build: Refactor electron-builder config

2 files changed, 42 insertions, 27 deletions

diff --git a/.electron-builder.config.js b/.electron-builder.config.js
index 71f0686..128ae18 100644
--- a/.electron-builder.config.js
+++ b/.electron-builder.config.js
@@ -20,34 +20,48 @@ const config = {
     'packages/service-inject/dist/**',
     'packages/service-preload/dist/**',
   ],
-  /**
-   * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
-   * @return {Promise<void>} The promise to flip the fuses.
-   * @see https://github.com/electron-userland/electron-builder/issues/6365
-   */
   afterPack(context) {
-    /** @type {string} */
-    const ext = {
-      darwin: '.app',
-      win32: '.exe',
-    }[context.electronPlatformName] || '';
-    const electronBinaryPath = join(
-      context.appOutDir,
-      `${context.packager.appInfo.productFilename}${ext}`
-    );
-    /** @type {import('@electron/fuses').FuseConfig<boolean>} */
-    const fuseConfig = {
-      version: FuseVersion.V1,
-      resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
-      [FuseV1Options.RunAsNode]: false,
-      [FuseV1Options.EnableCookieEncryption]: true,
-      [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
-      [FuseV1Options.EnableNodeCliInspectArguments]: false,
-      [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
-      [FuseV1Options.OnlyLoadAppFromAsar]: true,
-    };
-    return flipFuses(electronBinaryPath, fuseConfig);
+    return burnFuses(context);
   },
 };
 
+/**
+ * Hardens the shipped electron binary by burning some electron fuses.
+ *
+ * Enabled chromium cookie encryption and disables options that could be
+ * used to execute arbitrary code in the main process to circumvent cookie encryption:
+ * - Running the application as a plain node process is disabled.
+ * - Setting options through the `NODE_OPTIONS` environment variable is disabled.
+ * - Attaching a debugger through the `--inspect` family of options is disabled.
+ * - Embedded ASAR integrity validation is enabled.
+ * - Will onload load the application from the ASAR archive.
+ *
+ * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
+ * @return {Promise<void>} The promise to flip the fuses.
+ * @see https://github.com/electron/fuses
+ */
+async function burnFuses(context) {
+  /** @type {string} */
+  const ext = {
+    darwin: '.app',
+    win32: '.exe',
+  }[context.electronPlatformName] || '';
+  const electronBinaryPath = join(
+    context.appOutDir,
+    `${context.packager.appInfo.productFilename}${ext}`
+  );
+  /** @type {import('@electron/fuses').FuseConfig<boolean>} */
+  const fuseConfig = {
+    version: FuseVersion.V1,
+    resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
+    [FuseV1Options.RunAsNode]: false,
+    [FuseV1Options.EnableCookieEncryption]: true,
+    [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+    [FuseV1Options.EnableNodeCliInspectArguments]: false,
+    [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
+    [FuseV1Options.OnlyLoadAppFromAsar]: true,
+  };
+  return flipFuses(electronBinaryPath, fuseConfig);
+}
+
 module.exports = config;
diff --git a/package.json b/package.json
index 5494b2a..db1a648 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,8 @@
     "test": "yarn pretest && yarn workspaces foreach -vpt run test",
     "build": "yarn workspaces foreach -vpt run build",
     "precompile": "cross-env MODE=production yarn run build",
-    "compile": "yarn precompile && electron-builder build --config .electron-builder.config.js --dir",
+    "compile": "yarn precompile && yarn compile:electron-builder",
+    "compile:electron-builder": "electron-builder build --config .electron-builder.config.js --dir",
     "watch": "node scripts/watch.js",
     "typecheck": "yarn workspaces foreach -vpt run typecheck",
     "update-electron-vendors": "node scripts/update-electron-vendors.js",