1 files changed, 69 insertions, 0 deletions
diff --git a/.electron-builder.config.cjs b/.electron-builder.config.cjs
new file mode 100644
index 0000000..5238c69
--- /dev/null
+++ b/.electron-builder.config.cjs
@@ -0,0 +1,69 @@
+// @ts-check
+const { Arch } = require('electron-builder');
+const { flipFuses, FuseV1Options, FuseVersion } = require('@electron/fuses');
+const { join } = require('path');
+/**
+ * @type {import('electron-builder').Configuration}
+ * @see https://www.electron.build/configuration/configuration
+ */
+const config = {
+  directories: {
+    output: 'dist',
+    buildResources: 'buildResources',
+  },
+  files: [
+    'packages/main/dist/**',
+    'packages/preload/dist/**',
+    'packages/renderer/dist/**',
+    'packages/service-inject/dist/**',
+    'packages/service-preload/dist/**',
+    // Do not ship with source maps.
+    '!**/*.map',
+  ],
+  afterPack(context) {
+    return burnFuses(context);
+  },
+};
+/**
+ * Hardens the shipped electron binary by burning some electron fuses.
+ *
+ * Enabled chromium cookie encryption and disables options that could be
+ * used to execute arbitrary code in the main process to circumvent cookie encryption:
+ * - Running the application as a plain node process is disabled.
+ * - Setting options through the `NODE_OPTIONS` environment variable is disabled.
+ * - Attaching a debugger through the `--inspect` family of options is disabled.
+ * - Embedded ASAR integrity validation is enabled.
+ * - Will onload load the application from the ASAR archive.
+ *
+ * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
+ * @return {Promise<void>} The promise to flip the fuses.
+ * @see https://github.com/electron/fuses
+ */
+async function burnFuses(context) {
+  /** @type {string} */
+  const ext = {
+    darwin: '.app',
+    win32: '.exe',
+  }[context.electronPlatformName] || '';
+  const electronBinaryPath = join(
+    context.appOutDir,
+    `${context.packager.appInfo.productFilename}${ext}`
+  );
+  /** @type {import('@electron/fuses').FuseConfig<boolean>} */
+  const fuseConfig = {
+    version: FuseVersion.V1,
+    resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
+    [FuseV1Options.RunAsNode]: false,
+    [FuseV1Options.EnableCookieEncryption]: true,
+    [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+    [FuseV1Options.EnableNodeCliInspectArguments]: false,
+    [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
+    [FuseV1Options.OnlyLoadAppFromAsar]: true,
+  };
+  return flipFuses(electronBinaryPath, fuseConfig);
+}
+module.exports = config;

diff --git a/.electron-builder.config.cjs b/.electron-builder.config.cjs new file mode 100644 index 0000000..5238c69 --- /dev/null +++ b/.electron-builder.config.cjs
@@ -0,0 +1,69 @@
	1	// @ts-check
	2
	3	const { Arch } = require('electron-builder');
	4	const { flipFuses, FuseV1Options, FuseVersion } = require('@electron/fuses');
	5	const { join } = require('path');
	6
	7	/**
	8	* @type {import('electron-builder').Configuration}
	9	* @see https://www.electron.build/configuration/configuration
	10	*/
	11	const config = {
	12	directories: {
	13	output: 'dist',
	14	buildResources: 'buildResources',
	15	},
	16	files: [
	17	'packages/main/dist/**',
	18	'packages/preload/dist/**',
	19	'packages/renderer/dist/**',
	20	'packages/service-inject/dist/**',
	21	'packages/service-preload/dist/**',
	22	// Do not ship with source maps.
	23	'!*/.map',
	24	],
	25	afterPack(context) {
	26	return burnFuses(context);
	27	},
	28	};
	29
	30	/**
	31	* Hardens the shipped electron binary by burning some electron fuses.
	32	*
	33	* Enabled chromium cookie encryption and disables options that could be
	34	* used to execute arbitrary code in the main process to circumvent cookie encryption:
	35	* - Running the application as a plain node process is disabled.
	36	* - Setting options through the `NODE_OPTIONS` environment variable is disabled.
	37	* - Attaching a debugger through the `--inspect` family of options is disabled.
	38	* - Embedded ASAR integrity validation is enabled.
	39	* - Will onload load the application from the ASAR archive.
	40	*
	41	* @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
	42	* @return {Promise<void>} The promise to flip the fuses.
	43	* @see https://github.com/electron/fuses
	44	*/
	45	async function burnFuses(context) {
	46	/** @type {string} */
	47	const ext = {
	48	darwin: '.app',
	49	win32: '.exe',
	50	}[context.electronPlatformName] \|\| '';
	51	const electronBinaryPath = join(
	52	context.appOutDir,
	53	`${context.packager.appInfo.productFilename}${ext}`
	54	);
	55	/** @type {import('@electron/fuses').FuseConfig<boolean>} */
	56	const fuseConfig = {
	57	version: FuseVersion.V1,
	58	resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
	59	[FuseV1Options.RunAsNode]: false,
	60	[FuseV1Options.EnableCookieEncryption]: true,
	61	[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
	62	[FuseV1Options.EnableNodeCliInspectArguments]: false,
	63	[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
	64	[FuseV1Options.OnlyLoadAppFromAsar]: true,
	65	};
	66	return flipFuses(electronBinaryPath, fuseConfig);
	67	}
	68
	69	module.exports = config;