Matrix/element-desktop
Matrix/element-desktop
1
0
Fork 0
mirror of https://github.com/vector-im/element-desktop.git synced 2024-07-04 05:23:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Burn Node-related Electron fuses as a proactive hardening measure (#1412)

Browse source 
Co-authored-by: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Co-authored-by: Valere <valeref@matrix.org>
This commit is contained in:
Michael Telatynski 2024-01-09 15:56:04 +00:00 committed by GitHub
parent 69da4935b9
commit b479798f42
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 76 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
.github/workflows/build_and_test.yaml vendored
View file

@ -106,17 +106,22 @@ jobs:
- name: macOS Universal
os: macos
artifact: macos
executable: "/Volumes/Element/Element.app/Contents/MacOS/Element"
prepare_cmd: "hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element"
executable: "/Users/runner/Applications/Element.app/Contents/MacOS/Element"
# We need to mount the DMG and copy the app to the Applications folder as a mounted DMG is
# read-only and thus would not allow us to override the fuses as is required for Playwright.
prepare_cmd: |
hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element &&
rsync -a /Volumes/Element/Element.app ~/Applications/ &&
hdiutil detach /Volumes/Element
- name: "Linux (amd64) (sqlcipher: system)"
os: ubuntu
artifact: linux-amd64-sqlcipher-system
executable: "element-desktop"
executable: "/opt/Element/element-desktop"
prepare_cmd: "sudo apt install ./dist/*.deb"
- name: "Linux (amd64) (sqlcipher: static)"
os: ubuntu
artifact: linux-amd64-sqlcipher-static
executable: "element-desktop"
executable: "/opt/Element/element-desktop"
prepare_cmd: "sudo apt install ./dist/*.deb"
- name: Windows (x86)
os: windows
@ -147,6 +152,15 @@ jobs:
run: ${{ matrix.prepare_cmd }}
if: matrix.prepare_cmd
# We previously disabled the `EnableNodeCliInspectArguments` fuse, but Playwright requires
# it to to be enabled to test Electron apps, so turn it back on.
- name: Set EnableNodeCliInspectArguments fuse enabled
run: $RUN_AS npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on
shell: bash
env:
# We need sudo on Linux as it is installed in /opt/
RUN_AS: ${{ runner.os == 'Linux' && 'sudo' || '' }}
- name: Run tests
uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1
timeout-minutes: 5

8
.github/workflows/build_macos.yaml vendored
View file

@ -88,10 +88,10 @@ jobs:
- name: Check app was signed & notarised successfully
if: inputs.sign != ''
run: |
hdiutil attach dist/*.dmg
codesign -dv --verbose=4 /Volumes/Element*/*.app
spctl -a -vvv -t install /Volumes/Element*/*.app
hdiutil detach /Volumes/Element*
hdiutil attach dist/*.dmg -mountpoint /Volumes/Element
codesign -dv --verbose=4 /Volumes/Element/*.app
spctl -a -vvv -t install /Volumes/Element/*.app
hdiutil detach /Volumes/Element
- name: "[Unsigned] Build App"
if: inputs.sign == ''

43
electron-builder.js
View file

@ -1,5 +1,8 @@
const os = require("os");
const fs = require("fs");
const path = require("path");
const Arch = require("electron-builder").Arch;
const { flipFuses, FuseVersion, FuseV1Options } = require("@electron/fuses");
// Typescript conversion blocked on https://github.com/electron-userland/electron-builder/issues/7775
@ -21,7 +24,6 @@ const fs = require("fs");
*/
const NIGHTLY_APP_ID = "im.riot.nightly";
const NIGHTLY_APP_NAME = "element-desktop-nightly";
const NIGHTLY_DEB_NAME = "element-nightly";
const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
@ -33,6 +35,43 @@ const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
const config = {
appId: "im.riot.app",
asarUnpack: "**/*.node",
afterPack: async (context) => {
if (context.electronPlatformName !== "darwin" || context.arch === Arch.universal) {
// Burn in electron fuses for proactive security hardening.
// On macOS, we only do this for the universal package, as the constituent arm64 and amd64 packages are embedded within.
const ext = {
darwin: ".app",
win32: ".exe",
linux: "",
}[context.electronPlatformName];
let executableName = context.packager.appInfo.productFilename;
if (context.electronPlatformName === "linux") {
// Linux uses the package name as the executable name
executableName = context.packager.appInfo.name;
}
const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`);
console.log(`Flipping fuses for: ${electronBinaryPath}`);
await flipFuses(electronBinaryPath, {
version: FuseVersion.V1,
resetAdHocDarwinSignature: context.electronPlatformName === "darwin" && context.arch === Arch.universal,
[FuseV1Options.EnableCookieEncryption]: true,
[FuseV1Options.OnlyLoadAppFromAsar]: true,
[FuseV1Options.RunAsNode]: false,
[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
[FuseV1Options.EnableNodeCliInspectArguments]: false,
// Mac app crashes on arm for us when `LoadBrowserProcessSpecificV8Snapshot` is enabled
[FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,
// https://github.com/electron/fuses/issues/7
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
});
}
},
files: [
"package.json",
{
@ -137,7 +176,7 @@ if (process.env.ED_NIGHTLY) {
config.appId = NIGHTLY_APP_ID;
config.extraMetadata.productName += " Nightly";
config.extraMetadata.name = NIGHTLY_APP_NAME;
config.extraMetadata.name += "-nightly";
config.extraMetadata.description += " (nightly unstable build)";
config.deb.fpm.push("--name", NIGHTLY_DEB_NAME);

3
package.json
View file

@ -117,7 +117,8 @@
"tar": "^6.1.2",
"ts-jest": "^29.0.0",
"ts-node": "^10.9.1",
"typescript": "5.3.3"
"typescript": "5.3.3",
"@electron/fuses": "^1.7.0"
},
"hakDependencies": {
"matrix-seshat": "^3.0.1",

13
yarn.lock
View file

@ -1148,6 +1148,15 @@
glob "^7.1.6"
minimatch "^3.0.4"
"@electron/fuses@^1.7.0":
version "1.7.0"
resolved "https://registry.yarnpkg.com/@electron/fuses/-/fuses-1.7.0.tgz#0800d5404fffe5683705297990fea089d49811a2"
integrity sha512-mfhLoZGQdqrSU/SeOFBs6r+D7g1tYiVs2C/hh7t3NFQ0chcXGoWrrad17rCQL1ImNJuCXs4cu23YBj5CAnj5SA==
dependencies:
chalk "^4.1.1"
fs-extra "^9.0.1"
minimist "^1.2.5"
"@electron/get@^2.0.0":
version "2.0.3"
resolved "https://registry.yarnpkg.com/@electron/get/-/get-2.0.3.tgz#fba552683d387aebd9f3fcadbcafc8e12ee4f960"
@ -3021,7 +3030,7 @@ chalk@^2.4.2:
escape-string-regexp "^1.0.5"
supports-color "^5.3.0"
chalk@^4.0.0, chalk@^4.0.2, chalk@^4.1.2:
chalk@^4.0.0, chalk@^4.0.2, chalk@^4.1.1, chalk@^4.1.2:
version "4.1.2"
resolved "https://registry.yarnpkg.com/chalk/-/chalk-4.1.2.tgz#aac4e2b7734a740867aeb16bf02aad556a1e7a01"
integrity sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==
@ -5761,7 +5770,7 @@ minimatch@^5.0.1, minimatch@^5.1.0, minimatch@^5.1.1:
dependencies:
brace-expansion "^2.0.1"
minimist@^1.2.0, minimist@^1.2.6, minimist@^1.2.8:
minimist@^1.2.0, minimist@^1.2.5, minimist@^1.2.6, minimist@^1.2.8:
version "1.2.8"
resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.8.tgz#c1a464e7693302e082a075cee0c057741ac4772c"
integrity sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==