From 38ccd77b81c215d930baba4013c04ee4e0232101 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Tue, 28 Mar 2023 16:08:51 +0100
Subject: [PATCH 1/6] Backport packaging scripts to master

---
 .github/workflows/build_and_deploy.yaml       |  13 ++-
 .github/workflows/build_and_test.yaml         |   3 +-
 .github/workflows/build_keyring.yaml          |  53 ++++++++++
 .github/workflows/build_linux.yaml            |  23 ++++-
 .github/workflows/build_macos.yaml            |   8 +-
 .github/workflows/build_prepare.yaml          |  78 +++++++++-----
 .github/workflows/build_windows.yaml          |  19 ++--
 .github/workflows/packages_index.yaml         |   2 +-
 .github/workflows/reprepro.yaml               |   7 +-
 element-io-archive-keyring/DEBIAN/control     |   7 ++
 hak/matrix-seshat/build.ts                    |  22 +++-
 .../debian/element-io-archive-keyring.asc     |  96 ++++++++++++------
 .../debian/element-io-archive-keyring.gpg     | Bin 2577 -> 2577 bytes
 scripts/hak/target.ts                         |   9 ++
 14 files changed, 254 insertions(+), 86 deletions(-)
 create mode 100644 .github/workflows/build_keyring.yaml
 create mode 100644 element-io-archive-keyring/DEBIAN/control

diff --git a/.github/workflows/build_and_deploy.yaml b/.github/workflows/build_and_deploy.yaml
index 7744910..0adc19c 100644
--- a/.github/workflows/build_and_deploy.yaml
+++ b/.github/workflows/build_and_deploy.yaml
@@ -41,15 +41,14 @@ on:
                 default: true
 concurrency: ${{ github.workflow }}
 env:
-    # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
-    R2_BUCKET: "packages-element-io-test"
+    R2_BUCKET: "packages-element-io"
 jobs:
     prepare:
         uses: ./.github/workflows/build_prepare.yaml
         with:
             config: element.io/${{ inputs.mode || 'nightly' }}
             version: ${{ inputs.mode == 'release' && '' || 'develop' }}
-            calculate-nightly-versions: ${{ inputs.mode != 'release' }}
+            nightly: ${{ inputs.mode != 'release' }}
         secrets:
             CF_R2_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
             CF_R2_TOKEN: ${{ secrets.CF_R2_TOKEN }}
@@ -88,8 +87,7 @@ jobs:
         with:
             sign: true
             deploy-mode: true
-            # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
-            base-url: https://packages-element-io-test.element.io/${{ inputs.mode == 'release' && 'desktop' || 'nightly' }}
+            base-url: https://packages.element.io/${{ inputs.mode == 'release' && 'desktop' || 'nightly' }}
             version: ${{ needs.prepare.outputs.macos-version }}
 
     linux:
@@ -98,6 +96,7 @@ jobs:
         name: Linux
         uses: ./.github/workflows/build_linux.yaml
         with:
+            config: element.io/${{ inputs.mode || 'nightly' }}
             sqlcipher: system
             version: ${{ needs.prepare.outputs.linux-version }}
 
@@ -111,7 +110,7 @@ jobs:
             - windows_64bit
         runs-on: ubuntu-latest
         name: Deploy
-        if: github.event != 'workflow_dispatch' || (inputs.deploy && (inputs.macos || inputs.windows_32bit || inputs.windows_64bit))
+        if: github.event_name != 'workflow_dispatch' || (inputs.deploy && (inputs.macos || inputs.windows_32bit || inputs.windows_64bit))
         environment: packages.element.io
         steps:
             - name: Download artifacts
@@ -135,7 +134,7 @@ jobs:
             # We queue this after the other deploy stage as we want to abort if that fails
             - deploy
         name: Run reprepro
-        if: github.event != 'workflow_dispatch' || (inputs.deploy && inputs.linux)
+        if: github.event_name != 'workflow_dispatch' || (inputs.deploy && inputs.linux)
         uses: ./.github/workflows/reprepro.yaml
         secrets: inherit
         with:
diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml
index 451fc5a..429be35 100644
--- a/.github/workflows/build_and_test.yaml
+++ b/.github/workflows/build_and_test.yaml
@@ -31,6 +31,7 @@ jobs:
             matrix:
                 sqlcipher: [system, static]
         with:
+            config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }}
             sqlcipher: ${{ matrix.sqlcipher }}
 
     macos:
@@ -91,7 +92,7 @@ jobs:
               if: matrix.prepare_cmd
 
             - name: Run tests
-              uses: GabrielBB/xvfb-action@v1
+              uses: coactions/setup-xvfb@b6b4fcfb9f5a895edadc3bc76318fae0ac17c8b3 # v1
               timeout-minutes: 5
               with:
                   run: "yarn test"
diff --git a/.github/workflows/build_keyring.yaml b/.github/workflows/build_keyring.yaml
new file mode 100644
index 0000000..5eb6abd
--- /dev/null
+++ b/.github/workflows/build_keyring.yaml
@@ -0,0 +1,53 @@
+name: Build Keyring package
+on:
+    workflow_dispatch:
+        inputs:
+            deploy:
+                description: Deploy artifacts
+                required: true
+                type: boolean
+                default: true
+            fingerprint:
+                description: The expected gpg fingerprint
+                required: true
+                type: string
+concurrency: ${{ github.workflow }}
+jobs:
+    build:
+        name: Build Keyring package
+        runs-on: ubuntu-latest
+        steps:
+            - uses: actions/checkout@v3
+
+            - name: Prepare
+              run: |
+                  mkdir -p element-io-archive-keyring/usr/share/keyrings/
+                  cp packages.element.io/debian/element-io-archive-keyring.gpg element-io-archive-keyring/usr/share/keyrings/element-io-archive-keyring.gpg
+
+            - name: Check fingerprint
+              run: |
+                  gpg --import element-io-archive-keyring/usr/share/keyrings/element-io-archive-keyring.gpg
+                  gpg --fingerprint "$FINGERPRINT"
+              env:
+                  FINGERPRINT: ${{ inputs.fingerprint }}
+
+            - name: Build deb package
+              run: |
+                  chmod u=rw,go=r element-io-archive-keyring/usr/share/keyrings/element-io-archive-keyring.gpg
+                  dpkg-deb -Zxz --root-owner-group --build element-io-archive-keyring element-io-archive-keyring.deb
+
+            - name: Upload Artifact
+              uses: actions/upload-artifact@v3
+              with:
+                  name: element-io-archive-keyring
+                  path: "*.deb"
+                  retention-days: 1
+
+    reprepro:
+        needs: build
+        name: Run reprepro
+        if: inputs.deploy
+        uses: ./.github/workflows/reprepro.yaml
+        secrets: inherit
+        with:
+            artifact-name: element-io-archive-keyring
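Review bot: The Check fingerprint step proves less than its name suggests: `gpg --fingerprint "$FINGERPRINT"` treats its argument as a general key specifier, so a short key ID or a user-ID fragment is accepted as readily as a full fingerprint. It also succeeds as long as one matching key is present, however many other keys the keyring file holds. Since this package installs the apt trust anchor for packages.element.io, the step should assert that the keyring contains exactly the expected primary key. The version below lists the primary-key fingerprints in the file and compares them with the normalised input; `KEYRING` is a name chosen for this sketch.

```yaml
            - name: Check fingerprint
              run: |
                  # Primary-key fingerprints actually present in the packaged keyring
                  ACTUAL=$(gpg --show-keys --with-colons "$KEYRING" | awk -F: '$1 == "pub" { primary = 1 } $1 == "fpr" && primary { print $10; primary = 0 }')
                  EXPECTED=$(printf '%s' "$FINGERPRINT" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
                  # Fails when the keyring holds no key, a different key, or more than one key
                  [ "$ACTUAL" = "$EXPECTED" ]
              env:
                  FINGERPRINT: ${{ inputs.fingerprint }}
                  KEYRING: element-io-archive-keyring/usr/share/keyrings/element-io-archive-keyring.gpg
```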
diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml
index 5d58924..b0c245b 100644
--- a/.github/workflows/build_linux.yaml
+++ b/.github/workflows/build_linux.yaml
@@ -4,6 +4,10 @@
 on:
     workflow_call:
         inputs:
+            config:
+                type: string
+                required: true
+                description: "The config directory to use"
             version:
                 type: string
                 required: false
@@ -34,6 +38,7 @@ jobs:
               if: steps.cache.outputs.cache-hit != 'true'
               uses: actions-rs/toolchain@v1
               with:
+                  default: true
                   toolchain: stable
 
             - name: Install libsqlcipher-dev
@@ -60,16 +65,26 @@ jobs:
               run: |
                   echo "config-args=--nightly '${{ inputs.version }}'" >> $GITHUB_OUTPUT
 
-            - name: Generate debian control file
+            - name: Generate debian files and arguments
+              id: debian
               run: |
-                  cp element.io/${{ inputs.version && 'nightly' || 'release' }}/control.template debcontrol
-                  INPUT_VERSION="${{ inputs.version }}"
+                  if [ -f changelog.Debian ]; then
+                      echo "config-args=--deb-changelog changelog.Debian" >> $GITHUB_OUTPUT
+                  fi
+                  
+                  cp "$DIR/control.template" debcontrol
                   VERSION=${INPUT_VERSION:-$(cat package.json | jq -r .version)}
                   echo "Version: $VERSION" >> debcontrol
+              env:
+                  DIR: ${{ inputs.config }}
+                  INPUT_VERSION: ${{ inputs.version }}
 
             - name: Build App
               run: |
-                  scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --deb-custom-control=debcontrol
+                  scripts/generate-builder-config.ts \
+                      ${{ steps.nightly.outputs.config-args }} \
+                      ${{ steps.debian.outputs.config-args }} \
+                      --deb-custom-control=debcontrol
                   yarn build --publish never -l --config electron-builder.json
 
             - name: Upload Artifacts
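Review bot: `inputs.version` is now read from the environment in the debian step, but the same value still reaches a shell by template expansion in two places visible here: the `echo "config-args=--nightly '${{ inputs.version }}'"` context line and the `${{ steps.nightly.outputs.config-args }}` argument of the Build App command. A version string containing a quote or `$(` would change those commands; the callers shown in this patch pass computed versions, so this is hardening rather than a known hole. Setting `INPUT_VERSION` in `env:` on those steps as well and passing `--nightly "$INPUT_VERSION"` from the script keeps the value out of the script text. The nightly step starts outside the hunk.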
diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml
index 31ddf4b..e032f12 100644
--- a/.github/workflows/build_macos.yaml
+++ b/.github/workflows/build_macos.yaml
@@ -54,6 +54,7 @@ jobs:
               if: steps.cache.outputs.cache-hit != 'true'
               uses: actions-rs/toolchain@v1
               with:
+                  default: true
                   toolchain: stable
                   target: aarch64-apple-darwin
 
@@ -79,12 +80,11 @@ jobs:
             - name: "[Signed] Build App"
               if: inputs.sign != ''
               run: |
-                  scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }}
+                  scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --notarytool-team-id='${{ secrets.APPLE_TEAM_ID }}'
                   yarn build:universal --publish never --config electron-builder.json
               env:
-                  NOTARIZE_APPLE_ID: ${{ secrets.APPLE_ID }}
-                  NOTARIZE_APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-                  NOTARIZE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+                  APPLE_ID: ${{ secrets.APPLE_ID }}
+                  APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
                   CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
                   CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}
 
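Review bot: `--notarytool-team-id='${{ secrets.APPLE_TEAM_ID }}'` pastes the secret into the script text, whereas the removed `NOTARIZE_TEAM_ID` entry passed it through `env:` like the other credentials in this step. Expanded this way the value is written into the generated script file, and a stray quote in it would alter the command. Keeping it in the environment avoids both: add `NOTARYTOOL_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}` under `env:` and pass `--notarytool-team-id="$NOTARYTOOL_TEAM_ID"`. The variable name is a suggestion, chosen so it does not collide with a name the build tooling may read itself.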
diff --git a/.github/workflows/build_prepare.yaml b/.github/workflows/build_prepare.yaml
index a0c2430..65fec26 100644
--- a/.github/workflows/build_prepare.yaml
+++ b/.github/workflows/build_prepare.yaml
@@ -10,37 +10,38 @@ on:
                 type: string
                 required: false
                 description: "The version tag to fetch, or 'develop', will pick automatically if not passed"
-            calculate-nightly-versions:
-                type: string
+            nightly:
+                type: boolean
                 required: false
-                description: "Whether to calculate the version strings new Nightly builds should use"
+                default: false
+                description: "Whether the build is a Nightly and to calculate the version strings new builds should use"
         secrets:
-            # Required if `calculate-nightly-versions` is set
+            # Required if `nightly` is set
             CF_R2_ACCESS_KEY_ID:
                 required: false
-            # Required if `calculate-nightly-versions` is set
+            # Required if `nightly` is set
             CF_R2_TOKEN:
                 required: false
-            # Required if `calculate-nightly-versions` is set
+            # Required if `nightly` is set
             CF_R2_S3_API:
                 required: false
         outputs:
             macos-version:
-                description: "The version string the next macOS Nightly should use, only output for calculate-nightly-versions"
+                description: "The version string the next macOS Nightly should use, only output for nightly"
                 value: ${{ jobs.prepare.outputs.macos-version }}
             linux-version:
-                description: "The version string the next Linux Nightly should use, only output for calculate-nightly-versions"
+                description: "The version string the next Linux Nightly should use, only output for nightly"
                 value: ${{ jobs.prepare.outputs.linux-version }}
             win32-x64-version:
-                description: "The version string the next Windows x64 Nightly should use, only output for calculate-nightly-versions"
+                description: "The version string the next Windows x64 Nightly should use, only output for nightly"
                 value: ${{ jobs.prepare.outputs.win32-x64-version }}
             win32-x86-version:
-                description: "The version string the next Windows x86 Nightly should use, only output for calculate-nightly-versions"
+                description: "The version string the next Windows x86 Nightly should use, only output for nightly"
                 value: ${{ jobs.prepare.outputs.win32-x86-version }}
 jobs:
     prepare:
         name: Prepare
-        environment: ${{ inputs.calculate-nightly-versions && 'packages.element.io' || '' }}
+        environment: ${{ inputs.nightly && 'packages.element.io' || '' }}
         runs-on: ubuntu-latest
         outputs:
             macos-version: ${{ steps.versions.outputs.macos }}
@@ -66,19 +67,9 @@ jobs:
                   yarn run --silent electron --version > electronVersion
                   cat package.json | jq -c .hakDependencies > hakDependencies.json
 
-            - uses: actions/upload-artifact@v3
-              with:
-                  name: webapp
-                  retention-days: 1
-                  path: |
-                      webapp.asar
-                      package.json
-                      electronVersion
-                      hakDependencies.json
-
-            - name: Calculate Nightly versions
+            - name: "[Nightly] Calculate versions"
               id: versions
-              if: inputs.calculate-nightly-versions
+              if: inputs.nightly
               run: |
                   MACOS=$(aws s3 cp s3://$R2_BUCKET/nightly/update/macos/releases.json - --endpoint-url $R2_URL --region auto | jq -r .currentRelease)
                   echo "macos=$(scripts/generate-nightly-version.ts --latest $MACOS)" >> $GITHUB_OUTPUT
@@ -93,6 +84,43 @@ jobs:
               env:
                   AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                   AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
-                  # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
-                  R2_BUCKET: "packages-element-io-test"
+                  R2_BUCKET: "packages-element-io"
                   R2_URL: ${{ secrets.CF_R2_S3_API }}
+
+            - name: Check version
+              id: package
+              run: |
+                  echo "version=$(cat package.json | jq -r .version)" >> $GITHUB_OUTPUT
+
+            - name: "[Release] Fetch release"
+              id: release
+              if: ${{ !inputs.nightly && inputs.version != 'develop' }}
+              uses: cardinalby/git-get-release-action@cedef2faf69cb7c55b285bad07688d04430b7ada # v1
+              env:
+                  GITHUB_TOKEN: ${{ github.token }}
+              with:
+                  tag: v${{ steps.package.outputs.version }}
+
+            - name: "[Release] Write changelog"
+              if: ${{ !inputs.nightly && inputs.version != 'develop' }}
+              run: |
+                  TIME=$(date -d "$PUBLISHED_AT" -R)
+                  echo "element-desktop ($VERSION) default; urgency=medium" >> changelog.Debian
+                  echo "$BODY" | sed 's/^##/\n  */g;s/^\*/  */g' | perl -pe 's/\[.+?]\((.+?)\)/\1/g' >> changelog.Debian
+                  echo "" >> changelog.Debian
+                  echo " -- ${{ github.actor }} <support@element.io>  $TIME" >> changelog.Debian
+              env:
+                  VERSION: v${{ steps.package.outputs.version }}
+                  BODY: ${{ steps.release.outputs.body }}
+                  PUBLISHED_AT: ${{ steps.release.outputs.published_at }}
+
+            - uses: actions/upload-artifact@v3
+              with:
+                  name: webapp
+                  retention-days: 1
+                  path: |
+                      webapp.asar
+                      package.json
+                      electronVersion
+                      hakDependencies.json
+                      changelog.Debian
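Review bot: In the Write changelog step, `${{ github.actor }}` is expanded into the script text while `VERSION`, `BODY` and `PUBLISHED_AT` go through `env:`. Pass it the same way, with `ACTOR: ${{ github.actor }}` under `env:` and `echo " -- $ACTOR <support@element.io>  $TIME"`, so that no context value becomes part of the shell source. `echo "$BODY"` also depends on how the shell's `echo` treats backslashes and a leading `-n` or `-e` in the release notes; `printf '%s\n' "$BODY"` writes the body unchanged.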
diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml
index 4afbf93..6acee52 100644
--- a/.github/workflows/build_windows.yaml
+++ b/.github/workflows/build_windows.yaml
@@ -14,7 +14,7 @@ on:
             arch:
                 type: string
                 required: true
-                description: "The architecture to build for, one of 'x64' | 'x86'"
+                description: "The architecture to build for, one of 'x64' | 'x86' | 'arm64'"
             version:
                 type: string
                 required: false
@@ -45,6 +45,12 @@ jobs:
                           "target": "x86_64-pc-windows-msvc",
                           "dir": "x64"
                         },
+                        "arm64": {
+                          "target": "aarch64-pc-windows-msvc",
+                          "build-args": "--arm64",
+                          "arch": "amd64_arm64",
+                          "dir": "arm64"
+                        },
                         "x86": {
                           "target": "i686-pc-windows-msvc",
                           "build-args": "--ia32",
@@ -62,14 +68,14 @@ jobs:
               id: cache
               uses: actions/cache@v3
               with:
-                  key: ${{ runner.os }}-${{ hashFiles('hakDependencies.json', 'electronVersion') }}
+                  key: ${{ runner.os }}-${{ inputs.arch }}-${{ hashFiles('hakDependencies.json', 'electronVersion') }}
                   path: |
                       ./.hak
 
             - name: Set up build tools
               uses: ilammy/msvc-dev-cmd@v1
               with:
-                  arch: ${{ inputs.arch }}
+                  arch: ${{ steps.config.outputs.arch || inputs.arch }}
 
             # ActiveTCL package on choco is from 2015,
             # this one is newer but includes more than we need
@@ -91,6 +97,7 @@ jobs:
               if: steps.cache.outputs.cache-hit != 'true'
               uses: actions-rs/toolchain@v1
               with:
+                  default: true
                   toolchain: stable
                   target: ${{ steps.config.outputs.target }}
 
@@ -127,7 +134,7 @@ jobs:
                   $LogConfig | Set-Content -Path ${{ env.INSTALL_DIR }}/log4net.config
 
                   # Configure
-                  ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode "${{ env.MODE }}" -user "${{ secrets.ESIGNER_USER_NAME }}" -pass "${{ secrets.ESIGNER_USER_PASSWORD }}" -totp "${{ secrets.ESIGNER_USER_TOTP }}" -key "${{ env.MASTER_KEY_FILE }}" -r
+                  ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode product -user "${{ secrets.ESIGNER_USER_NAME }}" -pass "${{ secrets.ESIGNER_USER_PASSWORD }}" -totp "${{ secrets.ESIGNER_USER_TOTP }}" -key "${{ env.MASTER_KEY_FILE }}" -r
                   ${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
                   ${{ env.INSTALL_DIR }}/eSignerCKATool.exe load
 
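Review bot: The rewritten `eSignerCKATool.exe config` line now runs in `product` mode but still has `${{ secrets.ESIGNER_USER_NAME }}`, `${{ secrets.ESIGNER_USER_PASSWORD }}` and `${{ secrets.ESIGNER_USER_TOTP }}` expanded into the PowerShell source. Inside double quotes PowerShell interprets `$`, a backtick or `"` in a value, so a credential containing one is silently altered or breaks the command, and the secrets end up in the script file on the runner. Declaring them in the step's `env:` block (next to `INSTALL_DIR`, in the following hunk) and writing `-user "$env:ESIGNER_USER_NAME" -pass "$env:ESIGNER_USER_PASSWORD" -totp "$env:ESIGNER_USER_TOTP"` avoids both. The step starts outside the hunk.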
@@ -140,8 +147,6 @@ jobs:
                   $SubjectName = ($CodeSigningCert.Subject -replace ", ?", "`n" | ConvertFrom-StringData).CN
                   echo "config-args=--signtool-thumbprint '$Thumbprint' --signtool-subject-name '$SubjectName'" >> $env:GITHUB_OUTPUT
               env:
-                  # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
-                  MODE: sandbox
                   INSTALL_DIR: C:\Users\runneradmin\eSignerCKA
                   MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key
 
@@ -159,8 +164,6 @@ jobs:
 
             - name: Check app was signed successfully
               if: inputs.sign != ''
-              # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
-              continue-on-error: true
               run: |
                   . "$env:SIGNTOOL_PATH" verify /pa (get-item ./dist/squirrel-windows*/*.exe)
 
diff --git a/.github/workflows/packages_index.yaml b/.github/workflows/packages_index.yaml
index bd3ecb4..ec0f091 100644
--- a/.github/workflows/packages_index.yaml
+++ b/.github/workflows/packages_index.yaml
@@ -18,7 +18,7 @@ on:
 jobs:
     deploy:
         name: "Deploy"
-        if: github.event != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
+        if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
         runs-on: ubuntu-latest
         environment: packages.element.io
         env:
diff --git a/.github/workflows/reprepro.yaml b/.github/workflows/reprepro.yaml
index a929c54..12765b4 100644
--- a/.github/workflows/reprepro.yaml
+++ b/.github/workflows/reprepro.yaml
@@ -24,8 +24,7 @@ jobs:
         environment: packages.element.io
         runs-on: ubuntu-latest
         env:
-            # XXX: UPDATE THIS BEFORE WHEN GOING LIVE
-            R2_BUCKET: "packages-element-io-test"
+            R2_BUCKET: "packages-element-io"
             R2_DB_BUCKET: packages-element-io-db
             R2_URL: ${{ secrets.CF_R2_S3_API }}
         steps:
@@ -64,10 +63,10 @@ jobs:
                   # Download signing keyring
                   sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
                   # Point apt at local apt repo
-                  echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] http://localhost:8000/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
+                  echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] http://127.0.0.1:8000/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
 
                   # Start http server and fetch from it via apt
-                  python3 -m http.server 8000 &
+                  python3 -m http.server 8000 --bind 127.0.0.1 &
                   sudo apt-get update --allow-insecure-repositories
                   killall python3
 
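Review bot: `apt-get update --allow-insecure-repositories` turns a missing or unverifiable Release signature into a warning, so if this step is meant to show that the freshly built repository verifies against `element-io-archive-keyring.gpg`, it can pass without that being true. Dropping the flag, or failing the step when apt's output reports a signature problem, would make the check meaningful. The rest of the step is outside the hunk, so a later check may already exist. The keyring is also downloaded from the live site rather than taken from the repository copy at `packages.element.io/debian/element-io-archive-keyring.gpg`, so a keyring updated in the same change is presumably not the one being tested.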
diff --git a/element-io-archive-keyring/DEBIAN/control b/element-io-archive-keyring/DEBIAN/control
new file mode 100644
index 0000000..d75b438
--- /dev/null
+++ b/element-io-archive-keyring/DEBIAN/control
@@ -0,0 +1,7 @@
+Package: element-io-archive-keyring
+Architecture: all
+Section: contrib/meta
+Maintainer: support@element.io
+Priority: optional
+Version: 1.1
+Description: The packages.element.io repository keyring
diff --git a/hak/matrix-seshat/build.ts b/hak/matrix-seshat/build.ts
index 422b1dc..5a41d89 100644
--- a/hak/matrix-seshat/build.ts
+++ b/hak/matrix-seshat/build.ts
@@ -22,6 +22,15 @@ import fsExtra from "fs-extra";
 import HakEnv from "../../scripts/hak/hakEnv";
 import { DependencyInfo } from "../../scripts/hak/dep";
 
+type WinConfiguration =
+    | "VC-WIN32"
+    | "VC-WIN64A"
+    | "VC-WIN64-ARM"
+    | "VC-WIN64-CLANGASM-ARM"
+    | "VC-CLANG-WIN64-CLANGASM-ARM"
+    | "VC-WIN32-HYBRIDCRT"
+    | "VC-WIN64A-HYBRIDCRT";
+
 export default async function (hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
     if (hakEnv.isWin()) {
         await buildOpenSslWin(hakEnv, moduleInfo);
@@ -36,7 +45,18 @@ async function buildOpenSslWin(hakEnv: HakEnv, moduleInfo: DependencyInfo): Prom
     const version = moduleInfo.cfg.dependencies.openssl;
     const openSslDir = path.join(moduleInfo.moduleTargetDotHakDir, `openssl-${version}`);
 
-    const openSslArch = hakEnv.getTargetArch() === "x64" ? "VC-WIN64A" : "VC-WIN32";
+    let openSslArch: WinConfiguration;
+    switch (hakEnv.getTargetArch()) {
+        case "x64":
+            openSslArch = "VC-WIN64A";
+            break;
+        case "ia32":
+            openSslArch = "VC-WIN32";
+            break;
+        case "arm64":
+            openSslArch = "VC-WIN64-ARM";
+            break;
+    }
 
     console.log("Building openssl in " + openSslDir);
     await new Promise<void>((resolve, reject) => {
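Review bot: The new `switch` has no `default`, so for any target arch other than `x64`, `ia32` or `arm64` `openSslArch` stays unassigned and `undefined` is carried into whatever consumes it further down the function (outside this hunk). The old ternary at least fell back to `VC-WIN32`. Adding `default: throw new Error("Unsupported Windows target arch: " + hakEnv.getTargetArch());` makes an unexpected arch fail where the mistake is, instead of producing a confusing OpenSSL build error later.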
diff --git a/packages.element.io/debian/element-io-archive-keyring.asc b/packages.element.io/debian/element-io-archive-keyring.asc
index 36e73b6..923760c 100644
--- a/packages.element.io/debian/element-io-archive-keyring.asc
+++ b/packages.element.io/debian/element-io-archive-keyring.asc
@@ -24,35 +24,69 @@ zj97Y0WRPkAagJzeesIx/M4pjYg9zDIZ22NWT9d7KAZemLVtREwWM4zKYEI0Hpid
 GxR8jQ1rCc9RMVdO6xuhnVwUD/JyNEgtRKbBJX9qIH2Z30rvIg7ev9MJG6g52cDy
 +inNdxh4u4vpqQjjLTBraRalUe/4S4I8EaUFya91RWDLrEcmgdYfrqXbLMAEcPWS
 cYQdjW3ADEy47rGQ2SeaZweLuHGVx68hCcJx5E0X7eE32R8uaRjmEzgvU+wZKo0y
-HFbLsQok8v7NqoqtuQGNBFy1FtQBDADPalE7/hP0kt7afhFoY/sGyO/464BA4Ozo
-MaQC28d4JJCd07upnyj1aLGHfYyO6TXC1cqOQ2tThENyTfJOhVDQ9YCjqDzm4S5V
-R91tNzvYNZOEIwRRPND2jpnmsCzwrnIRHNIiojHBZRnPdC01zcx4oC1m13qDiFSU
-NOi/uDlAXtOf8p0zVnPypaGTG7MUBU8RmkyygvG+Z6AqNDOsDL/nIC5mf2zmLJqK
-VkEeXnWhWBEVgIdr840vi/ejblmVRxanlyGVFY/5CWgylmGxxB0Oh5vz7SjpK5H5
-pONBo43K2tEjnU1jmWTX7tkHYo8wyQS04uO33qh01FLnYl1I0qebfwBys88i/yhr
-9afxcXae5xTLUPzPp+6WYICxRdJ41/3zwlyKbNLvyNQzv43kiRYNR3Yc44F1tHMq
-1Ty3kca7Qe0zGXXeISY3fUA4zKjg0S8bi3yfO5Z/FxpMhjJ+tAcDoiVrXZwsXCsd
-MnQR0KVjzIAmCuJI7OUnujuAB9aMYSEAEQEAAYkD8gQYAQoAJgIbAhYhBBLUzWAM
-IkCp9KggcdewtmlB0BU4BQJgd9oUBQkHhSpAAcDA9CAEGQEKAB0WIQR1dBiQBj5e
-mkYTXQHChQsmWsCFvQUCXLUW1AAKCRDChQsmWsCFvaDYDADPVBNm75uZtEPOM2Ct
-oxASarbPDLz8Ucy6FCtOoSpNdgAZFTISFASWfBO6h/9w5czT3owQD431V950QBHG
-t763VFILckZ0Ul4roGGesmncRUIZLrc+UABigirHmCdnvo9s5UszTxid0muMbDeL
-b1RmI0tkRDzlk/TrkHDf7rIUrcqhPqhtR0b75MfosEaowVN+kS9PqyFtXsrKB/iM
-/gjvVnEEfIVDaK+lc6EBbqfJLMCa5z63CSEqMUhWP0qXGoA7ZM6AzaplzCTr5aB9
-dQBNU53SUo35OzblQSqR0gyuCYrvOHtisjTdrrUNsIbyjkUOc5Umpxzs9XmY94D5
-FfdxeALvYcs2hMEQWPoINVx87p1tWjwnmPzXGm2q095gL+ysOS5OeKOaPEPWfUe7
-NUd/WJ3GqvtPiF++PMEDBiPBm5gwrfg8Nd9xNoRntRZoOKJDcJ2/hhH5+4zPW54O
-8Z4xBaOGjbWYTMxKw/M9sRmHIvXVcQmWdPhCOIP1XQndJoAJENewtmlB0BU4lpQQ
-AK4hX6My0ehfuXoEl9BZE0T+HCFvwgH6xUoAjocZEw7l3ud6M4OouIaoODE/Fqgm
-g/kFXjwyl/VQRDalMzi6ajPM6T3AOhv+d2oeNNJCSoilQUsJwAzMHDncbt7rGAb5
-SoeFEKdwu07lXRIVPhjmC+CgWT24Osv8dmOCj60jBaGdKEnmmdQ8Kq+h2k21oI2I
-TYhjQBPcpxj0RSIJQHVHBYF3hgIZSWOeEg6ocx+3BLR2InEFwEK/GM9iXkwTadr5
-3AyaPAcOTaOeSQYKya3onQDI1LFhU5XnLg6YX1PKpKQMtouyM77RxqXk7QMsY0S9
-y8rveH5AK5Iou5IFcpXslVNyw63UFGiUQWKnYUMEm14Kzz/4EOVCDPjMY4Uj9rkh
-rNR2Oc1fqtFNDMfbQKpxP6JlIHnTFRRYkbW98/oHAvVekysYq29CVg5MjVqPw6ek
-//nOPuiFXa1dR3sMntsP+atG5imBINmRRzQ0Ha5CnX4a0PE4ZnTwLPPDDz0Hp2Rf
-+X5AgKbCRA6s+O0juqKBcwdp/lWaMfm2KSBjLKalf654NeoKCHh1x5896NM5xVpl
-UeI+G/FygG4XwKBuw408ZLlSgF7Dd02BMKptjLkIrnAEG8abvcRIgf2q+QwX3H8E
-jxIwng3BGYCBP1LW3ulIrcfJ96/PkZG8MYuSCCIHzNkB
-=JVma
+HFbLsQok8v7NqoqtiQJUBBMBCgA+AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
+FiEEEtTNYAwiQKn0qCBx17C2aUHQFTgFAmQTZtMFCRoqUzwACgkQ17C2aUHQFTje
+kRAAl0NkH0roj3qvjvAdZUU3vN+5ju68MddDaThuMEhrIO4OZKEVoD0iEiQT1p5n
+PS06NkISzXOXRJ4TSlZ/r0U8o5HSfGwYmczyVpwiQYdbGdjMYPt0E/WTnPV59iKv
+BmYeN/cUyo3WuPGRP0suA86XkMO73buHEx8/srQE1EFeDsBGruyIqRTGq9lLCi0P
+ozyal+vjwrWd7D8MwQRu4YGnk7eCaHek+pSI3DZDxoRs2NqPPx8wT5O3manTBLjQ
+HX24+VjOof6EhsOr6uGXIRpK7gK6olJj8gyEWpuz3R3Y2usWPK+n/nHFc+/YBS7w
+y6uy+2aur4sjSqgCzNnI+o2GlDX+a1cB+urz1apQAOCRSZycGKuVXRYDFbIGi71V
+sTq2x7qM0cbCu4bAU/rWxJaYrVo2xtBywiM2bjTrYty8Dyi59WqnsWuWxCbN5mB7
+6sGuomL13yZF3eHhzKQjJiK7xpPJXHu2iizFems9JlH0e5MtyXp9vcPBEJyyuYR5
+Q3HatbnkGccRe+W08CR3k3nzdStCXIxDb47Eo62I3D/q/SgXlFEDaiLtR+PAkNvX
+i4NXnGGE/+yH9ISGYax/jRTjRVpMUfSbgUbAP/5X2X54qShVtz0hDOIiCWX+DXMV
+d9LYXoBs0isS7bKvZ0qu775knyaLGZKkxHcYFtseF4SmAvC5AY0EXLUW1AEMAM9q
+UTv+E/SS3tp+EWhj+wbI7/jrgEDg7OgxpALbx3gkkJ3Tu6mfKPVosYd9jI7pNcLV
+yo5Da1OEQ3JN8k6FUND1gKOoPObhLlVH3W03O9g1k4QjBFE80PaOmeawLPCuchEc
+0iKiMcFlGc90LTXNzHigLWbXeoOIVJQ06L+4OUBe05/ynTNWc/KloZMbsxQFTxGa
+TLKC8b5noCo0M6wMv+cgLmZ/bOYsmopWQR5edaFYERWAh2vzjS+L96NuWZVHFqeX
+IZUVj/kJaDKWYbHEHQ6Hm/PtKOkrkfmk40Gjjcra0SOdTWOZZNfu2QdijzDJBLTi
+47feqHTUUudiXUjSp5t/AHKzzyL/KGv1p/Fxdp7nFMtQ/M+n7pZggLFF0njX/fPC
+XIps0u/I1DO/jeSJFg1HdhzjgXW0cyrVPLeRxrtB7TMZdd4hJjd9QDjMqODRLxuL
+fJ87ln8XGkyGMn60BwOiJWtdnCxcKx0ydBHQpWPMgCYK4kjs5Se6O4AH1oxhIQAR
+AQABiQPyBBgBCgAmAhsCFiEEEtTNYAwiQKn0qCBx17C2aUHQFTgFAmB32hQFCQeF
+KkABwMD0IAQZAQoAHRYhBHV0GJAGPl6aRhNdAcKFCyZawIW9BQJctRbUAAoJEMKF
+CyZawIW9oNgMAM9UE2bvm5m0Q84zYK2jEBJqts8MvPxRzLoUK06hKk12ABkVMhIU
+BJZ8E7qH/3DlzNPejBAPjfVX3nRAEca3vrdUUgtyRnRSXiugYZ6yadxFQhkutz5Q
+AGKCKseYJ2e+j2zlSzNPGJ3Sa4xsN4tvVGYjS2REPOWT9OuQcN/ushStyqE+qG1H
+Rvvkx+iwRqjBU36RL0+rIW1eysoH+Iz+CO9WcQR8hUNor6VzoQFup8kswJrnPrcJ
+ISoxSFY/SpcagDtkzoDNqmXMJOvloH11AE1TndJSjfk7NuVBKpHSDK4Jiu84e2Ky
+NN2utQ2whvKORQ5zlSanHOz1eZj3gPkV93F4Au9hyzaEwRBY+gg1XHzunW1aPCeY
+/NcabarT3mAv7Kw5Lk54o5o8Q9Z9R7s1R39Yncaq+0+IX748wQMGI8GbmDCt+Dw1
+33E2hGe1Fmg4okNwnb+GEfn7jM9bng7xnjEFo4aNtZhMzErD8z2xGYci9dVxCZZ0
++EI4g/VdCd0mgAkQ17C2aUHQFTiWlBAAriFfozLR6F+5egSX0FkTRP4cIW/CAfrF
+SgCOhxkTDuXe53ozg6i4hqg4MT8WqCaD+QVePDKX9VBENqUzOLpqM8zpPcA6G/53
+ah400kJKiKVBSwnADMwcOdxu3usYBvlKh4UQp3C7TuVdEhU+GOYL4KBZPbg6y/x2
+Y4KPrSMFoZ0oSeaZ1Dwqr6HaTbWgjYhNiGNAE9ynGPRFIglAdUcFgXeGAhlJY54S
+DqhzH7cEtHYicQXAQr8Yz2JeTBNp2vncDJo8Bw5No55JBgrJreidAMjUsWFTlecu
+DphfU8qkpAy2i7IzvtHGpeTtAyxjRL3Lyu94fkArkii7kgVyleyVU3LDrdQUaJRB
+YqdhQwSbXgrPP/gQ5UIM+MxjhSP2uSGs1HY5zV+q0U0Mx9tAqnE/omUgedMVFFiR
+tb3z+gcC9V6TKxirb0JWDkyNWo/Dp6T/+c4+6IVdrV1Hewye2w/5q0bmKYEg2ZFH
+NDQdrkKdfhrQ8ThmdPAs88MPPQenZF/5fkCApsJEDqz47SO6ooFzB2n+VZox+bYp
+IGMspqV/rng16goIeHXHnz3o0znFWmVR4j4b8XKAbhfAoG7DjTxkuVKAXsN3TYEw
+qm2MuQiucAQbxpu9xEiB/ar5DBfcfwSPEjCeDcEZgIE/Utbe6Uitx8n3r8+Rkbwx
+i5IIIgfM2QGJA/IEGAEKACYCGwIWIQQS1M1gDCJAqfSoIHHXsLZpQdAVOAUCZBNm
++gUJCyC3JgHAwPQgBBkBCgAdFiEEdXQYkAY+XppGE10BwoULJlrAhb0FAly1FtQA
+CgkQwoULJlrAhb2g2AwAz1QTZu+bmbRDzjNgraMQEmq2zwy8/FHMuhQrTqEqTXYA
+GRUyEhQElnwTuof/cOXM096MEA+N9VfedEARxre+t1RSC3JGdFJeK6BhnrJp3EVC
+GS63PlAAYoIqx5gnZ76PbOVLM08YndJrjGw3i29UZiNLZEQ85ZP065Bw3+6yFK3K
+oT6obUdG++TH6LBGqMFTfpEvT6shbV7Kygf4jP4I71ZxBHyFQ2ivpXOhAW6nySzA
+muc+twkhKjFIVj9KlxqAO2TOgM2qZcwk6+WgfXUATVOd0lKN+Ts25UEqkdIMrgmK
+7zh7YrI03a61DbCG8o5FDnOVJqcc7PV5mPeA+RX3cXgC72HLNoTBEFj6CDVcfO6d
+bVo8J5j81xptqtPeYC/srDkuTnijmjxD1n1HuzVHf1idxqr7T4hfvjzBAwYjwZuY
+MK34PDXfcTaEZ7UWaDiiQ3Cdv4YR+fuMz1ueDvGeMQWjho21mEzMSsPzPbEZhyL1
+1XEJlnT4QjiD9V0J3SaACRDXsLZpQdAVOLR+EACQWO84JbUqSVkInAPJ+dsWXq9Z
+cm1GwwipsoaDkZSDWZMX2Yj2TKVbeqEDNuBC5/KFSwyBKB3edBUy8onrYqRdLx0q
+qQj2PFRFo4Iz3si+6iBEGQtK5OZXjBkuDuzxcNRlp9Sooquf5n9dLaXQWj6IfH5u
+Vlpkf/EoCKEuWqRHpn/NpN4Goc+m4ZPU6eJiJr5RMnv4lHgJyn03IZRbltqEL0gB
+OEOxUEhVJvkknw5aTTZrr8OHnh614Duq1asrrU5jaowGWMnfeOPyT0oDgmnUzg0k
+PrNkhro/SbSWxzVpC+dapVIg4udGyU03XgXP6C1psKfdBMoZoMzSX1E5aItS5yr9
+KGyUUwQh0m0kzzUD1tVJU0QmLpTow/O2IaV+c1iPOB5AZ4fXyBq8X/NuWDmN42Jh
+zgtjQyb97wy9/ABqQn5fy1KNAjN4yOIHri/UY+y0OuU27g4mSfJCBEA+H9mt8Cgv
+CB0xdYaDfjc1uq9UoEAteuY4bso9KpB84UtJetEOxQWYJe7LVRiha037wTOpxgD2
+JhHPU8f//FocQXkZNxOeNSWQLM/U5d2X9ISjOZGRyctk3VHKWv45v0bOs6NnT4tU
+SaV+98JeB1eVCmOrKvgmxoNGK+n9kdtbrGb9kLfMarAvx1/GTHC6b9oQ50bQ6Igk
+KOQ1/miIFEhO+ksiqQ==
+=OOgy
 -----END PGP PUBLIC KEY BLOCK-----
diff --git a/packages.element.io/debian/element-io-archive-keyring.gpg b/packages.element.io/debian/element-io-archive-keyring.gpg
index fe7e26b545494fee91417cf9c6175d8d3fa940cb..6fbeecc63f411824f62d29d8b3e48c3a43f8e333 100644
GIT binary patch
delta 1124
zcmV-q1e^Pj6p<9LJ^~v88v_Lk2?z%Q1{Dek2nzxP76JnS0v-VZ7l4yK0vUf~6K2x|
z2^uO>JOBy_5ZAD_X+h8xINp&E0GC5#A4=$tdasV~9c4u~yx+Nw?z}PALuoi}Fi2}4
z?ha(36`(yL5+oDWo@YHRIyOQQ&2yJTo)bz|f3HP6qmj~lY#5o$@>ZN8L5Euz*vw%2
zbQATHob`G3BCiH!9yj+C%8h^4xbcxcOD+S>mypA|-MfbqA3w6R1k^!Z4!}mP?1-rp
z#;e&&3M~(#Jers5<HEI_>^}^_1a9Ghr<1pWXm_Ogl!)9mL&k(`*xHXjA23gox0$Ka
z1h~*0eYp8p&Y}K<hQq7s;g=yAO6~%>qEch>41`*nv)vuo+UpiPucv?ham91**aa@|
z%d4{cX0ES`BTA?O%-P8LjfRvp{%cnO`s(x5s!#ynkx87K7^{_C76TQs28+E_u{yTL
zx{T4r!n=mRQ~K7#mYA(tHpb9$!Xq|rH0xsAybmb3^=hZFYnH?&&E{Zx>cOs}V)fr9
zMcv`y%%meGBD=<u$y|SXwu&spdTTu<QS^J0Ey;R)y~Du}oU*xuc|&p9wYlUO#}Rww
zwD2T%lX>%XD?(h1LvN16qpgVCKkEG`7nD&0Y9j4N<G_&H*NcN!oMD9j?1%J(hGDFK
zjTGZWT1-*&n}J5aKmJ$Qet4-URkuAM4B{dQW&RCw6?f9uUVt8K(kl|}vae@KuJ68N
zpC*eLlBC3U7#7<e7lft)@Ux5rwE+rb6K47a2@4>%CbLTh!U2D@eh>hVSnoI`wJJ$j
z2%H1S`P&v=uUT?!M#BiHvWA0^l!IB57uksROr=|Tp#wJHLg(^@OALW19o}>mGV+P*
zVx(O!9V)2^_B>QYqk=Qu$iC_zL>UW8<mOk587>a&@o>~-r_`vTtDok7T`i^1T0V$;
zer{G;WPkA}2%&#2TBJv&f6b)c2BFWU;gi(q;$kMgQ8Ih@lz0iseK#SLTb9~{FGvA6
zL$OduRVMi)pAK40HfyiLhn^m_;5(|-t1GQeV`_{BSjpdb<MK~R1A=MP&J83!vt)+4
zKS{Kf$2DmS=USywAmZmn$xSz21<&X$X|Si=1j-qp%+h~fQ8{RfQs*lDC~TBd1R>IG
zB+oSi*40T<L?$kj=)?22A*FtESdTa!Kxc>7$Qry~^KMu<jpJfr&I@BhCjIXWz5D=b
zLVjP%QjG#Lc*x=ht}oPM?6f-NHtr54N%BGjKt3PYt?(!>2putXhJ$`LHM*}<pg=8p
z<~VN3Jt}{YeBnz;deIKW1(+r7%T*YmYfbyXGpWV^_9hX}Q^)`OS{y-n88;K2H6@TN
z&(!7Jm-K|AIgydc%VgbA%3A(8zedipqi0WxR7s_N_rhKWSCtB5t19>=#)C#H>HU%0
qTdZdNkhjcgurJ47#!PU!Z`u&&M$qVpBq-!H{%8n@6i80`OCqUccN>-f

delta 1125
zcmV-r1e*Ji6p<9LJ_05dAp{cC&0q{7K&kYoAaU2QwrN4o6*vU~T(uUL0viJb2?=Ha
zfRjN27=Hi?2@uz?wrN4o6*%=95C3c`J~=p4I6!}0C_iD=$WMHo@uo_+nH2~g!MotW
zY}YZ;BpQ;2#Oo#LAxMEx3p`^){LotpIsEt8cGI;CsGD@kR(17;V4$oC!H`W10guIK
zDhWyPWSkk=AWlB6BV#H5!W_NSetAzv$O|EKWPddYQau81llhbco-~$##|Mz=x`2gL
z1xP-)w_K6`dki5YM_yi|*J&v01SVz%U-49QHoDK?L45PwziyP9Gt{hQ(2_>{qC{Jd
z0X+K8&!a$vCst`kAhXB)=kCHr&xeBmu>@eom2*n~h`PFV&Cb!@%{L4kis0;g##XSh
z_J0sjQ``~`1UW*uFfAFEFP%A6CRaJP&Odu&MUg&08i1VMdcraM&MA$EJ<Kv0+hbNw
z*Lx@iUYNCQL`)VljLKj_G#;3p=PoX2rjCcWLN?4NqO+*H)IY*-#?gN8h>w1WB!8Lu
zJmBn@V=<@Cc8?M|%DC%H8x(wv4QmO{QGYR4PU{<?om><T@^UmtEkvflC4XuleVN}%
z?;;M~ztagDs5#ld^7<*wcNloPi|MHd<1H|2X%?kX@AylCJQ1Y@$**-qV9TsWCV|!;
zuBF>7zyxshl5vC`jcvdTOt|i`kl81iX9tV8ah1ofAqm29<V_dt;WybIE@>F%6BIZv
zQ|uWkjWQfo%drY1^8U@LimkJZ1hoMQV0YRS1qla*DnPSK2EqY<mXr_xt|4EeGSTQ?
zxq1Yb&{-2i{v081!U6ilN&t?B850iW-sgHVgQ&QMs5mh{7N{nJ`2}7)GMDvGL^h=}
zIJ#;x%;`PAIvf6XY92JwLQ06GK}!k149pxk+-~0M7zX)DhlLQQaJx?BT@n>O80HJ$
zpjkb*I?McaV}g%=ts@1YohV7>nbbTguc6vawV;iNO^9Pa6Wpg5^hF{GKy^n2fp>-i
z8A)TF5)P<yAGZXwb|P^Fz(T(m&thIo6KUG{+zgsL2M$f6o=FA@$*t&}0Lav_VN;do
zE)JMqQ_7^I47Q81GrrNrrR41cEMr8y%gXO~en2adD7%t>1#*?_l~Z!Vt<)4~ltE&r
zVM7F)UJB1Y_z>kn4EW4rg(LR4A*|GPIn7_H(M=4;+d!&uKcZzIdD9gXSdq28^ZEw@
z^<I-J7^`nWRt`*!T93o0r2qNOKInyAtzAcZ44&H$`Kw0eDS;r_kw-K%9j-#1ej3p6
zIA(P4Ec3&E4?PE`WMBDyK!B#gL=LR@?IXIPfpZ6G{#BYW`L-z_V=Shnf3A2n>Iw*W
zb;qAQ=+imHT4hn<J{$3JfNmGSpl-vBJY>02fL_CQO@T0~ZH&1Hu5bh!#+$vwNP+#T
r`3x7_e*}*bFrE#;8GwO5Qr6z-NUg`o_pi^9k-RYoi;@T;2h7<4acu>q

diff --git a/scripts/hak/target.ts b/scripts/hak/target.ts
index 2d0fa71..4b0f992 100644
--- a/scripts/hak/target.ts
+++ b/scripts/hak/target.ts
@@ -25,6 +25,7 @@ export type TargetId =
     | "universal-apple-darwin"
     | "i686-pc-windows-msvc"
     | "x86_64-pc-windows-msvc"
+    | "aarch64-pc-windows-msvc"
     | "i686-unknown-linux-musl"
     | "i686-unknown-linux-gnu"
     | "x86_64-unknown-linux-musl"
@@ -98,6 +99,13 @@ const x8664PcWindowsMsvc: WindowsTarget = {
     vcVarsArch: "amd64",
 };
 
+const aarch64WindowsMsvc: WindowsTarget = {
+    id: "aarch64-pc-windows-msvc",
+    platform: "win32",
+    arch: "arm64",
+    vcVarsArch: "arm64",
+};
+
 const x8664UnknownLinuxGnu: LinuxTarget = {
     id: "x86_64-unknown-linux-gnu",
     platform: "linux",
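Review bot: The new constant `aarch64WindowsMsvc` drops the `Pc` segment that its siblings `i686PcWindowsMsvc` and `x8664PcWindowsMsvc` carry, so the identifier can no longer be derived from the target id. Renaming it to `aarch64PcWindowsMsvc`, here and in the `TARGETS` entry added in the next hunk, keeps the table consistent. `vcVarsArch: "arm64"` presumably selects a native ARM64 toolchain environment; if these builds run on an x64 runner, confirm that a cross-compile value is not needed instead. A short comment above the constant stating which host/target combination was tested would record that.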
@@ -162,6 +170,7 @@ export const TARGETS: Record<TargetId, Target> = {
     // Windows
     "i686-pc-windows-msvc": i686PcWindowsMsvc,
     "x86_64-pc-windows-msvc": x8664PcWindowsMsvc,
+    "aarch64-pc-windows-msvc": aarch64WindowsMsvc,
     // Linux
     "i686-unknown-linux-musl": i686UnknownLinuxMusl,
     "i686-unknown-linux-gnu": i686UnknownLinuxGnu,

From 201000da3977c17e13033de1d14e5d9e07547506 Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Tue, 28 Mar 2023 16:38:57 +0100
Subject: [PATCH 2/6] Backport more build config to master

---
 scripts/generate-builder-config.ts | 85 ++++++++++++------------------
 1 file changed, 35 insertions(+), 50 deletions(-)

diff --git a/scripts/generate-builder-config.ts b/scripts/generate-builder-config.ts
index eb98b7f..1ba707b 100755
--- a/scripts/generate-builder-config.ts
+++ b/scripts/generate-builder-config.ts
@@ -7,6 +7,9 @@
  * On Windows:
  *  Prefixes the nightly version with `0.0.1-nightly.` as it breaks if it is not semver
  *
+ * On macOS:
+ *   Passes --notarytool-team-id to build.mac.notarize.notarize if specified and removes build.mac.afterSign
+ *
  * On Linux:
  *  Replaces spaces in the product name with dashes as spaces in paths can cause issues
  *  Passes --deb-custom-control to build.deb.fpm if specified
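Review bot: The added macOS line documents the destination as `build.mac.notarize.notarize`, but the code added later in this patch assigns `cfg.mac!.notarize = { teamId: ... }`, so the comment should read `Passes --notarytool-team-id to build.mac.notarize.teamId if specified and removes build.afterSign`. The Linux section is also not updated for the new `--deb-changelog` option; a line `Passes --deb-changelog to build.deb.fpm if specified` would cover it. The header comment starts above this hunk.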
@@ -15,6 +18,7 @@
 import parseArgs from "minimist";
 import fsProm from "fs/promises";
 import * as os from "os";
+import { Configuration } from "app-builder-lib";
 
 const ELECTRON_BUILDER_CFG_FILE = "electron-builder.json";
 
@@ -25,54 +29,23 @@ const argv = parseArgs<{
     "nightly"?: string;
     "signtool-thumbprint"?: string;
     "signtool-subject-name"?: string;
+    "notarytool-team-id"?: string;
     "deb-custom-control"?: string;
+    "deb-changelog"?: string;
 }>(process.argv.slice(2), {
-    string: ["nightly", "deb-custom-control", "signtool-thumbprint", "signtool-subject-name"],
+    string: [
+        "nightly",
+        "deb-custom-control",
+        "deb-changelog",
+        "signtool-thumbprint",
+        "signtool-subject-name",
+        "notarytool-team-id",
+    ],
 });
 
-interface File {
-    from: string;
-    to: string;
-}
+type DeepWriteable<T> = { -readonly [P in keyof T]: DeepWriteable<T[P]> };
 
-interface PackageBuild {
-    appId: string;
-    asarUnpack: string;
-    files: Array<string | File>;
-    extraResources: Array<string | File>;
-    linux: {
-        target: string;
-        category: string;
-        maintainer: string;
-        desktop: {
-            StartupWMClass: string;
-        };
-    };
-    mac: {
-        category: string;
-        darkModeSupport: boolean;
-    };
-    win: {
-        target: {
-            target: string;
-        };
-        sign?: string;
-        signingHashAlgorithms?: string[];
-        certificateSubjectName?: string;
-        certificateSha1?: string;
-    };
-    deb?: {
-        fpm?: string[];
-    };
-    directories: {
-        output: string;
-    };
-    afterPack: string;
-    afterSign: string;
-    protocols: Array<{
-        name: string;
-        schemes: string[];
-    }>;
+interface PackageBuild extends DeepWriteable<Omit<Configuration, "extraMetadata">> {
     extraMetadata?: {
         productName?: string;
         name?: string;
@@ -114,10 +87,17 @@ async function main(): Promise<number | void> {
     }
 
     if (argv["signtool-thumbprint"] && argv["signtool-subject-name"]) {
-        delete cfg.win.sign;
-        cfg.win.signingHashAlgorithms = ["sha256"];
-        cfg.win.certificateSubjectName = argv["signtool-subject-name"];
-        cfg.win.certificateSha1 = argv["signtool-thumbprint"];
+        delete cfg.win!.sign;
+        cfg.win!.signingHashAlgorithms = ["sha256"];
+        cfg.win!.certificateSubjectName = argv["signtool-subject-name"];
+        cfg.win!.certificateSha1 = argv["signtool-thumbprint"];
+    }
+
+    if (argv["notarytool-team-id"]) {
+        delete cfg.afterSign;
+        cfg.mac!.notarize = {
+            teamId: argv["notarytool-team-id"],
+        };
     }
 
     if (os.platform() === "linux") {
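Review bot: The `!` assertions on `cfg.win` and `cfg.mac` hide that both sections are optional on the `Configuration`-derived type, so `cfg.mac!.notarize = …` fails with a bare TypeError when the build config has no `mac` section. This code decides how release artifacts are signed and notarized, so an explicit failure is easier to diagnose: add `if (!cfg.mac) throw new Error("build.mac is missing; cannot configure notarization");` before the assignment, and the equivalent guard for `cfg.win`. `delete cfg.afterSign` removes whatever hook was configured whenever a team id is passed, and runs on any platform; a why-comment such as `// built-in notarization replaces the afterSign hook` would make that intentional. `main` begins and ends outside this hunk.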
@@ -125,10 +105,15 @@ async function main(): Promise<number | void> {
         // https://github.com/vector-im/element-web/issues/13171
         cfg.extraMetadata!.productName = cfg.extraMetadata!.productName!.replace(/ /g, "-");
 
+        cfg.deb = {
+            fpm: [],
+        };
+
         if (argv["deb-custom-control"]) {
-            cfg.deb = {
-                fpm: [`--deb-custom-control=${argv["deb-custom-control"]}`],
-            };
+            cfg.deb.fpm!.push(`--deb-custom-control=${argv["deb-custom-control"]}`);
+        }
+        if (argv["deb-changelog"]) {
+            cfg.deb.fpm!.push(`--deb-changelog=${argv["deb-changelog"]}`);
         }
     }
 
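Review bot: `cfg.deb = { fpm: [] }` now runs on every Linux build and replaces the whole `deb` section, so any `build.deb` settings coming from the package configuration are discarded even when neither flag is given; previously the section was only overwritten when `--deb-custom-control` was passed. Whether the package config defines `deb` keys is not visible here, but merging is the safer form: `cfg.deb = { ...cfg.deb, fpm: [...(cfg.deb?.fpm ?? [])] };`. The two option values are interpolated into fpm arguments unchanged; they presumably come from the workflow files rather than from user input, which is worth stating in a comment next to the `push` calls.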

From 62e6851250309b7586776d9c59c8f13e9df8a68e Mon Sep 17 00:00:00 2001
From: Andy Balaam <andy.balaam@matrix.org>
Date: Tue, 28 Mar 2023 17:32:29 +0100
Subject: [PATCH 3/6] Backport package.json changes from develop

---
 package.json | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index 612005a..e015d8b 100644
--- a/package.json
+++ b/package.json
@@ -11,6 +11,9 @@
   },
   "license": "Apache-2.0",
   "files": [],
+  "engines": {
+    "node": ">=16.0.0"
+  },
   "scripts": {
     "i18n": "matrix-gen-i18n",
     "prunei18n": "matrix-prune-i18n",
@@ -52,8 +55,10 @@
     "test": "jest"
   },
   "dependencies": {
+    "@sentry/electron": "^4.3.0",
     "auto-launch": "^5.0.5",
     "counterpart": "^0.18.6",
+    "electron-clear-data": "^1.0.5",
     "electron-store": "^8.0.2",
     "electron-window-state": "^5.0.3",
     "minimist": "^1.2.6",
@@ -80,20 +85,21 @@
     "@typescript-eslint/eslint-plugin": "^5.42.0",
     "@typescript-eslint/parser": "^5.42.0",
     "allchange": "^1.0.6",
-    "app-builder-lib": "^22.14.10",
+    "app-builder-lib": "24.0.0",
+    "asar": "^3.2.0",
     "babel-jest": "^29.0.0",
     "chokidar": "^3.5.2",
     "detect-libc": "^1.0.3",
     "electron": "^23.0.0",
-    "electron-builder": "^23.6.0",
-    "electron-builder-squirrel-windows": "^23.6.0",
-    "electron-devtools-installer": "^3.1.1",
+    "electron-builder": "24.0.0",
+    "electron-builder-squirrel-windows": "24.0.0",
+    "electron-devtools-installer": "^3.2.0",
     "eslint": "^8.26.0",
     "eslint-config-google": "^0.14.0",
     "eslint-config-prettier": "^8.5.0",
     "eslint-plugin-import": "^2.25.4",
     "eslint-plugin-matrix-org": "^1.0.0",
-    "eslint-plugin-unicorn": "^45.0.0",
+    "eslint-plugin-unicorn": "^46.0.0",
     "expect-playwright": "^0.8.0",
     "find-npm-prefix": "^1.0.2",
     "fs-extra": "^11.0.0",

From ba45d847719ed0858e242e2ade9416c1fe51beca Mon Sep 17 00:00:00 2001
From: Michael Telatynski <7t3chguy@gmail.com>
Date: Thu, 30 Mar 2023 14:22:58 +0100
Subject: [PATCH 4/6] Run build_linux in docker using an older glibc (#599)

(cherry picked from commit 718d5a803770d6695d651523a61917640907e674)
---
 .github/workflows/build_linux.yaml | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml
index 5d58924..536230d 100644
--- a/.github/workflows/build_linux.yaml
+++ b/.github/workflows/build_linux.yaml
@@ -15,6 +15,11 @@ on:
 jobs:
     build:
         runs-on: ubuntu-latest
+        container:
+            image: ghcr.io/vector-im/element-desktop-dockerbuild:t3chguy-dockerbuild
+        defaults:
+            run:
+                shell: bash
         steps:
             - uses: actions/checkout@v3
 
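Review bot: The `container.image` value refers to the mutable tag `t3chguy-dockerbuild`, so each build runs in whatever image that tag points to at the time. The next hunk removes the Rust and libsqlcipher install steps, which makes this image the source of the whole native toolchain. Pinning by digest makes the build environment reviewable and reproducible: `image: ghcr.io/vector-im/element-desktop-dockerbuild@sha256:<IMAGE_DIGEST_PLACEHOLDER>`. The tag name looks like a personal branch build; confirm it is the intended long-lived image for master, and add a comment recording which glibc baseline it provides.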
@@ -30,19 +35,12 @@ jobs:
                   path: |
                       ./.hak
 
-            - name: Install Rust
-              if: steps.cache.outputs.cache-hit != 'true'
-              uses: actions-rs/toolchain@v1
-              with:
-                  toolchain: stable
-
-            - name: Install libsqlcipher-dev
-              if: steps.cache.outputs.cache-hit != 'true' && inputs.sqlcipher == 'system'
-              run: sudo apt-get install -y libsqlcipher-dev
-
             - uses: actions/setup-node@v3
               with:
                   cache: "yarn"
+              env:
+                  # Workaround for https://github.com/actions/setup-node/issues/317
+                  FORCE_COLOR: 0
 
             # Does not need branch matching as only analyses this layer
             - name: Install Deps
@@ -69,7 +67,7 @@ jobs:
 
             - name: Build App
               run: |
-                  scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --deb-custom-control=debcontrol
+                  npx ts-node scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} --deb-custom-control=debcontrol
                   yarn build --publish never -l --config electron-builder.json
 
             - name: Upload Artifacts
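Review bot: `npx ts-node` can fall back to fetching `ts-node` from the registry when it is not already present in `node_modules`, which would run an unpinned package inside the release build. `npx --no-install ts-node scripts/generate-builder-config.ts …` or `yarn ts-node …` restricts the step to the locked dependency. The same line expands `${{ steps.nightly.outputs.config-args }}` directly into the script text; that predates this change, but passing it through an `env:` entry and referencing the variable in the script would keep the step output out of the shell source.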

From 09923b3fe4633d9a086f2d37145f4f22ba9bdf20 Mon Sep 17 00:00:00 2001
From: RiotRobot <releases@riot.im>
Date: Fri, 31 Mar 2023 11:24:12 +0100
Subject: [PATCH 5/6] Prepare changelog for v1.11.27

---
 CHANGELOG.md | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a496b7..1dea71f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,16 @@
-Changes in [1.11.26](https://github.com/vector-im/element-desktop/releases/tag/v1.11.26) (2023-03-28)
+Changes in [1.11.27](https://github.com/vector-im/element-desktop/releases/tag/v1.11.27) (2023-03-31)
 =====================================================================================================
 
 ## 🐛 Bug Fixes
- * Changes for matrix-js-sdk v24.0.0
- * Changes for matrix-react-sdk v3.69.0
+ * Run build_linux in docker using an older glibc ([\#599](https://github.com/vector-im/element-desktop/pull/599)). Fixes vector-im/element-web#24981.
+ * Fix detection of encryption for all users in a room ([\#10487](https://github.com/matrix-org/matrix-react-sdk/pull/10487)). Fixes vector-im/element-web#24995.
+
+Changes in [1.11.26](https://github.com/vector-im/element-desktop/releases/tag/v1.11.26) (2023-03-28)
+=====================================================================================================
+
+## 🔒 Security
+ * Fixes for [CVE-2023-28427](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2023-28427) / GHSA-mwq8-fjpf-c2gr
+ * Fixes for [CVE-2023-28103](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2023-28103) / GHSA-6g43-88cp-w5gv
 
 Changes in [1.11.25](https://github.com/vector-im/element-desktop/releases/tag/v1.11.25) (2023-03-15)
 =====================================================================================================

From 349b5e0081d5ffc0ee627a11c81c664ba27507ba Mon Sep 17 00:00:00 2001
From: RiotRobot <releases@riot.im>
Date: Fri, 31 Mar 2023 11:24:13 +0100
Subject: [PATCH 6/6] v1.11.27

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index e015d8b..96522d8 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "name": "element-desktop",
   "productName": "Element",
   "main": "lib/electron-main.js",
-  "version": "1.11.26",
+  "version": "1.11.27",
   "description": "A feature-rich client for Matrix.org",
   "author": "Element",
   "repository": {