Diffstat (limited to '.electron-builder.config.cjs')
-rw-r--r-- | .electron-builder.config.cjs | 72 |
1 files changed, 27 insertions, 45 deletions
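--- a/.electron-builder.config.cjs
+++ b/.electron-builder.config.cjs
@@ -1,6 +1,9 @@
+
 const { Arch } = require('electron-builder');
-const { flipFuses, FuseV1Options, FuseVersion } = require('@electron/fuses');
-const { join } = require('path');
+const { FuseV1Options, FuseVersion } = require('@electron/fuses');
+
+const burnFuses = require('./config/burnFuses.cjs');
+const enableWaylandAutoDetection = require('./config/enableWaylandAutoDetection.cjs');
 
 /**
 * @type {import('electron-builder').Configuration}
@@ -15,55 +18,34 @@ const config = {
 'packages/main/dist/**',
 'packages/preload/dist/**',
 'packages/renderer/dist/**',
-'packages/service-inject/dist/**',
 'packages/service-preload/dist/**',
+'locales/**',
 // Do not ship with source maps.
 '!**/*.map',
 ],
 afterPack(context) {
-return burnFuses(context);
+/*
+* Enables chromium cookie encryption and disables options that could be
+* used to execute arbitrary code in the main process to circumvent cookie encryption:
+*/
+return burnFuses(context, {
+version: FuseVersion.V1,
+resetAdHocDarwinSignature:
+context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
+[FuseV1Options.RunAsNode]: false,
+[FuseV1Options.EnableCookieEncryption]: true,
+[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+[FuseV1Options.EnableNodeCliInspectArguments]: false,
+// TODO: Revisit this: IF set to `true` the packaged app doesn't start up on macos (x86)
+[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
+[FuseV1Options.OnlyLoadAppFromAsar]: true,
+});
 },
+async afterSign(context) {
+if (context.electronPlatformName === 'linux') {
+await enableWaylandAutoDetection(context);
+}
+}
 };
 
-/**
-* Hardens the shipped electron binary by burning some electron fuses.
-*
-* Enabled chromium cookie encryption and disables options that could be
-* used to execute arbitrary code in the main process to circumvent cookie encryption:
-* - Running the application as a plain node process is disabled.
-* - Setting options through the `NODE_OPTIONS` environment variable is disabled.
-* - Attaching a debugger through the `--inspect` family of options is disabled.
-* - Will onload load the application from the ASAR archive.
-*
-* @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
-* @return {Promise<void>} The promise to flip the fuses.
-* @see https://github.com/electron/fuses
-*/
-async function burnFuses(context) {
-/** @type {string} */
-const ext =
-{
-darwin: '.app',
-win32: '.exe',
-}[context.electronPlatformName] || '';
-const electronBinaryPath = join(
-context.appOutDir,
-`${context.packager.appInfo.productFilename}${ext}`,
-);
-/** @type {import('@electron/fuses').FuseConfig<boolean>} */
-const fuseConfig = {
-version: FuseVersion.V1,
-resetAdHocDarwinSignature:
-context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
-[FuseV1Options.RunAsNode]: false,
-[FuseV1Options.EnableCookieEncryption]: true,
-[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
-[FuseV1Options.EnableNodeCliInspectArguments]: false,
-// TODO: Revisit this: IF set to 'true' the packaged app doesn't start up on macos (x86)
-[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
-[FuseV1Options.OnlyLoadAppFromAsar]: true,
-};
-return flipFuses(electronBinaryPath, fuseConfig);
-}
-
 module.exports = config;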
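Review bot: `EnableEmbeddedAsarIntegrityValidation` is still set to `false` for every platform and architecture in the `afterPack` fuse options, although the TODO ties the startup failure only to macOS x86. As a result `OnlyLoadAppFromAsar: true` restricts where the app is loaded from without checking that the archive is unmodified. Now that the options are built at the call site with `context` in scope, the exception could be narrowed to the failing target, for example `[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: !(context.electronPlatformName === 'darwin' && context.arch === Arch.x64),`, provided the other targets are confirmed to start with it enabled. Until then the block comment above the call overstates the hardening and should say that archive integrity is not enforced. That comment also still ends in a colon, while the bullet list it introduced was removed with the old JSDoc.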