feat: Fuse the electron binary

Disables some node flags in production and enables cookie encryption.
author: Kristóf Marussy <kristof@marussy.com> 2021-12-25 03:03:30 +0100
committer: Kristóf Marussy <kristof@marussy.com> 2021-12-25 03:06:04 +0100
commit: a85c8af24a7ce6706357964116cae0067b1f2a73 (patch)
tree: 2fe77773df9df6e025b0e521116e0473d767f96b
parent: chore: Bump dependency versions (diff)
download: sophie-a85c8af24a7ce6706357964116cae0067b1f2a73.tar.gz
sophie-a85c8af24a7ce6706357964116cae0067b1f2a73.tar.zst
sophie-a85c8af24a7ce6706357964116cae0067b1f2a73.zip
3 files changed, 47 insertions, 0 deletions
diff --git a/.electron-builder.config.js b/.electron-builder.config.js
index e0f59e7..4ff94d7 100644
--- a/.electron-builder.config.js
+++ b/.electron-builder.config.js
@@ -1,5 +1,9 @@
 // @ts-check
+const { Arch } = require('electron-builder');
+const { flipFuses, FuseV1Options, FuseVersion } = require('@electron/fuses');
+const { join } = require('path');
 if (process.env.VITE_APP_VERSION === undefined) {
  const now = new Date;
  process.env.VITE_APP_VERSION = `${now.getUTCFullYear() - 2000}.${now.getUTCMonth() + 1}.${now.getUTCDate()}-${now.getUTCHours() * 60 + now.getUTCMinutes()}`;
@@ -20,6 +24,34 @@ const config = {
  extraMetadata: {
    version: process.env.VITE_APP_VERSION,
  },
+  /**
+   * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
+   * @return {Promise<void>} The promise to flip the fuses.
+   * @see https://github.com/electron-userland/electron-builder/issues/6365
+   */
+  afterPack(context) {
+    /** @type {string} */
+    const ext = {
+      darwin: '.app',
+      win32: '.exe',
+    }[context.electronPlatformName] || '';
+    const electronBinaryPath = join(
+      context.appOutDir,
+      `${context.packager.appInfo.productFilename}${ext}`
+    );
+    /** @type {import('@electron/fuses').FuseConfig<boolean>} */
+    const fuseConfig = {
+      version: FuseVersion.V1,
+      resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
+      [FuseV1Options.RunAsNode]: false,
+      [FuseV1Options.EnableCookieEncryption]: true,
+      [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+      [FuseV1Options.EnableNodeCliInspectArguments]: false,
+      [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
+      [FuseV1Options.OnlyLoadAppFromAsar]: true,
+    };
+    return flipFuses(electronBinaryPath, fuseConfig);
+  },
 };
 module.exports = config;
diff --git a/package.json b/package.json
index 488c717..8335b57 100644
--- a/package.json
+++ b/package.json
@@ -40,6 +40,7 @@
    "packages/shared"
  ],
  "devDependencies": {
+    "@electron/fuses": "^1.5.0",
    "@typescript-eslint/eslint-plugin": "^5.8.0",
    "@typescript-eslint/parser": "^5.8.0",
    "cross-env": "^7.0.3",
diff --git a/yarn.lock b/yarn.lock
index ff5e499..717f18a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -335,6 +335,19 @@ __metadata:
  languageName: node
  linkType: hard
+"@electron/fuses@npm:^1.5.0":
+  version: 1.5.0
+  resolution: "@electron/fuses@npm:1.5.0"
+  dependencies:
+    chalk: ^4.1.1
+    fs-extra: ^9.0.1
+    minimist: ^1.2.5
+  bin:
+    electron-fuses: dist/bin.js
+  checksum: 2e3106bf18e8e1f5ce7eae18220252fbf85e883f4a3c0457dc81e0e5b00db290a2eecf8a1e9d79518c26471a06d16bb4c754f4945c45c4eb7ea93d73ef1acf59
+  languageName: node
+  linkType: hard
 "@electron/get@npm:^1.13.0":
  version: 1.13.1
  resolution: "@electron/get@npm:1.13.1"
@@ -4957,6 +4970,7 @@ __metadata:
  version: 0.0.0-use.local
  resolution: "sophie@workspace:."
  dependencies:
+    "@electron/fuses": ^1.5.0
    "@typescript-eslint/eslint-plugin": ^5.8.0
    "@typescript-eslint/parser": ^5.8.0
    cross-env: ^7.0.3
author	Kristóf Marussy <kristof@marussy.com>	2021-12-25 03:03:30 +0100
committer	Kristóf Marussy <kristof@marussy.com>	2021-12-25 03:06:04 +0100
commit	a85c8af24a7ce6706357964116cae0067b1f2a73 (patch)
tree	2fe77773df9df6e025b0e521116e0473d767f96b
parent	chore: Bump dependency versions (diff)
download	sophie-a85c8af24a7ce6706357964116cae0067b1f2a73.tar.gz sophie-a85c8af24a7ce6706357964116cae0067b1f2a73.tar.zst sophie-a85c8af24a7ce6706357964116cae0067b1f2a73.zip

diff --git a/.electron-builder.config.js b/.electron-builder.config.js index e0f59e7..4ff94d7 100644 --- a/.electron-builder.config.js +++ b/.electron-builder.config.js
@@ -1,5 +1,9 @@
1	// @ts-check	1	// @ts-check
2		2
		3	const { Arch } = require('electron-builder');
		4	const { flipFuses, FuseV1Options, FuseVersion } = require('@electron/fuses');
		5	const { join } = require('path');
		6
3	if (process.env.VITE_APP_VERSION === undefined) {	7	if (process.env.VITE_APP_VERSION === undefined) {
4	const now = new Date;	8	const now = new Date;
5	process.env.VITE_APP_VERSION = `${now.getUTCFullYear() - 2000}.${now.getUTCMonth() + 1}.${now.getUTCDate()}-${now.getUTCHours() * 60 + now.getUTCMinutes()}`;	9	process.env.VITE_APP_VERSION = `${now.getUTCFullYear() - 2000}.${now.getUTCMonth() + 1}.${now.getUTCDate()}-${now.getUTCHours() * 60 + now.getUTCMinutes()}`;
@@ -20,6 +24,34 @@ const config = {
20	extraMetadata: {	24	extraMetadata: {
21	version: process.env.VITE_APP_VERSION,	25	version: process.env.VITE_APP_VERSION,
22	},	26	},
		27	/**
		28	* @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
		29	* @return {Promise<void>} The promise to flip the fuses.
		30	* @see https://github.com/electron-userland/electron-builder/issues/6365
		31	*/
		32	afterPack(context) {
		33	/** @type {string} */
		34	const ext = {
		35	darwin: '.app',
		36	win32: '.exe',
		37	}[context.electronPlatformName] \|\| '';
		38	const electronBinaryPath = join(
		39	context.appOutDir,
		40	`${context.packager.appInfo.productFilename}${ext}`
		41	);
		42	/** @type {import('@electron/fuses').FuseConfig<boolean>} */
		43	const fuseConfig = {
		44	version: FuseVersion.V1,
		45	resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
		46	[FuseV1Options.RunAsNode]: false,
		47	[FuseV1Options.EnableCookieEncryption]: true,
		48	[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
		49	[FuseV1Options.EnableNodeCliInspectArguments]: false,
		50	[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
		51	[FuseV1Options.OnlyLoadAppFromAsar]: true,
		52	};
		53	return flipFuses(electronBinaryPath, fuseConfig);
		54	},
23	};	55	};
24		56
25	module.exports = config;	57	module.exports = config;


diff --git a/package.json b/package.json index 488c717..8335b57 100644 --- a/package.json +++ b/package.json
@@ -40,6 +40,7 @@
40	"packages/shared"	40	"packages/shared"
41	],	41	],
42	"devDependencies": {	42	"devDependencies": {
		43	"@electron/fuses": "^1.5.0",
43	"@typescript-eslint/eslint-plugin": "^5.8.0",	44	"@typescript-eslint/eslint-plugin": "^5.8.0",
44	"@typescript-eslint/parser": "^5.8.0",	45	"@typescript-eslint/parser": "^5.8.0",
45	"cross-env": "^7.0.3",	46	"cross-env": "^7.0.3",


diff --git a/yarn.lock b/yarn.lock index ff5e499..717f18a 100644 --- a/yarn.lock +++ b/yarn.lock
@@ -335,6 +335,19 @@ __metadata:
335	languageName: node	335	languageName: node
336	linkType: hard	336	linkType: hard
337		337
		338	"@electron/fuses@npm:^1.5.0":
		339	version: 1.5.0
		340	resolution: "@electron/fuses@npm:1.5.0"
		341	dependencies:
		342	chalk: ^4.1.1
		343	fs-extra: ^9.0.1
		344	minimist: ^1.2.5
		345	bin:
		346	electron-fuses: dist/bin.js
		347	checksum: 2e3106bf18e8e1f5ce7eae18220252fbf85e883f4a3c0457dc81e0e5b00db290a2eecf8a1e9d79518c26471a06d16bb4c754f4945c45c4eb7ea93d73ef1acf59
		348	languageName: node
		349	linkType: hard
		350
338	"@electron/get@npm:^1.13.0":	351	"@electron/get@npm:^1.13.0":
339	version: 1.13.1	352	version: 1.13.1
340	resolution: "@electron/get@npm:1.13.1"	353	resolution: "@electron/get@npm:1.13.1"
@@ -4957,6 +4970,7 @@ __metadata:
4957	version: 0.0.0-use.local	4970	version: 0.0.0-use.local
4958	resolution: "sophie@workspace:."	4971	resolution: "sophie@workspace:."
4959	dependencies:	4972	dependencies:
		4973	"@electron/fuses": ^1.5.0
4960	"@typescript-eslint/eslint-plugin": ^5.8.0	4974	"@typescript-eslint/eslint-plugin": ^5.8.0
4961	"@typescript-eslint/parser": ^5.8.0	4975	"@typescript-eslint/parser": ^5.8.0
4962	cross-env: ^7.0.3	4976	cross-env: ^7.0.3