Now I'm co-maintainer of the krux-installer-bin package on AUR 😀
The maintainer of `krux-installer-bin` package on AUR (https://aur.archlinux.org/packages/krux-installer-bin) just updated its code
to `v0.0.1-alpha-6`.
But in its dependencies, it declares `electron 24`.
I will ask for another update to electron 26.2.1 (I cannot be irresponsible with this security issue).
I request help from users and programmers who use Mac to test krux-installer. This post will be a long one, sorry.
A friend, a Mac user, tested and came across the following problem during the `flash` stage (the stage where krux-installer uses a tool the krux firmware).
The problem is with the tool, a `ktool-mac` file:
```bash
Error: 0:336: execution error:
[1047] Cannot open PyInstaller archive from executable (/Users/somefriend/Documents/krux-installer/krux-v23.09.0/ktool-mac)
or external archive (/Users/somefriend/Documents/krux-installer/krux-v23.09.0/ktool-mac.pkg) (255)
at Socket. (/Applications/krux-installer.app/Contents/Resources/app.asar/dist-electron/main/index.js:6:381)
at Socket.emit (node:events:513:28)
at addChunk (node:internal/streams/readable:324:12)
at readableAddChunk (node:internal/streams/readable:297:9)
at Socket.push (node:internal/streams/readable:234:10)
at Pipe.onStreamRead (node:internal/stream_base_commons:190:23)
```
In krux context, `ktool-mac` is an executable packaged with PyInstaller,
for the purpose of running a python script on any operating system,
without having to install python.
But that's not what's happening in our case.
I lightly investigated the problem and found this thread: https://github.com/pyinstaller/pyinstaller/issues/7243
They say that the file (in our case, `ktool-mac`):
- Can be corrupted; or
- have insufficient permissions.
The help that I request is to do the steps below and give some feedback, as a reply to this post, to confirm a corruption or a permission problem:
- (1) download https://github.com/selfcustody/krux/releases/tag/v23.09.0 ;
- (2) extract `ktool-mac` in a separate folder;
- (3) execute, in a terminal, `sha256sum
- (4) download https://github.com/selfcustody/krux-installer/releases/tag/v0.0.1-alpha-6
- (5) Execute steps on software: (a) `select device`; (b) `select-version` (c) `v23.09.0`; (d) `verification`; (e) `flash`;
- (6) Maybe an error will appear; if you want to reproduce the error, feel free to do it;
- (7) Now, execute a `sha256sum /Users/somefriend/Documents/krux-installer/krux-v23.09.0/ktool-mac` (change `somefriend` with your current user);
- (8) save the result hash on next line of the same text file of step 3;
- (9) compare the hashes;
If hashes are the same, we can confirm a permission problem.
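The comparison in steps (3) to (9), as an added example that is not part of the original post or of the krux projects: a shell function that hashes a reference `ktool-mac` and the copy extracted by the installer, and also checks the execute bit (an assumption about what "insufficient permissions" means here). `sha256_of` and `diagnose_ktool` are hypothetical names, and the script falls back to `shasum -a 256` because `sha256sum` is not always present on macOS.

```shell
#!/usr/bin/env bash
# Added example, not code from krux or krux-installer.
# Compares a reference ktool-mac with the copy the installer extracted.

# Print only the SHA-256 hex digest of a file.
# Uses sha256sum when available, otherwise shasum (shipped with macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# diagnose_ktool REFERENCE INSTALLED
# Prints exactly one verdict:
#   missing    - one of the two files does not exist
#   corrupted  - the digests differ, so the installed copy was altered
#   permission - same digest, but the installed copy is not executable
#   identical  - same digest and executable; the cause lies elsewhere
diagnose_ktool() {
  ref=$1
  inst=$2
  if [ ! -f "$ref" ] || [ ! -f "$inst" ]; then
    echo "missing"
    return 0
  fi
  if [ "$(sha256_of "$ref")" != "$(sha256_of "$inst")" ]; then
    echo "corrupted"
    return 0
  fi
  if [ ! -x "$inst" ]; then
    echo "permission"
    return 0
  fi
  echo "identical"
}

# When called with two paths, print the verdict for them.
if [ "$#" -eq 2 ]; then
  diagnose_ktool "$1" "$2"
fi
```

Pass the `ktool-mac` extracted by hand in step (2) as the first argument and the path from step (7) as the second.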
Made a gossip package on AUR (https://aur.archlinux.org/packages/gossip-bin).
It's a Nostr client that encrypts the private key and it's very fast.
There are 2 other options, but they are very processor-intensive, because they compile its `.rs` sources.
- `gossip` (https://aur.archlinux.org/packages/gossip) - out of date;
- `gossip-git` (https://aur.archlinux.org/packages/gossip-git) - keeps updated with git repository;
`gossip-bin` simply downloads the latest pre-compiled `AppImage` (https://github.com/mikedilger/gossip/releases/tag/v0.8.0), extracts its content and installs it on the system.
For archlinux users, there's already an AUR package: `krux-installer-bin` (https://aur.archlinux.org/packages/krux-installer-bin)
You can install with any AUR package manager (yay, paru, aurutils...)
WARN: the krux-installer version isn't updated yet. I already commented to the PKGBUILD author to update it.
Additionally, I will start working on some possible mac bugs and packaging for `deb` and `flatpak` formats.
This was the fastest between releases it had 🚩.
https://github.com/selfcustody/krux-installer/releases/tag/v0.0.1-alpha-6
Like @npub1r4y9mtc2sm020d2fa25qhzept3633ad7mstegu80ur60s4qnqs5sxsuwud said, the vulnerability (see https://forum.obsidian.md/t/urgent-security-issue-please-update-to-electron-26-2-1/67357) would affect only messengers.
I hadn't thought about it and, perhaps, I was hasty in making this release. But anguish took over me and I wouldn't want anyone to end up with a broken device because of it.
@npub16s7exzaa4le983mjvnw7jfatum0jfxqtpfk2uqdel3c4q97uqznst6hyar, as you requested, it now has a pgp signature to verify authenticity.
@odudex already approved the PR. Tests are being run and as soon as they are finished, the release will be done.
A friend just told me about a bug in electron
https://forum.obsidian.md/t/urgent-security-issue-please-update-to-electron-26-2-1/67357
Krux-Installer was built with v26.0.0.
I will replace the version with electron 26.2.1 and put out a new krux-installer v0.0.01-alpha-6.
But this will take some time since krux contributors need to approve a new PR.
Sorry and thank you (for your possible) patience.
Just already published a new release of Krux Installer: https://github.com/selfcustody/krux-installer/releases/tag/v0.0.1-alpha-5