mirror of
https://github.com/BigBodyCobain/Shadowbroker.git
synced 2026-05-28 10:01:31 +02:00
Shadowbroker
a930497e14
* fix(start-scripts): find bundled privacy_core.dll next to script start.bat and start.sh only checked the source-tree DLL path (``privacy-core/target/release/privacy_core.dll``), not the bundled location where MSI/AppImage/DMG installers stage the library directly next to the script in backend-runtime/. Users running start.bat from inside an MSI install dir (a documented workaround when the desktop shell crashes) saw a scary "install Rust" warning even though the DLL was sitting right next to them. See issue #319 for the user-reported confusion. Fix: add a fallback check for the bundled location before falling through to the "build privacy-core from source" warning. Source-tree behavior unchanged — the source path is still preferred when present. Also re-stamps the v0.9.81 source archive: ``release_digests.json`` v0.9.81 zip hash updated to point at the rebuilt source archive that contains these script changes. MSI/EXE/sig hashes are unchanged (the scripts live at the repo root, not inside the desktop bundle). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix(#319): bundle start.bat + start.sh into the MSI/EXE installers Follow-up to the start-script DLL fallback fix in the prior commit. ChrisMTheMan's report on #319 made it clear the workaround flow was: 1. MSI install crashes on launch (different bug, fixed in v0.9.81) 2. User goes looking for start.bat to launch the backend manually 3. start.bat isn't in their install dir, so they go fetch it from GitHub 4. They get a working script but it doesn't know about the bundled privacy_core.dll layout, so they see a scary "install Rust" warning The prior commit fixed step 4. This commit fixes step 3 — start.bat and start.sh now ship inside the MSI/EXE installers (staged into backend-runtime/ next to the privacy_core.dll they expect to find). After the rebuild lands, an MSI user looking for these scripts finds them right inside their install dir, already pointing at the correct bundled DLL location. What changed ------------ * ``build-backend-runtime.cjs`` now has a ``stageStartScripts()`` step that copies start.bat and start.sh from the repo root into the staged backend-runtime/. Preserves the executable bit on .sh under POSIX. * ``release_digests.json`` v0.9.81 block hashes refreshed for the rebuilt MSI / EXE / source-zip (the scripts being bundled changed the MSI/EXE contents; the source zip also includes the start-script fix from the prior commit). ShadowBroker_v0.9.81.zip 6.06 MB af8c87ccdece8fbb9aadc6be63cce10d3fcba74e6d87ef83289dda6d555fd270 ShadowBroker_0.9.81_x64_en-US.msi 122.4 MB 8977c9a1c54e1f0d030436be9c4e3d81d766cc0080699eb747649095f360c7ff ShadowBroker_0.9.81_x64-setup.exe 76.5 MB 4e866fa0423c0c2470ed32f4809167a7815dc23ee7762b69e95681c1f3a28250 Post-merge plan --------------- Force-move the v0.9.81 tag to this commit and replace ALL release assets on the GitHub release: zip, msi, exe, both .sig files, latest.json, SHA256SUMS.txt, release-manifest.json. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
51 lines
2.7 KiB
JSON
51 lines
2.7 KiB
JSON
{
|
|
"_comment": [
|
|
"Baked-in SHA-256 digests for known Shadowbroker release archives.",
|
|
"",
|
|
"Issue #231: the self-updater previously skipped integrity verification",
|
|
"entirely whenever the MESH_UPDATE_SHA256 env var was unset (which is the",
|
|
"default — nothing in the install docs tells operators to set it). That",
|
|
"made the auto-update a supply-chain RCE on any compromise of the GitHub",
|
|
"release pipeline.",
|
|
"",
|
|
"The fix uses a multi-source verification chain mirroring the Tor bundle",
|
|
"digest approach in #201:",
|
|
"",
|
|
" 1. MESH_UPDATE_SHA256 env var (operator override, preserved)",
|
|
" 2. SHA256SUMS.txt asset published alongside each release (primary —",
|
|
" the maintainer's release process already publishes this)",
|
|
" 3. This baked-in digest list (second line of defense for releases",
|
|
" missing a SHA256SUMS asset, or when the asset can't be fetched)",
|
|
" 4. HTTPS-only fallback with a loud warning (preserves auto-update",
|
|
" flow during transient outages so users don't get stuck)",
|
|
"",
|
|
"Mismatch from a source that DID respond is fatal — the update is",
|
|
"refused and the existing install keeps running. Only the 'no source",
|
|
"reachable at all' case falls back to HTTPS-only.",
|
|
"",
|
|
"Format: each entry is keyed by release tag and maps asset filenames",
|
|
"to their canonical SHA-256 digest (hex, lowercase). The updater",
|
|
"compares the locally-computed digest of the downloaded asset against",
|
|
"the value here.",
|
|
"",
|
|
"When the maintainer ships a new release, add its digests here BEFORE",
|
|
"removing the old ones so operators on the old code still validate",
|
|
"against the previous entries during the transition."
|
|
],
|
|
"v0.9.79": {
|
|
"ShadowBroker_v0.9.79.zip": "f6877c1d66614525315ea82636ce9f7b41178332c4dbf90d27431a1ea1d9cd47",
|
|
"ShadowBroker_0.9.79_x64-setup.exe": "f7b676ada45cac7da05868b0a353678c9ee700e3abcf456a7c0c038c36da446f",
|
|
"ShadowBroker_0.9.79_x64_en-US.msi": "e0713c3cdda184cfbea750bfac0d62a35678fec00847e6476f2cac8e7e42046e"
|
|
},
|
|
"v0.9.8": {
|
|
"ShadowBroker_v0.9.8.zip": "183bb5cd62b9b9349d95df5ef7696cb6ca810ab4b991fa9dab6f898af4c7a175",
|
|
"ShadowBroker_0.9.8_x64-setup.exe": "94a0309862e9c81c92cdcbfea8eec9dbb97eef19ded82b26217b397defbc810c",
|
|
"ShadowBroker_0.9.8_x64_en-US.msi": "fe22f9d51e4360d74c18a7250c2fbb9ed4fa4c7a884b3ac0d04a21115466386b"
|
|
},
|
|
"v0.9.81": {
|
|
"ShadowBroker_v0.9.81.zip": "af8c87ccdece8fbb9aadc6be63cce10d3fcba74e6d87ef83289dda6d555fd270",
|
|
"ShadowBroker_0.9.81_x64-setup.exe": "4e866fa0423c0c2470ed32f4809167a7815dc23ee7762b69e95681c1f3a28250",
|
|
"ShadowBroker_0.9.81_x64_en-US.msi": "8977c9a1c54e1f0d030436be9c4e3d81d766cc0080699eb747649095f360c7ff"
|
|
}
|
|
}
|