-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(mac): ElectronAsarIntegrity in electron@15 #6511
feat(mac): ElectronAsarIntegrity in electron@15 #6511
Conversation
🦋 Changeset detectedLatest commit: 4068bd1 The changes in this PR will be included in the next version bump. This PR includes changesets to release 8 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
3f913df
to
7d7bedc
Compare
Sorry about the failing tests, I can't seem to be able to run them locally. Pushed an attempted fix. |
7d7bedc
to
44bc253
Compare
@@ -0,0 +1,5 @@ | |||
--- | |||
"app-builder-lib": minor |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if I made a right decision here. The scheme change below is a breaking change...
const isUnpacked = dirNode.unpacked || (this.unpackPattern != null && this.unpackPattern(file, stat)) | ||
this.fs.addFileNode(file, dirNode, newData == null ? stat.size : Buffer.byteLength(newData), isUnpacked, stat) | ||
const integrity = newData === undefined ? await hashFile(file) : hashFileContents(newData) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This could potentially be optional since it is expensive to generate for the platforms that are not going to use it anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate on this? I personally am in favor of defaulting to more security, i.e. asar integrity, and this will only impact the build-time though. Is this integrity check supposed to be platform-specific?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The integrity check so far only works on macOS. See fuses
if (size > 4294967295) { | ||
throw new Error(`${file}: file size cannot be larger than 4.2GB`) | ||
} | ||
|
||
const node = new Node() | ||
node.size = size | ||
node.integrity = integrity |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since integrity?
is optional, should we first check it before setting it on Node()
?
if (integrity) {
node.integrity = integrity
}
Similar to how node.unpacked
is beneath an if-statement (as opposed to being node.unpacked = unpacked
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack.
@@ -214,7 +214,7 @@ export async function createMacApp(packager: MacPackager, appOutDir: string, asa | |||
} | |||
|
|||
if (asarIntegrity != null) { | |||
appPlist.AsarIntegrity = JSON.stringify(asarIntegrity) | |||
appPlist.ElectronAsarIntegrity = asarIntegrity |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this break anything for electron pre-15?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is no mention of AsarIntegrity
in electron 14-x-y
, 13-x-y
, 12-x-y
, and 11-x-y
so it is safe to say that it wasn't used at all.
Thanks for the feedback! I believe everything is addressed now. |
✔️ Deploy Preview for car-park-attendant-cleat-11576 ready! 🔨 Explore the source changes: ce472cb 🔍 Inspect the deploy log: https://app.netlify.com/sites/car-park-attendant-cleat-11576/deploys/61d5f6ed4818ce0007208974 😎 Browse the preview: https://deploy-preview-6511--car-park-attendant-cleat-11576.netlify.app |
Can you please take a look at the failing unit tests?
It looks like the snapshots just need to be updated to include the new integrity field, this should do the trick: Also, since this schema has a breaking change, I suggest we incorporate this into a v23.0.0-alpha branch that I'm currently working on. Can we retarget this PR to that branch? |
@mmaietta sorry about that. I didn't get a chance to look into it yesterday, and thanks so much for the command to update the snapshots. Pushed the fix! |
FWIW, I couldn't make |
Looks like my fix didn't quite work and the better approach is to delete the |
6a4c827
to
ce472cb
Compare
Alright. Rebased over the alpha branch and hopefully fixed the tests. Thanks for your patience! |
ce472cb
to
4068bd1
Compare
Awesome. Thanks for merging it! |
* Adding INPUTxxx and OUTPUTxxx CHARSETS to makensis Fixes: #4898 #6232 #6259 * Adding additional details to error console logging * Breaking change: Removing Bintray support since it was sunset. Ref: https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/ * fix: force strip path separators for backslashes on Windows * fix: Force authentication for local Mac Squirrel update server * Breaking Change: Fail-fast for signature verification failures. Adding `-LiteralPath` to update file for injected wildcards * Adding changeset and eslint * Fix error: `-OUTPUTCHARSET is disabled for non Win32 platforms.` * feat(mac): ElectronAsarIntegrity in electron@15 (#6511) * feat(mac): ElectronAsarIntegrity in electron@15 See: electron/electron#30667 Fix: #6506 Fix: #6507 * fix(msi): MSI fails to install when deployed machine-wide via GPO (#6514) * fix(msi): MSI fails to install when deployed machine-wide via GPO * Disable advertised shortcuts, since MSIs with advertised Start Menu shortcuts that have a Shortcut Property fails to install when deployed machine-wide via GPO but works fine in all other contexts. This might be a bug in Windows or a misdiagnosis; see #6508 for more details. Closes #6508 * BREAKING CHANGE: Admins using advertisement must apply an MST to re-enable it. See #6508. * Don't set GitHub Releases draft title since it automatically pulls it from tag name. Fixes #3683 * feat(snap): add lzo to Snap compression options (also as new default) (#6201) * feat(msi): add fileAssociation support for MSI target (#6530) * fix(win): iconId sometimes containing invalid characters, and iconId config option being ignored. * fix(msi): change the fallback value for generated MSI Ids to a unique string for the product. * BREAKING CHANGE: remove MSI option `iconId` * fix: stabilizing tests by moving updater tests to its own node to explicitly segment env.___TOKEN integration tests from other standard unit tests * chore: synchronizing docs and schema plus prettier * Adding changset to set as alpha * Updating changeset documentation * feat(msi): support assisted installer for MSI target (#6550) * Add basic support for assisted installer, with UI to choose between per-user and per-machine. Supported config settings: runAfterFinish, perMachine, oneClick. Not supported: license (EULA), allowToChangeInstallationDirectory, etc. Also prevent oneClick's runAfterFinish from executing when installed silently. Co-authored-by: Fedor Indutny <79877362+indutny-signal@users.noreply.github.com> Co-authored-by: Alex Plumley <alex+git@aplum.ca> Co-authored-by: Mike Maietta <mmaietta@outlook.com> Co-authored-by: Omer Akram <om26er@gmail.com> Co-authored-by: Maximilian Federle <max.federle@gmail.com>
Published in |
Awesome. Thanks! |
@@ -2,6 +2,20 @@ import { createFromBuffer } from "chromium-pickle-js" | |||
import { close, open, read, readFile, Stats } from "fs-extra" | |||
import * as path from "path" | |||
|
|||
/** @internal */ | |||
export interface ReadAsarHeader { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mmaietta I don't think this, below, and AsarFilesystem
should be internal. I get following TS errors when importing electron-builder
:
node_modules/app-builder-lib/out/asar/asar.d.ts:1:66 - error TS2304: Cannot find name 'ReadAsarHeader'.
1 export declare function readAsarHeader(archive: string): Promise<ReadAsarHeader>;
~~~~~~~~~~~~~~
node_modules/app-builder-lib/out/asar/asar.d.ts:2:60 - error TS2304: Cannot find name 'AsarFilesystem'.
2 export declare function readAsar(archive: string): Promise<AsarFilesystem>;
~~~~~~~~~~~~~~
node_modules/app-builder-lib/out/asar/integrity.d.ts:2:10 - error TS2305: Module '"./asar"' has no exported member 'NodeIntegrity'.
2 import { NodeIntegrity } from "./asar";
~~~~~~~~~~~~~
[10:10:15 AM] Found 3 errors. Watching for file changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no qualms with making them public. Can you open a PR for it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure thing. Done: #6692 Thank you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
btw, I'm happy to report that we have tested 23.0.1 on our app and both asar integrity and merging ASARs appears to be working great! Thanks!
See: electron/electron#30667
Fix: #6506
Fix: #6507