812 changes: 350 additions & 462 deletions pnpm-lock.yaml

@@ -0,0 +1,13 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<!-- https://github.com/electron/electron-notarize#prerequisites -->
<key>com.apple.security.cs.allow-jit</key>
<true/>
<!-- Needed for an ad-hoc signed build to work with hardened runtime.
https://github.com/electron-userland/electron-builder/issues/5850#issuecomment-2887254139 -->
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>
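Review bot: The `com.apple.security.cs.disable-library-validation` key switches off the hardened runtime's check that every dylib/framework the process loads is signed by the same Team ID (or Apple), so a build carrying this plist will load any library dropped into its bundle or found on a dylib search path; nothing in the file itself says it is limited to ad-hoc dev builds. I would put that warning next to the key rather than only in the upstream issue link: `<!-- AD-HOC/DEV BUILDS ONLY: never use this file for a Developer ID-signed or notarized build; it removes the guard against loading unsigned libraries. -->`. Which plist is selected is decided in the electron-builder config, not here, so a comment is the only in-file protection against it being picked up elsewhere.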
Expand Up @@ -2,15 +2,18 @@
set -eu

###
# Default after-install.tpl copied from electron-builder.
# https://github.com/electron-userland/electron-builder/blob/v24.4.0/packages/app-builder-lib/templates/linux/after-install.tpl
# Based on the default after-install.tpl copied from electron-builder.
# https://github.com/electron-userland/electron-builder/blob/e394e0c48be965bd8a02c593ecda7e57b84b4f15/packages/app-builder-lib/templates/linux/after-install.tpl
# Our copy has all the changes from upstream up to commit e1ea62b0029c4adca20196ef060948777caeac37.
###

# Check if user namespaces are supported by the kernel and working with a quick test:
if ! { [[ -L /proc/self/ns/user ]] && unshare --user true; }; then
# Use SUID chrome-sandbox only on systems without user namespaces:
# shellcheck disable=SC2016 # This is custom electron-builder macro expansion, not Bash templating.
chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
else
# shellcheck disable=SC2016 # This is custom electron-builder macro expansion, not Bash templating.
chmod 0755 '/opt/${sanitizedProductName}/chrome-sandbox' || true
fi

Expand All @@ -35,7 +38,9 @@ fi
# Unfortunately, at the moment AppArmor doesn't have a good story for backwards compatibility.
# https://askubuntu.com/questions/1517272/writing-a-backwards-compatible-apparmor-profile
if apparmor_status --enabled > /dev/null 2>&1; then
# shellcheck disable=SC2016 # This is custom electron-builder macro expansion, not Bash templating.
APPARMOR_PROFILE_SOURCE='/opt/${sanitizedProductName}/resources/apparmor-profile'
# shellcheck disable=SC2016 # This is custom electron-builder macro expansion, not Bash templating.
APPARMOR_PROFILE_TARGET='/etc/apparmor.d/${executable}'
if apparmor_parser --skip-kernel-load --debug "$APPARMOR_PROFILE_SOURCE" > /dev/null 2>&1; then
cp -f "$APPARMOR_PROFILE_SOURCE" "$APPARMOR_PROFILE_TARGET"
Expand All @@ -58,6 +63,7 @@ fi
# Custom after-install.tpl script.
###

# shellcheck disable=SC2154 # This is custom electron-builder macro expansion, not Bash templating.
APP="/opt/${sanitizedProductName}"
BIN=/usr/local/bin
TSH_SYMLINK_SOURCE=$APP/resources/bin/tsh
Expand All @@ -69,7 +75,8 @@ TSH_SYMLINK_TARGET=$BIN/tsh
# Link to the Electron app binary.
if type update-alternatives 2>/dev/null >&1; then
# Remove previous link if it doesn't use update-alternatives
if [ -L "$BIN/${executable}" -a -e "$BIN/${executable}" -a "`readlink "$BIN/${executable}"`" != "/etc/alternatives/${executable}" ]; then
# shellcheck disable=SC2154 # This is custom electron-builder macro expansion, not Bash templating.
if [ -L "$BIN/${executable}" ] && [ -e "$BIN/${executable}" ] && [ "$(readlink "$BIN/${executable}")" != "/etc/alternatives/${executable}" ]; then
I addressed a long standing todo item about making sure that make lint-sh checks these scripts.

This was the only change I had to apply; shellcheck was outputting this:

In ./web/packages/teleterm/build_resources/linux/after-install.sh.tmpl line 73:
  if [ -L "$BIN/${executable}" -a -e "$BIN/${executable}" -a "`readlink "$BIN/${executable}"`" != "/etc/alternatives/${executable}" ]; then
                ^-----------^ SC2154 (warning): executable is referenced but not assigned.
                               ^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.
                                                          ^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.
                                                              ^-----------------------------^ SC2006 (style): Use $(...) notation instead of legacy backticks `...`.

Did you mean:
  if [ -L "$BIN/${executable}" -a -e "$BIN/${executable}" -a "$(readlink "$BIN/${executable}")" != "/etc/alternatives/${executable}" ]; then

rm -f "$BIN/${executable}"
fi
update-alternatives --install "$BIN/${executable}" "${executable}" "$APP/${executable}" 100 || ln -sf "$APP/${executable}" "$BIN/${executable}"
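Review bot: `if type update-alternatives 2>/dev/null >&1; then` does not silence the command: `>&1` duplicates fd 1 onto itself, so `type`'s "update-alternatives is /usr/bin/…" line is printed to stdout on every install; the intended form is `if command -v update-alternatives >/dev/null 2>&1; then`. Separately, `chmod 4755 '/opt/${sanitizedProductName}/chrome-sandbox' || true` makes the SUID sandbox helper strictly best-effort with no diagnostic, and on a kernel without user namespaces a failed chmod presumably leaves Chromium unable to start its sandbox later with an unrelated-looking error, so I would at least add `|| printf '%s\n' 'warning: could not set SUID bit on chrome-sandbox' >&2` in that branch instead of `|| true`. The shebang and the tail of the update-alternatives block are outside the hunks shown here.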
@@ -1,6 +1,12 @@
#!/bin/bash
set -eu

###
# Based on the default after-remove.tpl copied from electron-builder.
# https://github.com/electron-userland/electron-builder/blob/e394e0c48be965bd8a02c593ecda7e57b84b4f15/packages/app-builder-lib/templates/linux/after-remove.tpl
# Our copy has all the changes from upstream up to commit 88cc0b06dba22139721fd1e04f6a1cf2d447edbd.
###

# Do not touch symlinks if the package is being upgraded.
#
# Why?
Expand All @@ -23,10 +29,12 @@ set -eu
#
# Is the first argument "upgrade" or "1"?
if [ "$1" = "upgrade" ] || [ "$1" = "1" ]; then
# shellcheck disable=SC2154 # This is custom electron-builder macro expansion, not Bash templating.
echo "${executable}: Upgrade detected, skipping symlink operations"
exit 0
fi

# shellcheck disable=SC2154 # This is custom electron-builder macro expansion, not Bash templating.
APP="/opt/${sanitizedProductName}"
BIN=/usr/local/bin
TSH_SYMLINK_TARGET=$BIN/tsh
Expand All @@ -46,6 +54,7 @@ if [ -L "$TSH_SYMLINK_TARGET" ] && [ ! -e "$TSH_SYMLINK_TARGET" ]; then
rm -f "$TSH_SYMLINK_TARGET"
fi

# shellcheck disable=SC2016 # This is custom electron-builder macro expansion, not Bash templating.
APPARMOR_PROFILE_DEST='/etc/apparmor.d/${executable}'

# Remove apparmor profile.
23 changes: 18 additions & 5 deletions web/packages/teleterm/electron-builder-config.js
Expand Up @@ -53,6 +53,18 @@ if (process.env.TEAMID) {
process.env.APPLE_TEAM_ID = process.env.TEAMID;
}

/**
* Describes whether there will be an attempt by electron-builder to sign the app on macOS.
*/
const shouldBeSignedOnMacOS =
process.env.APPLE_ID ||
process.env.APPLE_APP_SPECIFIC_PASSWORD ||
process.env.APPLE_TEAM_ID;

const entitlementsMacOS = shouldBeSignedOnMacOS
? 'build_resources/entitlements.mac.plist'
: 'build_resources/entitlements.mac.adhoc-signed.plist';

/**
* @type { import('electron-builder').Configuration }
*/
Expand Down Expand Up @@ -116,9 +128,10 @@ module.exports = {
notarize: true,
hardenedRuntime: true,
gatekeeperAssess: false,
entitlements: entitlementsMacOS,
// Use the same entitlements for Electron subprocesses (e.g., renderer, GPU)
// as those defined for the main app.
entitlementsInherit: 'build_resources/entitlements.mac.plist',
entitlementsInherit: entitlementsMacOS,
Comment on lines +131 to +134
@ravicious ravicious Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes were discussed here: #62704 (comment)

In short, electron-builder used to not sign the app when no signing identity was present. Now it does ad-hoc signing in those cases. When an app is ad-hoc signed, it needs the com.apple.security.cs.disable-library-validation entitlement to work properly when hardened runtime is on.

This is not needed in "prod" (for both dev and prod builds) where we do provide a signing identity.

// If CONNECT_TSH_APP_PATH is provided, we assume that tsh.app is already signed.
signIgnore: env.CONNECT_TSH_APP_PATH && ['tsh.app'],
icon: 'build_resources/icon-mac.png',
Expand Down Expand Up @@ -223,17 +236,17 @@ module.exports = {
},
rpm: {
artifactName: '${name}-${version}.${arch}.${ext}',
afterInstall: 'build_resources/linux/after-install.tpl',
afterRemove: 'build_resources/linux/after-remove.tpl',
afterInstall: 'build_resources/linux/after-install.sh.tmpl',
afterRemove: 'build_resources/linux/after-remove.sh.tmpl',
// --rpm-rpmbuild-define "_build_id_links none" fixes the problem with not being able to install
// Connect's rpm next to other Electron apps.
// https://github.com/gravitational/teleport/issues/18859
fpm: ['--rpm-rpmbuild-define', '_build_id_links none'],
},
deb: {
artifactName: '${name}_${version}_${arch}.${ext}',
afterInstall: 'build_resources/linux/after-install.tpl',
afterRemove: 'build_resources/linux/after-remove.tpl',
afterInstall: 'build_resources/linux/after-install.sh.tmpl',
afterRemove: 'build_resources/linux/after-remove.sh.tmpl',
},
linux: {
target: ['tar.gz', 'rpm', 'deb'],
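Review bot: `shouldBeSignedOnMacOS` is derived from the notarization credentials (`APPLE_ID`, `APPLE_APP_SPECIFIC_PASSWORD`, `APPLE_TEAM_ID`) rather than from a signing identity, so a machine where electron-builder finds a Developer ID certificate in the keychain or via `CSC_LINK`/`CSC_NAME` but has none of those variables set would, if I read the upstream behavior correctly, produce a properly signed app that still carries `disable-library-validation` — the opposite of what the comment on the entitlements lines describes. Either fold the signing-identity variables into the check or state the assumption where it lives: `// We treat notarization credentials as a proxy for "a signing identity is present" — a keychain-discovered identity without them would get the ad-hoc entitlements.` As a style point, the `||` chain yields a string or `undefined`; wrapping it in `Boolean(...)` would match the JSDoc's "describes whether". A one-line `console.log` of which entitlements file was selected would also make the choice visible in build output.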
2 changes: 1 addition & 1 deletion web/packages/teleterm/package.json
Expand Up @@ -45,7 +45,7 @@
"@xterm/addon-fit": "^0.11.0",
"@xterm/xterm": "^6.0.0",
"electron": "39.2.2",
"electron-builder": "^26.0.12",
"electron-builder": "^26.6.0",
macOS, Windows, Ubuntu and Fedora versions work fine.

"electron-updater": "^6.7.0",
"electron-vite": "^4.0.1",
"events": "3.3.0",