bitwarden-desktop: 2024.9.0 -> 2024.11.1 (#355978)

pkgs/by-name/bi/bitwarden-desktop/dont-auto-setup-biometrics.patch

@@ -1,7 +1,7 @@
-diff --git a/apps/desktop/src/platform/main/biometric/biometric.unix.main.ts b/apps/desktop/src/platform/main/biometric/biometric.unix.main.ts
+diff --git a/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts b/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts
-index e2428d9d12..de4e9e1e62 100644
+index 8962e7f3ec..a7291420f2 100644
---- a/apps/desktop/src/platform/main/biometric/biometric.unix.main.ts
+--- a/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts
-+++ b/apps/desktop/src/platform/main/biometric/biometric.unix.main.ts
++++ b/apps/desktop/src/key-management/biometrics/biometric.unix.main.ts
 @@ -109,7 +109,7 @@ export default class BiometricUnixMain implements OsBiometricService {
      // The user needs to manually set up the polkit policy outside of the sandbox
      // since we allow access to polkit via dbus for the sandboxed clients, the authentication works from

pkgs/by-name/bi/bitwarden-desktop/package.nix

@@ -35,19 +35,20 @@ let
 
 in buildNpmPackage rec {
   pname = "bitwarden-desktop";
-  version = "2024.9.0";
+  version = "2024.11.1";
 
   src = fetchFromGitHub {
     owner = "bitwarden";
     repo = "clients";
     rev = "desktop-v${version}";
-    hash = "sha256-o5nRG2j73qheDOyeFfSga64D8HbTn1EUrCiN0W+Xn0w=";
+    hash = "sha256-4QTQgW8k3EMf07Xqs2B+VXQOUPzoOgaNvoC02x4zvu8=";
   };
 
   patches = [
     ./electron-builder-package-lock.patch
     ./dont-auto-setup-biometrics.patch
     ./set-exe-path.patch # ensures `app.getPath("exe")` returns our wrapper, not ${electron}/bin/electron
+    ./skip-afterpack.diff # this modifies bin/electron etc., but we wrap read-only bin/electron ourselves
   ];
 
   postPatch = ''
@@ -62,7 +63,7 @@ in buildNpmPackage rec {
   makeCacheWritable = true;
   npmFlags = [ "--engine-strict" "--legacy-peer-deps" ];
   npmWorkspace = "apps/desktop";
-  npmDepsHash = "sha256-L7/frKCNlq0xr6T+aSqyEQ44yrIXwcpdU/djrhCJNNk=";
+  npmDepsHash = "sha256-YzhCyNMvfXGmgOpl3qWj1Pqd1hY8CJ9QLwQds5ZMnqg=";
 
   cargoDeps = rustPlatform.fetchCargoTarball {
     name = "${pname}-${version}";
@@ -78,7 +79,7 @@ in buildNpmPackage rec {
       patches;
     patchFlags = [ "-p4" ];
     sourceRoot = "${src.name}/${cargoRoot}";
-    hash = "sha256-y+6vaESiOeVrFJpZoOJ75onOpldqSsT2kqkMMzTDUmM=";
+    hash = "sha256-aurjpVzWET30O+ysyE4ZzauMe8kHjOL169tfKUR1Vpg=";
   };
   cargoRoot = "apps/desktop/desktop_native";
 
@@ -103,20 +104,6 @@ in buildNpmPackage rec {
     libsecret
   ];
 
-  # node-argon2 builds with LTO, but that causes missing symbols. So disable it
-  # and rebuild. Then we need to copy it into the build output for
-  # electron-builder, as `apps/desktop/src/package.json` specifies `argon2` as
-  # a dependency and electron-builder will otherwise install a fresh (and
-  # broken) argon2. See https://github.com/ranisalt/node-argon2/pull/415
-  preConfigure = ''
-    pushd node_modules/argon2
-    substituteInPlace binding.gyp --replace-fail '"-flto", ' ""
-    "$npm_config_node_gyp" rebuild
-    popd
-    mkdir -p apps/desktop/build/node_modules
-    cp -r ./{,apps/desktop/build/}node_modules/argon2
-  '';
-
   preBuild = ''
     if [[ $(jq --raw-output '.devDependencies.electron' < package.json | grep -E --only-matching '^[0-9]+') != ${lib.escapeShellArg (lib.versions.major electron.version)} ]]; then
       echo 'ERROR: electron version mismatch'
@@ -181,7 +168,7 @@ in buildNpmPackage rec {
     # Extract the polkit policy file from the multiline string in the source code.
     # This may break in the future but its better than copy-pasting it manually.
     mkdir -p $out/share/polkit-1/actions/
-    pushd apps/desktop/src/platform/main/biometric
+    pushd apps/desktop/src/key-management/biometrics
     awk '/const polkitPolicy = `/{gsub(/^.*`/, ""); print; str=1; next} str{if (/`;/) str=0; gsub(/`;/, ""); print}' biometric.unix.main.ts > $out/share/polkit-1/actions/com.bitwarden.Bitwarden.policy
     popd
 

pkgs/by-name/bi/bitwarden-desktop/skip-afterpack.diff

@@ -0,0 +1,39 @@
+diff --git a/apps/desktop/scripts/after-pack.js b/apps/desktop/scripts/after-pack.js
+index fd16cd5ffb..05a2325ee1 100644
+--- a/apps/desktop/scripts/after-pack.js
++++ b/apps/desktop/scripts/after-pack.js
+@@ -13,25 +13,6 @@ async function run(context) {
+   console.log("## After pack");
+   // console.log(context);
+ 
+-  if (context.packager.platform.nodeName !== "darwin" || context.arch === builder.Arch.universal) {
+-    await addElectronFuses(context);
+-  }
+-
+-  if (context.electronPlatformName === "linux") {
+-    console.log("Creating memory-protection wrapper script");
+-    const appOutDir = context.appOutDir;
+-    const oldBin = path.join(appOutDir, context.packager.executableName);
+-    const newBin = path.join(appOutDir, "bitwarden-app");
+-    fse.moveSync(oldBin, newBin);
+-    console.log("Moved binary to bitwarden-app");
+-
+-    const wrapperScript = path.join(__dirname, "../resources/memory-dump-wrapper.sh");
+-    const wrapperBin = path.join(appOutDir, context.packager.executableName);
+-    fse.copyFileSync(wrapperScript, wrapperBin);
+-    fse.chmodSync(wrapperBin, "755");
+-    console.log("Copied memory-protection wrapper script");
+-  }
+-
+   if (["darwin", "mas"].includes(context.electronPlatformName)) {
+     const is_mas = context.electronPlatformName === "mas";
+     const is_mas_dev = context.targets.some((e) => e.name === "mas-dev");
+@@ -140,6 +121,8 @@ function getIdentities() {
+  * @param {import("electron-builder").AfterPackContext} context
+  */
+ async function addElectronFuses(context) {
++  return;
++
+   const platform = context.packager.platform.nodeName;
+ 
+   const ext = {