bitwarden-browser/apps/desktop/scripts/after-pack.js

/* eslint-disable @typescript-eslint/no-var-requires, no-console */
require("dotenv").config();
const child_process = require("child_process");
const path = require("path");

const fse = require("fs-extra");

exports.default = run;

async function run(context) {
  console.log("## After pack");
  // console.log(context);

  if (context.electronPlatformName === "linux") {
    console.log("Creating memory-protection wrapper script");
    const appOutDir = context.appOutDir;
    const oldBin = path.join(appOutDir, context.packager.executableName);
    const newBin = path.join(appOutDir, "bitwarden-app");
    fse.moveSync(oldBin, newBin);
    console.log("Moved binary to bitwarden-app");

    const wrapperScript = path.join(__dirname, "../resources/memory-dump-wrapper.sh");
    const wrapperBin = path.join(appOutDir, context.packager.executableName);
    fse.copyFileSync(wrapperScript, wrapperBin);
    fse.chmodSync(wrapperBin, "755");
    console.log("Copied memory-protection wrapper script");
  }

  if (["darwin", "mas"].includes(context.electronPlatformName)) {
    const identities = getIdentities(process.env.CSC_NAME ?? "");
    if (identities.length === 0) {
      throw new Error("No valid identities found");
    }
    const id = identities[0].id;

    console.log("Signing proxy binary before the main bundle, using identity", id);

    const appName = context.packager.appInfo.productFilename;
    const appPath = `${context.appOutDir}/${appName}.app`;
    const proxyPath = path.join(appPath, "Contents", "MacOS", "desktop_proxy");

    const packageId = "com.bitwarden.desktop";
    const entitlementsName = "entitlements.desktop_proxy.plist";
    const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);
    child_process.execSync(
      `codesign -s ${id} -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
    );
  }
}

// Partially based on electron-builder code:
// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts
// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/codeSign/macCodeSign.ts

const appleCertificatePrefixes = [
  "Developer ID Application:",
  // "Developer ID Installer:",
  // "3rd Party Mac Developer Application:",
  // "3rd Party Mac Developer Installer:",
  "Apple Development:",
];

function getIdentities(csc_name) {
  const ids = child_process
    .execSync("/usr/bin/security find-identity -v -p codesigning")
    .toString();

  return ids
    .split("\n")
    .filter((line) => {
      for (const prefix of appleCertificatePrefixes) {
        if (line.includes(prefix)) {
          return true;
        }
      }
      return false;
    })
    .filter((line) => line.includes(csc_name))
    .map((line) => {
      const split = line.trim().split(" ");
      const id = split[1];
      const name = split.slice(2).join(" ").replace(/"/g, "");
      return { id, name };
    });
}
[PM-8395] [POC] Introduce wrapper script to prevent renderer coredumps in desktop linux (#9395) * Add wrapper script to protect from coredumps and re-enable process reload * Allow args passthrough and clean up after-pack script 2024-07-24 19:17:11 +02:00			`/* eslint-disable @typescript-eslint/no-var-requires, no-console */`
			`require("dotenv").config();`
[PM-7846] Implement a rust based native messaging proxy and IPC system (#9894) * [PM-7846] Implement a rust based native messaging proxy and IPC system * Only build desktop_proxy * Bundle the desktop_proxy file * Make sys deps optional for the proxy * Restore accidentally deleted after-sign * Update native cache to contain dist folder * Add some test logging * Native module cache seems very aggressive * Fix invalid directory * Fix debug print * Remove cache force * Remove cache debug code * Only log to file in debug builds * Place the binary in the correct place for mac and make sure it's signed * Fix platform paths * Test unsigned appx * Revert "Test unsigned appx" This reverts commit e47535440afa981c7fbe0cad2e09f2a633735b2f. * Fix comment * Remove logs * Use debug builds in native code, and test private path on MacOS * Add connected message * Update IPC API comments * Update linux to also use XDG_ dir * Update main.rs comment * Improve docs and split some tasks spawned into separate functions * Update send docs and return number of elements sent * Mark `listen` as async to ensure it runs in a tokio context, handle errors better * Add log on client channel closed * Move binary to MacOS folder, and sign it manually so it gets the correct entitlements * Fix some review comments * Run prettier * Added missing zbus_polkit dep * Extract magic number and increase it to match spec * Comment fix * Use Napi object, combine nativeBinding export, always log to file * Missed one comment * Remove unnecessary generics * Correct comment * Select only codesigning identities * Filter certificates * Also add local dev cert * Remove log * Fix package ID * debug_assert won't run the pop() in release mode * Better error messages * Fix review comments * Remove unnecessary comment * Update napi generated TS file * Temporary fix for DDG 2024-09-05 12:54:24 +02:00			`const child_process = require("child_process");`
[PM-8395] [POC] Introduce wrapper script to prevent renderer coredumps in desktop linux (#9395) * Add wrapper script to protect from coredumps and re-enable process reload * Allow args passthrough and clean up after-pack script 2024-07-24 19:17:11 +02:00			`const path = require("path");`

			`const fse = require("fs-extra");`

			`exports.default = run;`

			`async function run(context) {`
			`console.log("## After pack");`
[PM-7846] Implement a rust based native messaging proxy and IPC system (#9894) * [PM-7846] Implement a rust based native messaging proxy and IPC system * Only build desktop_proxy * Bundle the desktop_proxy file * Make sys deps optional for the proxy * Restore accidentally deleted after-sign * Update native cache to contain dist folder * Add some test logging * Native module cache seems very aggressive * Fix invalid directory * Fix debug print * Remove cache force * Remove cache debug code * Only log to file in debug builds * Place the binary in the correct place for mac and make sure it's signed * Fix platform paths * Test unsigned appx * Revert "Test unsigned appx" This reverts commit e47535440afa981c7fbe0cad2e09f2a633735b2f. * Fix comment * Remove logs * Use debug builds in native code, and test private path on MacOS * Add connected message * Update IPC API comments * Update linux to also use XDG_ dir * Update main.rs comment * Improve docs and split some tasks spawned into separate functions * Update send docs and return number of elements sent * Mark `listen` as async to ensure it runs in a tokio context, handle errors better * Add log on client channel closed * Move binary to MacOS folder, and sign it manually so it gets the correct entitlements * Fix some review comments * Run prettier * Added missing zbus_polkit dep * Extract magic number and increase it to match spec * Comment fix * Use Napi object, combine nativeBinding export, always log to file * Missed one comment * Remove unnecessary generics * Correct comment * Select only codesigning identities * Filter certificates * Also add local dev cert * Remove log * Fix package ID * debug_assert won't run the pop() in release mode * Better error messages * Fix review comments * Remove unnecessary comment * Update napi generated TS file * Temporary fix for DDG 2024-09-05 12:54:24 +02:00			`// console.log(context);`

[PM-8395] [POC] Introduce wrapper script to prevent renderer coredumps in desktop linux (#9395) * Add wrapper script to protect from coredumps and re-enable process reload * Allow args passthrough and clean up after-pack script 2024-07-24 19:17:11 +02:00			`if (context.electronPlatformName === "linux") {`
			`console.log("Creating memory-protection wrapper script");`
			`const appOutDir = context.appOutDir;`
			`const oldBin = path.join(appOutDir, context.packager.executableName);`
			`const newBin = path.join(appOutDir, "bitwarden-app");`
			`fse.moveSync(oldBin, newBin);`
			`console.log("Moved binary to bitwarden-app");`

			`const wrapperScript = path.join(__dirname, "../resources/memory-dump-wrapper.sh");`
			`const wrapperBin = path.join(appOutDir, context.packager.executableName);`
			`fse.copyFileSync(wrapperScript, wrapperBin);`
			`fse.chmodSync(wrapperBin, "755");`
			`console.log("Copied memory-protection wrapper script");`
			`}`
[PM-7846] Implement a rust based native messaging proxy and IPC system (#9894) * [PM-7846] Implement a rust based native messaging proxy and IPC system * Only build desktop_proxy * Bundle the desktop_proxy file * Make sys deps optional for the proxy * Restore accidentally deleted after-sign * Update native cache to contain dist folder * Add some test logging * Native module cache seems very aggressive * Fix invalid directory * Fix debug print * Remove cache force * Remove cache debug code * Only log to file in debug builds * Place the binary in the correct place for mac and make sure it's signed * Fix platform paths * Test unsigned appx * Revert "Test unsigned appx" This reverts commit e47535440afa981c7fbe0cad2e09f2a633735b2f. * Fix comment * Remove logs * Use debug builds in native code, and test private path on MacOS * Add connected message * Update IPC API comments * Update linux to also use XDG_ dir * Update main.rs comment * Improve docs and split some tasks spawned into separate functions * Update send docs and return number of elements sent * Mark `listen` as async to ensure it runs in a tokio context, handle errors better * Add log on client channel closed * Move binary to MacOS folder, and sign it manually so it gets the correct entitlements * Fix some review comments * Run prettier * Added missing zbus_polkit dep * Extract magic number and increase it to match spec * Comment fix * Use Napi object, combine nativeBinding export, always log to file * Missed one comment * Remove unnecessary generics * Correct comment * Select only codesigning identities * Filter certificates * Also add local dev cert * Remove log * Fix package ID * debug_assert won't run the pop() in release mode * Better error messages * Fix review comments * Remove unnecessary comment * Update napi generated TS file * Temporary fix for DDG 2024-09-05 12:54:24 +02:00
			`if (["darwin", "mas"].includes(context.electronPlatformName)) {`
			`const identities = getIdentities(process.env.CSC_NAME ?? "");`
			`if (identities.length === 0) {`
			`throw new Error("No valid identities found");`
			`}`
			`const id = identities[0].id;`

			`console.log("Signing proxy binary before the main bundle, using identity", id);`

			`const appName = context.packager.appInfo.productFilename;`
			const appPath = `${context.appOutDir}/${appName}.app`;
			`const proxyPath = path.join(appPath, "Contents", "MacOS", "desktop_proxy");`

			`const packageId = "com.bitwarden.desktop";`
			`const entitlementsName = "entitlements.desktop_proxy.plist";`
			`const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);`
			`child_process.execSync(`
			`codesign -s ${id} -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
			`);`
			`}`
			`}`

			`// Partially based on electron-builder code:`
			`// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts`
			`// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/codeSign/macCodeSign.ts`

			`const appleCertificatePrefixes = [`
			`"Developer ID Application:",`
			`// "Developer ID Installer:",`
			`// "3rd Party Mac Developer Application:",`
			`// "3rd Party Mac Developer Installer:",`
			`"Apple Development:",`
			`];`

			`function getIdentities(csc_name) {`
			`const ids = child_process`
			`.execSync("/usr/bin/security find-identity -v -p codesigning")`
			`.toString();`

			`return ids`
			`.split("\n")`
			`.filter((line) => {`
			`for (const prefix of appleCertificatePrefixes) {`
			`if (line.includes(prefix)) {`
			`return true;`
			`}`
			`}`
			`return false;`
			`})`
			`.filter((line) => line.includes(csc_name))`
			`.map((line) => {`
			`const split = line.trim().split(" ");`
			`const id = split[1];`
			`const name = split.slice(2).join(" ").replace(/"/g, "");`
			`return { id, name };`
			`});`
[PM-8395] [POC] Introduce wrapper script to prevent renderer coredumps in desktop linux (#9395) * Add wrapper script to protect from coredumps and re-enable process reload * Allow args passthrough and clean up after-pack script 2024-07-24 19:17:11 +02:00			`}`