From 9e9e5274cf6b24ded6597bb826336b1e054507da Mon Sep 17 00:00:00 2001
From: Fedor Indutny <79877362+indutny-signal@users.noreply.github.com>
Date: Fri, 17 Dec 2021 18:50:42 +0100
Subject: [PATCH] Fuse electron at build time
---
 .github/workflows/ci.yml | 6 ++++
 package.json | 8 ++----
 scripts/fuse-electron.js | 26 -----------------
 scripts/install-cross-deps.js | 2 --
 ts/scripts/after-pack.ts | 11 +++++++
 ts/scripts/fuse-electron.ts | 54 +++++++++++++++++++++++++++++++++++
 6 files changed, 74 insertions(+), 33 deletions(-)
 delete mode 100644 scripts/fuse-electron.js
 create mode 100644 ts/scripts/after-pack.ts
 create mode 100644 ts/scripts/fuse-electron.ts
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index dc44bc4c5..6fc3adc0f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -59,6 +59,8 @@ jobs:
 - run: yarn generate
 - run: yarn prepare-beta-build
 - run: yarn build
+ env:
+ DISABLE_INSPECT_FUSE: on
 - name: Rebuild native modules for x64
 run: yarn electron:install-app-deps
 - run: yarn test-node
@@ -94,6 +96,8 @@ jobs:
 - run: yarn generate
 - run: yarn prepare-beta-build
 - run: yarn build
+ env:
+ DISABLE_INSPECT_FUSE: on
 - run: xvfb-run --auto-servernum yarn test-node
 - run: xvfb-run --auto-servernum yarn test-electron
 env:
@@ -134,6 +138,8 @@ jobs:
 - run: type temp.json | findstr /v certificateSubjectName | findstr /v certificateSha1 > package.json
 - run: yarn prepare-beta-build
 - run: yarn build
+ env:
+ DISABLE_INSPECT_FUSE: on
 - run: yarn test-electron
 - run: yarn test-release
 env:
diff --git a/package.json b/package.json
index 85630150e..292794fd8 100644
--- a/package.json
+++ b/package.json
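Review bot: The `DISABLE_INSPECT_FUSE: on` value added under the `yarn build` step in all three jobs is an unquoted YAML scalar, and the new build script (ts/scripts/fuse-electron.ts in this commit) only tests whether the variable is non-empty, so the workflow behaves the same however the parser reads `on`, but nothing here documents what the variable does. I would quote it, `DISABLE_INSPECT_FUSE: 'on'`, and add a comment such as `# test builds only: leaves --inspect/--inspect-brk enabled in the packaged binary; never set for shipped artifacts`. Note also that `yarn test-release` in the third job then runs against a binary whose fuse state differs from a build made without the variable, so the release fuse configuration itself appears not to be exercised by CI.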
@@ -12,7 +12,7 @@
 },
 "main": "app/main.js",
 "scripts": {
- "postinstall": "yarn build:acknowledgments && yarn build:fuses && patch-package && yarn electron:install-app-deps && rimraf node_modules/dtrace-provider",
+ "postinstall": "yarn build:acknowledgments && patch-package && yarn electron:install-app-deps && rimraf node_modules/dtrace-provider",
 "postuninstall": "yarn build:acknowledgments",
 "start": "electron .",
 "generate": "npm-run-all build-protobuf transpile sass get-expire-time copy-and-concat",
@@ -58,7 +58,7 @@
 "dev:sass": "npm run sass-manifest -- --watch",
 "dev:sass-bridge": "npm run sass-manifest-bridge -- --watch",
 "storybook:axe": "build-storybook && axe-storybook",
- "build": "run-s --print-label generate build:typed-scss build:webpack build:fuses:release build:release build:fuses build:zip",
+ "build": "run-s --print-label generate build:typed-scss build:webpack build:release build:zip",
 "build:acknowledgments": "node scripts/generate-acknowledgments.js",
 "build:dev": "run-s --print-label generate build:typed-scss build:webpack",
 "build:typed-scss": "tsm sticker-creator",
@@ -69,8 +69,6 @@
 "build:webpack:heic-worker": "cross-env NODE_ENV=production webpack -c webpack-heic-worker.config.ts",
 "build:electron": "electron-builder --config.extraMetadata.environment=$SIGNAL_ENV",
 "build:release": "cross-env SIGNAL_ENV=production yarn build:electron -- --config.directories.output=release",
- "build:fuses": "node scripts/fuse-electron.js",
- "build:fuses:release": "node scripts/fuse-electron.js --release",
 "build:zip": "node ts/scripts/zip-macos-release.js",
 "preverify:ts": "yarn build:typed-scss",
 "verify": "run-p --print-label verify:*",
@@ -402,7 +400,7 @@
 ]
 },
 "beforeBuild": "scripts/install-cross-deps.js",
- "afterPack": "ts/scripts/merge-macos-asars.js",
+ "afterPack": "ts/scripts/after-pack.js",
 "asarUnpack": [
 "ts/workers/heicConverter.bundle.js",
 "ts/sql/mainWorker.bundle.js",
diff --git a/scripts/fuse-electron.js b/scripts/fuse-electron.js
deleted file mode 100644
index 4ea893d5b..000000000
--- a/scripts/fuse-electron.js
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright 2021 Signal Messenger, LLC
-// SPDX-License-Identifier: AGPL-3.0-only
-
-const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses');
-
-const IS_RELEASE_BUILD = process.argv.some(argv => argv === '--release');
-
-flipFuses(require('electron'), {
- version: FuseVersion.V1,
- // Disables ELECTRON_RUN_AS_NODE
- [FuseV1Options.RunAsNode]: false,
- // Enables cookie encryption
- [FuseV1Options.EnableCookieEncryption]: true,
- // Disables the NODE_OPTIONS environment variable
- [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: !IS_RELEASE_BUILD,
- // Disables the --inspect and --inspect-brk family of CLI options
- [FuseV1Options.EnableNodeCliInspectArguments]: !IS_RELEASE_BUILD,
- // Enables validation of the app.asar archive on macOS
- [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
- // Enforces that Electron will only load your app from "app.asar" instead of
- // it's normall search paths
- [FuseV1Options.OnlyLoadAppFromAsar]: IS_RELEASE_BUILD,
-}).catch(error => {
- console.error(error.stack);
- process.exit(1);
-});
diff --git a/scripts/install-cross-deps.js b/scripts/install-cross-deps.js
index 33ff2fc60..7cf1167b8 100644
--- a/scripts/install-cross-deps.js
+++ b/scripts/install-cross-deps.js
@@ -25,5 +25,3 @@ exports.beforeBuild = async () => {
 // Let electron-builder handle dependencies
 return true;
 };
-
-exports.beforeBuild();
diff --git a/ts/scripts/after-pack.ts b/ts/scripts/after-pack.ts
new file mode 100644
index 000000000..aeede9979
--- /dev/null
+++ b/ts/scripts/after-pack.ts
@@ -0,0 +1,11 @@
+// Copyright 2021 Signal Messenger, LLC
+// SPDX-License-Identifier: AGPL-3.0-only
+
+import type { AfterPackContext } from 'electron-builder';
+import { afterPack as fuseElectron } from './fuse-electron';
+import { afterPack as mergeASARs } from './merge-macos-asars';
+
+export async function afterPack(context: AfterPackContext): Promise {
+ await mergeASARs(context);
+ await fuseElectron(context);
+}
diff --git a/ts/scripts/fuse-electron.ts b/ts/scripts/fuse-electron.ts
new file mode 100644
index 000000000..6f4c34ce7
--- /dev/null
+++ b/ts/scripts/fuse-electron.ts
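Review bot: The order of the two awaited calls in `afterPack` carries a constraint that is not written down: `fuseElectron` runs after `mergeASARs`, and both run from electron-builder's afterPack hook, which I understand to be invoked before the app is signed. Since flipping fuses rewrites the packaged executable, reordering these calls or moving the fuse step to a later hook would presumably either fuse a binary that is later replaced or invalidate an existing signature. A short comment above the calls would capture this, e.g. `// Order matters: merge ASARs first, then flip fuses; both must run before the app is signed.`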
@@ -0,0 +1,54 @@
+// Copyright 2021 Signal Messenger, LLC
+// SPDX-License-Identifier: AGPL-3.0-only
+
+import path from 'path';
+import { flipFuses, FuseVersion, FuseV1Options } from '@electron/fuses';
+import type { AfterPackContext } from 'electron-builder';
+
+export async function afterPack({
+ appOutDir,
+ packager,
+ electronPlatformName,
+}: AfterPackContext): Promise {
+ const { productFilename } = packager.appInfo;
+
+ let target;
+ if (electronPlatformName === 'darwin') {
+ target = `${productFilename}.app`;
+ } else if (electronPlatformName === 'win32') {
+ target = `${productFilename}.exe`;
+ } else if (electronPlatformName === 'linux') {
+ // Sadly, `LinuxPackager` type is not exported by electron-builder so we
+ // have to improvise
+ target = (packager as unknown as { executableName: string }).executableName;
+ } else {
+ throw new Error(`Unsupported platform: ${electronPlatformName}`);
+ }
+
+ const electron = path.join(appOutDir, target);
+
+ const enableInspectArguments = Boolean(process.env.DISABLE_INSPECT_FUSE);
+
+ console.log(
+ `Fusing electron at ${electron} ` +
+ `inspect-arguments=${enableInspectArguments}`
+ );
+ await flipFuses(electron, {
+ version: FuseVersion.V1,
+ // Disables ELECTRON_RUN_AS_NODE
+ [FuseV1Options.RunAsNode]: false,
+ // Enables cookie encryption
+ [FuseV1Options.EnableCookieEncryption]: true,
+ // Disables the NODE_OPTIONS environment variable
+ [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+ // Disables the --inspect and --inspect-brk family of CLI options
+ [FuseV1Options.EnableNodeCliInspectArguments]: enableInspectArguments,
+ // Enables validation of the app.asar archive on macOS
+ // See https://github.com/electron-userland/electron-builder/issues/6507
+ // See https://github.com/electron-userland/electron-builder/issues/6506
+ [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: false,
+ // Enforces that Electron will only load your app from "app.asar" instead of
+ // it's normall search paths
+ [FuseV1Options.OnlyLoadAppFromAsar]: true,
+ });
+}
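Review bot: `Boolean(process.env.DISABLE_INSPECT_FUSE)` in `afterPack` is true for any non-empty string, so `DISABLE_INSPECT_FUSE=0`, `=false` or `=off` left in a release environment would produce a binary with `EnableNodeCliInspectArguments` turned on; the hardening fails open. Compare against the one value the workflow sets instead, `const enableInspectArguments = process.env.DISABLE_INSPECT_FUSE === 'on';` (with the value quoted in ci.yml so it is certainly the string `on`), or fail the build on an unrecognized value. Two comments in the fuse map also no longer match their values: `// Disables the --inspect and --inspect-brk family of CLI options` sits on a line that is now conditional, and `// Enables validation of the app.asar archive on macOS` sits on `EnableEmbeddedAsarIntegrityValidation: false`, which the script deleted by this commit set to `true`. The latter should say that validation is deliberately disabled pending the two linked electron-builder issues, so that the weakening stays visible and gets revisited.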