Remove temporary awscli s3-r2 workaround

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

.gitea/workflows/build_linux_docker.yml

@@ -1,23 +0,0 @@
-on: [push, workflow_dispatch]
-
-jobs:
-  build-element:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        
-      - name: Download Cringe Studios configuration
-        run: "mkdir cringe && wget -O cringe/config.json https://chat.cringe-studios.com/config.json"
-        
-      - name: Docker setup
-        run: "docker build --platform linux/amd64 -t element-desktop-dockerbuild -f dockerbuild/Dockerfile ."
-        
-      - name: Docker build
-        run: >
-          ls -la && PWD=$(pwd) scripts/in-docker.sh bash -c 'ls -la &&
-          yarn add matrix-seshat &&
-          yarn &&
-          yarn run fetch --noverify --cfgdir cringe &&
-          SQLCIPHER_BUNDLED=1 yarn run docker:build:native &&
-          yarn run docker:build --linux rpm --linux deb --linux tar.xz --linux AppImage --win squirrel'

.github/workflows/build_and_deploy.yaml

@@ -92,6 +92,7 @@ jobs:
         uses: ./.github/workflows/build_linux.yaml
         with:
             arch: ${{ matrix.arch }}
+            config: ${{ needs.prepare.outputs.config }}
             sqlcipher: ${{ matrix.sqlcipher }}
             version: ${{ needs.prepare.outputs.nightly-version }}
 
@@ -202,19 +203,11 @@ jobs:
                   name: packages.element.io
                   path: packages.element.io
 
-            # Workaround for https://www.cloudflarestatus.com/incidents/t5nrjmpxc1cj
-            - uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367 # v1
-              if: needs.prepare.outputs.deploy == 'true'
-              with:
-                  version: 2.22.35
-                  verbose: false
-                  arch: amd64
-
             - name: Deploy artifacts
               if: needs.prepare.outputs.deploy == 'true'
               run: |
                   set -x
-                  aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto
+                  aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto --checksum-algorithm CRC32
               env:
                   AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                   AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}

.github/workflows/build_and_test.yaml

@@ -35,6 +35,7 @@ jobs:
                 sqlcipher: [system, static]
                 arch: [amd64, arm64]
         with:
+            config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }}
             sqlcipher: ${{ matrix.sqlcipher }}
             arch: ${{ matrix.arch }}
 
@@ -96,7 +97,7 @@ jobs:
 
             - uses: actions/setup-node@v4
               with:
-                  node-version-file: .node-version
+                  node-version-file: package.json
                   cache: "yarn"
 
             - name: Install Deps

.github/workflows/build_linux.yaml

@@ -8,6 +8,10 @@ on:
                 type: string
                 required: true
                 description: "The architecture to build for, one of 'amd64' | 'arm64'"
+            config:
+                type: string
+                required: true
+                description: "The config directory to use"
             version:
                 type: string
                 required: false
@@ -72,7 +76,7 @@ jobs:
 
             - uses: actions/setup-node@v4
               with:
-                  node-version-file: .node-version
+                  node-version-file: package.json
                   cache: "yarn"
               env:
                   # Workaround for https://github.com/actions/setup-node/issues/317
@@ -91,10 +95,10 @@ jobs:
 
             # This allows contributors to test changes to the dockerbuild image within a pull request
             - name: Build docker image
-              uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
+              uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
               if: steps.changed_files.outputs.any_modified == 'true'
               with:
-                  file: dockerbuild/Dockerfile
+                  context: dockerbuild
                   load: true
                   platforms: linux/${{ inputs.arch }}
                   tags: ${{ env.HAK_DOCKER_IMAGE }}

.github/workflows/build_macos.yaml

@@ -62,19 +62,18 @@ jobs:
 
             - uses: actions/setup-node@v4
               with:
-                  node-version-file: .node-version
+                  node-version-file: package.json
                   cache: "yarn"
 
             - name: Install Deps
               run: "yarn install --frozen-lockfile"
 
-            # Python 3.12 drops distutils which keytar relies on
-            - name: Install setuptools
-              run: pip3 install setuptools
-
             - name: Build Natives
               if: steps.cache.outputs.cache-hit != 'true'
-              run: yarn build:native:universal
+              run: |
+                  # Python 3.12 drops distutils which keytar relies on
+                  pip3 install setuptools
+                  yarn build:native:universal
 
             # We split these because electron-builder gets upset if we set CSC_LINK even to an empty string
             - name: "[Signed] Build App"

.github/workflows/build_prepare.yaml

@@ -34,9 +34,12 @@ on:
             packages-dir:
                 description: "The directory non-deb packages for this run should live in within packages.element.io"
                 value: ${{ inputs.nightly && 'nightly' || 'desktop' }}
-            # This is just a simple pass-through of the input to simplify reuse of complex inline conditions
+            # These are just simple pass-throughs of the input to simplify reuse of complex inline conditions
+            config:
+                description: "The relative path to the config file for this run"
+                value: ${{ inputs.config }}
             deploy:
-                description: "Whether the build should be deployed to production"
+                description: "The relative path to the config file for this run"
                 value: ${{ inputs.deploy }}
 permissions: {}
 jobs:
@@ -53,7 +56,7 @@ jobs:
 
             - uses: actions/setup-node@v4
               with:
-                  node-version-file: .node-version
+                  node-version-file: package.json
                   cache: "yarn"
 
             - name: Install Deps
@@ -90,8 +93,6 @@ jobs:
               env:
                   AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                   AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
-                  # Workaround for https://www.cloudflarestatus.com/incidents/t5nrjmpxc1cj
-                  AWS_REQUEST_CHECKSUM_CALCULATION: when_required
                   R2_BUCKET: ${{ vars.R2_BUCKET }}
                   R2_URL: ${{ vars.CF_R2_S3_API }}
 

.github/workflows/build_windows.yaml

@@ -56,8 +56,7 @@ jobs:
                         "ia32": {
                           "target": "i686-pc-windows-msvc",
                           "build-args": "--ia32",
-                          "arch": "x86",
-                          "extra_config": "{\"user_notice\": {\"title\": \"Your desktop support ends soon\",\"description\": \"Support for 32-bit Windows installations will end soon, this impacts you. Transition to the web or mobile app for continued access.\"}}"
+                          "arch": "x86"
                         }
                       }
 
@@ -100,26 +99,12 @@ jobs:
 
             - uses: actions/setup-node@v4
               with:
-                  node-version-file: .node-version
+                  node-version-file: package.json
                   cache: "yarn"
 
             - name: Install Deps
               run: "yarn install --frozen-lockfile"
 
-            - name: Insert config snippet
-              if: steps.config.outputs.extra_config != ''
-              shell: bash
-              run: |
-                  mkdir config-edit
-                  yarn asar extract webapp.asar config-edit
-                  cd config-edit
-                  mv config.json old-config.json
-                  echo '${{ steps.config.outputs.extra_config }}' | jq -s '.[0] * .[1]' old-config.json - > config.json
-                  rm old-config.json
-                  cd ..
-                  rm webapp.asar
-                  yarn asar pack config-edit/ webapp.asar
-
             - name: Set up sqlcipher macros
               if: steps.cache.outputs.cache-hit != 'true' && contains(inputs.arch, 'arm')
               shell: pwsh

.github/workflows/dockerbuild.yaml

@@ -22,17 +22,17 @@ jobs:
             - uses: actions/checkout@v4
 
             - name: Set up QEMU
-              uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
+              uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
+              uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3
               with:
                   install: true
 
             - name: Build test image
-              uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
+              uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
               with:
-                  file: dockerbuild/Dockerfile
+                  context: dockerbuild
                   push: false
                   load: true
                   tags: element-desktop-dockerbuild
@@ -52,7 +52,7 @@ jobs:
             - name: Extract metadata for Docker
               id: meta
               if: github.event_name != 'pull_request'
-              uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
+              uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
               with:
                   images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
                   tags: |
@@ -61,9 +61,9 @@ jobs:
 
             - name: Build and push Docker image
               if: github.event_name != 'pull_request'
-              uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
+              uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
               with:
-                  file: dockerbuild/Dockerfile
+                  context: dockerbuild
                   push: true
                   tags: ${{ steps.meta.outputs.tags }}
                   labels: ${{ steps.meta.outputs.labels }}

.node-version

@@ -1 +0,0 @@
-v22.14.0

CHANGELOG.md

@@ -1,13 +1,3 @@
-Changes in [1.11.94](https://github.com/element-hq/element-desktop/releases/tag/v1.11.94) (2025-02-27)
-======================================================================================================
-* No changes
-
-## 🐛 Bug Fixes
-
-* [Backport staging] fix: /tmp/element-web-config may already exist preventing the container from booting up ([#29377](https://github.com/element-hq/element-web/pull/29377)). Contributed by @RiotRobot.
-
-
-
 Changes in [1.11.93](https://github.com/element-hq/element-desktop/releases/tag/v1.11.93) (2025-02-25)
 ======================================================================================================
 ## ✨ Features

dockerbuild/Dockerfile

@@ -2,7 +2,7 @@
 # with broader compatibility, down to Debian bullseye & Ubuntu focal.
 FROM rust:bullseye
 
-ENV DEBIAN_FRONTEND=noninteractive
+ENV DEBIAN_FRONTEND noninteractive
 
 RUN curl --proto "=https" -L https://yarnpkg.com/latest.tar.gz | tar xvz && mv yarn-* /yarn && ln -s /yarn/bin/yarn /usr/bin/yarn
 RUN apt-get -qq update && apt-get -y -qq dist-upgrade && \
@@ -14,15 +14,15 @@ RUN apt-get -qq update && apt-get -y -qq dist-upgrade && \
   # Used by seshat (when not SQLCIPHER_STATIC) \
   libsqlcipher-dev && \
   apt-get purge -y --auto-remove && rm -rf /var/lib/apt/lists/*
-RUN dpkg --add-architecture i386 && apt-get update && apt-get install -y wine mono-devel rpm
 RUN ln -s /usr/bin/python3 /usr/bin/python & ln -s /usr/bin/pip3 /usr/bin/pip
 
-ENV DEBUG_COLORS=true
-ENV FORCE_COLOR=true
+ENV DEBUG_COLORS true
+ENV FORCE_COLOR true
 
 WORKDIR /project
 
+ENV NODE_VERSION 20.18.2
 ARG TARGETOS
 ARG TARGETARCH
-COPY .node-version dockerbuild/setup.sh /
+COPY setup.sh /setup.sh
 RUN /setup.sh

dockerbuild/setup.sh

@@ -3,6 +3,5 @@
 set -x
 declare -A archMap=(["amd64"]="x64" ["arm64"]="arm64")
 ARCH="${archMap["$TARGETARCH"]}"
-NODE_VERSION=$(cat /.node-version)
-curl --proto "=https" -L "https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$TARGETOS-$ARCH.tar.gz" | tar xz -C /usr/local --strip-components=1 && \
+curl --proto "=https" -L "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-$TARGETOS-$ARCH.tar.gz" | tar xz -C /usr/local --strip-components=1 && \
   unlink /usr/local/CHANGELOG.md && unlink /usr/local/LICENSE && unlink /usr/local/README.md

electron-builder.ts

@@ -174,9 +174,6 @@ const config: Omit<Writable<Configuration>, "electronFuses"> & {
             schemes: ["io.element.desktop", "element"],
         },
     ],
-    nativeRebuilder: "sequential",
-    nodeGypRebuild: false,
-    npmRebuild: true,
 };
 
 /**

hak/keytar/build.ts

@@ -0,0 +1,26 @@
+/*
+Copyright 2024 New Vector Ltd.
+Copyright 2020 The Matrix.org Foundation C.I.C.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+import path from "node:path";
+
+import type HakEnv from "../../scripts/hak/hakEnv.js";
+import type { DependencyInfo } from "../../scripts/hak/dep.js";
+
+export default async function buildKeytar(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
+    const env = hakEnv.makeGypEnv();
+
+    console.log("Running yarn with env", env);
+    await hakEnv.spawn(
+        path.join(moduleInfo.nodeModuleBinDir, "node-gyp"),
+        ["rebuild", "--arch", hakEnv.getTargetArch()],
+        {
+            cwd: moduleInfo.moduleBuildDir,
+            env,
+        },
+    );
+}

hak/keytar/check.ts

@@ -0,0 +1,15 @@
+/*
+Copyright 2024 New Vector Ltd.
+Copyright 2020 The Matrix.org Foundation C.I.C.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+import type HakEnv from "../../scripts/hak/hakEnv.js";
+import type { DependencyInfo } from "../../scripts/hak/dep.js";
+
+export default async function (hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
+    // node-gyp uses python for reasons beyond comprehension
+    await hakEnv.checkTools([["python", "--version"]]);
+}

hak/keytar/hak.json

@@ -0,0 +1,10 @@
+{
+    "scripts": {
+        "check": "check.ts",
+        "build": "build.ts"
+    },
+    "copy": "build/Release/keytar.node",
+    "dependencies": {
+        "libsecret": "0.20.3"
+    }
+}

knip.ts

@@ -5,6 +5,7 @@ export default {
     project: ["**/*.{js,ts}"],
     ignoreDependencies: [
         // Brought in via hak scripts
+        "keytar",
         "matrix-seshat",
         // Required for `action-validator`
         "@action-validator/*",

package.json

@@ -3,7 +3,7 @@
     "productName": "Element",
     "main": "lib/electron-main.js",
     "exports": "./lib/electron-main.js",
-    "version": "1.11.94",
+    "version": "1.11.93",
     "description": "Element: the future of secure communication",
     "author": "Element",
     "homepage": "https://element.io",
@@ -44,7 +44,7 @@
         "build": "yarn run build:ts && yarn run build:res && electron-builder",
         "build:ts": "tsc",
         "build:res": "tsx scripts/copy-res.ts",
-        "docker:setup": "docker build --platform linux/amd64 -t element-desktop-dockerbuild -f dockerbuild/Dockerfile .",
+        "docker:setup": "docker build --platform linux/amd64 -t element-desktop-dockerbuild dockerbuild",
         "docker:build:native": "scripts/in-docker.sh yarn run hak",
         "docker:build": "scripts/in-docker.sh yarn run build",
         "docker:install": "scripts/in-docker.sh yarn install",
@@ -53,17 +53,15 @@
         "test": "playwright test",
         "test:open": "yarn test --ui",
         "test:screenshots:build": "docker build playwright -t element-desktop-playwright --platform linux/amd64",
-        "test:screenshots:run": "docker run --rm --network host -v $(pwd):/work/element-desktop -v /var/run/docker.sock:/var/run/docker.sock --platform linux/amd64 -it element-desktop-playwright",
-        "postinstall": "electron-builder install-app-deps"
+        "test:screenshots:run": "docker run --rm --network host -v $(pwd):/work/element-desktop -v /var/run/docker.sock:/var/run/docker.sock --platform linux/amd64 -it element-desktop-playwright"
     },
     "dependencies": {
-        "@sentry/electron": "^6.0.0",
+        "@sentry/electron": "^5.0.0",
         "@standardnotes/electron-clear-data": "^1.0.5",
         "auto-launch": "^5.0.5",
         "counterpart": "^0.18.6",
         "electron-store": "^10.0.0",
         "electron-window-state": "^5.0.3",
-        "keytar-forked": "7.10.0",
         "minimist": "^1.2.6",
         "png-to-ico": "^2.1.1",
         "uuid": "^11.0.0"
@@ -80,16 +78,16 @@
         "@types/auto-launch": "^5.0.1",
         "@types/counterpart": "^0.18.1",
         "@types/minimist": "^1.2.1",
-        "@types/node": "18.19.79",
+        "@types/node": "18.19.76",
         "@types/pacote": "^11.1.1",
         "@typescript-eslint/eslint-plugin": "^8.0.0",
         "@typescript-eslint/parser": "^8.0.0",
-        "app-builder-lib": "26.0.10",
+        "app-builder-lib": "26.0.7",
         "chokidar": "^4.0.0",
         "detect-libc": "^2.0.0",
-        "electron": "34.3.0",
-        "electron-builder": "26.0.10",
-        "electron-builder-squirrel-windows": "26.0.10",
+        "electron": "34.2.0",
+        "electron-builder": "26.0.7",
+        "electron-builder-squirrel-windows": "26.0.7",
         "electron-devtools-installer": "^4.0.0",
         "eslint": "^8.26.0",
         "eslint-config-google": "^0.14.0",
@@ -110,13 +108,14 @@
         "rimraf": "^6.0.0",
         "tar": "^7.0.0",
         "tsx": "^4.19.2",
-        "typescript": "5.8.2"
+        "typescript": "5.7.3"
     },
     "hakDependencies": {
-        "matrix-seshat": "^4.0.1"
+        "matrix-seshat": "^4.0.1",
+        "keytar": "^7.9.0"
     },
     "resolutions": {
-        "@types/node": "18.19.79",
+        "@types/node": "18.19.76",
         "config-file-ts": "0.2.8-rc1"
     }
 }

scripts/hak/README.md

@@ -67,14 +67,14 @@ Hak is divided into lifecycle stages, in order:
 
 # hak.json
 
-The scripts section contains scripts used for lifecycle stages that need them (fetch, build).
+The scripts section contains scripts used for lifecycle stages that need them (fetch, fetchDeps, build).
 It also contains 'prune' and 'copy' which are globs of files to delete from the output module directory
 and copy over from the module build directory to the output module directory, respectively.
 
 # Shortcomings
 
 Hak doesn't know about dependencies between lifecycle stages, ie. it doesn't know that you need to
-'fetch' before you can 'build', etc. You get to run each individually, and remember
+'fetch' and 'fetchDeps' before you can 'build', etc. You get to run each individually, and remember
 the right order.
 
 There is also a _lot_ of duplication in the command execution: we should abstract away

scripts/hak/check.ts

@@ -10,5 +10,7 @@ import type { DependencyInfo } from "./dep.js";
 import type HakEnv from "./hakEnv.js";
 
 export default async function check(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    await moduleInfo.scripts.check?.(hakEnv, moduleInfo);
+    if (moduleInfo.scripts.check) {
+        await moduleInfo.scripts.check(hakEnv, moduleInfo);
+    }
 }

scripts/hak/copy.ts

@@ -9,6 +9,7 @@ Please see LICENSE files in the repository root for full details.
 import path from "node:path";
 import fsProm from "node:fs/promises";
 import childProcess from "node:child_process";
+import { rimraf } from "rimraf";
 import { glob } from "glob";
 import { mkdirp } from "mkdirp";
 
@@ -16,6 +17,20 @@ import type HakEnv from "./hakEnv.js";
 import type { DependencyInfo } from "./dep.js";
 
 export default async function copy(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
+    if (moduleInfo.cfg.prune) {
+        console.log("Removing " + moduleInfo.cfg.prune + " from " + moduleInfo.moduleOutDir);
+        // rimraf doesn't have a 'cwd' option: it always uses process.cwd()
+        // (and if you set glob.cwd it just breaks because it can't find the files)
+        const oldCwd = process.cwd();
+        try {
+            await mkdirp(moduleInfo.moduleOutDir);
+            process.chdir(moduleInfo.moduleOutDir);
+            await rimraf(moduleInfo.cfg.prune);
+        } finally {
+            process.chdir(oldCwd);
+        }
+    }
+
     if (moduleInfo.cfg.copy) {
         // If there are multiple moduleBuildDirs, singular moduleBuildDir
         // is the same as moduleBuildDirs[0], so we're just listing the contents

scripts/hak/fetchDeps.ts

@@ -0,0 +1,19 @@
+/*
+Copyright 2024 New Vector Ltd.
+Copyright 2020 The Matrix.org Foundation C.I.C.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+import { mkdirp } from "mkdirp";
+
+import type { DependencyInfo } from "./dep.js";
+import type HakEnv from "./hakEnv.js";
+
+export default async function fetchDeps(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
+    await mkdirp(moduleInfo.moduleDotHakDir);
+    if (moduleInfo.scripts.fetchDeps) {
+        await moduleInfo.scripts.fetchDeps(hakEnv, moduleInfo);
+    }
+}

scripts/hak/index.ts

@@ -19,7 +19,7 @@ import packageJson from "../../package.json";
 const MODULECOMMANDS = ["check", "fetch", "link", "build", "copy", "clean"];
 
 // Shortcuts for multiple commands at once (useful for building universal binaries
-// because you can run the fetch/build for each arch and then copy/link once)
+// because you can run the fetch/fetchDeps/build for each arch and then copy/link once)
 const METACOMMANDS: Record<string, string[]> = {
     fetchandbuild: ["check", "fetch", "build"],
     copyandlink: ["copy", "link"],

scripts/in-docker.sh

@@ -8,12 +8,9 @@ if [ $? != 0 ]; then
     exit 1
 fi
 
-echo "${PWD}"
-echo $(ls "${PWD}")
-
 # Taken from https://www.electron.build/multi-platform-build#docker
 # Pass through any vars prefixed with INDOCKER_, removing the prefix
-docker run --rm \
+docker run --rm -ti \
  --platform linux/amd64 \
  --env-file <(env | grep -E '^INDOCKER_' | sed -e 's/^INDOCKER_//') \
  --env ELECTRON_CACHE="/root/.cache/electron" \
@@ -24,5 +21,4 @@ docker run --rm \
  -v ${PWD}/docker/.gnupg:/root/.gnupg \
  -v ~/.cache/electron:/root/.cache/electron \
  -v ~/.cache/electron-builder:/root/.cache/electron-builder \
- --workdir "/project" \
  "$IMAGE" "$@"

src/@types/keytar.d.ts

@@ -0,0 +1,54 @@
+// Based on https://github.com/atom/node-keytar/blob/master/keytar.d.ts because keytar is a hak-dependency and not a normal one
+// Definitions by: Milan Burda <https://github.com/miniak>, Brendan Forster <https://github.com/shiftkey>, Hari Juturu <https://github.com/juturu>
+// Adapted from DefinitelyTyped: https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/keytar/index.d.ts
+
+declare module "keytar" {
+    /**
+     * Get the stored password for the service and account.
+     *
+     * @param service The string service name.
+     * @param account The string account name.
+     *
+     * @returns A promise for the password string.
+     */
+    export function getPassword(service: string, account: string): Promise<string | null>;
+
+    /**
+     * Add the password for the service and account to the keychain.
+     *
+     * @param service The string service name.
+     * @param account The string account name.
+     * @param password The string password.
+     *
+     * @returns A promise for the set password completion.
+     */
+    export function setPassword(service: string, account: string, password: string): Promise<void>;
+
+    /**
+     * Delete the stored password for the service and account.
+     *
+     * @param service The string service name.
+     * @param account The string account name.
+     *
+     * @returns A promise for the deletion status. True on success.
+     */
+    export function deletePassword(service: string, account: string): Promise<boolean>;
+
+    /**
+     * Find a password for the service in the keychain.
+     *
+     * @param service The string service name.
+     *
+     * @returns A promise for the password string.
+     */
+    export function findPassword(service: string): Promise<string | null>;
+
+    /**
+     * Find all accounts and passwords for `service` in the keychain.
+     *
+     * @param service The string service name.
+     *
+     * @returns A promise for the array of found credentials.
+     */
+    export function findCredentials(service: string): Promise<Array<{ account: string; password: string }>>;
+}

src/electron-main.ts

@@ -22,6 +22,7 @@ import { URL, fileURLToPath } from "node:url";
 import minimist from "minimist";
 
 import "./ipc.js";
+import "./keytar.js";
 import "./seshat.js";
 import "./settings.js";
 import * as tray from "./tray.js";

src/ipc.ts

@@ -7,12 +7,12 @@ Please see LICENSE files in the repository root for full details.
 
 import { app, autoUpdater, desktopCapturer, ipcMain, powerSaveBlocker, TouchBar, nativeImage } from "electron";
 import { relaunchApp } from "@standardnotes/electron-clear-data";
-import keytar from "keytar-forked";
 
 import IpcMainEvent = Electron.IpcMainEvent;
 import { recordSSOSession } from "./protocol.js";
 import { randomArray } from "./utils.js";
 import { Settings } from "./settings.js";
+import { keytar } from "./keytar.js";
 import { getDisplayMediaCallback, setDisplayMediaCallback } from "./displayMediaCallback.js";
 
 ipcMain.on("setBadgeCount", function (_ev: IpcMainEvent, count: number): void {
@@ -141,11 +141,11 @@ ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
 
         case "getPickleKey":
             try {
-                ret = await keytar.getPassword("element.io", `${args[0]}|${args[1]}`);
+                ret = await keytar?.getPassword("element.io", `${args[0]}|${args[1]}`);
                 // migrate from riot.im (remove once we think there will no longer be
                 // logins from the time of riot.im)
                 if (ret === null) {
-                    ret = await keytar.getPassword("riot.im", `${args[0]}|${args[1]}`);
+                    ret = await keytar?.getPassword("riot.im", `${args[0]}|${args[1]}`);
                 }
             } catch {
                 // if an error is thrown (e.g. keytar can't connect to the keychain),
@@ -161,18 +161,17 @@ ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
                 // rather than sending them a pickle key we did not store on their behalf.
                 await keytar!.setPassword("element.io", `${args[0]}|${args[1]}`, pickleKey);
                 ret = pickleKey;
-            } catch (e) {
-                console.error("Failed to create pickle key", e);
+            } catch {
                 ret = null;
             }
             break;
 
         case "destroyPickleKey":
             try {
-                await keytar.deletePassword("element.io", `${args[0]}|${args[1]}`);
+                await keytar?.deletePassword("element.io", `${args[0]}|${args[1]}`);
                 // migrate from riot.im (remove once we think there will no longer be
                 // logins from the time of riot.im)
-                await keytar.deletePassword("riot.im", `${args[0]}|${args[1]}`);
+                await keytar?.deletePassword("riot.im", `${args[0]}|${args[1]}`);
             } catch {}
             break;
         case "getDesktopCapturerSources":

src/keytar.ts

@@ -0,0 +1,21 @@
+/*
+Copyright 2022-2024 New Vector Ltd.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+import type * as Keytar from "keytar"; // Hak dependency type
+
+let keytar: typeof Keytar | undefined;
+try {
+    ({ default: keytar } = await import("keytar"));
+} catch (e) {
+    if ((<NodeJS.ErrnoException>e).code === "MODULE_NOT_FOUND") {
+        console.log("Keytar isn't installed; secure key storage is disabled.");
+    } else {
+        console.warn("Keytar unexpected error:", e);
+    }
+}
+
+export { keytar };

src/seshat.ts

@@ -8,7 +8,6 @@ Please see LICENSE files in the repository root for full details.
 import { app, ipcMain } from "electron";
 import { promises as afs } from "node:fs";
 import path from "node:path";
-import keytar from "keytar-forked";
 
 import type {
     Seshat as SeshatType,
@@ -17,6 +16,7 @@ import type {
 } from "matrix-seshat"; // Hak dependency type
 import IpcMainEvent = Electron.IpcMainEvent;
 import { randomArray } from "./utils.js";
+import { keytar } from "./keytar.js";
 
 let seshatSupported = false;
 let Seshat: typeof SeshatType;