mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-02-19 17:39:34 +00:00
Code Issues Wiki Activity

signal-desktop: Fix the database encryption by preloading SQLCipher

Browse source 
AFAIK this is the only reliable way for us to ensure SQLCipher will be
loaded instead of SQLite. It feels like a hack/workaround but according
to the SQLCipher developers [0] "this issue can and should be handled
downstream at the application level: 1. While it may feel like a
workaround, using LD_PRELOAD is a legitimate approach here because it
will substitute the system SQLite with SQLCipher which is the intended
usage model;".

This fixes #108772 for NixOS 20.09 users who upgrade to NixOS 21.05 and
replaces #117555.

For nixos-unstable users this will unfortunately break everything again
so we should add a script to ease the transition (in a separate commit
so that we can revert it for NixOS 21.05).

[0]: https://github.com/sqlcipher/sqlcipher/issues/385#issuecomment-802874340
This commit is contained in:
Michael Weiss 2021-05-14 02:23:56 +02:00
parent 1cdf5f4436
commit 940dfa9940
No known key found for this signature in database
GPG key ID: 5BE487C4D4771D83
2 changed files with 10 additions and 5 deletions
nixos/tests
signal-desktop.nix
pkgs/applications/networking/instant-messengers/signal-desktop
default.nix

9
nixos/tests/signal-desktop.nix
View file

@ -44,12 +44,11 @@ import ./make-test-python.nix ({ pkgs, ...} :
# - https://github.com/NixOS/nixpkgs/issues/108772 # - https://github.com/NixOS/nixpkgs/issues/108772
# - https://github.com/NixOS/nixpkgs/pull/117555 # - https://github.com/NixOS/nixpkgs/pull/117555
print(machine.succeed("su - alice -c 'file ~/.config/Signal/sql/db.sqlite'")) print(machine.succeed("su - alice -c 'file ~/.config/Signal/sql/db.sqlite'"))
# TODO: The DB should be encrypted and the following should be machine.fail
# instead of machine.succeed but the DB is currently unencrypted and we
# want to notice if this isn't the case anymore as the transition to a
# encrypted DB can cause data loss!:
machine.succeed( machine.succeed(
"su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep -i sqlite" "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep 'db.sqlite: data'"
)
machine.fail(
"su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep -e SQLite -e database"
) )
''; '';
}) })

6
pkgs/applications/networking/instant-messengers/signal-desktop/default.nix
View file

@ -117,9 +117,15 @@ in stdenv.mkDerivation rec {
runHook postInstall runHook postInstall
''; '';
# Required for $SQLCIPHER_LIB which contains "/build/" inside the path:
noAuditTmpdir = true;
preFixup = '' preFixup = ''
export SQLCIPHER_LIB="$out/lib/Signal/resources/app.asar.unpacked/node_modules/better-sqlite3/build/Release/better_sqlite3.node"
test -x "$SQLCIPHER_LIB" # To ensure the location hasn't changed
gappsWrapperArgs+=( gappsWrapperArgs+=(
--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc ] }" --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc ] }"
--prefix LD_PRELOAD : "$SQLCIPHER_LIB"
${customLanguageWrapperArgs} ${customLanguageWrapperArgs}
) )