Fuse electron at build time
This commit is contained in:
Fedor Indutny
GitHub
parent
770c80b9ee
commit
9e9e5274cf
6 changed files with 74 additions and 33 deletions
6
.github/workflows/ci.yml
vendored
6
.github/workflows/ci.yml
vendored
|
|
@ -59,6 +59,8 @@ jobs:
|
|||
- run: yarn generate
|
||||
- run: yarn prepare-beta-build
|
||||
- run: yarn build
|
||||
env:
|
||||
DISABLE_INSPECT_FUSE: on
|
||||
- name: Rebuild native modules for x64
|
||||
run: yarn electron:install-app-deps
|
||||
- run: yarn test-node
|
||||
|
|
@ -94,6 +96,8 @@ jobs:
|
|||
- run: yarn generate
|
||||
- run: yarn prepare-beta-build
|
||||
- run: yarn build
|
||||
env:
|
||||
DISABLE_INSPECT_FUSE: on
|
||||
- run: xvfb-run --auto-servernum yarn test-node
|
||||
- run: xvfb-run --auto-servernum yarn test-electron
|
||||
env:
|
||||
|
|
@ -134,6 +138,8 @@ jobs:
|
|||
- run: type temp.json | findstr /v certificateSubjectName | findstr /v certificateSha1 > package.json
|
||||
- run: yarn prepare-beta-build
|
||||
- run: yarn build
|
||||
env:
|
||||
DISABLE_INSPECT_FUSE: on
|
||||
- run: yarn test-electron
|
||||
- run: yarn test-release
|
||||
env:
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
},
|
||||
"main": "app/main.js",
|
||||
"scripts": {
|
||||
"postinstall": "yarn build:acknowledgments && yarn build:fuses && patch-package && yarn electron:install-app-deps && rimraf node_modules/dtrace-provider",
|
||||
"postinstall": "yarn build:acknowledgments && patch-package && yarn electron:install-app-deps && rimraf node_modules/dtrace-provider",
|
||||
"postuninstall": "yarn build:acknowledgments",
|
||||
"start": "electron .",
|
||||
"generate": "npm-run-all build-protobuf transpile sass get-expire-time copy-and-concat",
|
||||
|
|
@ -58,7 +58,7 @@
|
|||
"dev:sass": "npm run sass-manifest -- --watch",
|
||||
"dev:sass-bridge": "npm run sass-manifest-bridge -- --watch",
|
||||
"storybook:axe": "build-storybook && axe-storybook",
|
||||
"build": "run-s --print-label generate build:typed-scss build:webpack build:fuses:release build:release build:fuses build:zip",
|
||||
"build": "run-s --print-label generate build:typed-scss build:webpack build:release build:zip",
|
||||
"build:acknowledgments": "node scripts/generate-acknowledgments.js",
|
||||
"build:dev": "run-s --print-label generate build:typed-scss build:webpack",
|
||||
"build:typed-scss": "tsm sticker-creator",
|
||||
|
|
@ -69,8 +69,6 @@
|
|||
"build:webpack:heic-worker": "cross-env NODE_ENV=production webpack -c webpack-heic-worker.config.ts",
|
||||
"build:electron": "electron-builder --config.extraMetadata.environment=$SIGNAL_ENV",
|
||||
"build:release": "cross-env SIGNAL_ENV=production yarn build:electron -- --config.directories.output=release",
|
||||
"build:fuses": "node scripts/fuse-electron.js",
|
||||
"build:fuses:release": "node scripts/fuse-electron.js --release",
|
||||
"build:zip": "node ts/scripts/zip-macos-release.js",
|
||||
"preverify:ts": "yarn build:typed-scss",
|
||||
"verify": "run-p --print-label verify:*",
|
||||
|
|
@ -402,7 +400,7 @@
|
|||
]
|
||||
},
|
||||
"beforeBuild": "scripts/install-cross-deps.js",
|
||||
"afterPack": "ts/scripts/merge-macos-asars.js",
|
||||
"afterPack": "ts/scripts/after-pack.js",
|
||||
"asarUnpack": [
|
||||
"ts/workers/heicConverter.bundle.js",
|
||||
"ts/sql/mainWorker.bundle.js",
|
||||
|
|
|
|||
|
|
@ -1,26 +0,0 @@
|
|||
// Copyright 2021 Signal Messenger, LLC
|
||||
// SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses');
|
||||
|
||||
const IS_RELEASE_BUILD = process.argv.some(argv => argv === '--release');
|
||||
|
||||
flipFuses(require('electron'), {
|
||||
version: FuseVersion.V1,
|
||||
// Disables ELECTRON_RUN_AS_NODE
|
||||
[FuseV1Options.RunAsNode]: false,
|
||||
// Enables cookie encryption
|
||||
[FuseV1Options.EnableCookieEncryption]: true,
|
||||
// Disables the NODE_OPTIONS environment variable
|
||||
[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: !IS_RELEASE_BUILD,
|
||||
// Disables the --inspect and --inspect-brk family of CLI options
|
||||
[FuseV1Options.EnableNodeCliInspectArguments]: !IS_RELEASE_BUILD,
|
||||
// Enables validation of the app.asar archive on macOS
|
||||
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
|
||||
// Enforces that Electron will only load your app from "app.asar" instead of
|
||||
// it's normall search paths
|
||||
[FuseV1Options.OnlyLoadAppFromAsar]: IS_RELEASE_BUILD,
|
||||
}).catch(error => {
|
||||
console.error(error.stack);
|
||||
process.exit(1);
|
||||
});
|
||||
|
|
@ -25,5 +25,3 @@ exports.beforeBuild = async () => {
|
|||
// Let electron-builder handle dependencies
|
||||
return true;
|
||||
};
|
||||
|
||||
exports.beforeBuild();
|
||||
|
|
|
|||
11
ts/scripts/after-pack.ts
Normal file
11
ts/scripts/after-pack.ts
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
// Copyright 2021 Signal Messenger, LLC
|
||||
// SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
import type { AfterPackContext } from 'electron-builder';
|
||||
import { afterPack as fuseElectron } from './fuse-electron';
|
||||
import { afterPack as mergeASARs } from './merge-macos-asars';
|
||||
|
||||
export async function afterPack(context: AfterPackContext): Promise<void> {
|
||||
await mergeASARs(context);
|
||||
await fuseElectron(context);
|
||||
}
|
||||
54
ts/scripts/fuse-electron.ts
Normal file
54
ts/scripts/fuse-electron.ts
Normal file
|
|
@ -0,0 +1,54 @@
|
|||
// Copyright 2021 Signal Messenger, LLC
|
||||
// SPDX-License-Identifier: AGPL-3.0-only
|
||||
|
||||
import path from 'path';
|
||||
import { flipFuses, FuseVersion, FuseV1Options } from '@electron/fuses';
|
||||
import type { AfterPackContext } from 'electron-builder';
|
||||
|
||||
export async function afterPack({
|
||||
appOutDir,
|
||||
packager,
|
||||
electronPlatformName,
|
||||
}: AfterPackContext): Promise<void> {
|
||||
const { productFilename } = packager.appInfo;
|
||||
|
||||
let target;
|
||||
if (electronPlatformName === 'darwin') {
|
||||
target = `${productFilename}.app`;
|
||||
} else if (electronPlatformName === 'win32') {
|
||||
target = `${productFilename}.exe`;
|
||||
} else if (electronPlatformName === 'linux') {
|
||||
// Sadly, `LinuxPackager` type is not exported by electron-builder so we
|
||||
// have to improvise
|
||||
target = (packager as unknown as { executableName: string }).executableName;
|
||||
} else {
|
||||
throw new Error(`Unsupported platform: ${electronPlatformName}`);
|
||||
}
|
||||
|
||||
const electron = path.join(appOutDir, target);
|
||||
|
||||
const enableInspectArguments = Boolean(process.env.DISABLE_INSPECT_FUSE);
|
||||
|
||||
console.log(
|
||||
`Fusing electron at ${electron} ` +
|
||||
`inspect-arguments=${enableInspectArguments}`
|
||||
);
|
||||
await flipFuses(electron, {
|
||||
version: FuseVersion.V1,
|
||||
// Disables ELECTRON_RUN_AS_NODE
|
||||
[FuseV1Options.RunAsNode]: false,
|
||||
// Enables cookie encryption
|
||||
[FuseV1Options.EnableCookieEncryption]: true,
|
||||
// Disables the NODE_OPTIONS environment variable
|
||||
[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
|
||||
// Disables the --inspect and --inspect-brk family of CLI options
|
||||
[FuseV1Options.EnableNodeCliInspectArguments]: enableInspectArguments,
|
||||
// Enables validation of the app.asar archive on macOS
|
||||
// See https://github.com/electron-userland/electron-builder/issues/6507
|
||||
// See https://github.com/electron-userland/electron-builder/issues/6506
|
||||
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
|
||||
// Enforces that Electron will only load your app from "app.asar" instead of
|
||||
// it's normall search paths
|
||||
[FuseV1Options.OnlyLoadAppFromAsar]: true,
|
||||
});
|
||||
}
|
||||
Loading…
Reference in a new issue