Burn Node-related Electron fuses as a proactive hardening measure #1412

Merged
merged 24 commits into from
Jan 9, 2024
Changes from 1 commit
4 changes: 3 additions & 1 deletion .github/workflows/build_and_test.yaml
Expand Up @@ -107,6 +107,8 @@ jobs:
os: macos
artifact: macos
executable: "/Users/runner/Applications/Element.app/Contents/MacOS/Element"
# We need to mount the DMG and copy the app to the Applications folder as a mounted DMG is
# read-only and thus would not allow us to override the fuses as is required for Playwright.
prepare_cmd: |
hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element &&
rsync -a /Volumes/Element/Element.app ~/Applications/ &&
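Review bot: the `prepare_cmd` chain attaches the image with `hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element` and copies the bundle out, but nothing in the visible lines detaches the volume afterwards; finish the chain with `hdiutil detach /Volumes/Element` so the image is not left mounted on the runner (the build_macos.yaml hunk in this PR already pairs attach with detach). Separately, rewriting a fuse modifies the main executable and therefore invalidates the bundle's code signature; confirm this job runs against an unsigned build, or re-sign after the fuse write, otherwise a hardened-runtime binary may be refused at launch.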
Expand Down Expand Up @@ -150,7 +152,7 @@ jobs:
run: ${{ matrix.prepare_cmd }}
if: matrix.prepare_cmd

# This is required for Playwright testing
# Playwright requires this fuse to be enabled to test Electron apps
- name: Set EnableNodeCliInspectArguments fuse enabled
run: $RUN_AS npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on
shell: bash
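Review bot: `npx @electron/fuses write --app ... EnableNodeCliInspectArguments=on` resolves whatever version of `@electron/fuses` npm considers latest at run time, so the tool that rewrites the tested binary is unpinned; pin it (`npx @electron/fuses@<version>`, where `<version>` is a placeholder for the release the project already depends on for `flipFuses`) so the step is reproducible and cannot change silently with a new upstream release. The reworded comment is clearer; it could also state that the Playwright artifact therefore differs from the shipped one in exactly this fuse.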
8 changes: 4 additions & 4 deletions .github/workflows/build_macos.yaml
Expand Up @@ -92,10 +92,10 @@ jobs:
- name: Check app was signed & notarised successfully
if: inputs.sign != ''
run: |
hdiutil attach dist/*.dmg
codesign -dv --verbose=4 /Volumes/Element*/*.app
spctl -a -vvv -t install /Volumes/Element*/*.app
hdiutil detach /Volumes/Element*
hdiutil attach dist/*.dmg -mountpoint /Volumes/Element
codesign -dv --verbose=4 /Volumes/Element/*.app
spctl -a -vvv -t install /Volumes/Element/*.app
hdiutil detach /Volumes/Element

- name: "[Unsigned] Build App"
if: inputs.sign == ''
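Review bot: `hdiutil attach dist/*.dmg -mountpoint /Volumes/Element` relies on the glob matching exactly one image; if `dist/` ever contains more than one DMG (per-arch plus universal, for example), `hdiutil` is handed several paths and one mount point and the step fails with an unhelpful error. A short guard before the attach, such as `set -- dist/*.dmg; [ "$#" -eq 1 ]`, makes the assumption explicit. The fixed mount point and the removal of the `Element*` globs from the `codesign`, `spctl` and `detach` lines are an improvement: the checks can no longer silently pick up a stale volume left from an earlier run.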
18 changes: 6 additions & 12 deletions electron-builder.js
Expand Up @@ -28,27 +28,21 @@ const NIGHTLY_DEB_NAME = "element-nightly";

const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));

let buildMacOsUniversal = false;

/**
* @type {import('electron-builder').Configuration}
* @see https://www.electron.build/configuration/configuration
*/
const config = {
appId: "im.riot.app",
asarUnpack: "**/*.node",
beforePack: async (context) => {
if (context.electronPlatformName === "darwin" && context.arch === Arch.universal) {
buildMacOsUniversal = true;
}
},
afterPack: async (context) => {
if (context.electronPlatformName !== "darwin" || context.arch === Arch.universal || !buildMacOsUniversal) {
// Burn in electron fuses, for macOS if we are building a universal package we only need to burn fuses there
if (context.electronPlatformName !== "darwin" || context.arch === Arch.universal) {
// Burn in electron fuses for proactive security hardening.
// On macOS, we only do this for the universal package, as the constituent arm64 and amd64 packages are embedded within.
const ext = {
darwin: ".app",
win32: ".exe",
linux: [""],
linux: "",
}[context.electronPlatformName];

let executableName = context.packager.appInfo.productFilename;
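Review bot: dropping the `!buildMacOsUniversal` term changes what the condition means. Previously a single-arch macOS build still had its fuses flipped whenever no universal build was part of the run; with `context.electronPlatformName !== "darwin" || context.arch === Arch.universal` every non-universal macOS package now skips fuse burning outright. If any macOS artifact is ever produced without the universal step (an arm64-only local or debug build, say), it ships with default fuses and nothing says so. Either document that macOS is always packaged as universal, or log an explicit message in the skipped branch so the gap is visible in build output. The `linux: [""]` to `linux: ""` change is correct; the old array value only worked because the template literal coerced it to an empty string.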
Expand All @@ -58,7 +52,7 @@ const config = {
}

const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`);
console.log("Flipping fuses for: ", electronBinaryPath);
console.log(`Flipping fuses for: ${electronBinaryPath}`);

await flipFuses(electronBinaryPath, {
version: FuseVersion.V1,
Expand All @@ -71,7 +65,7 @@ const config = {
[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
[FuseV1Options.EnableNodeCliInspectArguments]: false,

// Mac app crashes when enabled for us on arm, might be fine for you
// Mac app crashes on arm for us when `LoadBrowserProcessSpecificV8Snapshot` is enabled
[FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,
// https://github.com/electron/fuses/issues/7
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
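Review bot: `EnableEmbeddedAsarIntegrityValidation` stays `false`, so this block closes the Node-side entry points (`NODE_OPTIONS`, the `--inspect` family of CLI flags) but does not detect tampering with `app.asar` itself, and the only justification on that line is a link to electron/fuses#7. Please spell out in the comment what currently blocks enabling it and when it should be revisited, so the exclusion is not carried forward indefinitely. The reworded `LoadBrowserProcessSpecificV8Snapshot` comment is clearer than the old one; linking the tracking issue for that crash, if one exists, would help the same way.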