build: embed binary checksums in the npm package (electron#30611)

* build: embed binary checksums in the npm package

* Update docs/tutorial/installation.md

Co-authored-by: Jeremy Rose <[email protected]>

* refactor: replace reduce with loop

Co-authored-by: Jeremy Rose <[email protected]>

Author: MarshallOfSound

.gitignore

@@ -26,6 +26,7 @@ compile_commands.json
 # npm package
 /npm/dist
 /npm/path.txt
+/npm/checksums.json
 
 .npmrc
 

docs/tutorial/installation.md

@@ -90,6 +90,11 @@ ELECTRON_CUSTOM_DIR="{{ version }}"
 The above configuration will download from URLs such as
 `https://npm.taobao.org/mirrors/electron/8.0.0/electron-v8.0.0-linux-x64.zip`.
 
+If your mirror serves artifacts with different checksums to the official
+Electron release you may have to set `ELECTRON_USE_REMOTE_CHECKSUMS=1` to
+force Electron to use the remote `SHASUMS256.txt` file to verify the checksum
+instead of the embedded checksums.
+
 #### Cache
 
 Alternatively, you can override the local cache. `@electron/get` will cache

npm/install.js

@@ -41,6 +41,7 @@ downloadArtifact({
   artifactName: 'electron',
   force: process.env.force_no_cache === 'true',
   cacheRoot: process.env.electron_config_cache,
+  checksums: process.env.electron_use_remote_checksums ? undefined : require('./checksums.json'),
   platform,
   arch
 }).then(extractFile).catch(err => {

npm/package.json

@@ -8,7 +8,7 @@
     "postinstall": "node install.js"
   },
   "dependencies": {
-    "@electron/get": "^1.0.1",
+    "@electron/get": "^1.13.0",
     "@types/node": "^14.6.2",
     "extract-zip": "^1.0.3"
   },

script/release/publish-to-npm.js

@@ -103,6 +103,27 @@ new Promise((resolve, reject) => {
 
     return release;
   })
+  .then(async (release) => {
+    const checksumsAsset = release.assets.find((asset) => asset.name === 'SHASUMS256.txt');
+    if (!checksumsAsset) {
+      throw new Error(`cannot find SHASUMS256.txt from v${rootPackageJson.version} release assets`);
+    }
+
+    const checksumsContent = await getAssetContents(
+      rootPackageJson.version.indexOf('nightly') > 0 ? 'nightlies' : 'electron',
+      checksumsAsset.id
+    );
+
+    const checksumsObject = {};
+    for (const line of checksumsContent.trim().split('\n')) {
+      const [checksum, file] = line.split(' *');
+      checksumsObject[file] = checksum;
+    }
+
+    fs.writeFileSync(path.join(tempDir, 'checksums.json'), JSON.stringify(checksumsObject, null, 2));
+
+    return release;
+  })
   .then(async (release) => {
     const currentBranch = await getCurrentBranch();
 
@@ -145,10 +166,26 @@ new Promise((resolve, reject) => {
   // test that the package can install electron prebuilt from github release
     const tarballPath = path.join(tempDir, `${rootPackageJson.name}-${rootPackageJson.version}.tgz`);
     return new Promise((resolve, reject) => {
-      childProcess.execSync(`npm install ${tarballPath} --force --silent`, {
+      const result = childProcess.spawnSync('npm', ['install', tarballPath, '--force', '--silent'], {
         env: Object.assign({}, process.env, { electron_config_cache: tempDir }),
-        cwd: tempDir
+        cwd: tempDir,
+        stdio: 'inherit'
       });
+      if (result.status !== 0) {
+        return reject(new Error(`npm install failed with status ${result.status}`));
+      }
+      try {
+        const electronPath = require(path.resolve(tempDir, 'node_modules', rootPackageJson.name));
+        if (typeof electronPath !== 'string') {
+          return reject(new Error(`path to electron binary (${electronPath}) returned by the ${rootPackageJson.name} module is not a string`));
+        }
+        if (!fs.existsSync(electronPath)) {
+          return reject(new Error(`path to electron binary (${electronPath}) returned by the ${rootPackageJson.name} module does not exist on disk`));
+        }
+      } catch (e) {
+        console.error(e);
+        return reject(new Error(`loading the generated ${rootPackageJson.name} module failed with an error`));
+      }
       resolve(tarballPath);
     });
   })
@@ -181,6 +218,6 @@ new Promise((resolve, reject) => {
     }
   })
   .catch((err) => {
-    console.error(`Error: ${err}`);
+    console.error('Error:', err);
     process.exit(1);
   });