feat: add support for validating asar archives on macOS #30667
cc81420 to e0e6015
API LGTM
implementation has changed substantially
…ntegrity was not loaded
API LGTM
Small note: the PR message still mentions `non_asar_app_loading` when I think you've renamed it to `only_load_app_from_asar`
Release Notes Persisted
I have automatically backported this PR to "15-x-y", please check out #30900
* feat(mac): ElectronAsarIntegrity in electron@15 See: electron/electron#30667 Fix: #6506 Fix: #6507
* Adding INPUTxxx and OUTPUTxxx CHARSETS to makensis Fixes: #4898 #6232 #6259
* Adding additional details to error console logging
* Breaking change: Removing Bintray support since it was sunset. Ref: https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/
* fix: force strip path separators for backslashes on Windows
* fix: Force authentication for local Mac Squirrel update server
* Breaking Change: Fail-fast for signature verification failures. Adding `-LiteralPath` to update file for injected wildcards
* Adding changeset and eslint
* Fix error: `-OUTPUTCHARSET is disabled for non Win32 platforms.`
* feat(mac): ElectronAsarIntegrity in electron@15 (#6511)
* feat(mac): ElectronAsarIntegrity in electron@15 See: electron/electron#30667 Fix: #6506 Fix: #6507
* fix(msi): MSI fails to install when deployed machine-wide via GPO (#6514)
* fix(msi): MSI fails to install when deployed machine-wide via GPO
* Disable advertised shortcuts, since MSIs with advertised Start Menu shortcuts that have a Shortcut Property fails to install when deployed machine-wide via GPO but works fine in all other contexts. This might be a bug in Windows or a misdiagnosis; see #6508 for more details. Closes #6508
* BREAKING CHANGE: Admins using advertisement must apply an MST to re-enable it. See #6508.
* Don't set GitHub Releases draft title since it automatically pulls it from tag name. Fixes #3683
* feat(snap): add lzo to Snap compression options (also as new default) (#6201)
* feat(msi): add fileAssociation support for MSI target (#6530)
* fix(win): iconId sometimes containing invalid characters, and iconId config option being ignored.
* fix(msi): change the fallback value for generated MSI Ids to a unique string for the product.
* BREAKING CHANGE: remove MSI option `iconId`
* fix: stabilizing tests by moving updater tests to its own node to explicitly segment env.___TOKEN integration tests from other standard unit tests
* chore: synchronizing docs and schema plus prettier
* Adding changeset to set as alpha
* Updating changeset documentation
* feat(msi): support assisted installer for MSI target (#6550)
* Add basic support for assisted installer, with UI to choose between per-user and per-machine. Supported config settings: runAfterFinish, perMachine, oneClick. Not supported: license (EULA), allowToChangeInstallationDirectory, etc. Also prevent oneClick's runAfterFinish from executing when installed silently.

Co-authored-by: Fedor Indutny <79877362+indutny-signal@users.noreply.github.com>
Co-authored-by: Alex Plumley <alex+git@aplum.ca>
Co-authored-by: Mike Maietta <mmaietta@outlook.com>
Co-authored-by: Omer Akram <om26er@gmail.com>
Co-authored-by: Maximilian Federle <max.federle@gmail.com>
[ci no changelog needed]

[Task link](https://www.pivotaltracker.com/story/show/181944234).

It fixes the build issue on Mac OS 12.3.1 that is caused by removed `/usr/bin/python` executable. Also applied `enso-formatter` to the sources.

# Important Notes

We're basically updating for one major `electron-builder` release - from `v22` to `v23`. I didn't spot anything in the changelog that could affect us. See features + breaking changes excerpt:

```
Features:
- feat(msi): add fileAssociation support for MSI target (electron-userland/electron-builder#6530)
- feat(mac): ElectronAsarIntegrity in electron@15 - See: electron/electron#30667 (electron-userland/electron-builder#6506 electron-userland/electron-builder#6507)
- feat(snap): add lzo to Snap compression options (also as new default) (electron-userland/electron-builder#6201) Upgraded app-builder-bin dependency required newer version of Go
- feat(msi): support assisted installer for MSI target (electron-userland/electron-builder#6550)

Breaking changes:
- Removing Bintray support since it was sunset. Ref: https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/
- Fail-fast for windows signature verification failures. Adding -LiteralPath to update file path to disregard injected wildcards
- Force strip path separators for backslashes on Windows during update process
- Authentication for local mac squirrel update server
- Disabled advertised shortcuts, since MSIs with advertised Start Menu shortcuts that have a Shortcut Property fails to install when deployed machine-wide via GPO but works fine in all other contexts. Admins using advertisement must apply an MST to re-enable it. See electron-userland/electron-builder#6508.
- Removing optional NSIS icon ID from config and generating it automatically to synchronize IDs with Advertised Shortcuts and future features
```
This is a fun one, the current trust model of a code signed Electron app on macOS is as follows.

OS --> Trusts `MyApp.app` because code sign --> Loads `app.asar` because on disk

The `app.asar` file is not actually validated when it is loaded or when the app is launched (well it's validated once when you first launch the downloaded app but future modifications are ignored). With hardened runtime in macOS 10.14 the `MyApp.app` is validated every time it launches / runs but the `app.asar` file is not.

In order to protect things like keychain secrets we need to be able to validate the `app.asar` file before loading it, there are a few ways to do this but the best one that works for both DDL and MAS versions of Electron and in theory can be extended to other platforms is what is described here. This PR adds two fuses to enforce this new behavior with the theory that one day both of these will become enabled by default in packaged apps.

- `embedded_asar_integrity_validation` - Validates the ASAR using the hash chain system outlined in the doc linked above. Any ASAR inside the primary app bundle will be validated, any ASAR loaded from outside the bundle will not be validated
- `only_load_app_from_asar` - Controls whether Electron searches through multiple paths (app.asar, app, default_app.asar) for your application or when this fuse is disabled Electron will only load your app from `app.asar`. Enabled by default.

Notes: Added an Electron Fuse for enforcing code signatures on the `app.asar` file your application loads. Requires the latest `asar` module.
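
The hash chain idea from the PR description, as an added JavaScript sketch that is not code from this PR or from Electron: a hash held in the code-signed bundle covers the archive header, and the header covers each file. The archive layout, `packArchive`, `validateArchive` and the sample files are assumptions constructed for illustration; this is a simplified model, not the real ASAR binary format.

```javascript
const crypto = require('crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');

// Packaging step: record a hash for every file in a header, then hash the
// header. In this model the returned headerHash stands for the value stored
// inside the code-signed bundle, so it cannot change without invalidating
// the signature.
function packArchive(files) {
  const header = {};
  for (const [name, content] of Object.entries(files)) {
    header[name] = { algorithm: 'SHA256', hash: sha256(content) };
  }
  const headerJson = JSON.stringify(header);
  return { archive: { headerJson, files: { ...files } }, headerHash: sha256(headerJson) };
}

// Load step: walk the chain from the trusted value down to the file contents.
function validateArchive(archive, trustedHeaderHash) {
  // Link 1: the header must match the hash held in the signed bundle.
  if (sha256(archive.headerJson) !== trustedHeaderHash) {
    return { ok: false, reason: 'header-mismatch' };
  }
  const header = JSON.parse(archive.headerJson);
  // Link 2: every file must be listed in the header and match its hash.
  for (const [name, content] of Object.entries(archive.files)) {
    const entry = header[name];
    if (!entry) return { ok: false, reason: `unlisted-file:${name}` };
    if (sha256(content) !== entry.hash) return { ok: false, reason: `file-mismatch:${name}` };
  }
  return { ok: true, reason: null };
}

// Constructed sample input: a two-file application archive.
function demo() {
  const files = { 'main.js': 'console.log("hello")', 'package.json': '{"main":"main.js"}' };
  const { archive, headerHash } = packArchive(files);
  const clean = validateArchive(archive, headerHash);

  // One file changed on disk after install, header left alone: fails link 2.
  const edited = { headerJson: archive.headerJson, files: { ...archive.files, 'main.js': 'changed()' } };
  const fileOnly = validateArchive(edited, headerHash);

  // Header rebuilt to match the changed file: fails link 1, because the
  // trusted hash in the signed bundle still describes the original header.
  const repacked = packArchive(edited.files).archive;
  const withHeader = validateArchive(repacked, headerHash);
  return { clean, fileOnly, withHeader };
}
```

The third case is why the root of the chain has to live in the part of the bundle the OS already validates: a header that vouches only for itself can be regenerated along with the files.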