1
0
mirror of https://github.com/bitwarden/browser.git synced 2024-12-29 17:38:04 +01:00
bitwarden-browser/apps/desktop/scripts/after-pack.js
2024-11-06 17:46:57 +01:00

191 lines
7.3 KiB
JavaScript

/* eslint-disable @typescript-eslint/no-var-requires, no-console */
require("dotenv").config();
const child_process = require("child_process");
const path = require("path");
const { flipFuses, FuseVersion, FuseV1Options } = require("@electron/fuses");
const builder = require("electron-builder");
const fse = require("fs-extra");
exports.default = run;
async function run(context) {
console.log("## After pack");
// console.log(context);
if (context.packager.platform.nodeName !== "darwin" || context.arch === builder.Arch.universal) {
await addElectronFuses(context);
}
if (context.electronPlatformName === "linux") {
console.log("Creating memory-protection wrapper script");
const appOutDir = context.appOutDir;
const oldBin = path.join(appOutDir, context.packager.executableName);
const newBin = path.join(appOutDir, "bitwarden-app");
fse.moveSync(oldBin, newBin);
console.log("Moved binary to bitwarden-app");
const wrapperScript = path.join(__dirname, "../resources/memory-dump-wrapper.sh");
const wrapperBin = path.join(appOutDir, context.packager.executableName);
fse.copyFileSync(wrapperScript, wrapperBin);
fse.chmodSync(wrapperBin, "755");
console.log("Copied memory-protection wrapper script");
}
if (["darwin", "mas"].includes(context.electronPlatformName)) {
const is_mas = context.electronPlatformName === "mas";
const is_mas_dev = context.targets.some((e) => e.name === "mas-dev");
let id;
// Only use the Bitwarden Identities on CI
if (process.env.GITHUB_ACTIONS === "true") {
if (is_mas) {
id = is_mas_dev
? "E7C9978F6FBCE0553429185C405E61F5380BE8EB"
: "3rd Party Mac Developer Application: Bitwarden Inc";
} else {
id = "Developer ID Application: 8bit Solutions LLC";
}
// Locally, use the first valid code signing identity, unless CSC_NAME is set
} else if (process.env.CSC_NAME) {
id = process.env.CSC_NAME;
} else {
const identities = getIdentities();
if (identities.length === 0) {
throw new Error("No valid identities found");
}
id = identities[0].id;
}
console.log(
`Signing proxy binary before the main bundle, using identity '${id}', for build ${context.electronPlatformName}`,
);
const appName = context.packager.appInfo.productFilename;
const appPath = `${context.appOutDir}/${appName}.app`;
const proxyPath = path.join(appPath, "Contents", "MacOS", "desktop_proxy");
const inheritProxyPath = path.join(appPath, "Contents", "MacOS", "desktop_proxy.inherit");
const packageId = "com.bitwarden.desktop";
if (is_mas) {
const entitlementsName = "entitlements.desktop_proxy.plist";
const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);
child_process.execSync(
`codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
);
const inheritEntitlementsName = "entitlements.desktop_proxy.inherit.plist";
const inheritEntitlementsPath = path.join(
__dirname,
"..",
"resources",
inheritEntitlementsName,
);
child_process.execSync(
`codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${inheritEntitlementsPath} ${inheritProxyPath}`,
);
} else {
// For non-Appstore builds, we don't need the inherit binary as they are not sandboxed,
// but we sign and include it anyway for consistency. It should be removed once DDG supports the proxy directly.
const entitlementsName = "entitlements.mac.plist";
const entitlementsPath = path.join(__dirname, "..", "resources", entitlementsName);
child_process.execSync(
`codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${proxyPath}`,
);
child_process.execSync(
`codesign -s '${id}' -i ${packageId} -f --timestamp --options runtime --entitlements ${entitlementsPath} ${inheritProxyPath}`,
);
}
}
}
// Partially based on electron-builder code:
// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/macPackager.ts
// https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/src/codeSign/macCodeSign.ts
const appleCertificatePrefixes = [
"Developer ID Application:",
// "Developer ID Installer:",
// "3rd Party Mac Developer Application:",
// "3rd Party Mac Developer Installer:",
"Apple Development:",
];
function getIdentities() {
const ids = child_process
.execSync("/usr/bin/security find-identity -v -p codesigning")
.toString();
return ids
.split("\n")
.filter((line) => {
for (const prefix of appleCertificatePrefixes) {
if (line.includes(prefix)) {
return true;
}
}
return false;
})
.map((line) => {
const split = line.trim().split(" ");
const id = split[1];
const name = split.slice(2).join(" ").replace(/"/g, "");
return { id, name };
});
}
/**
* @param {import("electron-builder").AfterPackContext} context
*/
async function addElectronFuses(context) {
const platform = context.packager.platform.nodeName;
const ext = {
darwin: ".app",
win32: ".exe",
linux: "",
}[platform];
const IS_LINUX = platform === "linux";
const executableName = IS_LINUX
? context.packager.appInfo.productFilename.toLowerCase().replace("-dev", "").replace(" ", "-")
: context.packager.appInfo.productFilename; // .toLowerCase() to accomodate Linux file named `name` but productFileName is `Name` -- Replaces '-dev' because on Linux the executable name is `name` even for the DEV builds
const electronBinaryPath = path.join(context.appOutDir, `${executableName}${ext}`);
console.log("## Adding fuses to the electron binary", electronBinaryPath);
await flipFuses(electronBinaryPath, {
version: FuseVersion.V1,
strictlyRequireAllFuses: true,
resetAdHocDarwinSignature: platform === "darwin" && context.arch === builder.Arch.universal,
// List of fuses and their default values is available at:
// https://www.electronjs.org/docs/latest/tutorial/fuses
[FuseV1Options.RunAsNode]: false,
[FuseV1Options.EnableCookieEncryption]: true,
[FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
[FuseV1Options.EnableNodeCliInspectArguments]: false,
// Currently, asar integrity is only implemented for macOS and Windows
// https://www.electronjs.org/docs/latest/tutorial/asar-integrity
// On macOS, it works by default, but on Windows it requires the
// asarIntegrity feature of electron-builder v25, currently in alpha
// https://github.com/electron-userland/electron-builder/releases/tag/v25.0.0-alpha.10
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: platform === "darwin",
[FuseV1Options.OnlyLoadAppFromAsar]: true,
// App refuses to open when enabled
[FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,
// To disable this, we should stop using the file:// protocol to load the app bundle
// This can be done by defining a custom app:// protocol and loading the bundle from there,
// but then any requests to the server will be blocked by CORS policy
[FuseV1Options.GrantFileProtocolExtraPrivileges]: true,
});
}