sqlcipher: system)" os: ubuntu artifact: linux-amd64-sqlcipher-system From b5664e3773a7a4457f17783c3fa794394173ea4f Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 09:23:58 +0000 Subject: [PATCH 11/23] DEBUG Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index b9b359f57..860433670 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -158,6 +158,15 @@ jobs: if: runner.os != 'Linux' run: npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on + # TODO remove me + - name: DEBUG + uses: actions/upload-artifact@v3 + if: always() + with: + name: ${{ matrix.artifact }} + path: ${{ matrix.name }}-artifact + retention-days: 1 + - name: Run tests uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1 timeout-minutes: 5 From c7a121fe83cc989fab76a5e7be2b7ac426e6d537 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 09:41:38 +0000 Subject: [PATCH 12/23] DEBUG2 Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
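Review bot: The `DEBUG` step added in the `@@ -158,6 +158,15 @@` hunk uses `actions/upload-artifact@v3`, a mutable tag, while the `Run tests` step right after it pins `coactions/setup-xvfb` to a full commit hash with the tag in a trailing comment. Use the same form here so the action cannot change underneath the workflow: `uses: actions/upload-artifact@<full commit sha> # v3`. The later `DEBUG8` patch moves to `@v4` with the same gap. The step also runs after the fuse has been switched on, so what it uploads is the test-modified app; `# TODO remove me` would be clearer as `# TODO remove me: uploads the fuse-modified test binary, not a release artifact`.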
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 860433670..db65edd80 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -163,8 +163,8 @@ jobs: uses: actions/upload-artifact@v3 if: always() with: - name: ${{ matrix.artifact }} - path: ${{ matrix.name }}-artifact + path: ${{ matrix.executable }} + name: ${{ matrix.name }}-artifact retention-days: 1 - name: Run tests From edcd578e6958646a043cf6d3adeae29dffdab762 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 09:58:00 +0000 Subject: [PATCH 13/23] DEBUG3 Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index db65edd80..9624ce707 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -164,7 +164,7 @@ jobs: if: always() with: path: ${{ matrix.executable }} - name: ${{ matrix.name }}-artifact + name: ${{ matrix.artifact }}-executable retention-days: 1 - name: Run tests From 12c1f26ef5c17c7e1a38adfe12330eeb93e8832a Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 11:35:33 +0000 Subject: [PATCH 14/23] DEBUG4 Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 9624ce707..19a4d3d02 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
@@ -109,7 +109,7 @@ jobs: executable: "~/Applications/Element.app/Contents/MacOS/Element" prepare_cmd: | hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element && - cp -r /Volumes/Element/Element.app ~/Applications/ && + rsync -a /Volumes/Element/Element.app ~/Applications/ && hdiutil detach /Volumes/Element - name: "Linux (amd64) (sqlcipher: system)" os: ubuntu @@ -166,6 +166,10 @@ jobs: path: ${{ matrix.executable }} name: ${{ matrix.artifact }}-executable retention-days: 1 + - name: DEBUG2 + run: | + ls -lah ${{ matrix.executable }} + tree ${{ matrix.executable }} - name: Run tests uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1 From 53a657eca660664173db5e8d636b80ae3a1566eb Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 12:14:48 +0000 Subject: [PATCH 15/23] DEBUG5 Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 19a4d3d02..564f891dd 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -151,12 +151,11 @@ jobs: if: matrix.prepare_cmd # This is required for Playwright testing - - name: Set EnableNodeCliInspectArguments fuse enabled (sudo) - if: runner.os == 'Linux' - run: sudo npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on - name: Set EnableNodeCliInspectArguments fuse enabled - if: runner.os != 'Linux' - run: npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on + run: $RUN_AS npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on + env: + # We need sudo on Linux as it is installed in /opt/ + RUN_AS: ${{ runner.os == 'Linux' && 'sudo' || '' }} # TODO remove me - name: DEBUG 
@@ -167,6 +166,7 @@ jobs: name: ${{ matrix.artifact }}-executable retention-days: 1 - name: DEBUG2 + if: always() && runner.os == 'macOS' run: | ls -lah ${{ matrix.executable }} tree ${{ matrix.executable }} From 9b1d7a15f7a3cbe6ac887608fe5aa6334b853687 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 12:30:32 +0000 Subject: [PATCH 16/23] DEBUG6 Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 564f891dd..64609a088 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -166,9 +166,11 @@ jobs: name: ${{ matrix.artifact }}-executable retention-days: 1 - name: DEBUG2 - if: always() && runner.os == 'macOS' + if: always() + continue-on-error: true run: | ls -lah ${{ matrix.executable }} + ls -lah ${{ matrix.executable }}/* tree ${{ matrix.executable }} - name: Run tests From 86e854ae6805d8b4332533cd36c1b20eb7b1fe5c Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 13:04:59 +0000 Subject: [PATCH 17/23] DEBUG7 Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 64609a088..db2d97d21 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -107,6 +107,7 @@ jobs: os: macos artifact: macos executable: "~/Applications/Element.app/Contents/MacOS/Element" + fuse_executable: "~/Applications/Element.app" prepare_cmd: | hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element && rsync -a /Volumes/Element/Element.app ~/Applications/ && 
@@ -152,7 +153,7 @@ jobs: # This is required for Playwright testing - name: Set EnableNodeCliInspectArguments fuse enabled - run: $RUN_AS npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on + run: $RUN_AS npx @electron/fuses write --app ${{ matrix.fuse_executable || matrix.executable }} EnableNodeCliInspectArguments=on env: # We need sudo on Linux as it is installed in /opt/ RUN_AS: ${{ runner.os == 'Linux' && 'sudo' || '' }} @@ -162,16 +163,16 @@ jobs: uses: actions/upload-artifact@v3 if: always() with: - path: ${{ matrix.executable }} + path: ${{ matrix.fuse_executable || matrix.executable }} name: ${{ matrix.artifact }}-executable retention-days: 1 - name: DEBUG2 if: always() continue-on-error: true run: | - ls -lah ${{ matrix.executable }} - ls -lah ${{ matrix.executable }}/* - tree ${{ matrix.executable }} + ls -lah ${{ matrix.fuse_executable || matrix.executable }} + ls -lah ${{ matrix.fuse_executable || matrix.executable }}/* + tree ${{ matrix.fuse_executable || matrix.executable }} - name: Run tests uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1 From 8f5dc500d34f67e7d320cc4ca46967bac486a934 Mon Sep 17 00:00:00 2001 From: Valere Date: Thu, 4 Jan 2024 13:11:28 +0000 Subject: [PATCH 18/23] DEBUG8 Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index db2d97d21..3affb02e8 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
@@ -154,13 +154,14 @@ jobs: # This is required for Playwright testing - name: Set EnableNodeCliInspectArguments fuse enabled run: $RUN_AS npx @electron/fuses write --app ${{ matrix.fuse_executable || matrix.executable }} EnableNodeCliInspectArguments=on + shell: bash env: # We need sudo on Linux as it is installed in /opt/ RUN_AS: ${{ runner.os == 'Linux' && 'sudo' || '' }} # TODO remove me - name: DEBUG - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: always() with: path: ${{ matrix.fuse_executable || matrix.executable }} From c88431657e428a696d6053087e6c6e301a0130dc Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 14:26:11 +0000 Subject: [PATCH 19/23] Try without `~` Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 3affb02e8..673394b2c 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -106,7 +106,7 @@ jobs: - name: macOS Universal os: macos artifact: macos - executable: "~/Applications/Element.app/Contents/MacOS/Element" + executable: "/Users/runner/Applications/Element.app/Contents/MacOS/Element" fuse_executable: "~/Applications/Element.app" prepare_cmd: | hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element && From 8d2d4334005cf29b29d06165fe65be6d6fa77423 Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 15:09:09 +0000 Subject: [PATCH 20/23] Remove debug Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 673394b2c..bd20c601f 100644 --- a/.github/workflows/build_and_test.yaml 
+++ b/.github/workflows/build_and_test.yaml @@ -107,7 +107,6 @@ jobs: os: macos artifact: macos executable: "/Users/runner/Applications/Element.app/Contents/MacOS/Element" - fuse_executable: "~/Applications/Element.app" prepare_cmd: | hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element && rsync -a /Volumes/Element/Element.app ~/Applications/ && @@ -153,28 +152,12 @@ jobs: # This is required for Playwright testing - name: Set EnableNodeCliInspectArguments fuse enabled - run: $RUN_AS npx @electron/fuses write --app ${{ matrix.fuse_executable || matrix.executable }} EnableNodeCliInspectArguments=on + run: $RUN_AS npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on shell: bash env: # We need sudo on Linux as it is installed in /opt/ RUN_AS: ${{ runner.os == 'Linux' && 'sudo' || '' }} - # TODO remove me - - name: DEBUG - uses: actions/upload-artifact@v4 - if: always() - with: - path: ${{ matrix.fuse_executable || matrix.executable }} - name: ${{ matrix.artifact }}-executable - retention-days: 1 - - name: DEBUG2 - if: always() - continue-on-error: true - run: | - ls -lah ${{ matrix.fuse_executable || matrix.executable }} - ls -lah ${{ matrix.fuse_executable || matrix.executable }}/* - tree ${{ matrix.fuse_executable || matrix.executable }} - - name: Run tests uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1 timeout-minutes: 5 From a4adf02a38eca930c24d3de9fd005ca5cd7c695c Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Thu, 4 Jan 2024 16:44:25 +0000 Subject: [PATCH 21/23] Remove ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- electron-builder.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/electron-builder.js b/electron-builder.js index c2d226860..644d7c30f 100644 --- a/electron-builder.js +++ b/electron-builder.js 
@@ -69,9 +69,7 @@ const config = { [FuseV1Options.RunAsNode]: false, [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, - - // This is required for Playwright tests - [FuseV1Options.EnableNodeCliInspectArguments]: !!process.env.ED_ENABLE_NODE_CLI_INSPECT_ARGUMENTS, + [FuseV1Options.EnableNodeCliInspectArguments]: false, // Mac app crashes when enabled for us on arm, might be fine for you [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false, From a3a7e852cde65b49535ebc0edeb36f397081989d Mon Sep 17 00:00:00 2001 From: Michael Telatynski <7t3chguy@gmail.com> Date: Fri, 5 Jan 2024 09:27:06 +0000 Subject: [PATCH 22/23] Iterate Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --- .github/workflows/build_and_test.yaml | 4 +++- .github/workflows/build_macos.yaml | 8 ++++---- electron-builder.js | 18 ++++++------------ 3 files changed, 13 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index bd20c601f..8af5b6555 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -107,6 +107,8 @@ jobs: os: macos artifact: macos executable: "/Users/runner/Applications/Element.app/Contents/MacOS/Element" + # We need to mount the DMG and copy the app to the Applications folder as a mounted DMG is + # read-only and thus would not allow us to override the fuses as is required for Playwright. prepare_cmd: | hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element && rsync -a /Volumes/Element/Element.app ~/Applications/ && @@ -150,7 +152,7 @@ jobs: run: ${{ matrix.prepare_cmd }} if: matrix.prepare_cmd - # This is required for Playwright testing + # Playwright requires this fuse to be enabled to test Electron apps - name: Set EnableNodeCliInspectArguments fuse enabled run: $RUN_AS npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on shell: bash 
diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml index c795e6ef7..449591fc1 100644 --- a/.github/workflows/build_macos.yaml +++ b/.github/workflows/build_macos.yaml @@ -92,10 +92,10 @@ jobs: - name: Check app was signed & notarised successfully if: inputs.sign != '' run: | - hdiutil attach dist/*.dmg - codesign -dv --verbose=4 /Volumes/Element*/*.app - spctl -a -vvv -t install /Volumes/Element*/*.app - hdiutil detach /Volumes/Element* + hdiutil attach dist/*.dmg -mountpoint /Volumes/Element + codesign -dv --verbose=4 /Volumes/Element/*.app + spctl -a -vvv -t install /Volumes/Element/*.app + hdiutil detach /Volumes/Element - name: "[Unsigned] Build App" if: inputs.sign == '' diff --git a/electron-builder.js b/electron-builder.js index 644d7c30f..7b4fb6e39 100644 --- a/electron-builder.js +++ b/electron-builder.js @@ -28,8 +28,6 @@ const NIGHTLY_DEB_NAME = "element-nightly"; const pkg = JSON.parse(fs.readFileSync("package.json", "utf8")); -let buildMacOsUniversal = false; - /** * @type {import('electron-builder').Configuration} * @see https://www.electron.build/configuration/configuration 
@@ -37,18 +35,14 @@ let buildMacOsUniversal = false; const config = { appId: "im.riot.app", asarUnpack: "**/*.node", - beforePack: async (context) => { - if (context.electronPlatformName === "darwin" && context.arch === Arch.universal) { - buildMacOsUniversal = true; - } - }, afterPack: async (context) => { - if (context.electronPlatformName !== "darwin" || context.arch === Arch.universal || !buildMacOsUniversal) { - // Burn in electron fuses, for macOS if we are building a universal package we only need to burn fuses there + if (context.electronPlatformName !== "darwin" || context.arch === Arch.universal) { + // Burn in electron fuses for proactive security hardening. + // On macOS, we only do this for the universal package, as the constituent arm64 and amd64 packages are embedded within. const ext = { darwin: ".app", win32: ".exe", - linux: [""], + linux: "", }[context.electronPlatformName]; let executableName = context.packager.appInfo.productFilename; @@ -58,7 +52,7 @@ const config = { } const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`); - console.log("Flipping fuses for: ", electronBinaryPath); + console.log(`Flipping fuses for: ${electronBinaryPath}`); await flipFuses(electronBinaryPath, { version: FuseVersion.V1, @@ -71,7 +65,7 @@ const config = { [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, [FuseV1Options.EnableNodeCliInspectArguments]: false, - // Mac app crashes when enabled for us on arm, might be fine for you + // Mac app crashes on arm for us when `LoadBrowserProcessSpecificV8Snapshot` is enabled [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false, // https://github.com/electron/fuses/issues/7 [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false, From dc69932a9ab32b66e8c2d3d670b00da3c5b7856f Mon Sep 17 00:00:00 2001 
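Review bot: With the `buildMacOsUniversal` flag removed, the guard `context.electronPlatformName !== "darwin" || context.arch === Arch.universal` in `afterPack` (hunk `@@ -37,18 +35,14 @@`) skips `flipFuses` for every macOS build that is not universal. The old condition still flipped them whenever `beforePack` had not seen a universal build. The macOS workflow in this series builds with `yarn build:universal`, so CI may never hit this, but a single-architecture macOS package built from this config would ship with none of the fuses set and nothing in the log to show it. Either keep a way to tell the two cases apart or make the skip visible with an `else` branch such as `console.warn("Not flipping fuses for non-universal macOS arch", context.arch);`. The `if` block and `afterPack` both close outside this hunk, so the `else` would go after lines not shown here.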
From: Michael Telatynski <7t3chguy@gmail.com> Date: Fri, 5 Jan 2024 16:48:09 +0000 Subject: [PATCH 23/23] Update .github/workflows/build_and_test.yaml Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com> --- .github/workflows/build_and_test.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 8af5b6555..14662d716 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml @@ -152,7 +152,8 @@ jobs: run: ${{ matrix.prepare_cmd }} if: matrix.prepare_cmd - # Playwright requires this fuse to be enabled to test Electron apps + # We previously disabled the `EnableNodeCliInspectArguments` fuse, but Playwright requires + # it to to be enabled to test Electron apps, so turn it back on. - name: Set EnableNodeCliInspectArguments fuse enabled run: $RUN_AS npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on shell: bash