feat(lld): 🔒 ASAR integrity check

.changeset/polite-boxes-cry.md

@@ -0,0 +1,6 @@
+---
+"ledger-live-desktop": minor
+"@ledgerhq/esbuild-utils": minor
+---
+
+Enable ASAR integrity check on MacOS and Windows

apps/ledger-live-desktop/electron-builder-nightly.yml

@@ -7,6 +7,7 @@ protocols:
 
 beforePack: scripts/beforePack.js
 afterSign: scripts/notarize.js
+afterPack: scripts/afterPack.js
 
 directories:
   buildResources: "build-nightly"
@@ -18,6 +19,7 @@ mac:
   entitlements: build-nightly/mac/entitlements.plist
   entitlementsInherit: build-nightly/mac/entitlements.plist
   icon: build-nightly/icon.icns
+  mergeASARs: false
   target:
     - target: dmg
       arch:

apps/ledger-live-desktop/electron-builder-nosign.yml

@@ -11,6 +11,7 @@ mac:
   artifactName: ${name}-${version}-${os}.${ext}
   category: public.app-category.wallet
   # singleArchFiles: "**/*"
+  mergeASARs: false
   target:
     - target: dmg
       arch:

apps/ledger-live-desktop/electron-builder-pre.yml

@@ -7,13 +7,15 @@ protocols:
 
 beforePack: scripts/beforePack.js
 afterSign: scripts/notarize.js
+afterPack: scripts/afterPack.js
 
 mac:
   artifactName: ${name}-${version}-${os}.${ext}
   category: public.app-category.wallet
   hardenedRuntime: true
   entitlements: build/mac/entitlements.plist
   entitlementsInherit: build/mac/entitlements.plist
+  mergeASARs: false
   target:
     - target: dmg
       arch:

apps/ledger-live-desktop/electron-builder.yml

@@ -7,13 +7,15 @@ protocols:
 
 beforePack: scripts/beforePack.js
 afterSign: scripts/notarize.js
+afterPack: scripts/afterPack.js
 
 mac:
   artifactName: ${name}-${version}-${os}.${ext}
   category: public.app-category.wallet
   hardenedRuntime: true
   entitlements: build/mac/entitlements.plist
   entitlementsInherit: build/mac/entitlements.plist
+  mergeASARs: false
   target:
     - target: dmg
       arch:

apps/ledger-live-desktop/package.json

@@ -58,6 +58,7 @@
     "@ledgerhq/coin-evm": "workspace:^",
     "@ledgerhq/coin-filecoin": "workspace:^",
     "@ledgerhq/coin-framework": "workspace:^",
+    "@ledgerhq/cryptoassets": "workspace:^",
     "@ledgerhq/devices": "workspace:*",
     "@ledgerhq/domain-service": "workspace:^",
     "@ledgerhq/errors": "workspace:^",
@@ -82,7 +83,6 @@
     "@ledgerhq/logs": "workspace:^",
     "@ledgerhq/react-ui": "workspace:^",
     "@ledgerhq/types-cryptoassets": "workspace:^",
-    "@ledgerhq/cryptoassets": "workspace:^",
     "@ledgerhq/types-devices": "workspace:^",
     "@ledgerhq/types-live": "workspace:^",
     "@sentry/electron": "5.2.0",
@@ -100,7 +100,7 @@
     "chart.js": "2.9.4",
     "color": "4.2.3",
     "dotenv": "16.4.5",
-    "electron-app-universal-protocol-client": "1.3.0",
+    "electron-app-universal-protocol-client": "2.1.1",
     "electron-context-menu": "3.6.1",
     "electron-store": "8.2.0",
     "electron-updater": "6.1.8",
@@ -160,6 +160,7 @@
     "xstate": "4.38.3"
   },
   "devDependencies": {
+    "@electron/fuses": "1.8.0",
     "@electron/notarize": "2.3.2",
     "@jest/globals": "29.7.0",
     "@ledgerhq/esbuild-utils": "workspace:*",
@@ -210,8 +211,8 @@
     "chalk": "4.1.2",
     "cross-env": "7.0.3",
     "debug": "4.3.4",
-    "electron": "32.0.2",
-    "electron-builder": "24.13.3",
+    "electron": "32.2.8",
+    "electron-builder": "25.1.8",
     "electron-devtools-installer": "3.2.1",
     "eslint-plugin-jest": "27.9.0",
     "eslint-plugin-react": "7.34.1",

apps/ledger-live-desktop/scripts/afterPack.js

@@ -0,0 +1,23 @@
+/* eslint-disable @typescript-eslint/no-var-requires */
+const path = require("path");
+const { flipFuses, FuseVersion, FuseV1Options } = require("@electron/fuses");
+
+exports.default = function (context) {
+  const { appOutDir, electronPlatformName, packager } = context;
+  const ext = { darwin: ".app", win32: ".exe" }[electronPlatformName];
+  if (!ext) return; // ASAR integrity check is only supported on mac and windows
+
+  const electronBinaryPath = path.join(appOutDir, packager.appInfo.productFilename + ext);
+
+  return flipFuses(electronBinaryPath, {
+    version: FuseVersion.V1,
+    [FuseV1Options.RunAsNode]: true,
+    [FuseV1Options.EnableCookieEncryption]: false,
+    [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: true,
+    [FuseV1Options.EnableNodeCliInspectArguments]: true,
+    [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
+    [FuseV1Options.OnlyLoadAppFromAsar]: true,
+    [FuseV1Options.LoadBrowserProcessSpecificV8Snapshot]: false,
+    [FuseV1Options.GrantFileProtocolExtraPrivileges]: true,
+  });
+};

apps/ledger-live-desktop/tools/config/common.esbuild.js

@@ -1,5 +1,5 @@
 const path = require("path");
-const { AliasPlugin } = require("@ledgerhq/esbuild-utils");
+const { AliasPlugin, NativeNodeModulesPlugin } = require("@ledgerhq/esbuild-utils");
 
 const rootFolder = path.resolve(__dirname, "..", "..");
 const srcFolder = path.resolve(rootFolder, "src");
@@ -20,6 +20,7 @@ module.exports = {
     AliasPlugin({
       "~": srcFolder,
     }),
+    NativeNodeModulesPlugin,
   ],
   loader: {
     ".woff": "file",

package.json

@@ -200,6 +200,8 @@
       "blake2"
     ],
     "overrides": {
+      "@electron/rebuild": "3.7.1",
+      "tiny-secp256k1": "1.1.7",
       "stellar-base>sodium-native": "^3.2.1",
       "remove-flow-types-loader>flow-remove-types": "^2",
       "remove-flow-types-loader>loader-utils": "*",
@@ -210,6 +212,7 @@
       "@ethersproject/providers>ws": "7.5.10"
     },
     "patchedDependencies": {
+      "[email protected]": "patches/[email protected]",
       "[email protected]": "patches/[email protected]",
       "[email protected]": "patches/[email protected]",
       "[email protected]": "patches/[email protected]",

patches/tiny-secp256k1@1.1.7.patch

@@ -0,0 +1,14 @@
+diff --git a/binding.gyp b/binding.gyp
+index a9dc5f897da27c7dd9d25f82f12cdb04272a1db6..adc5fda8909a0a18460a87a04eea00e5a7eae4d0 100644
+--- a/binding.gyp
++++ b/binding.gyp
+@@ -87,7 +87,8 @@
+             ]
+           }
+         }
+-      ]
++      ],
++      ['OS=="win"', { 'defines': ['NOMINMAX'] } ]
+     ]
+   }]
+ }