feat: @electron/fusesを使用してセキュリティを向上させる

TODO: 次の機能の有効化の判断が必要
- cookieEncryption
- embeddedAsarIntegrityValidation

Author: sabonerune

build/afterPack.ts

@@ -0,0 +1,15 @@
+import { FuseConfig, FuseV1Options, FuseVersion } from "@electron/fuses";
+import { AfterPackContext } from "electron-builder";
+
+export default async function afterPack(context: AfterPackContext) {
+  // @electron/fusesで特定の機能や制限を有効化/無効化
+  const fuses: FuseConfig = {
+    version: FuseVersion.V1,
+    [FuseV1Options.RunAsNode]: false,
+    [FuseV1Options.EnableNodeOptionsEnvironmentVariable]: false,
+    [FuseV1Options.EnableNodeCliInspectArguments]: false,
+    [FuseV1Options.OnlyLoadAppFromAsar]: true,
+    [FuseV1Options.GrantFileProtocolExtraPrivileges]: false,
+  };
+  await context.packager.addElectronFuses(context, fuses);
+}

build/electronBuilderConfig.ts

@@ -4,6 +4,7 @@ import { config } from "dotenv";
 import { Configuration as ElectronBuilderConfiguration } from "electron-builder";
 import { z } from "zod";
 import afterAllArtifactBuild from "./afterAllArtifactBuild";
+import afterPack from "./afterPack";
 import artifactBuildCompleted from "./artifactBuildCompleted";
 
 const rootDir = path.join(import.meta.dirname, "..");
@@ -110,6 +111,7 @@ const builderOptions: ElectronBuilderConfiguration = {
   appId: "jp.hiroshiba.voicevox",
   copyright: "Hiroshiba Kazuyuki",
   afterAllArtifactBuild,
+  afterPack,
   artifactBuildCompleted,
   win: {
     icon: "public/icon.png",

package.json

@@ -87,6 +87,7 @@
   },
   "devDependencies": {
     "@chromatic-com/storybook": "4.0.1",
+    "@electron/fuses": "2.0.0",
     "@eslint/eslintrc": "3.3.1",
     "@eslint/js": "9.29.0",
     "@openapitools/openapi-generator-cli": "2.20.5",