mirror of
https://github.com/bitwarden/browser
synced 2024-12-22 07:57:01 +01:00
191 lines
7.3 KiB
JavaScript
191 lines
7.3 KiB
JavaScript
/* eslint-disable @typescript-eslint/no-var-requires, no-console */
|
|
require("dotenv").config();
|
|
const child_process = require("child_process");
|
|
const path = require("path");
|
|
|
|
const { flipFuses, FuseVersion, FuseV1Options } = require("@electron/fuses");
|
|
const builder = require("electron-builder");
|
|
const fse = require("fs-extra");
|
|
|
|
exports.default = run;
|
|
|
|
async function run(context) {
|
|
console.log("## After pack");
|
|
// console.log(context);
|
|
|
|
if (context.packager.platform.nodeName !== "darwin" || context.arch === builder.Arch.universal) {
|
|
await addElectronFuses(context);
|
|
}
|
|
|
|
if (context.electronPlatformName === "linux") {
|
|
console.log("Creating memory-protection wrapper script");
|
|
const appOutDir = context.appOutDir;
|
|
const oldBin = path.join(appOutDir, context.packager.executableName);
|
|
const newBin = path.join(appOutDir, "bitwarden-app");
|
|
fse.moveSync(oldBin, newBin);
|
|
console.log("Moved binary to bitwarden-app");
|
|
|
|
const wrapperScript = path.join(__dirname, "../resources/memory-dump-wrapper.sh");
|
|
const wrapperBin = path.join(appOutDir, context.packager.executableName);
|
|
fse.copyFileSync(wrapperScript, wrapperBin);
|
|
fse.chmodSync(wrapperBin, "755");
|
|
console.log("Copied memory-protection wrapper script");
|
|
}
|
|
|
|
if (["darwin", "mas"].includes(context.electronPlatformName)) {
|
|
const is_mas = context.electronPlatformName === "mas";
|
|
const is_mas_dev = context.targets.some((e) => e.name === "mas-dev");
|
|
|
|
let id;
|
|
|
|
// Only use the Bitwarden Identities on CI
|
|
if (process.env.GITHUB_ACTIONS === "true") {
|
|
if (is_mas) {
|
|
id = is_mas_dev
|
|
? "E7C9978F6FBCE0553429185C405E61F5380BE8EB"
|
|
: "3rd Party Mac Developer Application: Bitwarden Inc";
|
|
} else {
|
|
id = "Developer ID Application: 8bit Solutions LLC";
|
|
}
|
|
// Locally, use the first valid code signing identity, unless CSC_NAME is set
|
|
} else if (process.env.CSC_NAME) {
|
|
id = process.env.CSC_NAME;
|
|
} else {
|
|
const identities = getIdentities();
|
|
if (identities.length === 0) {
|
|
throw new Error("No valid identities found");
|
|
}
|
|
id = identities[0].id;
|
|
}
|
|
|
|
console.log(
|
|
`Signing proxy binary before the main bundle, using identity '${id}', for build ${context.electronPlatformName}`,
|
|
);
|
|
|
|
const appName = context.packager.appInfo.productFilename;
|
|
const appPath = `${context.appOutDir}/${appName}.app`;
|
|
const proxyPath = path.join(appPath, "Contents", "MacOS", "desktop_proxy");
|
|
const inheritProxyPath = path.join(appPath, "Contents", "MacOS", "desktop_proxy.inherit");
|
|
|
|
const packageId = "com.bitwarden.desktop";
|
|
|
|
if (is_mas) {
|
|
const entitlementsName = "entitlements.desktop_proxy.plist";
|
|
const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);
|
|
child_process.execSync(
|
|
`codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
|
|
);
|
|
|
|
const inheritEntitlementsName = "entitlements.desktop_proxy.inherit.plist";
|
|
const inheritEntitlementsPath = path.join(
|
|
__dirname,
|
|
"..",
|
|
"resources",
|
|
inheritEntitlementsName,
|
|
);
|
|
child_process.execSync(
|
|
`codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${inheritEntitlementsPath} ${inheritProxyPath}`,
|
|
);
|
|
} else {
|
|
// For non-Appstore builds, we don't need the inherit binary as they are not sandboxed,
|
|
// but we sign and include it anyway for consistency. It should be removed once DDG supports the proxy directly.
|
|
const entitlementsName = "entitlements.mac.plist";
|
|
const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);
|
|
child_process.execSync(
|
|
`codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
|
|
);
|
|
child_process.execSync(
|
|
`codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${inheritProxyPath}`,
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
// Partially based on electron-builder code:
|
|
// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts
|
|
// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/codeSign/macCodeSign.ts
|
|
|
|
const appleCertificatePrefixes = [
|
|
"Developer ID Application:",
|
|
// "Developer ID Installer:",
|
|
// "3rd Party Mac Developer Application:",
|
|
// "3rd Party Mac Developer Installer:",
|
|
"Apple Development:",
|
|
];
|
|
|
|
function getIdentities() {
|
|
const ids = child_process
|
|
.execSync("/usr/bin/security find-identity -v -p codesigning")
|
|
.toString();
|
|
|
|
return ids
|
|
.split("\n")
|
|
.filter((line) => {
|
|
for (const prefix of appleCertificatePrefixes) {
|
|
if (line.includes(prefix)) {
|
|
return true;
|
|
}
|
|
}
|
|
return false;
|
|
})
|
|
.map((line) => {
|
|
const split = line.trim().split(" ");
|
|
const id = split[1];
|
|
const name = split.slice(2).join(" ").replace(/"/g, "");
|
|
return { id, name };
|
|
});
|
|
}
|
|
|
|
/**
|
|
* @param {import("electron-builder").AfterPackContext} context
|
|
*/
|
|
async function addElectronFuses(context) {
|
|
const platform = context.packager.platform.nodeName;
|
|
|
|
const ext = {
|
|
darwin: ".app",
|
|
win32: ".exe",
|
|
linux: "",
|
|
}[platform];
|
|
|
|
const IS_LINUX = platform === "linux";
|
|
const executableName = IS_LINUX
|
|
? context.packager.appInfo.productFilename.toLowerCase().replace("-dev", "").replace(" ", "-")
|
|
: context.packager.appInfo.productFilename; // .toLowerCase() to accomodate Linux file named `name` but productFileName is `Name` -- Replaces '-dev' because on Linux the executable name is `name` even for the DEV builds
|
|
|
|
const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`);
|
|
|
|
console.log("## Adding fuses to the electron binary", electronBinaryPath);
|
|
|
|
await flipFuses(electronBinaryPath, {
|
|
version: FuseVersion.V1,
|
|
strictlyRequireAllFuses: true,
|
|
resetAdHocDarwinSignature: platform === "darwin" && context.arch === builder.Arch.universal,
|
|
|
|
// List of fuses and their default values is available at:
|
|
// https://www.electronjs.org/docs/latest/tutorial/fuses
|
|
|
|
[FuseV1Options.RunAsNode]: false,
|
|
[FuseV1Options.EnableCookieEncryption]: true,
|
|
[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
|
|
[FuseV1Options.EnableNodeCliInspectArguments]: false,
|
|
|
|
// Currently, asar integrity is only implemented for macOS and Windows
|
|
// https://www.electronjs.org/docs/latest/tutorial/asar-integrity
|
|
// On macOS, it works by default, but on Windows it requires the
|
|
// asarIntegrity feature of electron-builder v25, currently in alpha
|
|
// https://github.com/electron-userland/electron-builder/releases/tag/v25.0.0-alpha.10
|
|
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: platform === "darwin",
|
|
|
|
[FuseV1Options.OnlyLoadAppFromAsar]: true,
|
|
|
|
// App refuses to open when enabled
|
|
[FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,
|
|
|
|
// To disable this, we should stop using the file:// protocol to load the app bundle
|
|
// This can be done by defining a custom app:// protocol and loading the bundle from there,
|
|
// but then any requests to the server will be blocked by CORS policy
|
|
[FuseV1Options.GrantFileProtocolExtraPrivileges]: true,
|
|
});
|
|
}
|