// @ts-check
const { Arch } = require('electron-builder');
const { flipFuses, FuseV1Options, FuseVersion } = require('@electron/fuses');
const { join } = require('path');
/**
 * Build configuration consumed by `electron-builder`.
 *
 * @type {import('electron-builder').Configuration}
 * @see https://www.electron.build/configuration/configuration
 */
const config = {
  directories: {
    output: 'dist',
    buildResources: 'buildResources',
  },

  // Only the compiled `dist` output of each package is packaged.
  files: [
    'packages/main/dist/**',
    'packages/preload/dist/**',
    'packages/renderer/dist/**',
    'packages/service-inject/dist/**',
    'packages/service-preload/dist/**',
    // Negated pattern: source maps are kept out of the shipped application.
    '!**/*.map',
  ],

  // electron-builder runs this hook after the app is packed and before it is
  // signed, so the fuses are flipped on the binary that later gets signed.
  afterPack: (context) => burnFuses(context),
};
/**
 * Hardens the packaged Electron binary by flipping a set of Electron fuses.
 *
 * Chromium cookie encryption is switched on, and the options that would let
 * someone run arbitrary code in the main process (and so get around cookie
 * encryption) are switched off:
 * - The application can no longer be run as a plain Node.js process.
 * - The `NODE_OPTIONS` environment variable is no longer honoured.
 * - The `--inspect` family of debugger options is no longer honoured.
 * - Application code is only loaded from the ASAR archive.
 *
 * Embedded ASAR integrity validation is left off (see the TODO in the fuse
 * configuration), so the contents of that archive are not verified.
 *
 * @param {import('electron-builder').AfterPackContext} context The `electron-builder` context.
 * @return {Promise<void>} The promise to flip the fuses.
 * @see https://github.com/electron/fuses
 */
async function burnFuses(context) {
  const platform = context.electronPlatformName;

  // Suffix of the packaged application per platform; any platform not listed
  // here gets no suffix.
  const suffixByPlatform = {
    darwin: '.app',
    win32: '.exe',
  };
  /** @type {string} */
  const suffix = suffixByPlatform[platform] || '';

  // NOTE(review): assumes the packaged executable is named after
  // `productFilename` on every platform; confirm for Linux targets, where
  // electron-builder may use a different executable name.
  const binaryName = `${context.packager.appInfo.productFilename}${suffix}`;
  const electronBinaryPath = join(context.appOutDir, binaryName);

  // Only Apple Silicon macOS builds ask for the ad-hoc signature to be reset.
  const isDarwinArm64 = platform === 'darwin' && context.arch === Arch.arm64;

  /** @type {import('@electron/fuses').FuseConfig<boolean>} */
  const fuseConfig = {
    version: FuseVersion.V1,
    resetAdHocDarwinSignature: isDarwinArm64,
    [FuseV1Options.RunAsNode]: false,
    [FuseV1Options.EnableCookieEncryption]: true,
    [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
    [FuseV1Options.EnableNodeCliInspectArguments]: false,
    // TODO: Revisit this: if set to `true` the packaged app doesn't start up on macOS (x86).
    // While this stays `false`, OnlyLoadAppFromAsar below restricts where the
    // app code is loaded from but does not protect the archive from being
    // modified on disk.
    [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
    [FuseV1Options.OnlyLoadAppFromAsar]: true,
  };

  return flipFuses(electronBinaryPath, fuseConfig);
}
// Expose the build configuration as this module's export.
module.exports = config;