feat(mac): ElectronAsarIntegrity in electron@15 #6511
Conversation
🦋 Changeset detectedLatest commit: 4068bd1 The changes in this PR will be included in the next version bump. This PR includes changesets to release 8 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
indutny-signal
force-pushed
the
feature/asar-integrity
branch
from
3f913df to
7d7bedc
Compare
|
Sorry about the failing tests, I can't seem to be able to run them locally. Pushed an attempted fix. |
indutny-signal
force-pushed
the
feature/asar-integrity
branch
from
7d7bedc to
44bc253
Compare
| @@ -0,0 +1,5 @@ | |||
| --- | |||
| "app-builder-lib": minor | |||
There was a problem hiding this comment.
Not sure if I made a right decision here. The scheme change below is a breaking change...
| const isUnpacked = dirNode.unpacked || (this.unpackPattern != null && this.unpackPattern(file, stat)) | ||
| this.fs.addFileNode(file, dirNode, newData == null ? stat.size : Buffer.byteLength(newData), isUnpacked, stat) | ||
| const integrity = newData === undefined ? await hashFile(file) : hashFileContents(newData) |
There was a problem hiding this comment.
This could potentially be optional since it is expensive to generate for the platforms that are not going to use it anyway.
There was a problem hiding this comment.
Can you elaborate on this? I personally am in favor of defaulting to more security, i.e. asar integrity, and this will only impact the build-time though. Is this integrity check supposed to be platform-specific?
There was a problem hiding this comment.
The integrity check so far only works on macOS. See fuses
| if (size > 4294967295) { | ||
| throw new Error(`${file}: file size cannot be larger than 4.2GB`) | ||
| } | ||
|
|
||
| const node = new Node() | ||
| node.size = size | ||
| node.integrity = integrity |
There was a problem hiding this comment.
Since integrity? is optional, should we first check it before setting it on Node()?
if (integrity) {
node.integrity = integrity
}
Similar to how node.unpacked is beneath an if-statement (as opposed to being node.unpacked = unpacked)
| @@ -214,7 +214,7 @@ export async function createMacApp(packager: MacPackager, appOutDir: string, asa | |||
| } | |||
|
|
|||
| if (asarIntegrity != null) { | |||
| appPlist.AsarIntegrity = JSON.stringify(asarIntegrity) | |||
| appPlist.ElectronAsarIntegrity = asarIntegrity | |||
There was a problem hiding this comment.
Will this break anything for electron pre-15?
There was a problem hiding this comment.
There is no mention of AsarIntegrity in electron 14-x-y, 13-x-y, 12-x-y, and 11-x-y so it is safe to say that it wasn't used at all.
|
Thanks for the feedback! I believe everything is addressed now. |
|
✔️ Deploy Preview for car-park-attendant-cleat-11576 ready! 🔨 Explore the source changes: ce472cb 🔍 Inspect the deploy log: https://app.netlify.com/sites/car-park-attendant-cleat-11576/deploys/61d5f6ed4818ce0007208974 😎 Browse the preview: https://deploy-preview-6511--car-park-attendant-cleat-11576.netlify.app |
|
Can you please take a look at the failing unit tests? It looks like the snapshots just need to be updated to include the new integrity field, this should do the trick: Also, since this schema has a breaking change, I suggest we incorporate this into a v23.0.0-alpha branch that I'm currently working on. Can we retarget this PR to that branch? |
|
@mmaietta sorry about that. I didn't get a chance to look into it yesterday, and thanks so much for the command to update the snapshots. Pushed the fix! |
|
FWIW, I couldn't make |
|
Looks like my fix didn't quite work and the better approach is to delete the |
indutny-signal
force-pushed
the
feature/asar-integrity
branch
from
6a4c827 to
ce472cb
Compare
|
Alright. Rebased over the alpha branch and hopefully fixed the tests. Thanks for your patience! |
indutny-signal
force-pushed
the
feature/asar-integrity
branch
from
ce472cb to
4068bd1
Compare
|
Awesome. Thanks for merging it! |
* Adding INPUTxxx and OUTPUTxxx CHARSETS to makensis Fixes: #4898 #6232 #6259 * Adding additional details to error console logging * Breaking change: Removing Bintray support since it was sunset. Ref: https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/ * fix: force strip path separators for backslashes on Windows * fix: Force authentication for local Mac Squirrel update server * Breaking Change: Fail-fast for signature verification failures. Adding `-LiteralPath` to update file for injected wildcards * Adding changeset and eslint * Fix error: `-OUTPUTCHARSET is disabled for non Win32 platforms.` * feat(mac): ElectronAsarIntegrity in electron@15 (#6511) * feat(mac): ElectronAsarIntegrity in electron@15 See: electron/electron#30667 Fix: #6506 Fix: #6507 * fix(msi): MSI fails to install when deployed machine-wide via GPO (#6514) * fix(msi): MSI fails to install when deployed machine-wide via GPO * Disable advertised shortcuts, since MSIs with advertised Start Menu shortcuts that have a Shortcut Property fails to install when deployed machine-wide via GPO but works fine in all other contexts. This might be a bug in Windows or a misdiagnosis; see #6508 for more details. Closes #6508 * BREAKING CHANGE: Admins using advertisement must apply an MST to re-enable it. See #6508. * Don't set GitHub Releases draft title since it automatically pulls it from tag name. Fixes #3683 * feat(snap): add lzo to Snap compression options (also as new default) (#6201) * feat(msi): add fileAssociation support for MSI target (#6530) * fix(win): iconId sometimes containing invalid characters, and iconId config option being ignored. * fix(msi): change the fallback value for generated MSI Ids to a unique string for the product. * BREAKING CHANGE: remove MSI option `iconId` * fix: stabilizing tests by moving updater tests to its own node to explicitly segment env.___TOKEN integration tests from other standard unit tests * chore: synchronizing docs and schema plus prettier * Adding changset to set as alpha * Updating changeset documentation * feat(msi): support assisted installer for MSI target (#6550) * Add basic support for assisted installer, with UI to choose between per-user and per-machine. Supported config settings: runAfterFinish, perMachine, oneClick. Not supported: license (EULA), allowToChangeInstallationDirectory, etc. Also prevent oneClick's runAfterFinish from executing when installed silently. Co-authored-by: Fedor Indutny <[email protected]> Co-authored-by: Alex Plumley <[email protected]> Co-authored-by: Mike Maietta <[email protected]> Co-authored-by: Omer Akram <[email protected]> Co-authored-by: Maximilian Federle <[email protected]>
|
Published in |
|
Awesome. Thanks! |
| @@ -2,6 +2,20 @@ import { createFromBuffer } from "chromium-pickle-js" | |||
| import { close, open, read, readFile, Stats } from "fs-extra" | |||
| import * as path from "path" | |||
|
|
|||
| /** @internal */ | |||
| export interface ReadAsarHeader { | |||
There was a problem hiding this comment.
@mmaietta I don't think this, below, and AsarFilesystem should be internal. I get following TS errors when importing electron-builder:
node_modules/app-builder-lib/out/asar/asar.d.ts:1:66 - error TS2304: Cannot find name 'ReadAsarHeader'.
1 export declare function readAsarHeader(archive: string): Promise<ReadAsarHeader>;
~~~~~~~~~~~~~~
node_modules/app-builder-lib/out/asar/asar.d.ts:2:60 - error TS2304: Cannot find name 'AsarFilesystem'.
2 export declare function readAsar(archive: string): Promise<AsarFilesystem>;
~~~~~~~~~~~~~~
node_modules/app-builder-lib/out/asar/integrity.d.ts:2:10 - error TS2305: Module '"./asar"' has no exported member 'NodeIntegrity'.
2 import { NodeIntegrity } from "./asar";
~~~~~~~~~~~~~
[10:10:15 AM] Found 3 errors. Watching for file changes.
There was a problem hiding this comment.
I have no qualms with making them public. Can you open a PR for it?
There was a problem hiding this comment.
Sure thing. Done: #6692 Thank you!
There was a problem hiding this comment.
btw, I'm happy to report that we have tested 23.0.1 on our app and both asar integrity and merging ASARs appears to be working great! Thanks!
See: electron/electron#30667
Fix: #6506
Fix: #6507