Ensure file permissions when building for Linux and set sha length for test builds

ayumi-signal · web-flow · commit 7bb8a358394d · 2025-09-30T13:17:29.000-07:00
diff --git a/reproducible-builds/docker-entrypoint.sh b/reproducible-builds/docker-entrypoint.sh
@@ -34,9 +34,6 @@ echo "BUILD_TYPE: ${BUILD_TYPE}"
 # UNIX timestamp will be generated at the time of the build, and is non-deterministic.
 echo "SOURCE_DATE_EPOCH: ${SOURCE_DATE_EPOCH}"
 
-# Ensure consistent permissions for files copied via electron builder extraResources
-umask 0022
-
 pnpm install --frozen-lockfile
 pnpm run clean-transpile
 cd sticker-creator
diff --git a/scripts/prepare_tagged_version.js b/scripts/prepare_tagged_version.js
@@ -18,7 +18,7 @@ if (release !== 'alpha' && release !== 'axolotl' && release !== 'adhoc') {
 
 const { generateTaggedVersion } = require('../ts/util/version.js');
 
-const shortSha = execSync('git rev-parse --short HEAD')
+const shortSha = execSync('git rev-parse --short=9 HEAD')
   .toString('utf8')
   .replace(/[\n\r]/g, '');
 
diff --git a/ts/scripts/after-pack.ts b/ts/scripts/after-pack.ts
@@ -5,9 +5,11 @@ import type { AfterPackContext } from 'electron-builder';
 import { afterPack as fuseElectron } from './fuse-electron.js';
 import { afterPack as copyPacks } from './copy-language-packs.js';
 import { afterPack as pruneMacOSRelease } from './prune-macos-release.js';
+import { afterPack as ensureLinuxFilePermissions } from './ensure-linux-file-permissions.js';
 
 export async function afterPack(context: AfterPackContext): Promise<void> {
   await pruneMacOSRelease(context);
   await fuseElectron(context);
   await copyPacks(context);
+  await ensureLinuxFilePermissions(context);
 }
diff --git a/ts/scripts/ensure-linux-file-permissions.ts b/ts/scripts/ensure-linux-file-permissions.ts
@@ -0,0 +1,30 @@
+// Copyright 2025 Signal Messenger, LLC
+// SPDX-License-Identifier: AGPL-3.0-only
+
+import path from 'node:path';
+import { execSync } from 'node:child_process';
+import type { AfterPackContext } from 'electron-builder';
+
+const FILES = [
+  'resources/org.signalapp.enable-backups.policy',
+  'resources/org.signalapp.view-aep.policy',
+];
+
+export async function afterPack({
+  appOutDir,
+  electronPlatformName,
+}: AfterPackContext): Promise<void> {
+  if (electronPlatformName !== 'linux') {
+    return;
+  }
+
+  console.log('Ensuring Linux file permissions');
+
+  for (const file of FILES) {
+    const filePath = path.join(appOutDir, file);
+    // u+rw g+r o+r
+    const command = `chmod 644 "${filePath}"`;
+    console.log(`Running: ${command}`);
+    execSync(command);
+  }
+}
