From bd6ee4b16d3341ec490d1ab0186b48d2ebe71f1f Mon Sep 17 00:00:00 2001
From: Fedor Indutny <79877362+indutny-signal@users.noreply.github.com>
Date: Tue, 23 Nov 2021 23:00:44 +0100
Subject: [PATCH] Use strict @electron/fuses

---
 .github/workflows/benchmark.yml | 2 +-
 .github/workflows/ci.yml | 8 ++++----
 package.json | 5 +++--
 scripts/fuse-electron.js | 16 +++++++++++++++-
 yarn.lock | 8 ++++----
 5 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index effad0645..5527a11e1 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -43,7 +43,7 @@ jobs:
 uses: actions/cache@v2
 with:
 path: node_modules
- key: ${{ runner.os }}-${{ hashFiles('yarn.lock', 'patches/**') }}
+ key: ${{ runner.os }}-${{ hashFiles('package.json', 'yarn.lock', 'patches/**') }}

 - name: Install Desktop node_modules
 if: steps.cache-desktop-modules.outputs.cache-hit != 'true'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f1e61c2ff..7087d2e1d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,7 @@ jobs:
 uses: actions/cache@v2
 with:
 path: node_modules
- key: ${{ runner.os }}-${{ hashFiles('yarn.lock', 'patches/**') }}
+ key: ${{ runner.os }}-${{ hashFiles('package.json', 'yarn.lock', 'patches/**') }}
 - name: Install Desktop node_modules
 if: steps.cache-desktop-modules.outputs.cache-hit != 'true'
 run: yarn install --frozen-lockfile
@@ -51,7 +51,7 @@ jobs:
 uses: actions/cache@v2
 with:
 path: node_modules
- key: ${{ runner.os }}-${{ hashFiles('yarn.lock', 'patches/**') }}
+ key: ${{ runner.os }}-${{ hashFiles('package.json', 'yarn.lock', 'patches/**') }}
 - name: Install Desktop node_modules
 if: steps.cache-desktop-modules.outputs.cache-hit != 'true'
 run: yarn install --frozen-lockfile
@@ -84,7 +84,7 @@ jobs:
 uses: actions/cache@v2
 with:
 path: node_modules
- key: ${{ runner.os }}-${{ hashFiles('yarn.lock', 'patches/**') }}
+ key: ${{ runner.os }}-${{ hashFiles('package.json', 'yarn.lock', 'patches/**') }}
 - name: Install Desktop node_modules
 if: steps.cache-desktop-modules.outputs.cache-hit != 'true'
 run: yarn install --frozen-lockfile
@@ -120,7 +120,7 @@ jobs:
 uses: actions/cache@v2
 with:
 path: node_modules
- key: ${{ runner.os }}-${{ hashFiles('yarn.lock') }}-${{ hashFiles('patches/**') }}
+ key: ${{ runner.os }}-${{ hashFiles('package.json', 'yarn.lock', 'patches/**') }}
 - name: Install Desktop node_modules
 if: steps.cache-desktop-modules.outputs.cache-hit != 'true'
 run: yarn install --frozen-lockfile
diff --git a/package.json b/package.json
index de3ec2c47..b3900dd1c 100644
--- a/package.json
+++ b/package.json
@@ -50,7 +50,7 @@
 "dev:typed-scss": "yarn build:typed-scss -w",
 "dev:storybook": "cross-env SIGNAL_ENV=storybook start-storybook -p 6006 -s ./",
 "storybook:axe": "build-storybook && axe-storybook",
- "build": "run-s --print-label build:grunt build:typed-scss build:webpack build:release build:zip",
+ "build": "run-s --print-label build:grunt build:typed-scss build:webpack build:fuses:release build:release build:fuses build:zip",
 "build:acknowledgments": "node scripts/generate-acknowledgments.js",
 "build:dev": "run-s --print-label build:grunt build:typed-scss build:webpack",
 "build:grunt": "yarn grunt",
@@ -63,6 +63,7 @@
 "build:electron": "electron-builder --config.extraMetadata.environment=$SIGNAL_ENV",
 "build:release": "cross-env SIGNAL_ENV=production yarn build:electron -- --config.directories.output=release",
 "build:fuses": "node scripts/fuse-electron.js",
+ "build:fuses:release": "node scripts/fuse-electron.js --release",
 "build:zip": "node scripts/zip-macos-release.js",
 "preverify:ts": "yarn build:typed-scss",
 "verify": "run-p --print-label verify:*",
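Review bot: In the new `build` script the release fuses reach the packaged app only because `build:fuses:release` is listed directly before `build:release`. `build:release` and `build:electron` can still be run on their own, and would then package whatever fuse state the Electron binary currently has. Because `run-s` stops at the first failing step, a failed `build:release` also skips the trailing `build:fuses`, which would leave the local binary in release mode; this assumes the script patches the binary in place, as the `require('electron')` argument in scripts/fuse-electron.js suggests. Tying the flip to the packaging step would remove the ordering dependency, for example `"build:release": "yarn build:fuses:release && cross-env SIGNAL_ENV=production yarn build:electron -- --config.directories.output=release"`. Alternatively, the fuses could be applied to the packaged output from an electron-builder `afterPack` hook.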
@@ -176,7 +177,7 @@ "@babel/preset-react": "7.7.4", "@babel/preset-typescript": "7.16.0", "@chanzuckerberg/axe-storybook-testing": "3.0.2", - "@electron/fuses": "1.2.1", + "@electron/fuses": "1.5.0", "@storybook/addon-actions": "5.1.11", "@storybook/addon-knobs": "5.1.11", "@storybook/addons": "5.1.11", diff --git a/scripts/fuse-electron.js b/scripts/fuse-electron.js index e0339866f..530440222 100644 --- a/scripts/fuse-electron.js +++ b/scripts/fuse-electron.js @@ -4,9 +4,23 @@ const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses'); +const IS_RELEASE_BUILD = process.argv.some(argv => argv === '--release'); + flipFuses(require('electron'), { version: FuseVersion.V1, - [FuseV1Options.RunAsNode]: false, // Disables ELECTRON_RUN_AS_NODE + // Disables ELECTRON_RUN_AS_NODE + [FuseV1Options.RunAsNode]: false, + // Enables cookie encryption + [FuseV1Options.EnableCookieEncryption]: true, + // Disables the NODE_OPTIONS environment variable + [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: !IS_RELEASE_BUILD, + // Disables the --inspect and --inspect-brk family of CLI options + [FuseV1Options.EnableNodeCliInspectArguments]: !IS_RELEASE_BUILD, + // Enables validation of the app.asar archive on macOS + [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true, + // Enforces that Electron will only load your app from "app.asar" instead of + // it's normall search paths + [FuseV1Options.OnlyLoadAppFromAsar]: IS_RELEASE_BUILD, }).catch(error => { console.error(error.stack); process.exit(1); diff --git a/yarn.lock b/yarn.lock index 53d5a713e..f4652641c 100644 --- a/yarn.lock +++ b/yarn.lock 
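Review bot: `IS_RELEASE_BUILD` fails open in scripts/fuse-electron.js: unless the exact argument `--release` is present, `EnableNodeOptionsEnvironmentVariable` and `EnableNodeCliInspectArguments` stay enabled and `OnlyLoadAppFromAsar` stays off, so a dropped or mistyped flag silently produces a binary that still honours NODE_OPTIONS and `--inspect`. Consider making the hardened values the default with an explicit opt-out, e.g. `const IS_RELEASE_BUILD = !process.argv.includes('--dev');` with `build:fuses` passing `--dev`, and logging the selected mode so the build output records which fuse set was written. The comments on those two fuses describe only the release case; wording such as `// NODE_OPTIONS is honoured only in non-release builds` would match the `!IS_RELEASE_BUILD` value, and the last comment should read `its normal search paths`. The `.catch` callback is closed outside the hunk.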
@@ -1498,10 +1498,10 @@ resolved "https://registry.yarnpkg.com/@discoveryjs/json-ext/-/json-ext-0.5.2.tgz#8f03a22a04de437254e8ce8cc84ba39689288752" integrity sha512-HyYEUDeIj5rRQU2Hk5HTB2uHsbRQpF70nvMhVzi+VJR0X+xNEhjPui4/kBf3VeH/wqD28PT4sVOm8qqLjBrSZg== -"@electron/fuses@1.2.1": - version "1.2.1" - resolved "https://registry.yarnpkg.com/@electron/fuses/-/fuses-1.2.1.tgz#9417ae4edfa75ff133ae81bdadd5b969ebf7d07b" - integrity sha512-FQWAjmLMpo06X4QNEA7ijZ5BeI53BIJGlTiD7Ula7I86hRLABGvswl36QAOlOiM1jETbymQ93h2p9/7/A/bCEQ== +"@electron/fuses@1.5.0": + version "1.5.0" + resolved "https://registry.yarnpkg.com/@electron/fuses/-/fuses-1.5.0.tgz#e477acd34ba13e93d5c11465b63597d967de6fda" + integrity sha512-2NPJdQTPoERxcIWsTAG9ZKay0KsORfs973dbkdksNEeBAfjdyPBNaUrh/DAlpUdAnFmPl+Cs9gIZibRYiOrvqQ== dependencies: chalk "^4.1.1" fs-extra "^9.0.1"