-rw-r--r-- | .electron-builder.config.js | 66 | ||||
-rw-r--r-- | package.json | 3 |
2 files changed, 42 insertions, 27 deletions
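--- a/.electron-builder.config.js
+++ b/.electron-builder.config.js
@@ -20,34 +20,48 @@ const config = {
 'packages/service-inject/dist/**',
 'packages/service-preload/dist/**',
 ],
-/**
-* @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
-* @return {Promise<void>} The promise to flip the fuses.
-* @see https://github.com/electron-userland/electron-builder/issues/6365
-*/
 afterPack(context) {
-/** @type {string} */
-const ext = {
-darwin: '.app',
-win32: '.exe',
-}[context.electronPlatformName] || '';
-const electronBinaryPath = join(
-context.appOutDir,
-`${context.packager.appInfo.productFilename}${ext}`
-);
-/** @type {import('@electron/fuses').FuseConfig<boolean>} */
-const fuseConfig = {
-version: FuseVersion.V1,
-resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
-[FuseV1Options.RunAsNode]: false,
-[FuseV1Options.EnableCookieEncryption]: true,
-[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
-[FuseV1Options.EnableNodeCliInspectArguments]: false,
-[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
-[FuseV1Options.OnlyLoadAppFromAsar]: true,
-};
-return flipFuses(electronBinaryPath, fuseConfig);
+return burnFuses(context);
 },
 };
 
+/**
+* Hardens the shipped electron binary by burning some electron fuses.
+*
+* Enabled chromium cookie encryption and disables options that could be
+* used to execute arbitrary code in the main process to circumvent cookie encryption:
+* - Running the application as a plain node process is disabled.
+* - Setting options through the `NODE_OPTIONS` environment variable is disabled.
+* - Attaching a debugger through the `--inspect` family of options is disabled.
+* - Embedded ASAR integrity validation is enabled.
+* - Will onload load the application from the ASAR archive.
+*
+* @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
+* @return {Promise<void>} The promise to flip the fuses.
+* @see https://github.com/electron/fuses
+*/
+async function burnFuses(context) {
+/** @type {string} */
+const ext = {
+darwin: '.app',
+win32: '.exe',
+}[context.electronPlatformName] || '';
+const electronBinaryPath = join(
+context.appOutDir,
+`${context.packager.appInfo.productFilename}${ext}`
+);
+/** @type {import('@electron/fuses').FuseConfig<boolean>} */
+const fuseConfig = {
+version: FuseVersion.V1,
+resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
+[FuseV1Options.RunAsNode]: false,
+[FuseV1Options.EnableCookieEncryption]: true,
+[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+[FuseV1Options.EnableNodeCliInspectArguments]: false,
+[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
+[FuseV1Options.OnlyLoadAppFromAsar]: true,
+};
+return flipFuses(electronBinaryPath, fuseConfig);
+}
+
 module.exports = config;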
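Review bot: The new `burnFuses` JSDoc misstates the hardening it documents in two places: `Enabled chromium cookie encryption and disables` should read `Enables chromium cookie encryption and disables`, and `Will onload load the application from the ASAR archive` should read `Will only load the application from the ASAR archive`. Beyond wording, `OnlyLoadAppFromAsar` and `EnableEmbeddedAsarIntegrityValidation` only hold if electron-builder actually packs the app into an ASAR and emits the integrity data; this hunk does not show the config's `asar` setting, so a why-comment above `fuseConfig` such as `// Both ASAR fuses assume asar packaging stays enabled (electron-builder default); OnlyLoadAppFromAsar would otherwise prevent startup` would protect the next maintainer from a silently broken build. The `|| ''` fallback for `ext` behaves correctly here, but `?? ''` states the intent (no extension on linux) more precisely. The whole of `burnFuses` is within the hunk.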
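--- a/package.json
+++ b/package.json
@@ -20,7 +20,8 @@
 "test": "yarn pretest && yarn workspaces foreach -vpt run test",
 "build": "yarn workspaces foreach -vpt run build",
 "precompile": "cross-env MODE=production yarn run build",
-"compile": "yarn precompile && electron-builder build --config .electron-builder.config.js --dir",
+"compile": "yarn precompile && yarn compile:electron-builder",
+"compile:electron-builder": "electron-builder build --config .electron-builder.config.js --dir",
 "watch": "node scripts/watch.js",
 "typecheck": "yarn workspaces foreach -vpt run typecheck",
 "update-electron-vendors": "node scripts/update-electron-vendors.js",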