Stash

Signed-off-by: Michael Telatynski <[email protected]>
element-hq · Jan 22, 2025 · 460b4cc · 460b4cc
1 parent f17f0a6
commit 460b4cc
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 43 deletions.
diff --git a/electron-builder.ts b/electron-builder.ts
@@ -1,8 +1,6 @@
 import * as os from "os";
 import * as fs from "fs";
-import * as path from "path";
-import { Arch, Configuration as BaseConfiguration, AfterPackContext } from "electron-builder";
-import { flipFuses, FuseVersion, FuseV1Options } from "@electron/fuses";
+import { Configuration as BaseConfiguration } from "electron-builder";
 
 /**
  * This script has different outputs depending on your os platform.
@@ -48,46 +46,26 @@ interface Configuration extends BaseConfiguration {
  * @type {import('electron-builder').Configuration}
  * @see https://www.electron.build/configuration/configuration
  */
-const config: Writable<Configuration> = {
+const config: Omit<Writable<Configuration>, "electronFuses"> & {
+    // Make all fuses required to ensure they are all explicitly specified
+    electronFuses: Required<Configuration["electronFuses"]>;
+} = {
     appId: "im.riot.app",
     asarUnpack: "**/*.node",
-    afterPack: async (context: AfterPackContext) => {
-        if (context.electronPlatformName !== "darwin" || context.arch === Arch.universal) {
-            // Burn in electron fuses for proactive security hardening.
-            // On macOS, we only do this for the universal package, as the constituent arm64 and amd64 packages are embedded within.
-            const ext = (<Record<string, string>>{
-                darwin: ".app",
-                win32: ".exe",
-                linux: "",
-            })[context.electronPlatformName];
-
-            let executableName = context.packager.appInfo.productFilename;
-            if (context.electronPlatformName === "linux") {
-                // Linux uses the package name as the executable name
-                executableName = context.packager.appInfo.name;
-            }
-
-            const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`);
-            console.log(`Flipping fuses for: ${electronBinaryPath}`);
-
-            await flipFuses(electronBinaryPath, {
-                version: FuseVersion.V1,
-                strictlyRequireAllFuses: true,
-                resetAdHocDarwinSignature: context.electronPlatformName === "darwin" && context.arch === Arch.universal,
-
-                [FuseV1Options.EnableCookieEncryption]: true,
-                [FuseV1Options.OnlyLoadAppFromAsar]: true,
-                [FuseV1Options.GrantFileProtocolExtraPrivileges]: true,
-
-                [FuseV1Options.RunAsNode]: false,
-                [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
-                [FuseV1Options.EnableNodeCliInspectArguments]: false,
-
-                // Mac app crashes on arm for us when `LoadBrowserProcessSpecificV8Snapshot` is enabled
-                [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,
-                [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
-            });
-        }
+    electronFuses: {
+        enableCookieEncryption: true,
+        onlyLoadAppFromAsar: true,
+        grantFileProtocolExtraPrivileges: true,
+
+        runAsNode: false,
+        enableNodeOptionsEnvironmentVariable: false,
+        enableNodeCliInspectArguments: false,
+        // We need to reset the signature if we are not signing on darwin otherwise it won't launch
+        resetAdHocDarwinSignature: !process.env.APPLE_TEAM_ID,
+
+        // Mac app crashes on arm for us when `LoadBrowserProcessSpecificV8Snapshot` is enabled
+        loadBrowserProcessSpecificV8Snapshot: false,
+        enableEmbeddedAsarIntegrityValidation: true,
     },
     files: [
         "package.json",
@@ -145,8 +123,10 @@ const config: Writable<Configuration> = {
         darkModeSupport: true,
         hardenedRuntime: true,
         gatekeeperAssess: true,
+        strictVerify: true,
         entitlements: "./build/entitlements.mac.plist",
         icon: "build/icons/icon.icns",
+        mergeASARs: true,
     },
     win: {
         target: ["squirrel", "msi"],

diff --git a/package.json b/package.json
@@ -73,7 +73,6 @@
         "@babel/preset-env": "^7.18.10",
         "@babel/preset-typescript": "^7.18.6",
         "@electron/asar": "3.2.18",
-        "@electron/fuses": "^1.7.0",
         "@mapbox/node-pre-gyp": "^1.0.11",
         "@playwright/test": "1.49.1",
         "@stylistic/eslint-plugin": "^2.9.0",

diff --git a/yarn.lock b/yarn.lock
@@ -1007,7 +1007,7 @@
     glob "^7.1.6"
     minimatch "^3.0.4"
 
-"@electron/fuses@^1.7.0", "@electron/fuses@^1.8.0":
+"@electron/fuses@^1.8.0":
   version "1.8.0"
   resolved "https://registry.yarnpkg.com/@electron/fuses/-/fuses-1.8.0.tgz#ad34d3cc4703b1258b83f6989917052cfc1490a0"
   integrity sha512-zx0EIq78WlY/lBb1uXlziZmDZI4ubcCXIMJ4uGjXzZW0nS19TjSPeXPAjzzTmKQlJUZm0SbmZhPKP7tuQ1SsEw==