fix(darwin): ensure chrome-sandbox is owned by root

.github/workflows/ci.yml

@@ -10,15 +10,16 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         node-version: [10.x, 12.x, 14.x]
+        os: [macOS-latest, ubuntu-latest]
 
     steps:
-      - name: Install dependencies
-        run: sudo apt-get --yes --quiet install lintian
       - uses: actions/checkout@v2
+      - name: Install dependencies
+        run: ci/install-os-dependencies.sh
       - uses: actions/setup-node@v2
         with:
           node-version: ${{ matrix.node-version }}
@@ -33,6 +34,7 @@ jobs:
           npm install --engine-strict
           npm update
       - name: Fix permission for test fixtures
+        if: runner.os == 'ubuntu-latest'
         run: chmod --recursive g-w test/fixtures
       - name: Test
         run: npm test

ci/install-os-dependencies.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+case "$(uname -s)" in
+  Darwin)
+    brew install dpkg fakeroot
+    ;;
+  Linux)
+    sudo apt-get --yes --quiet install lintian
+    ;;
+esac

package.json

@@ -24,6 +24,11 @@
   "bin": {
     "electron-installer-debian": "src/cli.js"
   },
+  "files": [
+    "bin",
+    "src",
+    "resources"
+  ],
   "scripts": {
     "lint": "eslint .",
     "spec": "nyc mocha",

src/installer.js

@@ -111,7 +111,13 @@ class DebianInstaller extends common.ElectronInstaller {
   async createPackage () {
     this.options.logger(`Creating package at ${this.stagingDir}`)
 
-    const output = await spawn('fakeroot', ['dpkg-deb', '--build', this.stagingDir], this.options.logger)
+    const command = ['--build', this.stagingDir]
+    if (process.platform === 'darwin') {
+      command.unshift('--root-owner-group')
+    }
+    command.unshift('dpkg-deb')
+
+    const output = await spawn('fakeroot', command, this.options.logger)
     this.options.logger(`dpkg-deb output: ${output}`)
   }
 

test/installer.js

@@ -129,47 +129,77 @@ describe('module', function () {
     /^No Description or ProductDescription provided/
   )
 
+  if (process.platform !== 'darwin') {
+    describeInstaller(
+      'with debian scripts and lintian overrides',
+      {
+        src: 'test/fixtures/app-with-asar/',
+        options: {
+          productDescription: 'Just a test.',
+          arch: 'i386',
+          scripts: {
+            preinst: 'test/fixtures/debian-scripts/preinst.sh',
+            postinst: 'test/fixtures/debian-scripts/postinst.sh',
+            prerm: 'test/fixtures/debian-scripts/prerm.sh',
+            postrm: 'test/fixtures/debian-scripts/postrm.sh'
+          },
+          lintianOverrides: [
+            'binary-without-manpage',
+            'changelog-file-missing-in-native-package',
+            'executable-not-elf-or-script'
+          ]
+        }
+      },
+      'passes lintian checks',
+      async outputDir => {
+        await assertASARDebExists(outputDir)
+        try {
+          await spawn('lintian', [path.join(outputDir, 'footest_i386.deb')], {
+            updateErrorCallback: (err) => {
+              if (err.code === 'ENOENT' && err.syscall === 'spawn lintian') {
+                err.message = 'Your system is missing the lintian package'
+              }
+            }
+          })
+        } catch (err) {
+          if (!err.stdout) {
+            throw err
+          }
+          const stdout = err.stdout.toString()
+          const lineCount = stdout.match(/\n/g).length
+          if (lineCount > 1) {
+            throw new Error(`Warnings not overriding:\n${stdout}`)
+          }
+        }
+      }
+    )
+  }
+
   describeInstaller(
-    'with debian scripts and lintian overrides',
+    'correct owner and permissions for chrome-sandbox',
     {
       src: 'test/fixtures/app-with-asar/',
       options: {
-        productDescription: 'Just a test.',
-        arch: 'i386',
-        scripts: {
-          preinst: 'test/fixtures/debian-scripts/preinst.sh',
-          postinst: 'test/fixtures/debian-scripts/postinst.sh',
-          prerm: 'test/fixtures/debian-scripts/prerm.sh',
-          postrm: 'test/fixtures/debian-scripts/postrm.sh'
-        },
-        lintianOverrides: [
-          'binary-without-manpage',
-          'changelog-file-missing-in-native-package',
-          'executable-not-elf-or-script'
-        ]
+        arch: 'i386'
       }
     },
-    'passes lintian checks',
+    'chrome-sandbox is owned by root and has the suid bit',
     async outputDir => {
       await assertASARDebExists(outputDir)
-      try {
-        await spawn('lintian', [path.join(outputDir, 'footest_i386.deb')], {
-          updateErrorCallback: (err) => {
-            if (err.code === 'ENOENT' && err.syscall === 'spawn lintian') {
-              err.message = 'Your system is missing the lintian package'
-            }
-          }
-        })
-      } catch (err) {
-        if (!err.stdout) {
-          throw err
-        }
-        const stdout = err.stdout.toString()
-        const lineCount = stdout.match(/\n/g).length
-        if (lineCount > 1) {
-          throw new Error(`Warnings not overriding:\n${stdout}`)
-        }
+
+      const output = await spawn('dpkg-deb', ['--contents', path.join(outputDir, 'footest_i386.deb')])
+      const entries = output.split('\n').map(line => line.split(/\s+/))
+
+      const chromeSandbox = entries.find(entry => entry[5].endsWith('/chrome-sandbox'))
+      if (chromeSandbox === undefined) {
+        throw new Error('Could not find chrome-sandbox')
       }
+
+      const permissions = chromeSandbox[0]
+      chai.expect(permissions).to.equal('-rwsr-xr-x')
+
+      const owner = chromeSandbox[1]
+      chai.expect(owner).to.equal('root/root')
     }
   )