github.com/antmanler/go-astilectron-bundler
This package provides a way to bundle an astilectron app using the bootstrap.
Check out the demo to see a working example.
To install the package, run the following command:
$ go get -u github.com/asticode/go-astilectron-bundler/...
To build and install the astilectron-bundler binary, run the following command:
$ go install github.com/asticode/go-astilectron-bundler/astilectron-bundler
astilectron-bundler uses a configuration file to know what it's supposed to do.
Here's the basic configuration you'll usually need:
{
  "app_name": "Test",
  "icon_path_darwin": "path/to/icon.icns",
  "icon_path_linux": "path/to/icon.png",
  "icon_path_windows": "path/to/icon.ico"
}
It will process the project located in the current directory and bundle it in the output dir for your os/arch.
The following customization can be made to bundler.json:
go-astilectron version you're using
go-astilectron version you're using
You can bundle your project for multiple environments with the environments key:
{
  "environments": [
    {"arch": "amd64", "os": "darwin"},
    {"arch": "amd64", "os": "linux"},
    {
      "arch": "amd64",
      "os": "windows",
      "env": {
        "CC": "x86_64-w64-mingw32-gcc",
        "CXX": "x86_64-w64-mingw32-g++",
        "CGO_ENABLED": "1"
      }
    }
  ]
}
For each environment you can specify environment variables with the env key.
You can execute custom actions on your resources before binding them to the binary, such as uglifying the .js files, with the resources_adapters key:
{
  "resources_adapters": [
    {
      "args": ["myfile.js", "mynewfile.js"],
      "name": "mv"
    },
    {
      "args": ["-flag", "value", "mynewfile.js"],
      "name": "myawesomebinary"
    }
  ]
}
All paths must be relative to the resources folder except if you provide a dir option (a path relative to the resources folder) in which case it will be relative to that path.
You can set the following paths:
input_path: path to your project. Defaults to the current directory
go_binary_path: path to the go binary. Defaults to "go"
output_path: path to the dir where you'll find the bundle results. Defaults to current directory/output
resources_path: path where the resources dir is and will be written. Path must be relative to the input_path. Defaults to "resources"
vendor_dir_path: path where the vendor dir will be written. Path must be relative to the output_path
working_directory_path: path to the dir where the bundler runs its operations such as provisioning the vendor files or binding data to the binary
You can use the bind attribute to alter the bind configuration like so:
{
  "bind": {
    "output_path": "path/to/bind/output/path",
    "package": "mypkg"
  }
}
You can add custom Info.plist configuration to the bundler.json:
{
  "app_name": "Best App",
  "icon_path_darwin": "resources/icon.icns",
  "info_plist": {
    "CFBundlePackageType": "APPL",
    "CFBundleInfoDictionaryVersion": "6.0",
    "CFBundleIconFile": "icon.icns",
    "CFBundleDisplayName": "Best App",
    "CFBundleExecutable": "app_binary",
    "CFBundleIdentifier": "com.company.BestApp",
    "LSUIElement": "NO",
    "LSMinimumSystemVersion": "10.11",
    "NSHighResolutionCapable": true,
    "NSAppTransportSecurity": {
      "NSAllowsArbitraryLoads": true
    }
  }
}
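A bundler.json can name commands to run (resources_adapters), swap the compiler (env) and relax App Transport Security (info_plist), so it is worth reviewing like code before bundling. The Go program below is an added example, not part of the bundler project: Audit, its finding strings and the sample are constructed here, and it assumes each adapter's name is run with its args, as the mv example above suggests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Config mirrors only the bundler.json keys shown on this page.
type Config struct {
	Environments      []struct{ OS, Arch string; Env map[string]string } `json:"environments"`
	ResourcesAdapters []struct{ Name string; Args []string }             `json:"resources_adapters"`
	InfoPlist         map[string]interface{}                             `json:"info_plist"`
}

// Audit lists settings that run a command, swap the compiler, or relax ATS.
func Audit(raw []byte) ([]string, error) {
	var c Config
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parsing bundler.json: %w", err)
	}
	var out []string
	for _, a := range c.ResourcesAdapters {
		out = append(out, "adapter runs: "+a.Name+" "+strings.Join(a.Args, " "))
	}
	for _, e := range c.Environments {
		for _, k := range []string{"CC", "CXX"} { // fixed order keeps output stable
			if v, ok := e.Env[k]; ok {
				out = append(out, fmt.Sprintf("%s/%s build uses %s=%s", e.OS, e.Arch, k, v))
			}
		}
	}
	// A missing info_plist leaves these as nil maps, which read safely.
	ats, _ := c.InfoPlist["NSAppTransportSecurity"].(map[string]interface{})
	if on, _ := ats["NSAllowsArbitraryLoads"].(bool); on {
		out = append(out, "info_plist: NSAllowsArbitraryLoads is true (ATS restrictions disabled)")
	}
	return out, nil
}

// sample is constructed from the configuration snippets on this page.
const sample = `{"resources_adapters": [{"name": "mv", "args": ["myfile.js", "mynewfile.js"]}],
 "environments": [{"arch": "amd64", "os": "windows", "env": {"CC": "x86_64-w64-mingw32-gcc"}}],
 "info_plist": {"NSAppTransportSecurity": {"NSAllowsArbitraryLoads": true}}}`

func main() {
	findings, _ := Audit([]byte(sample)) // sample is valid JSON, so err is nil
	fmt.Println(strings.Join(findings, "\n"))
}
```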
If astilectron-bundler has been installed properly (and the $GOPATH is in your $PATH), run the following command:
$ astilectron-bundler -c <path to your configuration file>
or if your working directory is your project directory and your bundler configuration has the proper name (bundler.json)
$ astilectron-bundler
For each environment you specify in your configuration file, astilectron-bundler will create a folder <output path you specified in the configuration file>/<os>-<arch> that will contain the proper files.
astilectron-bundler uses ldflags when building the project. It means if you add one of the following variables as global exported variables in your project, they will have the following value:
AppName: filled with the configuration app name
BuiltAt: filled with the date the build has been done at
If you need to add more flags yourself, like for a version number, add something like this to your astilectron-bundler command: -ldflags X:main.Version=xyzzy.
If you need to add multiple flags you can pass -ldflags multiple times, with multiple values split on commas, like this:
-ldflags X:main.Version=xyzzy,main.CommitCount=100 -ldflags race
That would set two variables and enable the race detection.
Use this command if you want to skip most of the bundling process and only bind data/generate the bind.go file (useful when you want to test your app running go run *.go):
$ astilectron-bundler bd -c <path to your configuration file>
The bundler stores downloaded files in a cache to avoid downloading them over and over again. That cache may be corrupted. In that case, use this command to clear the cache:
$ astilectron-bundler cc
When building for linux you may face an error looking like this:
FATA[0009] bundling failed: bundling for environment linux/amd64 failed: building failed: # github.com/asticode/go-astilectron-demo
/usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/usr/bin/ld: i386 architecture of input file `/tmp/go-link-275377070/000000.o' is incompatible with i386:x86-64 output
collect2: error: ld returned 1 exit status
Thanks to this comment, you need to add the ldflags key to your bundler.json with the value {"linkmode":["internal"]}.