build: embed binary checksums in the npm package #30611
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nornagon
reviewed
Aug 18, 2021
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
nornagon
reviewed
Aug 18, 2021
nornagon
approved these changes
Aug 18, 2021
VerteDinde
approved these changes
Aug 19, 2021
|
No Release Notes |
|
I was unable to backport this PR to "14-x-y" cleanly; |
|
I have automatically backported this PR to "15-x-y", please check out #30647 |
BlackHole1
pushed a commit
to BlackHole1/electron
that referenced
this pull request
Aug 30, 2021
* build: embed binary checksums in the npm package * Update docs/tutorial/installation.md Co-authored-by: Jeremy Rose <jeremya@chromium.org> * refactor: replace reduce with loop Co-authored-by: Jeremy Rose <jeremya@chromium.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In theory this isn't user facing.
Currently we download
SHASUMS256.txtand the target Electron binary from GH releases and then use one to validate the other. In terms of "did the download get the right thing" it's a valid check, from a security perspective it's a little bit too close to self-validation than I'd like. The only thing protecting theSHASUMS256.txtfile is GH write access and SSL during the download.This change embeds the
SHASUMS256.txtcontent in ourelectronnpm package at publish time. This means the checksums are now (a) stored separately to the actual Electron binary and (b) protected by the integrity SHA in youryarn.lock/package-lock.jsonlockfile.Tested locally, and we can test this on tomorrows nightly.
Notes: no-notes