Electron-builder: Packaging Electron v5 with sandbox (linux)

Created on 3 May 2019 · 95 Comments · Source: electron-userland/electron-builder

With electron 5 the sandbox is enabled by default. The sandbox requires elevated rights to run.
This can be achieved if the kernel has kernel.unprivileged_userns_clone enabled or a SUID flag is set on chrome-sandbox.

If unprivileged_userns_clone is disabled (default for Arch) the SUID-flag is required.

To disable / enable said kernel feature:

```sh
sudo sysctl kernel.unprivileged_userns_clone=0
```

Snaps cannot use the SUID flag (automatic app review) and seem to prevent access to the kernel feature.

One can disable the sandbox by running electron with the --no-sandbox argument.

As a workaround, I currently use an after-pack hook to wrap the electron binary and append the --no-sandbox argument, which seemed to be the only way to add the sandbox argument. (app.commandLine.appendSwitch does not work since electron has already launched)
https://github.com/thomasnordquist/MQTT-Explorer/blob/master/scripts/afterPack.ts

Electron issue concerning this: https://github.com/electron/electron/issues/17972


Can't the old behavior be resolved by specifying sandbox: false in the browser window constructor?

Seems like it could be a viable workaround. I've disabled our snaps for now but would be nice to have a workaround.

sandbox: false doesn't seem to fix things. I still get:

```
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
Trace/breakpoint trap (core dumped)
```

This might be possible if we pass --no-sandbox to the electron command line but I can't figure out how to set this in electron-builder.

To my knowledge, as of now, one cannot disable the sandbox/sandbox-helper with an electron-builder configuration.

@burtonator see the initial comment for the workaround I chose to use for snaps and AppImage builds, (afterPack hook/electron wrapper script).
I believe there is still a lot to do for different parties (electron, snapcraft) until the sandbox feature will be available for snaps in snapcraft.

An electron-builder build-option to disable/configure the sandbox would be better, but until the situation is resolved I'll use the workaround.

I implemented a hack where I renamed the main script to myapp.bin and then added the --no-sandbox argument manually and it worked fine. Not pretty but at least we have code pushed!

@burtonator I resolved it with this solution, but the problem now is that we get 2 icons instead of 1, and it is exactly because we use --no-sandbox; I think this flag should be in the Gnome desktop using this flag.

https://github.com/electron/electron/issues/17972#issuecomment-495893509


@p3x-robot this is probably OS related as I don't have such issue with Xfce nor with Ubuntu 19.04, you can try the app yourself https://github.com/vladimiry/ElectronMail/releases (AppImage / Snap packages).

@vladimiry it shows exactly because of this: if you have a bottom bar with icons, like shortcuts, it will show 2 icons, which is ugly; many distros have these shortcuts (not in the menu...) and it only happens with --no-sandbox


still an ugly hack. not 100%

@p3x-robot what is that panel at the bottom (how do I enable it)?

@vladimiry this is the Linux Mint applet panel for the menu; for now I removed it and run from the menu, but you have the same issue, and so does everyone. It is still a proper solution, about 90%.

It is sure that if you use a shortcut instead of the menu, it will appear twice on any distro, I think.

I have 2 electron apps, same issue.
Of course with electron v4, no issue at all.


linux mint applet panel

Which edition of Linux Mint (Cinnamon, Mate, Xfce)?

@vladimiry Linux Mint 19.1 Cinnamon, the most used

I don't believe it depends on the no-sandbox option; it is related to the OS/panel setup and the way the bash/sh preloader-like script is used. Going to reproduce the issue first.

@vladimiry well, you are right, but v4 works with 1 icon as it is supposed to; with v5 it only works with --no-sandbox and the icon appears twice, on your app as well. If you check out distrowatch.com, Linux Mint is one of the most liked distros.

@vladimiry weird bug

Try running the AppImage without the sh/bash preloader but with the --no-sandbox argument, meaning don't hack the AppImage package in any way. I think there will be no duplicated icon issue. So I still don't think there is a bug.

@vladimiry yeah, it works passing --no-sandbox and without the hack on the raw AppImage, but they don't want to play with arguments, just click the menu and it works; that is my issue, but minor bug or issue, whatever

@vladimiry the issue is the same with Snap ...

> but they want to not want to play with arguments, just click the menu and it works

Sure they do and it's right to expect the app works flawlessly.

> the issue is the same with Snap ...

Sure it is, as the same preloader-like sh/bash script is used.

I think it's just a matter of tweaking the preloader-like sh/bash script a little, but there is a need to reproduce the issue first. So let's keep trying the different options and come back here only with some progress.

I have no better solution than the one you provided, but I hope some time there will be a built-in solution from electron or electron-builder.

> I hope some time there will be a built-in solution from electron or electron-builder.

First of all, a solution working in the majority of cases needs to be worked out, which is not the case yet.

I reverted to Electron v4; there is no big new feature in v5 and this is an ugly hack...
Thanks for the info! At least I will always have just 1 icon, beautiful.

Good for you. But just take into account that it's open-source stuff, so you can't expect someone will resolve your issues within a reasonable time frame; sometimes you have to contribute too.

@p3x-robot the issue you described remains unreproducible (you can see there is no icon duplication on fresh Linux Mint Cinnamon):


You have not added the icon from the menu to the panel... it is in the screenshot.

You just ran it from the CLI; integrate it into the menu, then right click -> add to panel, and then it is twice. :)

@vladimiry then, after you see the panel without running it, run it from the panel; that is how they use it, not usually from the icon, most users are noobs

@vladimiry see, on v4 it is proper and right: after adding it to the panel and clicking, only 1 icon each:
(screenshot)

I missed adding it to a panel as a shortcut, could not imagine that windows-like workflow came to Linux Mint. It's, in my opinion, a narrow use case and if you intend to support it you need to learn how the taskbar panel used in Linux Mint detects if the app is already running and then apply the knowledge to tweaking the preload-like bash/sh script. There is no issue with Electron itself.

For me it is fishy; I should not have to hack to make it work with electron and electron-builder, but actually there is no new feature in v4 vs v5. The best is v2, as even the tray click is working; they made it wrong since like v3. Just jumping by major versions and getting worse and worse, with no actual big new features.

There is nothing wrong here, it's just open-source as it is, so you take it as given if not ready to contribute.

Does anyone know where I can put this --no-sandbox flag into this pkg (both AppImage and snap on Linux)? I am open to adding it, but are there any pointers?

To me, it seems like it should be either static or as a configuration in the package.json build section.

```json
{
  "build": {
    "linux": {
      "no-sandbox": true
    }
  }
}
```

or:

```json
{
  "build": {
    "linux": {
      "append-switches": "--no-sandbox"
    }
  }
}
```

@p3x-robot I don't believe it's supported, see https://github.com/electron-userland/electron-builder/issues/2562

@vladimiry as I see it, most people (many programmers) have reverted to Electron v4, so it seems many people think it is buggy and not release-able, not usable right now

Of course they did as reverting is the easiest thing you can do :smile:

Have you solved it so it works as with v4? The solution you provided is giving 2 icons on the panel...

> the solution you provided is giving 2 icons on the panel...

Including repackaging the Snap package as written here https://github.com/electron/electron/issues/17972#issuecomment-498149481 instead of using a loader-like sh script (you just do unsquashfs, then modify the files and then pack it back running snapcraft pack)?

As you said, v4 works without issues; no new features really, just a version bump upgrade.

But this discussion is becoming a while(true)

I think the main issue with the double icon is that the wrapper script itself will be presented by the task bar.
The wrapper script then forks another process (the electron app) which also gets the icon.

There may be a different way to fork the process in which there is only one process but the electron process is still attached to the tty.

The best solution would probably be to get rid of the wrapper script and add an option to start without the sandbox.

@p3x-robot I believe it's generally reasonable to expect that bumping a major version may break something, as breaking changes are a normal thing to happen for a major version update. I see no point in continuing the discussion as it goes nowhere. If you need to solve the issue I'd recommend you to tweak the preload script as written before or repackage the Snap build instead (not using the preload script at all).

Does anyone know if Electron v5.0.2 is working with the sandbox issue?

I am on Snapcraft Summit. Confirmed that --no-sandbox is the only viable solution, which at the same time doesn't make your app more insecure (as the app is already running in the snapd sandbox). Yes, if you run some fully untrusted content, as the Brave browser does, then you need to ask Canonical to add you as a trusted vendor. It is clear that not everyone can be a trusted vendor.

It is not artificial restriction — problem is that snapd cannot grant allow-sandbox permission to any app, because in this case app can go out of own sandbox (imposed by snapd) and do some bad things on a user machine.

So, upcoming electron-builder release will fully support Electron 5 by default. Existing version already supports ability to specify allow-sandbox.

@develar if I'm not wrong, Snap doesn't allow publishing packages that have files with the SUID permission bit set, but it looks like the bit is going to be set for all the Linux packages https://github.com/develar/electron-builder/blob/a36123cb9e760b55bf79fe13b93d04306c9cd4b3/packages/app-builder-lib/src/electron/ElectronFramework.ts#L66

Yeah, I'd be curious to hear how this affects the AppImage build target.

@vladimiry This line of code is already removed (in my fork of this repo I do developing and only then push to master) ;)

But this just looks like it is only implemented for SNAP and missing for AppImage, is that right?

@develar does it fix AppImage as well?

Not only AppImage and Snap, but other Linux package formats are also affected, those that need SUID bit to be set.

Yeah, I can see where it adds the no-sandbox flag: it is only in the packages/app-builder-lib/src/targets/snap.ts file. So it is not a complete solution, only snap. What a shame.

Why is it closed, as the issue is: Packaging Electron v5 with sandbox (linux)? That commit is only for SNAP.

I just highlighted the issue. Let's not overreact. There are known workarounds that tackle the issue.

Do you know a 100% AppImage solution like the snap one?

@p3x-robot I asked you before, did you try repackaging it? Here is the prototype if needed.

@vladimiry so I build that with tsc and just add it in an afterPack hook and it will work? I am a JS guy.

Nope, there are dependencies involved, the binary name is taken from the package.json, etc. But that should not be a problem to convert it to a raw JS code. So it's a code snippet.

It is weird that this issue is closed, as the issue is not named about snap but about the whole electron-builder issue (AppImage, SNAP); so weird this is closed.
This issue should be open. AppImage is not working anymore; which user wants to play with flags? When they install it, they click it in the menu and it works.

@develar please can you reopen this issue so it can be resolved for AppImage/deb/etc or would you prefer a new issue is opened? Happy to do so if needed.

Is electron 6 fixing the sandbox error? I am still on v4 as I cannot fix this, neither with 5 nor with 6.

@p3x-robot for the electron project this is not a bug, but a security feature.

The electron wrapper script is no longer required to ship the application via the snap-store (with a recent electron-builder version).

For other Linux distribution channels, one must simply set the suid (chmod u+s) flag and set the file owner to root. See https://github.com/electron/electron/issues/17972#issuecomment-487369441

I never tried it with AppImage builds, I am uncertain if AppImage will work (it would be very scary if no password is required to mount AppImage and AppImage could execute a script as root).

Well, snap works with electron 6 right now; just with electron-builder there is no solution to use AppImage, right? (unless I hack it somehow into electron-builder)

> well snap works

Because the snap target got the --no-sandbox argument hardcoded at build time. So it doesn't depend on the electron version; it should work with electron v5 too. I guess one day --no-sandbox hardcoding might happen in the appimage packaging process too (right now I have to unpack the prepared package, tweak it and pack it back).

Yes, but this is the same hack that you told me about, which created 2 icons on my menu toolbar, or has it changed?

As I would then build it into my build process. I would love to use electron v6.

Not exactly the same hack, but enhanced. You could try the recent release to check it out https://github.com/vladimiry/ElectronMail/releases

@vladimiry => based on https://github.com/electron/electron/issues/19550#issuecomment-516964404 @nornagon says I should file an issue about the AppImage build above electron v4.
Is this valid? Should I file a bug report with either electron or electron-builder?

@vladimiry it is enhanced: the first time it generates 2 icons, but on the following click it reuses the same icon, so this is a good hack. Could you tell me where this code is? I have to translate it to JS, as I only use TypeScript in Angular; the rest is JS...

@p3x-robot My opinion is that it's a packaging tools issue, ie should be handled here.

> could you tell me where this code is?

I simply hardcode the --no-sandbox argument in the original AppRun script rather than creating a new loader script, full script is here.

I have this code https://github.com/patrikx3/onenote/blob/master/src/build/after-pack.js, what would change? For me it is too big a code to understand quickly; could you just tell me what I would do to make it do what your solution actually does?

> what your solution actually does

> I simply hardcode the --no-sandbox argument in the original AppRun script rather than creating a new loader script

I see no AppRun; I have (my app) p3x-onenote, is that where I would somehow hardcode the --no-sandbox? Or where is this AppRun executable?

The AppRun script is in the appimage package, which needs to be unpacked first ... all that stuff is in the script I referenced.

@vladimiry so basically, I unpack the finished appimage with something like:

```sh
./P3X\ OneNote-2019.10.202.AppImage --appimage-extract
```

Then I have this folder squashfs-root which has the AppRun executable.
Then I find this:
(screenshot)
Then I replace it again:
(screenshot)

Then I re-pack like this:

```sh
./appimagetool-x86_64.AppImage -n --comp xz squashfs-root ./P3X\ OneNote-2019.10.202.AppImage
```

and that is it?

@p3x-robot you got it right.

Thanks so much! I'll write it in JS now, thanks so much! You are a god! :+1:

What I do not find is that this runs before the package. afterPack is wrong, I do not have the built AppImage; how can I catch the event when the package is built already? Now I can see this:

So how would I unpack when there is no AppImage?

@p3x-robot this is why the script triggers package creation programmatically rather than via CLI; yes, afterPack doesn't work for this case. So the script builds the package first and then does the repackaging. I guess you could also run the process using electron-builder --linux appimage && node ./scripts/your-repackaging-script.js scripting syntax.

The only problem is, how can I upload to GitHub? As I used to use the flag -p always, it does not wait until my hook is done, so it starts to upload right away.
Do you know how I can upload the files after afterAllArtifactBuild, or is there any way to not build anymore, just upload with electron-builder? :(

I stopped publishing the packages to GitHub by electron-builder for a list of reasons. There might be some hook/event in between building the package and uploading it, but I'm not aware of it.

It works:

```sh
rm -rf dist && electron-builder --ia32 --x64 --linux && electron-builder -p always
```

It builds it, it uses after-all-artifact-build.js, and when I execute electron-builder -p always it does not generate, it just uploads.
So it works, just testing.
Thanks for your help!

I cannot upload; what do you use to upload releases and tags on GitHub? I see in github-api how to create a release, but how can I upload the files?

I can create a tag via github-api; my only problem is that when it tries to auto upload, the sha512 sums are wrong, as I changed the file. How can I calculate it? It is not even sha512sum, but some base64:

I had to generate the sha512 as well, but I fixed it; I am on electron 6 and all is perfect!
Thanks dudes!

If anyone is interested in fixing the AppImage by adding --no-sandbox, the code is here and it is JavaScript:
https://github.com/patrikx3/onenote/tree/master/src/build
(It uploads to GitHub as well, in 2 steps: first afterAllArtifactBuild unpacks the AppImage, adds --no-sandbox to the AppRun script, then re-packs (at this point the latest-linux.yml will have a different sha512 signature); then at the end, when electron-builder is done, it executes post-build.js, as the new AppImages' yaml files have different sha512 signatures, so I had to calculate them by hand... (it is only for Linux, I had no time to fix all platforms).
(as I build for AMD x64 and i386 as well)

Besides, it is an AppImage so it is enough for Linux; not needed for Win... or macOS... :)

Actually I moved the builder into its own microservice, so it is like this:
https://github.com/patrikx3/corifeus-builder/tree/master/src/utils/appimage

and the package.json:
https://github.com/patrikx3/onenote/blob/master/package.json

```json
{
    "name": "p3x-onenote",
    "version": "2019.10.281",
    "description": "📚 P3X OneNote Linux",
    "main": "src/electron/app.js",
    "corifeus": {
        "snap": true,
        "prefix": "p3x-",
        "publish": true,
        "type": "p3x",
        "code": "Linux",
        "nodejs": "v12.7.0",
        "opencollective": true,
        "reponame": "onenote",
        "build": true
    },
    "bin": {
        "p3x-onenote": "bin/p3x-onenote.js"
    },
    "scripts": {
        "test": "grunt",
        "build": "electron-builder --ia32 --x64  build/dist",
        "build-test": "electron-builder build/dist -p always",
        "postinstall": "opencollective postinstall",
        "start": "node ./node_modules/.bin/electron ./src/electron/app.js",
        "publish-electron": "rm -rf dist && electron-builder -p onTagOrDraft --ia32 --x64 --linux",
        "publish-electron-snap": "electron-builder --linux snap -p never",
        "publish-electron-yml": "node ./node_modules/corifeus-builder/src/utils/appimage/post-build.js"
    },
    "repository": {
        "type": "git",
        "url": "git+https://github.com/patrikx3/onenote.git"
    },
    "keywords": [
        "onenote",
        "linux"
    ],
    "author": "Patrik Laszlo <[email protected]>",
    "license": "MIT",
    "bugs": {
        "url": "https://github.com/patrikx3/onenote/issues"
    },
    "homepage": "https://pages.corifeus.com/onenote",
    "dependencies": {
        "@fortawesome/fontawesome-free": "^5.10.1",
        "angular": "^1.7.8",
        "angular-animate": "^1.7.8",
        "angular-aria": "^1.7.8",
        "angular-material": "^1.1.19",
        "angular-messages": "^1.7.8",
        "configstore": "^4.0.0",
        "corifeus-utils": "^2019.10.140",
        "electron-updater": "^4.1.2",
        "jquery": "^3.4.1",
        "opencollective": "^1.0.3",
        "semver": "^6.3.0",
        "typeface-roboto": "0.0.75"
    },
    "devDependencies": {
        "angular-mocks": "^1.7.8",
        "corifeus-builder": "^2019.10.223",
        "electron-builder": "^21.2.0",
        "escape-string-regexp": "^2.0.0",
        "fs-extra": "^8.1.0",
        "github-api": "^3.2.2",
        "globby": "^10.0.1",
        "jsdom": "^15.1.1",
        "yaml": "^1.6.0"
    },
    "build": {
        "afterAllArtifactBuild": "./node_modules/corifeus-builder/src/utils/appimage/after-all-artifact-build.js",
        "publish": [
            {
                "provider": "github",
                "owner": "patrikx3",
                "repo": "onenote"
            }
        ],
        "appId": "p3x.onenote",
        "copyright": "MIT",
        "productName": "P3X OneNote",
        "linux": {
            "category": "Office",
            "icon": "src/electron/images/",
            "target": [
                "AppImage"
            ]
        },
        "snap": {
            "environment": {
                "DISABLE_WAYLAND": 1
            }
        }
    }
}
```

A publish is like this:

```bash
#!/usr/bin/env bash
set -e   # stop at the first failing step instead of publishing a broken build
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
TOP="$DIR/.."
pushd "$TOP"

grunt
export GH_TOKEN=$(cat "$DIR/token.txt")
npm run publish-electron
npm run publish-electron-yml

npm run publish-electron-snap

export VERSION=$("$DIR/get-version.js")
SNAP_FILE="p3x-onenote_${VERSION}_amd64.snap"
pushd dist

####snapcraft login
snapcraft push --release=beta "$SNAP_FILE"
```

@develar I think this issue should be re-opened. It's great that #4364 resolves this for the .deb distribution, but this problem remains unsolved on AppImage (and maybe Snap?).

Thanks. (Snap won't install on my machine, so I haven't been able to test.) It sounds like the problem is now just limited to AppImage installations.
