From 64ebe8a3fcf1118f97b3fffd90ee8dd3c5f9fd7d Mon Sep 17 00:00:00 2001
From: Kristóf Marussy
Date: Tue, 28 Dec 2021 16:14:35 +0100
Subject: build: Refactor electron-builder config
---
 .electron-builder.config.js | 66 +++++++++++++++++++++++++++------------------
 1 file changed, 40 insertions(+), 26 deletions(-)
(limited to '.electron-builder.config.js')
diff --git a/.electron-builder.config.js b/.electron-builder.config.js
index 71f0686..128ae18 100644
--- a/.electron-builder.config.js
+++ b/.electron-builder.config.js
@@ -20,34 +20,48 @@ const config = {
 'packages/service-inject/dist/**',
 'packages/service-preload/dist/**',
 ],
- /**
- * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
- * @return {Promise} The promise to flip the fuses.
- * @see https://github.com/electron-userland/electron-builder/issues/6365
- */
 afterPack(context) {
- /** @type {string} */
- const ext = {
- darwin: '.app',
- win32: '.exe',
- }[context.electronPlatformName] || '';
- const electronBinaryPath = join(
- context.appOutDir,
- `${context.packager.appInfo.productFilename}${ext}`
- );
- /** @type {import('@electron/fuses').FuseConfig} */
- const fuseConfig = {
- version: FuseVersion.V1,
- resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
- [FuseV1Options.RunAsNode]: false,
- [FuseV1Options.EnableCookieEncryption]: true,
- [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
- [FuseV1Options.EnableNodeCliInspectArguments]: false,
- [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
- [FuseV1Options.OnlyLoadAppFromAsar]: true,
- };
- return flipFuses(electronBinaryPath, fuseConfig);
+ return burnFuses(context);
 },
 };
 
+/**
+ * Hardens the shipped electron binary by burning some electron fuses.
+ *
+ * Enabled chromium cookie encryption and disables options that could be
+ * used to execute arbitrary code in the main process to circumvent cookie encryption:
+ * - Running the application as a plain node process is disabled.
+ * - Setting options through the `NODE_OPTIONS` environment variable is disabled.
+ * - Attaching a debugger through the `--inspect` family of options is disabled.
+ * - Embedded ASAR integrity validation is enabled.
+ * - Will onload load the application from the ASAR archive.
+ *
+ * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
+ * @return {Promise} The promise to flip the fuses.
+ * @see https://github.com/electron/fuses
+ */
+async function burnFuses(context) {
+ /** @type {string} */
+ const ext = {
+ darwin: '.app',
+ win32: '.exe',
+ }[context.electronPlatformName] || '';
+ const electronBinaryPath = join(
+ context.appOutDir,
+ `${context.packager.appInfo.productFilename}${ext}`
+ );
+ /** @type {import('@electron/fuses').FuseConfig} */
+ const fuseConfig = {
+ version: FuseVersion.V1,
+ resetAdHocDarwinSignature: context.electronPlatformName === 'darwin' && context.arch === Arch.arm64,
+ [FuseV1Options.RunAsNode]: false,
+ [FuseV1Options.EnableCookieEncryption]: true,
+ [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+ [FuseV1Options.EnableNodeCliInspectArguments]: false,
+ [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
+ [FuseV1Options.OnlyLoadAppFromAsar]: true,
+ };
+ return flipFuses(electronBinaryPath, fuseConfig);
+}
+
 module.exports = config;
-- 
cgit v1.2.3-54-g00ecf
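Review bot: The new doc comment on `burnFuses` is the only record of the hardening intent, and two of its lines misstate it: `Enabled chromium cookie encryption` should read `Enables Chromium cookie encryption`, and `Will onload load the application from the ASAR archive` should read `The application is only loaded from the ASAR archive`. The move also drops `@see https://github.com/electron-userland/electron-builder/issues/6365`, which pointed at the reason the fuses are flipped from `afterPack`; keeping it beside the new `@see https://github.com/electron/fuses` preserves that context. The bullet on embedded ASAR integrity validation reads as unconditional, but the fuse presumably only has an effect on platforms where the bundled Electron version implements the integrity check, so the comment should say which targets it covers. Since `electronBinaryPath` is derived from `productFilename` with an empty `ext` on every platform other than darwin and win32, it is worth confirming against a Linux build that the path matches the packaged binary and that the fuses read back as set on the shipped artifact.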