Cannot publish an electron app

rwwagner90 · May 14, 2020, 5:16pm

electron-installer-snap automatically sets the following:

    this.data.plugs['browser-sandbox'] = {
      'allow-sandbox': true,
      interface: 'browser-support'
    }

This forces all Electron apps built with electron-installer-snap to be sandboxed, which causes automatic reviews to fail and also seems to make manual reviews fail. I tried forking electron-installer-snap and making it not add that stuff, but now it seems to be stuck Processing.../ when trying to push the build.

I’m unsure exactly what is correct to do here, but they seem to think browser-sandbox should be required for Electron apps for some reason.

While I do think we should resolve this issue for the wider Electron community, I also would like to request that I be added as a vetted publisher, so I can actually publish my app in the meantime.

Thanks so much in advance and I hope we can get this resolved!

roadmr · May 14, 2020, 6:04pm

Hello!

Please wait a bit, we are diagnosing a problem with upload queue processing. I’ll holler once it’s fixed.

Daniel

rwwagner90 · May 14, 2020, 6:30pm

@roadmr ah okay. Either way, we should figure out these Electron issues and/or I would like to request that we become a vetted publisher, but please do let me know when the upload queue is fixed. Perhaps some of the previous builds actually were going to work. I’ll have to try again.

roadmr · May 14, 2020, 7:08pm

Upload queue is fixed, let me know your snap’s name (via private message if you prefer) and I’ll rerun its scan task.

For the other electron-installer-snap problem I can’t help unfortunately but someone else will soon

Daniel

rathboma · May 14, 2020, 7:18pm

If it helps - I use electron-builder which has a ‘snap store’ publisher set up out of the box. It works great! (github.com/beekeeper-studio/beekeeper-studio) - https://electron.build

jdstrand · May 14, 2020, 8:35pm

This appears to be the issue: https://github.com/electron-userland/electron-installer-snap/blob/master/src/index.d.ts#L154

I’m not familiar enough with electron-installer-snap to say how to adjust browserSandbox to false for your build, but can say that it is a bug in electron-installer-snap that it is setting this automatically since its use is restricted (see https://snapcraft.io/docs/browser-support-interface).

I can say that many people use electron-builder which defaults to not using allow-sandbox: true and they don’t face this problem. This certainly should be a fixable problem for electron-installer-snap (I suggest filing a bug with them).

In the meantime and in addition to the recommendation to set browserSandbox to false in your build, you may also need to strip the setuid bit from chrome-sandbox if electron-installer-snap is installing the setuid helper.

rwwagner90 · May 14, 2020, 8:49pm

@jdstrand I forked electron-installer-snap and added the ability to set browserSandbox: false. This seems to get around the first issue, but as you mentioned I think we still have the chrome-sandbox issue.

checksums do not match. Please ensure the snap is created with either 'snapcraft pack <DIR>' (using snapcraft >= 2.38) or 'mksquashfs <dir> <snap> -noappend -comp xz -all-root -no-xattrs -no-fragments'. If using electron-builder, please upgrade to latest stable (>= 20.14.7). See https://forum.snapcraft.io/t/automated-reviews-and-snapcraft-2-38/4982/17 for details. security-snap-v2_squashfs_repack_checksum What does this mean?
found errors in file output: unusual mode 'rwsr-xr-x' for entry './swach/chrome-sandbox' security-snap-v2_squashfs_files

Any tips on what to do to fix this?

ogra · May 14, 2020, 9:01pm

try adding something like:

app.commandLine.appendSwitch ("no-sandbox");

to your code … or make sure the --no-sandbox option is added in another way to the electron execution … i.e.:

github.com

ogra1/ubuntu-forum-client/blob/master/snap/snapcraft.yaml#L13


summary: Ubuntu Community Hub webapp
description: |
  Simple webapp showing discourse.ubuntu.com
base: core18
confinement: strict
grade: devel
compression: lzo
apps:
  forum:
    extensions: [gnome-3-34]
    command: desktop-launch $SNAP/electron/ubuntu-forum-client --disable-gpu --no-sandbox
    environment:
      TMPDIR: $XDG_RUNTIME_DIR
    plugs:
    - audio-playback
    - audio-record
    - browser-support
    - desktop
    - gsettings
    - network

rwwagner90 · May 14, 2020, 9:03pm

@ogra I had this:

if (process.platform === 'linux') {
  app.commandLine.appendSwitch('--no-sandbox');
}

Do I need to remove the -- in front of no-sandbox? Will try that now.

ogra · May 14, 2020, 9:04pm

yeah, i think it is as silly as this

rwwagner90 · May 14, 2020, 9:21pm

@ogra I tried removing the -- and I also tried adding this to my build:

unsquashfs electron-app/out/make/snap/x64/*.snap
snapcraft pack ./squashfs-root

But I am still getting the same error:

The store was unable to accept this snap.
  - found errors in file output: unusual mode 'rwsr-xr-x' for entry './swach/chrome-sandbox'
  - checksums do not match. Please ensure the snap is created with either 'snapcraft pack <DIR>' (using snapcraft >= 2.38) or 'mksquashfs <dir> <snap> -noappend -comp xz -all-root -no-xattrs -no-fragments'. If using electron-builder, please upgrade to latest stable (>= 20.14.7). See https://forum.snapcraft.io/t/automated-reviews-and-snapcraft-2-38/4982/17 for details.

jdstrand · May 14, 2020, 9:26pm

rwwagner90:

@jdstrand I forked electron-installer-snap and added the ability to set browserSandbox: false . This seems to get around the first issue, but as you mentioned I think we still have the chrome-sandbox issue.
checksums do not match. Please ensure the snap is created with either 'snapcraft pack <DIR>' (using snapcraft >= 2.38) or 'mksquashfs <dir> <snap> -noappend -comp xz -all-root -no-xattrs -no-fragments'. If using electron-builder, please upgrade to latest stable (>= 20.14.7). See https://forum.snapcraft.io/t/automated-reviews-and-snapcraft-2-38/4982/17 for details. security-snap-v2_squashfs_repack_checksum What does this mean?
found errors in file output: unusual mode 'rwsr-xr-x' for entry './swach/chrome-sandbox' security-snap-v2_squashfs_files
Any tips on what to do to fix this?

After you have your snap built, you can:

$ unsquashfs ./your.snap
$ snapcraft pack ./squashfs-root

The first command will unpack the squash onto your system, and since you are not root the setuid bit is stripped. The second reconstructs the snap using the provided directory.

jdstrand · May 14, 2020, 9:29pm

rwwagner90:

unsquashfs electron-app/out/make/snap/x64/*.snap
snapcraft pack ./squashfs-root

But I am still getting the same error:

The store was unable to accept this snap.
  - found errors in file output: unusual mode 'rwsr-xr-x' for entry './swach/chrome-sandbox'
  - checksums do not match. Please ensure the snap is created with either 'snapcraft pack <DIR>' (using snapcraft >= 2.38) or 'mksquashfs <dir> <snap> -noappend -comp xz -all-root -no-xattrs -no-fragments'. If using electron-builder, please upgrade to latest stable (>= 20.14.7). See https://forum.snapcraft.io/t/automated-reviews-and-snapcraft-2-38/4982/17 for details.

If your build is running as root, then you need to add a chmod command. Eg:

# unsquashfs electron-app/out/make/snap/x64/*.snap
# chmod 755 ./squashfs-root/swach/chrome-sandbox
# snapcraft pack ./squashfs-root

rwwagner90 · May 14, 2020, 10:24pm

@jdstrand I tried your suggestion, but the error still persists. This is my build:

mkdir .snapcraft
echo ${{ secrets.SNAPCRAFT_LOGIN_FILE }} | base64 --decode --ignore-garbage > .snapcraft/snapcraft.cfg
unsquashfs electron-app/out/make/snap/x64/*.snap
chmod 755 ./squashfs-root/swach/chrome-sandbox
snapcraft pack ./squashfs-root
snapcraft push electron-app/out/make/snap/x64/*.snap --release stable

Do the unsquashfs and snapcraft pack commands overwrite the existing .snap file or does it create a new one and there would be two that exist? I was wondering if perhaps it is modifying a new one, but the old one is still broken or something.

rwwagner90 · May 14, 2020, 10:51pm

Ah, yep, I just had to change the snapcraft push path to snapcraft push ./*.snap --release stable and it passed review now! Thanks everyone for your help.

rwwagner90 · May 14, 2020, 11:02pm

@jdstrand so now my app is in the Snap Store, but it doesn’t seem to run anymore. Perhaps it did need the sandbox? I’m unsure how to debug why the app doesn’t work. Any suggestions? It’s called Swach, if you want to try to install and run it.

ogra · May 14, 2020, 11:41pm

did you connect the browser-support interface after installing the snap ?
it does not auto-connect …

rwwagner90 · May 14, 2020, 11:48pm

@ogra I don’t know what you mean. How would I do that? I need it to start up like a normal app for people downloading it. It’s an Electron app, and it runs when I package it as .deb. I am not familiar with what I need to do to setup the correct plugs and such for Snap.

ogra · May 15, 2020, 9:37am

take a look at:

snap connections <yoursnapname>

is the browser-support plug connected to the slot ?
if not:

snap connect <yoursnapname>:browser-support

rwwagner90 · May 15, 2020, 12:14pm

@ogra this is what I see for connections:

Interface        Plug                   Slot              Notes
browser-support  swach:browser-support  :browser-support  -
desktop          swach:desktop          :desktop          -
desktop-legacy   swach:desktop-legacy   :desktop-legacy   -
gsettings        swach:gsettings        :gsettings        -
home             swach:home             :home             -
mount-observe    swach:mount-observe    -                 -
network          swach:network          :network          -
network-bind     swach:network-bind     :network-bind     -
opengl           swach:opengl           :opengl           -
pulseaudio       swach:pulseaudio       -                 -
unity7           swach:unity7           :unity7           -
x11              swach:x11              :x11              -

The app never appears to launch though. I do not know how to debug the issue. I do know it works great when I build and install a .deb so I imagine it is missing something. Any ideas how to proceed?