diff options
Diffstat (limited to '.electron-builder.config.cjs')
-rw-r--r-- | .electron-builder.config.cjs | 104 |
1 files changed, 19 insertions, 85 deletions
diff --git a/.electron-builder.config.cjs b/.electron-builder.config.cjs index 3eef91c..4402088 100644 --- a/.electron-builder.config.cjs +++ b/.electron-builder.config.cjs | |||
@@ -1,90 +1,9 @@ | |||
1 | const { readFile, rename, writeFile } = require('node:fs/promises'); | ||
2 | const path = require('node:path'); | ||
3 | 1 | ||
4 | const { Arch } = require('electron-builder'); | 2 | const { Arch } = require('electron-builder'); |
5 | const { flipFuses, FuseV1Options, FuseVersion } = require('@electron/fuses'); | 3 | const { FuseV1Options, FuseVersion } = require('@electron/fuses'); |
6 | 4 | ||
7 | /** | 5 | const burnFuses = require('./config/burnFuses.cjs'); |
8 | * Hardens the shipped electron binary by burning some electron fuses. | 6 | const enableWaylandAutoDetection = require('./config/enableWaylandAutoDetection.cjs'); |
9 | * | ||
10 | * Enabled chromium cookie encryption and disables options that could be | ||
11 | * used to execute arbitrary code in the main process to circumvent cookie encryption: | ||
12 | * - Running the application as a plain node process is disabled. | ||
13 | * - Setting options through the `NODE_OPTIONS` environment variable is disabled. | ||
14 | * - Attaching a debugger through the `--inspect` family of options is disabled. | ||
15 | * - Will onload load the application from the ASAR archive. | ||
16 | * | ||
17 | * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context. | ||
18 | * @return {Promise<void>} The promise to flip the fuses. | ||
19 | * @see https://github.com/electron/fuses | ||
20 | */ | ||
21 | async function burnFuses(context) { | ||
22 | /** @type {string} */ | ||
23 | const ext = | ||
24 | { | ||
25 | darwin: '.app', | ||
26 | win32: '.exe', | ||
27 | }[context.electronPlatformName] || ''; | ||
28 | const electronBinaryPath = path.join( | ||
29 | context.appOutDir, | ||
30 | `${context.packager.appInfo.productFilename}${ext}`, | ||
31 | ); | ||
32 | /** @type {import('@electron/fuses').FuseConfig<boolean>} */ | ||
33 | const fuseConfig = { | ||
34 | version: FuseVersion.V1, | ||
35 | resetAdHocDarwinSignature: | ||
36 | context.electronPlatformName === 'darwin' && context.arch === Arch.arm64, | ||
37 | [FuseV1Options.RunAsNode]: false, | ||
38 | [FuseV1Options.EnableCookieEncryption]: true, | ||
39 | [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, | ||
40 | [FuseV1Options.EnableNodeCliInspectArguments]: false, | ||
41 | // TODO: Revisit this: IF set to 'true' the packaged app doesn't start up on macos (x86) | ||
42 | [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false, | ||
43 | [FuseV1Options.OnlyLoadAppFromAsar]: true, | ||
44 | }; | ||
45 | return flipFuses(electronBinaryPath, fuseConfig); | ||
46 | } | ||
47 | |||
48 | /** | ||
49 | * Adds a wrapper scripts that detects in wayland is in use and enabled it in chromium. | ||
50 | * | ||
51 | * The script in `build-heleprs/detect_wayland.sh` uses the `WAYLAND_DISPLAY` environmental | ||
52 | * variable to detect whether wayland is in use. | ||
53 | * | ||
54 | * If wayland is in use, the script enables the wayland ozone backed for chromium | ||
55 | * and pipewire screen sharing. Otherwise, the x11 ozone backend will be used. | ||
56 | * | ||
57 | * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context. | ||
58 | * @return {Promise<void>} The promise to add the wrapper script. | ||
59 | * @see https://stackoverflow.com/a/45537237 | ||
60 | */ | ||
61 | async function enableWaylandAutoDetection(context) { | ||
62 | const { appOutDir, packager: { appInfo: { productName, productFilename } } } = context; | ||
63 | const electronBinaryPath = path.join(appOutDir, productFilename); | ||
64 | const newFilename = `${productFilename}-bin`; | ||
65 | const newElectronBinaryPath = path.join(appOutDir, newFilename); | ||
66 | await rename(electronBinaryPath, newElectronBinaryPath); | ||
67 | const wrapperScriptPath = path.join(__dirname, 'build-helpers/detect_wayland.sh'); | ||
68 | const wrapperScriptTempate = await readFile(wrapperScriptPath, 'utf8'); | ||
69 | const replacements = new Map([ | ||
70 | ['PRODUCT_NAME', productName], | ||
71 | ['REAL_BINARY_NAME', newFilename], | ||
72 | ]); | ||
73 | const wrapperScript = wrapperScriptTempate.replaceAll( | ||
74 | /\{\{([^}]+)\}\}/g, | ||
75 | (_match, /** @type {string} */ variable) => { | ||
76 | const replacement = replacements.get(variable); | ||
77 | if (replacement === undefined) { | ||
78 | throw new Error(`Unknown variable: ${variable}`); | ||
79 | } | ||
80 | return replacement; | ||
81 | }, | ||
82 | ); | ||
83 | await writeFile(electronBinaryPath, wrapperScript, { | ||
84 | encoding: 'utf8', | ||
85 | mode: 0o755, | ||
86 | }); | ||
87 | } | ||
88 | 7 | ||
89 | /** | 8 | /** |
90 | * @type {import('electron-builder').Configuration} | 9 | * @type {import('electron-builder').Configuration} |
@@ -105,7 +24,22 @@ const config = { | |||
105 | '!**/*.map', | 24 | '!**/*.map', |
106 | ], | 25 | ], |
107 | afterPack(context) { | 26 | afterPack(context) { |
108 | return burnFuses(context); | 27 | /* |
28 | * Enables chromium cookie encryption and disables options that could be | ||
29 | * used to execute arbitrary code in the main process to circumvent cookie encryption: | ||
30 | */ | ||
31 | return burnFuses(context, { | ||
32 | version: FuseVersion.V1, | ||
33 | resetAdHocDarwinSignature: | ||
34 | context.electronPlatformName === 'darwin' && context.arch === Arch.arm64, | ||
35 | [FuseV1Options.RunAsNode]: false, | ||
36 | [FuseV1Options.EnableCookieEncryption]: true, | ||
37 | [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false, | ||
38 | [FuseV1Options.EnableNodeCliInspectArguments]: false, | ||
39 | // TODO: Revisit this: IF set to `true` the packaged app doesn't start up on macos (x86) | ||
40 | [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false, | ||
41 | [FuseV1Options.OnlyLoadAppFromAsar]: true, | ||
42 | }); | ||
109 | }, | 43 | }, |
110 | async afterSign(context) { | 44 | async afterSign(context) { |
111 | if (context.electronPlatformName === 'linux') { | 45 | if (context.electronPlatformName === 'linux') { |