commit aa2537b5543d587f4d9a80f327712d0ddf4ada50 · pyrox.dev/nixpkgs

+4 -5

nixos/tests/signal-desktop.nix

···

       44
       44
        
           # - https://github.com/NixOS/nixpkgs/issues/108772

     

       45
       45
        
           # - https://github.com/NixOS/nixpkgs/pull/117555

     

       46
       46
        
           print(machine.succeed("su - alice -c 'file ~/.config/Signal/sql/db.sqlite'"))

     

       47
       47
       -
           # TODO: The DB should be encrypted and the following should be machine.fail

     

       48
       48
       -
           # instead of machine.succeed but the DB is currently unencrypted and we

     

       49
       49
       -
           # want to notice if this isn't the case anymore as the transition to a

     

       50
       50
       -
           # encrypted DB can cause data loss!:

     

       51
       47
        
           machine.succeed(

     

       52
       52
       -
               "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep -i sqlite"

     

       48
       48
       +
               "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep 'db.sqlite: data'"

     

       49
       49
       +
           )

     

       50
       50
       +
           machine.fail(

     

       51
       51
       +
               "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep -e SQLite -e database"

     

       53
       52
        
           )

     

       54
       53
        
         '';

     

       55
       54
        
       })

+92

pkgs/applications/networking/instant-messengers/signal-desktop/db-reencryption-wrapper.py

···

       1
       1
       +
       #!@PYTHON@

     

       2
       2
       +
       

     

       3
       3
       +
       import json

     

       4
       4
       +
       import os

     

       5
       5
       +
       import re

     

       6
       6
       +
       import shlex

     

       7
       7
       +
       import sqlite3

     

       8
       8
       +
       import subprocess

     

       9
       9
       +
       import sys

     

       10
       10
       +
       

     

       11
       11
       +
       

     

       12
       12
       +
       DB_PATH = os.path.join(os.environ['HOME'], '.config/Signal/sql/db.sqlite')

     

       13
       13
       +
       DB_COPY = os.path.join(os.environ['HOME'], '.config/Signal/sql/db.tmp')

     

       14
       14
       +
       CONFIG_PATH = os.path.join(os.environ['HOME'], '.config/Signal/config.json')

     

       15
       15
       +
       

     

       16
       16
       +
       

     

       17
       17
       +
       def zenity_askyesno(title, text):

     

       18
       18
       +
           args = [

     

       19
       19
       +
               '@ZENITY@',

     

       20
       20
       +
               '--question',

     

       21
       21
       +
               '--title',

     

       22
       22
       +
               shlex.quote(title),

     

       23
       23
       +
               '--text',

     

       24
       24
       +
               shlex.quote(text)

     

       25
       25
       +
           ]

     

       26
       26
       +
           return subprocess.run(args).returncode == 0

     

       27
       27
       +
       

     

       28
       28
       +
       

     

       29
       29
       +
       def start_signal():

     

       30
       30
       +
           os.execvp('@SIGNAL-DESKTOP@', ['@SIGNAL-DESKTOP@'] + sys.argv[1:])

     

       31
       31
       +
       

     

       32
       32
       +
       

     

       33
       33
       +
       def copy_pragma(name):

     

       34
       34
       +
           result = subprocess.run([

     

       35
       35
       +
               '@SQLCIPHER@',

     

       36
       36
       +
               DB_PATH,

     

       37
       37
       +
               f"PRAGMA {name};"

     

       38
       38
       +
           ], check=True, capture_output=True).stdout

     

       39
       39
       +
           result = re.search(r'[0-9]+', result.decode()).group(0)

     

       40
       40
       +
           subprocess.run([

     

       41
       41
       +
               '@SQLCIPHER@',

     

       42
       42
       +
               DB_COPY,

     

       43
       43
       +
               f"PRAGMA key = \"x'{key}'\"; PRAGMA {name} = {result};"

     

       44
       44
       +
           ], check=True, capture_output=True)

     

       45
       45
       +
       

     

       46
       46
       +
       

     

       47
       47
       +
       try:

     

       48
       48
       +
           # Test if DB is encrypted:

     

       49
       49
       +
           con = sqlite3.connect(f'file:{DB_PATH}?mode=ro', uri=True)

     

       50
       50
       +
           cursor = con.cursor()

     

       51
       51
       +
           cursor.execute("SELECT name FROM sqlite_master WHERE type='table';")

     

       52
       52
       +
           con.close()

     

       53
       53
       +
       except:

     

       54
       54
       +
           # DB is encrypted, everything ok:

     

       55
       55
       +
           start_signal()

     

       56
       56
       +
       

     

       57
       57
       +
       

     

       58
       58
       +
       # DB is unencrypted!

     

       59
       59
       +
       answer = zenity_askyesno(

     

       60
       60
       +
               "Error: Signal-Desktop database is not encrypted",

     

       61
       61
       +
               "Should we try to fix this automatically?"

     

       62
       62
       +
               + "You likely want to backup ~/.config/Signal/ first."

     

       63
       63
       +
       )

     

       64
       64
       +
       if not answer:

     

       65
       65
       +
           answer = zenity_askyesno(

     

       66
       66
       +
                   "Launch Signal-Desktop",

     

       67
       67
       +
                   "DB is unencrypted, should we still launch Signal-Desktop?"

     

       68
       68
       +
                   + "Warning: This could result in data loss!"

     

       69
       69
       +
           )

     

       70
       70
       +
           if not answer:

     

       71
       71
       +
               print('Aborted')

     

       72
       72
       +
               sys.exit(0)

     

       73
       73
       +
           start_signal()

     

       74
       74
       +
       

     

       75
       75
       +
       # Re-encrypt the DB:

     

       76
       76
       +
       with open(CONFIG_PATH) as json_file:

     

       77
       77
       +
           key = json.load(json_file)['key']

     

       78
       78
       +
       result = subprocess.run([

     

       79
       79
       +
           '@SQLCIPHER@',

     

       80
       80
       +
           DB_PATH,

     

       81
       81
       +
           f" ATTACH DATABASE '{DB_COPY}' AS signal_db KEY \"x'{key}'\";"

     

       82
       82
       +
           + " SELECT sqlcipher_export('signal_db');"

     

       83
       83
       +
           + " DETACH DATABASE signal_db;"

     

       84
       84
       +
       ]).returncode

     

       85
       85
       +
       if result != 0:

     

       86
       86
       +
           print('DB encryption failed')

     

       87
       87
       +
           sys.exit(1)

     

       88
       88
       +
       # Need to copy user_version and schema_version manually:

     

       89
       89
       +
       copy_pragma('user_version')

     

       90
       90
       +
       copy_pragma('schema_version')

     

       91
       91
       +
       os.rename(DB_COPY, DB_PATH)

     

       92
       92
       +
       start_signal()

+20 -1

pkgs/applications/networking/instant-messengers/signal-desktop/default.nix

···

       10
       10
        
       , hunspellDicts, spellcheckerLanguage ? null # E.g. "de_DE"

     

       11
       11
        
       # For a full list of available languages:

     

       12
       12
        
       # $ cat pkgs/development/libraries/hunspell/dictionaries.nix | grep "dictFileName =" | awk '{ print $3 }'

     

       13
       13
       +
       , python3

     

       14
       14
       +
       , gnome

     

       15
       15
       +
       , sqlcipher

     

       13
       16
        
       }:

     

       14
       17
        
       

     

       15
       18
        
       let

     
···

       112
       115
        
       

     

       113
       116
        
           # Symlink to bin

     

       114
       117
        
           mkdir -p $out/bin

     

       115
       115
       -
           ln -s $out/lib/Signal/signal-desktop $out/bin/signal-desktop

     

       118
       118
       +
           ln -s $out/lib/Signal/signal-desktop $out/bin/signal-desktop-unwrapped

     

       116
       119
        
       

     

       117
       120
        
           runHook postInstall

     

       118
       121
        
         '';

     

       122
       122
       +
       

     

       123
       123
       +
         # Required for $SQLCIPHER_LIB which contains "/build/" inside the path:

     

       124
       124
       +
         noAuditTmpdir = true;

     

       119
       125
        
       

     

       120
       126
        
         preFixup = ''

     

       127
       127
       +
           export SQLCIPHER_LIB="$out/lib/Signal/resources/app.asar.unpacked/node_modules/better-sqlite3/build/Release/better_sqlite3.node"

     

       128
       128
       +
           test -x "$SQLCIPHER_LIB" # To ensure the location hasn't changed

     

       121
       129
        
           gappsWrapperArgs+=(

     

       122
       130
        
             --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc ] }"

     

       131
       131
       +
             --prefix LD_PRELOAD : "$SQLCIPHER_LIB"

     

       123
       132
        
             ${customLanguageWrapperArgs}

     

       124
       133
        
           )

     

       125
       134
        
       

     
···

       129
       138
        
       

     

       130
       139
        
           autoPatchelf --no-recurse -- $out/lib/Signal/

     

       131
       140
        
           patchelf --add-needed ${libpulseaudio}/lib/libpulse.so $out/lib/Signal/resources/app.asar.unpacked/node_modules/ringrtc/build/linux/libringrtc.node

     

       141
       141
       +
         '';

     

       142
       142
       +
       

     

       143
       143
       +
         postFixup = ''

     

       144
       144
       +
           # This hack is temporarily required to avoid data-loss for users:

     

       145
       145
       +
           cp ${./db-reencryption-wrapper.py} $out/bin/signal-desktop

     

       146
       146
       +
           substituteInPlace $out/bin/signal-desktop \

     

       147
       147
       +
             --replace '@PYTHON@' '${python3}/bin/python3' \

     

       148
       148
       +
             --replace '@ZENITY@' '${gnome.zenity}/bin/zenity' \

     

       149
       149
       +
             --replace '@SQLCIPHER@' '${sqlcipher}/bin/sqlcipher' \

     

       150
       150
       +
             --replace '@SIGNAL-DESKTOP@' "$out/bin/signal-desktop-unwrapped"

     

       132
       151
        
         '';

     

       133
       152
        
       

     

       134
       153
        
         # Tests if the application launches and waits for "Link your phone to Signal Desktop":