Merge branch 'develop' into t3chguy/dynamic-protocol

Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>

.github/SSLcom-sandbox.crt

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGBzCCA++gAwIBAgIIaI6ivggL++4wDQYJKoZIhvcNAQELBQAwgZAxCzAJBgNV
+BAYTAlVTMQ4wDAYDVQQIDAVUZXhhczEQMA4GA1UEBwwHSG91c3RvbjEYMBYGA1UE
+CgwPU1NMIENvcnBvcmF0aW9uMUUwQwYDVQQDDDxTU0wuY29tIEVWIFJvb3QgQ2Vy
+dGlmaWNhdGlvbiBBdXRob3JpdHkgUlNBIFIyIC0gRGV2ZWxvcG1lbnQwHhcNMTgw
+MTE2MTIxNjM2WhcNNDMwMTE1MTIxNjM2WjCBkDELMAkGA1UEBhMCVVMxDjAMBgNV
+BAgMBVRleGFzMRAwDgYDVQQHDAdIb3VzdG9uMRgwFgYDVQQKDA9TU0wgQ29ycG9y
+YXRpb24xRTBDBgNVBAMMPFNTTC5jb20gRVYgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1
+dGhvcml0eSBSU0EgUjIgLSBEZXZlbG9wbWVudDCCAiIwDQYJKoZIhvcNAQEBBQAD
+ggIPADCCAgoCggIBAK/qcD65JCkueKp0+KXG2kAw8euDHuraLR3lJoUFz4ilGK1M
+t+RjSuY6dHQw8ku7TnW9ejWoSFjCBSDx7tP/fzOwOxmBW6+F1NDuV/IaUtn3G2lk
+CZglVk9z3n1HuWDN10xNiLoo5nzeIlvNAoDbXDGhI4Y6Z0qouAIS607JpJMWHOqZ
+OUiiOuM11gI5Kz9GtVttXCjRmwlkU8WiJVIUuVedQAQt2FChrzNQewGFFi0uIau/
+wFRclx6hd4JRIImC6VMJd9lcitWsqMcM94pD3fX2ozNgWX+MVlmcDYFSN9Sv8tG4
+yCj4ONS8HZGzbxeyQXJhEJSi2FnBi0j6MD/d4DNFj0hCg9wz3fgVLDGCO0pNMO0Y
+oXdrzfoj1/zEv0Ibgh7zKG2JHkPfapn3ExFI5d6xi66u5tPVI8cvLxqrgybRPs7Z
+y1dQA7ew3LyTPAHoGtbTMvewtx1TkTtRxxhRRm0l58owqSVbSYrixFtosNobCERo
+uiknaQqoY1ZDsdKsaqFoZDbntNRYhN3Ea4OPWVqDUU5ZPz9MTIRAi3MIq854yyQo
+BjX9nv+kYa+Esr19pxUW0z7BWFhbXsMVpt0QMVyhwgzXvEreaZHFwHHaGb9d5x5P
+VBDhsigMmtzBk9NlbCsy+uGXWHgZA/DVefueEq0sv38VoU30uYa5Tj0FLm09AgMB
+AAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUI9PCucv3G9fRoTDu
+ZQ4Hw6g4PkIwHQYDVR0OBBYEFCPTwrnL9xvX0aEw7mUOB8OoOD5CMA4GA1UdDwEB
+/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAk43CCrC0Zbvi7YUsSePKi+KzvyQ9
+mjKa5NBU/A5/sLeZS3R+wqCX7l5euYVDsUuNgNVD/QL9jNIonuHBrvKaxkmqxE1r
+IcDEaUdjy2lQ0uqD7UDoS3ctrjGkPpUahrTdr3gaKcQBtUhn9v4Y2OBm6J1hDVwI
+CIKcxIzRv6AUpApOtk+++m5tzDU48t8+GzrVl1hkspSYcumA+zuHllbPDL1ADdo5
+kK/bBQtZrGqzPqKzeqaB1A5Wm0Igwf++7nyzdKNdjxtv907D9vg8EB4Swavuv/Ne
+5/jbpI32pz0NIzzSl5ARAHuFhILsO/cEAlloDoTHzibHqFDIeU9/59HMUsJYMOtD
+Ii0/LmQ6dBE4TeukCCLJwtkFYZ2eBgDjF/LHBB+z/UBs4milRgwx+Pe5UDUEjtGe
+G/XMVnTSKZTy9jMaXJD5EmfP+Cfh8EEgFgjg4AmLUbEo9gXzPxyXSLgd8JGSsjg8
+EV/Ri4Mmmt4XUwlSVvEOezxxDGd17gwbottCIC+rqPHonHkGmKpLMH80Bk0uOOCs
+ui1oVwSifMyIcudgCcOfRLUf/f2j2NW7N7E7Vw/Zqfn+pqp/EG0KCqOM2vfJAc0s
+u3rSrOJZGtB6txgtmTjoadxApWf4U/FCi3uArt6gS5MJqZjuiRNXs/K3SlSAqLGl
+5UiG52ew+VdBHzE=
+-----END CERTIFICATE-----

.github/workflows/build_and_deploy.yaml

@@ -62,7 +62,7 @@ jobs:
         name: Windows ${{ matrix.arch }}
         strategy:
             matrix:
-                arch: [ia32, x64]
+                arch: [x64, arm64]
         uses: ./.github/workflows/build_windows.yaml
         secrets: inherit
         with:
@@ -92,7 +92,6 @@ jobs:
         uses: ./.github/workflows/build_linux.yaml
         with:
             arch: ${{ matrix.arch }}
-            config: ${{ needs.prepare.outputs.config }}
             sqlcipher: ${{ matrix.sqlcipher }}
             version: ${{ needs.prepare.outputs.nightly-version }}
 
@@ -108,12 +107,14 @@ jobs:
         environment: ${{ needs.prepare.outputs.deploy == 'true' && 'packages.element.io' || '' }}
         steps:
             - name: Download artifacts
-              uses: actions/download-artifact@v4
+              uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 
             - name: Prepare artifacts for deployment
               run: |
+                  set -x
+
                   # Windows
-                  for arch in x64 ia32 arm64
+                  for arch in x64 arm64
                   do
                       if [ -d "win-$arch" ]; then
                           mkdir -p packages.element.io/{install,update}/win32/$arch
@@ -145,8 +146,10 @@ jobs:
             - name: "[Nightly] Strip version from installer file"
               if: needs.prepare.outputs.nightly-version != ''
               run: |
+                  set -x
+
                   # Windows
-                  for arch in x64 ia32 arm64
+                  for arch in x64 arm64
                   do
                       [ -d "win-$arch" ] && mv packages.element.io/install/win32/$arch/{*,"Element Nightly Setup"}.exe
                   done
@@ -161,8 +164,10 @@ jobs:
             - name: "[Release] Prepare release latest symlink"
               if: needs.prepare.outputs.nightly-version == ''
               run: |
+                  set -x
+
                   # Windows
-                  for arch in x64 ia32 arm64
+                  for arch in x64 arm64
                   do
                       if [ -d "win-$arch" ]; then
                           pushd packages.element.io/install/win32/$arch
@@ -192,23 +197,17 @@ jobs:
 
             - name: Stash packages.element.io
               if: needs.prepare.outputs.deploy == 'false'
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
               with:
                   name: packages.element.io
                   path: packages.element.io
 
-            # Workaround for https://www.cloudflarestatus.com/incidents/t5nrjmpxc1cj
-            - uses: unfor19/install-aws-cli-action@e8b481e524a99f37fbd39fdc1dcb3341ab091367 # v1
-              if: needs.prepare.outputs.deploy == 'true'
-              with:
-                  version: 2.22.35
-                  verbose: false
-                  arch: amd64
-
+            # Checksum algorithm specified as per https://developers.cloudflare.com/r2/examples/aws/aws-cli/
             - name: Deploy artifacts
               if: needs.prepare.outputs.deploy == 'true'
               run: |
-                  aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto
+                  set -x
+                  aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto --checksum-algorithm CRC32
               env:
                   AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                   AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
@@ -227,6 +226,8 @@ jobs:
               id: deb
               if: needs.linux.result == 'success'
               run: |
+                  set -x
+
                   for arch in amd64 arm64
                   do
                       echo "$arch=$(ls linux-$arch-sqlcipher-static/*.deb | tail -n1)" >> $GITHUB_OUTPUT
@@ -234,7 +235,7 @@ jobs:
 
             - name: Stash debs
               if: needs.prepare.outputs.deploy == 'false' && needs.linux.result == 'success'
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
               with:
                   name: debs
                   path: |
@@ -273,19 +274,21 @@ jobs:
             id-token: write # This is required for requesting the JWT
         steps:
             - name: Configure AWS credentials
-              uses: aws-actions/configure-aws-credentials@v4
+              uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
               with:
                   role-to-assume: arn:aws:iam::264135176173:role/Push-ElementDesktop-MSI
                   role-session-name: githubaction-run-${{ github.run_id }}
                   aws-region: ${{ env.AWS_REGION }}
 
             - name: Download artifacts
-              uses: actions/download-artifact@v4
+              uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
               with:
                   pattern: win-*
 
             - name: Copy files to S3
               run: |
+                  set -x
+
                   PREFIX="${VERSION%.*}"
                   for file in win-*/*.msi; do
                       filename=$(basename "$file")

.github/workflows/build_and_test.yaml

@@ -13,8 +13,9 @@ jobs:
         permissions:
             contents: read
         with:
-            config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }}
-            version: ${{ github.event.pull_request.base.ref == 'develop' && 'develop' || '' }}
+            config: ${{ (github.event.pull_request.base.ref || github.ref_name) == 'develop' && 'element.io/nightly' || 'element.io/release' }}
+            version: ${{ (github.event.pull_request.base.ref || github.ref_name) == 'develop' && 'develop' || '' }}
+            branch-matching: true
 
     windows:
         needs: fetch
@@ -22,9 +23,10 @@ jobs:
         uses: ./.github/workflows/build_windows.yaml
         strategy:
             matrix:
-                arch: [x64, ia32]
+                arch: [x64, ia32, arm64]
         with:
             arch: ${{ matrix.arch }}
+            blob_report: true
 
     linux:
         needs: fetch
@@ -35,110 +37,49 @@ jobs:
                 sqlcipher: [system, static]
                 arch: [amd64, arm64]
         with:
-            config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }}
             sqlcipher: ${{ matrix.sqlcipher }}
             arch: ${{ matrix.arch }}
+            blob_report: true
 
     macos:
         needs: fetch
         name: macOS
         uses: ./.github/workflows/build_macos.yaml
+        with:
+            blob_report: true
 
-    test:
-        needs:
-            - macos
-            - linux
-            - windows
-        strategy:
-            matrix:
-                include:
-                    - name: macOS Universal
-                      os: macos-14
-                      artifact: macos
-                      executable: "/Users/runner/Applications/Element.app/Contents/MacOS/Element"
-                      # We need to mount the DMG and copy the app to the Applications folder as a mounted DMG is
-                      # read-only and thus would not allow us to override the fuses as is required for Playwright.
-                      prepare_cmd: |
-                          hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element &&
-                          rsync -a /Volumes/Element/Element.app ~/Applications/ &&
-                          hdiutil detach /Volumes/Element
-                    - name: "Linux (amd64) (sqlcipher: system)"
-                      os: ubuntu-22.04
-                      artifact: linux-amd64-sqlcipher-system
-                      executable: "/opt/Element/element-desktop"
-                      prepare_cmd: "sudo apt-get -qq update && sudo apt install ./dist/*.deb"
-                    - name: "Linux (amd64) (sqlcipher: static)"
-                      os: ubuntu-22.04
-                      artifact: linux-amd64-sqlcipher-static
-                      executable: "/opt/Element/element-desktop"
-                      prepare_cmd: "sudo apt-get -qq update && sudo apt install ./dist/*.deb"
-                    - name: "Linux (arm64) (sqlcipher: system)"
-                      os: ubuntu-22.04-arm
-                      artifact: linux-arm64-sqlcipher-system
-                      executable: "/opt/Element/element-desktop"
-                      prepare_cmd: "sudo apt-get -qq update && sudo apt install -y ./dist/*.deb"
-                    - name: "Linux (arm64) (sqlcipher: static)"
-                      os: ubuntu-22.04-arm
-                      artifact: linux-arm64-sqlcipher-static
-                      executable: "/opt/Element/element-desktop"
-                      prepare_cmd: "sudo apt-get -qq update && sudo apt install -y ./dist/*.deb"
-                    - name: Windows (x86)
-                      os: windows-2022
-                      artifact: win-ia32
-                      executable: "./dist/win-ia32-unpacked/Element.exe"
-                    - name: Windows (x64)
-                      os: windows-2022
-                      artifact: win-x64
-                      executable: "./dist/win-unpacked/Element.exe"
-        name: Test ${{ matrix.name }}
-        runs-on: ${{ matrix.os }}
+    tests-done:
+        needs: [windows, linux, macos]
+        runs-on: ubuntu-24.04
+        if: always()
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
-                  node-version-file: package.json
                   cache: "yarn"
+                  node-version: "lts/*"
 
-            - name: Install Deps
-              run: "yarn install --frozen-lockfile"
+            - name: Install dependencies
+              run: yarn install --frozen-lockfile
 
-            - uses: actions/download-artifact@v4
+            - name: Download blob reports from GitHub Actions Artifacts
+              uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
               with:
-                  name: ${{ matrix.artifact }}
-                  path: dist
+                  pattern: blob-report-*
+                  path: all-blob-reports
+                  merge-multiple: true
 
-            - name: Prepare for tests
-              run: ${{ matrix.prepare_cmd }}
-              if: matrix.prepare_cmd
-
-            # We previously disabled the `EnableNodeCliInspectArguments` fuse, but Playwright requires
-            # it to be enabled to test Electron apps, so turn it back on.
-            - name: Set EnableNodeCliInspectArguments fuse enabled
-              run: $RUN_AS npx @electron/fuses write --app ${{ matrix.executable }} EnableNodeCliInspectArguments=on
-              shell: bash
-              env:
-                  # We need sudo on Linux as it is installed in /opt/
-                  RUN_AS: ${{ runner.os == 'Linux' && 'sudo' || '' }}
-
-            - name: Workaround macOS GHA permission issues
-              if: runner.os == 'macOS'
-              run: |
-                  sqlite3 $HOME/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT OR IGNORE INTO access VALUES ('kTCCServiceMicrophone','/usr/local/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159,NULL,NULL,'UNUSED',1687786159);"
-                  sqlite3 $HOME/Library/Application\ Support/com.apple.TCC/TCC.db "INSERT OR IGNORE INTO access VALUES ('kTCCServiceMicrophone','/opt/off/opt/runner/provisioner/provisioner',1,2,4,1,NULL,NULL,0,'UNUSED',NULL,0,1687786159,NULL,NULL,'UNUSED',1687786159);"
-
-            - name: Run tests
-              uses: coactions/setup-xvfb@6b00cf1889f4e1d5a48635647013c0508128ee1a
-              timeout-minutes: 5
-              with:
-                  run: "yarn test ${{ runner.os != 'Linux' && '--ignore-snapshots' || '' }}"
-              env:
-                  ELEMENT_DESKTOP_EXECUTABLE: ${{ matrix.executable }}
+            - name: Merge into HTML Report
+              run: yarn playwright merge-reports -c ./playwright.config.ts --reporter=html ./all-blob-reports
 
             - name: Upload HTML report
               if: always()
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
               with:
-                  name: ${{ matrix.artifact }}-test
-                  path: playwright/html-report
+                  name: html-report
+                  path: playwright-report
                   retention-days: 14
+
+            - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
+              run: exit 1

.github/workflows/build_linux.yaml

@@ -8,10 +8,6 @@ on:
                 type: string
                 required: true
                 description: "The architecture to build for, one of 'amd64' | 'arm64'"
-            config:
-                type: string
-                required: true
-                description: "The config directory to use"
             version:
                 type: string
                 required: false
@@ -20,6 +16,10 @@ on:
                 type: string
                 required: true
                 description: "How to link sqlcipher, one of 'system' | 'static'"
+            blob_report:
+                type: boolean
+                required: false
+                description: "Whether to run the blob report"
 env:
     SQLCIPHER_BUNDLED: ${{ inputs.sqlcipher == 'static' && '1' || '' }}
     MAX_GLIBC: 2.31 # bullseye-era glibc, used by glibc-check.sh
@@ -60,23 +60,23 @@ jobs:
                         }
                       }
 
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/download-artifact@v4
+            - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
               with:
                   name: webapp
 
             - name: Cache .hak
               id: cache
-              uses: actions/cache@v4
+              uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
               with:
                   key: ${{ runner.os }}-${{ github.ref_name }}-${{ inputs.sqlcipher }}-${{ inputs.arch }}-${{ hashFiles('hakHash', 'electronVersion', 'dockerbuild/*') }}
                   path: |
                       ./.hak
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
-                  node-version-file: package.json
+                  node-version-file: .node-version
                   cache: "yarn"
               env:
                   # Workaround for https://github.com/actions/setup-node/issues/317
@@ -88,17 +88,17 @@ jobs:
             - name: "Get modified files"
               id: changed_files
               if: steps.cache.outputs.cache-hit != 'true' && github.event_name == 'pull_request'
-              uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45
+              uses: tj-actions/changed-files@823fcebdb31bb35fdf2229d9f769b400309430d0 # v46
               with:
                   files: |
                       dockerbuild/**
 
             # This allows contributors to test changes to the dockerbuild image within a pull request
             - name: Build docker image
-              uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
+              uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
               if: steps.changed_files.outputs.any_modified == 'true'
               with:
-                  context: dockerbuild
+                  file: dockerbuild/Dockerfile
                   load: true
                   platforms: linux/${{ inputs.arch }}
                   tags: ${{ env.HAK_DOCKER_IMAGE }}
@@ -123,11 +123,6 @@ jobs:
                       ./scripts/glibc-check.sh $filename
                   done
 
-            - name: "[Nightly] Resolve version"
-              if: inputs.version != ''
-              run: |
-                  echo "ED_NIGHTLY=${{ inputs.version }}" >> $GITHUB_ENV
-
             - name: Generate debian files and arguments
               run: |
                   if [ -f changelog.Debian ]; then
@@ -144,6 +139,9 @@ jobs:
 
             - name: Build App
               run: yarn build --publish never -l ${{ steps.config.outputs.build-args }}
+              env:
+                  # Only set for Nightly builds
+                  ED_NIGHTLY: ${{ inputs.version }}
 
             - name: Check native libraries
               run: |
@@ -175,10 +173,29 @@ jobs:
 
             # We exclude *-unpacked as it loses permissions and the tarball contains it with correct permissions
             - name: Upload Artifacts
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
               with:
                   name: linux-${{ inputs.arch }}-sqlcipher-${{ inputs.sqlcipher }}
                   path: |
                       dist
                       !dist/*-unpacked/**
                   retention-days: 1
+
+            - name: Assert all required files are present
+              run: |
+                  test -f ./dist/element-desktop*$ARCH.deb
+                  test -f ./dist/element-desktop*.tar.gz
+              env:
+                  ARCH: ${{ inputs.arch }}
+
+    test:
+        needs: build
+        uses: ./.github/workflows/build_test.yaml
+        with:
+            artifact: linux-${{ inputs.arch }}-sqlcipher-${{ inputs.sqlcipher }}
+            runs-on: ${{ inputs.arch == 'arm64' && 'ubuntu-22.04-arm' || 'ubuntu-22.04' }}
+            executable: /opt/Element*/element-desktop*
+            prepare_cmd: |
+                sudo apt-get -qq update
+                sudo apt install ./dist/*.deb
+            blob_report: ${{ inputs.blob_report }}

.github/workflows/build_macos.yaml

@@ -27,21 +27,25 @@ on:
                 type: string
                 required: false
                 description: "The URL to which the output will be deployed."
+            blob_report:
+                type: boolean
+                required: false
+                description: "Whether to run the blob report"
 permissions: {} # No permissions required
 jobs:
     build:
         runs-on: macos-14 # M1
         environment: ${{ inputs.sign && 'packages.element.io' || '' }}
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/download-artifact@v4
+            - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
               with:
                   name: webapp
 
             - name: Cache .hak
               id: cache
-              uses: actions/cache@v4
+              uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
               with:
                   key: ${{ runner.os }}-${{ hashFiles('hakHash', 'electronVersion') }}
                   path: |
@@ -56,30 +60,25 @@ jobs:
                   rustup target add x86_64-apple-darwin
 
             # M1 macos-14 comes without Python preinstalled
-            - uses: actions/setup-python@v5
+            - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
               with:
-                  python-version: "3.12"
+                  python-version: "3.13"
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
-                  node-version-file: package.json
+                  node-version-file: .node-version
                   cache: "yarn"
 
-            # Does not need branch matching as only analyses this layer
             - name: Install Deps
               run: "yarn install --frozen-lockfile"
 
+            # Python 3.12 drops distutils which keytar relies on
+            - name: Install setuptools
+              run: pip3 install setuptools
+
             - name: Build Natives
               if: steps.cache.outputs.cache-hit != 'true'
-              run: |
-                  # Python 3.12 drops distutils which keytar relies on
-                  pip3 install setuptools
-                  yarn build:native:universal
-
-            - name: "[Nightly] Resolve version"
-              if: inputs.version != ''
-              run: |
-                  echo "ED_NIGHTLY=${{ inputs.version }}" >> $GITHUB_ENV
+              run: yarn build:native:universal
 
             # We split these because electron-builder gets upset if we set CSC_LINK even to an empty string
             - name: "[Signed] Build App"
@@ -92,6 +91,8 @@ jobs:
                   APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
                   CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
                   CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}
+                  # Only set for Nightly builds
+                  ED_NIGHTLY: ${{ inputs.version }}
 
             - name: Check app was signed & notarised successfully
               if: inputs.sign != ''
@@ -136,10 +137,30 @@ jobs:
 
             # We exclude mac-universal as the unpacked app takes forever to upload and zip and dmg already contains it
             - name: Upload Artifacts
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
               with:
                   name: macos
                   path: |
                       dist
                       !dist/mac-universal/**
                   retention-days: 1
+
+            - name: Assert all required files are present
+              run: |
+                  test -f ./dist/Element*.dmg
+                  test -f ./dist/Element*-mac.zip
+
+    test:
+        needs: build
+        uses: ./.github/workflows/build_test.yaml
+        with:
+            artifact: macos
+            runs-on: macos-14
+            executable: /Users/runner/Applications/Element*.app/Contents/MacOS/Element*
+            # We need to mount the DMG and copy the app to the Applications folder as a mounted DMG is
+            # read-only and thus would not allow us to override the fuses as is required for Playwright.
+            prepare_cmd: |
+                hdiutil attach ./dist/*.dmg -mountpoint /Volumes/Element &&
+                rsync -a /Volumes/Element/Element*.app ~/Applications/ &&
+                hdiutil detach /Volumes/Element
+            blob_report: ${{ inputs.blob_report }}

.github/workflows/build_prepare.yaml

@@ -20,6 +20,11 @@ on:
                 required: false
                 default: false
                 description: "Whether the build should be deployed to production"
+            branch-matching:
+                type: boolean
+                required: false
+                default: false
+                description: "Whether the branch name should be matched to find the element-web commit"
         secrets:
             # Required if `nightly` is set
             CF_R2_ACCESS_KEY_ID:
@@ -34,12 +39,9 @@ on:
             packages-dir:
                 description: "The directory non-deb packages for this run should live in within packages.element.io"
                 value: ${{ inputs.nightly && 'nightly' || 'desktop' }}
-            # These are just simple pass-throughs of the input to simplify reuse of complex inline conditions
-            config:
-                description: "The relative path to the config file for this run"
-                value: ${{ inputs.config }}
+            # This is just a simple pass-through of the input to simplify reuse of complex inline conditions
             deploy:
-                description: "The relative path to the config file for this run"
+                description: "Whether the build should be deployed to production"
                 value: ${{ inputs.deploy }}
 permissions: {}
 jobs:
@@ -52,17 +54,35 @@ jobs:
         outputs:
             nightly-version: ${{ steps.versions.outputs.nightly }}
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
-                  node-version-file: package.json
+                  node-version-file: .node-version
                   cache: "yarn"
 
             - name: Install Deps
               run: "yarn install --frozen-lockfile"
 
-            - name: Fetch Element Web
+            - name: Fetch Element Web (matching branch)
+              id: branch-matching
+              if: inputs.branch-matching
+              continue-on-error: true
+              run: |
+                  scripts/branch-match.sh
+                  cp "$CONFIG_DIR/config.json" element-web/
+                  yarn --cwd element-web install --frozen-lockfile
+                  yarn --cwd element-web run build
+                  mv element-web/webapp .
+                  yarn asar-webapp
+              env:
+                  # These must be set for branch-match.sh to get the right branch
+                  REPOSITORY: ${{ github.repository }}
+                  PR_NUMBER: ${{ github.event.pull_request.number }}
+                  CONFIG_DIR: ${{ inputs.config }}
+
+            - name: Fetch Element Web (${{ inputs.version }})
+              if: steps.branch-matching.outcome == 'failure' || steps.branch-matching.outcome == 'skipped'
               run: yarn run fetch --noverify -d ${{ inputs.config }} ${{ inputs.version }}
 
             # We split this out to save the build_* scripts having to do it to make use of `hashFiles` in the cache action
@@ -83,7 +103,7 @@ jobs:
                   aws s3 cp s3://$R2_BUCKET/debian/dists/default/main/binary-amd64/Packages - --endpoint-url $R2_URL --region auto | grep "Package: element-nightly" -A 50 | grep Version -m1 | sed -n 's/Version: //p' >> VERSIONS
                   aws s3 cp s3://$R2_BUCKET/debian/dists/default/main/binary-arm64/Packages - --endpoint-url $R2_URL --region auto | grep "Package: element-nightly" -A 50 | grep Version -m1 | sed -n 's/Version: //p' >> VERSIONS
                   aws s3 cp s3://$R2_BUCKET/nightly/update/win32/x64/RELEASES - --endpoint-url $R2_URL --region auto | awk '{print $2}' | cut -d "-" -f 5 | cut -c 8- >> VERSIONS
-                  aws s3 cp s3://$R2_BUCKET/nightly/update/win32/ia32/RELEASES - --endpoint-url $R2_URL --region auto | awk '{print $2}' | cut -d "-" -f 5 | cut -c 8- >> VERSIONS
+                  aws s3 cp s3://$R2_BUCKET/nightly/update/win32/arm64/RELEASES - --endpoint-url $R2_URL --region auto | awk '{print $2}' | cut -d "-" -f 5 | cut -c 8- >> VERSIONS
 
                   # Pick the greatest one
                   VERSION=$(cat VERSIONS | sort -uf | tail -n1)
@@ -93,8 +113,6 @@ jobs:
               env:
                   AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }}
                   AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }}
-                  # Workaround for https://www.cloudflarestatus.com/incidents/t5nrjmpxc1cj
-                  AWS_REQUEST_CHECKSUM_CALCULATION: when_required
                   R2_BUCKET: ${{ vars.R2_BUCKET }}
                   R2_URL: ${{ vars.CF_R2_S3_API }}
 
@@ -142,7 +160,7 @@ jobs:
                   echo "| Element Web | [$WEB_VERSION](https://github.com/element-hq/element-web/commit/$WEB_VERSION) |" >> $GITHUB_STEP_SUMMARY
                   echo "| JS SDK      | [$JS_VERSION](https://github.com/matrix-org/matrix-js-sdk/commit/$JS_VERSION) |" >> $GITHUB_STEP_SUMMARY
 
-            - uses: actions/upload-artifact@v4
+            - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
               with:
                   name: webapp
                   retention-days: 1

.github/workflows/build_test.yaml

@@ -0,0 +1,90 @@
+# This action helps run Playwright tests within one of the build_* stages.
+on:
+    workflow_call:
+        inputs:
+            runs-on:
+                type: string
+                required: true
+                description: "The runner image to use"
+            artifact:
+                type: string
+                required: true
+                description: "The name of the artifact to download"
+            executable:
+                type: string
+                required: true
+                description: "Path to the executable to test"
+            prepare_cmd:
+                type: string
+                required: false
+                description: "Command to run to prepare the executable or environment for testing"
+            blob_report:
+                type: boolean
+                default: false
+                description: "Whether to upload a blob report instead of the HTML report"
+permissions: {}
+jobs:
+    test:
+        runs-on: ${{ inputs.runs-on }}
+        steps:
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+              with:
+                  node-version-file: .node-version
+                  cache: "yarn"
+
+            - name: Install Deps
+              run: "yarn install --frozen-lockfile"
+
+            - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+              with:
+                  name: ${{ inputs.artifact }}
+                  path: dist
+
+            - name: Prepare for tests
+              run: ${{ inputs.prepare_cmd }}
+              if: inputs.prepare_cmd
+
+            - name: Expand executable path
+              id: executable
+              shell: bash
+              env:
+                  EXECUTABLE: ${{ inputs.executable }}
+              run: |
+                  FILES=($EXECUTABLE)
+                  echo "path=${FILES[0]}" >> $GITHUB_OUTPUT
+
+            # We previously disabled the `EnableNodeCliInspectArguments` fuse, but Playwright requires
+            # it to be enabled to test Electron apps, so turn it back on.
+            - name: Set EnableNodeCliInspectArguments fuse enabled
+              run: $RUN_AS npx @electron/fuses write --app "$EXECUTABLE" EnableNodeCliInspectArguments=on
+              shell: bash
+              env:
+                  # We need sudo on Linux as it is installed in /opt/
+                  RUN_AS: ${{ runner.os == 'Linux' && 'sudo' || '' }}
+                  EXECUTABLE: ${{ steps.executable.outputs.path }}
+
+            - name: Run tests
+              uses: coactions/setup-xvfb@6b00cf1889f4e1d5a48635647013c0508128ee1a
+              timeout-minutes: 20
+              with:
+                  run: yarn test --project=${{ inputs.artifact }} ${{ runner.os != 'Linux' && '--ignore-snapshots' || '' }} ${{ inputs.blob_report == false && '--reporter=html' || '' }}
+              env:
+                  ELEMENT_DESKTOP_EXECUTABLE: ${{ steps.executable.outputs.path }}
+
+            - name: Upload blob report
+              if: always() && inputs.blob_report
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+              with:
+                  name: blob-report-${{ inputs.artifact }}
+                  path: blob-report
+                  retention-days: 1
+
+            - name: Upload HTML report
+              if: always() && inputs.blob_report == false
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+              with:
+                  name: ${{ inputs.artifact }}-test
+                  path: playwright-report
+                  retention-days: 14

.github/workflows/build_windows.yaml

@@ -30,13 +30,17 @@ on:
                 type: string
                 required: false
                 description: "Whether to sign & notarise the build, requires 'packages.element.io' environment"
+            blob_report:
+                type: boolean
+                required: false
+                description: "Whether to run the blob report"
 permissions: {} # No permissions required
 jobs:
     build:
-        runs-on: windows-2022
+        runs-on: windows-2025
         environment: ${{ inputs.sign && 'packages.element.io' || '' }}
         env:
-            SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe"
+            SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.26100.0/x86/signtool.exe"
         steps:
             - uses: nbucic/variable-mapper@0673f6891a0619ba7c002ecfed0f9f4f39017b6f
               id: config
@@ -56,29 +60,25 @@ jobs:
                         "ia32": {
                           "target": "i686-pc-windows-msvc",
                           "build-args": "--ia32",
-                          "arch": "x86"
+                          "arch": "x86",
+                          "extra_config": "{\"user_notice\": {\"title\": \"Your desktop environment is unsupported.\",\"description\": \"Support for 32-bit Windows installations has ended. Transition to the web or mobile app for continued access.\"}}"
                         }
                       }
 
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/download-artifact@v4
+            - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
               with:
                   name: webapp
 
             - name: Cache .hak
               id: cache
-              uses: actions/cache@v4
+              uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
               with:
                   key: ${{ runner.os }}-${{ inputs.arch }}-${{ hashFiles('hakHash', 'electronVersion') }}
                   path: |
                       ./.hak
 
-            - name: Set up build tools
-              uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
-              with:
-                  arch: ${{ steps.config.outputs.arch || inputs.arch }}
-
             # ActiveTCL package on choco is from 2015,
             # this one is newer but includes more than we need
             - name: Choco install tclsh
@@ -102,15 +102,40 @@ jobs:
                   rustup default stable
                   rustup target add ${{ steps.config.outputs.target }}
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
-                  node-version-file: package.json
+                  node-version-file: .node-version
                   cache: "yarn"
 
-            # Does not need branch matching as only analyses this layer
             - name: Install Deps
               run: "yarn install --frozen-lockfile"
 
+            - name: Insert config snippet
+              if: steps.config.outputs.extra_config != ''
+              shell: bash
+              run: |
+                  mkdir config-edit
+                  yarn asar extract webapp.asar config-edit
+                  cd config-edit
+                  mv config.json old-config.json
+                  echo '${{ steps.config.outputs.extra_config }}' | jq -s '.[0] * .[1]' old-config.json - > config.json
+                  rm old-config.json
+                  cd ..
+                  rm webapp.asar
+                  yarn asar pack config-edit/ webapp.asar
+
+            - name: Set up sqlcipher macros
+              if: steps.cache.outputs.cache-hit != 'true' && contains(inputs.arch, 'arm')
+              shell: pwsh
+              run: |
+                  echo "NCC=${{ github.workspace }}\scripts\cl.bat" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+
+            - name: Set up build tools
+              if: steps.cache.outputs.cache-hit != 'true'
+              uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
+              with:
+                  arch: ${{ steps.config.outputs.arch || inputs.arch }}
+
             - name: Build Natives
               if: steps.cache.outputs.cache-hit != 'true'
               run: |
@@ -160,29 +185,47 @@ jobs:
                   INSTALL_DIR: C:\Users\runneradmin\eSignerCKA
                   MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key
 
-            - name: "[Nightly] Resolve version"
-              if: inputs.version != ''
-              shell: bash
-              run: |
-                  echo "ED_NIGHTLY=${{ inputs.version }}" >> $GITHUB_ENV
-
-            # XXX: For whatever reason if we use `yarn build ...` it freezes, but splitting it into parts it is fine
-            - run: yarn run build:ts
-            - run: yarn run build:res
-
             - name: Build App
+              run: yarn build --publish never -w ${{ steps.config.outputs.build-args }}
+              env:
+                  # Only set for Nightly builds
+                  ED_NIGHTLY: ${{ inputs.version }}
+
+            - name: Trust eSigner sandbox cert
+              if: inputs.sign == ''
               run: |
-                  yarn electron-builder --publish never -w ${{ steps.config.outputs.build-args }}
+                  Set-StrictMode -Version 'Latest'
+                  Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath .github/SSLcom-sandbox.crt
 
             - name: Check app was signed successfully
-              if: inputs.sign
               run: |
-                  . "$env:SIGNTOOL_PATH" verify /pa (get-item ./dist/squirrel-windows*/*.exe)
+                  Set-StrictMode -Version 'Latest'
+                  Get-ChildItem `
+                      -Recurse dist `
+                      -Include *.exe, *.msi `
+                  | ForEach-Object -Process {. $env:SIGNTOOL_PATH verify /pa $_.FullName; if(!$?) { throw }}
 
             - name: Upload Artifacts
-              uses: actions/upload-artifact@v4
+              uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
               with:
                   name: win-${{ inputs.arch }}
                   path: |
                       dist
                   retention-days: 1
+
+            - name: Assert all required files are present
+              run: |
+                  Test-Path './dist/win-*unpacked/Element*.exe'
+                  Test-Path './dist/squirrel-windows*/Element Setup*.exe'
+                  Test-Path './dist/squirrel-windows*/element-desktop-*-full.nupkg'
+                  Test-Path './dist/squirrel-windows*/RELEASES'
+                  Test-Path './dist/Element*.msi'
+
+    test:
+        needs: build
+        uses: ./.github/workflows/build_test.yaml
+        with:
+            artifact: win-${{ inputs.arch }}
+            runs-on: ${{ inputs.arch == 'arm64' && 'windows-11-arm' || 'windows-2022' }}
+            executable: ./dist/win*-unpacked/Element*.exe
+            blob_report: ${{ inputs.blob_report }}

.github/workflows/dockerbuild.yaml

@@ -19,20 +19,20 @@ jobs:
             contents: read
             packages: write
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
             - name: Set up QEMU
-              uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
+              uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
 
             - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
+              uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
               with:
                   install: true
 
             - name: Build test image
-              uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
+              uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
               with:
-                  context: dockerbuild
+                  file: dockerbuild/Dockerfile
                   push: false
                   load: true
                   tags: element-desktop-dockerbuild
@@ -42,7 +42,7 @@ jobs:
               run: docker run -v $PWD:/project element-desktop-dockerbuild yarn install
 
             - name: Log in to the Container registry
-              uses: docker/login-action@327cd5a69de6c009b9ce71bce8395f28e651bf99
+              uses: docker/login-action@6d4b68b490aef8836e8fb5e50ee7b3bdfa5894f0
               if: github.event_name != 'pull_request'
               with:
                   registry: ${{ env.REGISTRY }}
@@ -52,7 +52,7 @@ jobs:
             - name: Extract metadata for Docker
               id: meta
               if: github.event_name != 'pull_request'
-              uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5
+              uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
               with:
                   images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
                   tags: |
@@ -61,9 +61,9 @@ jobs:
 
             - name: Build and push Docker image
               if: github.event_name != 'pull_request'
-              uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6
+              uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
               with:
-                  context: dockerbuild
+                  file: dockerbuild/Dockerfile
                   push: true
                   tags: ${{ steps.meta.outputs.tags }}
                   labels: ${{ steps.meta.outputs.labels }}

.github/workflows/release.yml

@@ -19,6 +19,7 @@ jobs:
             contents: write
             issues: write
             pull-requests: read
+            id-token: write
         secrets:
             ELEMENT_BOT_TOKEN: ${{ secrets.ELEMENT_BOT_TOKEN }}
             GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}

.github/workflows/static_analysis.yaml

@@ -9,9 +9,9 @@ jobs:
         name: "Typescript Syntax Check"
         runs-on: ubuntu-24.04
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
                   node-version-file: package.json
                   cache: "yarn"
@@ -35,9 +35,9 @@ jobs:
         name: "ESLint"
         runs-on: ubuntu-24.04
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
                   node-version-file: package.json
                   cache: "yarn"
@@ -53,9 +53,9 @@ jobs:
         name: "Workflow Lint"
         runs-on: ubuntu-24.04
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
                   node-version-file: package.json
                   cache: "yarn"
@@ -71,9 +71,9 @@ jobs:
         name: "Analyse Dead Code"
         runs-on: ubuntu-24.04
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-            - uses: actions/setup-node@v4
+            - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
               with:
                   node-version-file: package.json
                   cache: "yarn"

.github/workflows/triage-stale.yml

@@ -12,9 +12,11 @@ jobs:
             issues: write
             pull-requests: write
         steps:
-            - uses: actions/stale@v9
+            - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
               with:
-                  operations-per-run: 100
+                  operations-per-run: 250
+                  days-before-issue-stale: -1
+                  days-before-issue-close: -1
                   days-before-pr-stale: 180
                   days-before-pr-close: 0
                   close-pr-message: "This PR has been automatically closed because it has been stale for 180 days. If you wish to continue working on this PR, please ping a maintainer to reopen it."

.node-version

@@ -0,0 +1 @@
+v22.15.0

CHANGELOG.md

@@ -1,3 +1,226 @@
+Changes in [1.11.100](https://github.com/element-hq/element-desktop/releases/tag/v1.11.100) (2025-05-06)
+========================================================================================================
+## ✨ Features
+
+* Move rich topics out of labs / stabilise MSC3765 ([#29817](https://github.com/element-hq/element-web/pull/29817)). Contributed by @Johennes.
+* Spell out that Element Web does \*not\* work on mobile. ([#29211](https://github.com/element-hq/element-web/pull/29211)). Contributed by @ara4n.
+* Add message preview support to the new room list ([#29784](https://github.com/element-hq/element-web/pull/29784)). Contributed by @dbkr.
+* Global configuration flag for media previews ([#29582](https://github.com/element-hq/element-web/pull/29582)). Contributed by @Half-Shot.
+* New room list: add partial keyboard shortcuts support ([#29783](https://github.com/element-hq/element-web/pull/29783)). Contributed by @florianduros.
+* MVVM RoomSummaryCard Topic ([#29710](https://github.com/element-hq/element-web/pull/29710)). Contributed by @MarcWadai.
+* Warn on self change from settings > roles ([#28926](https://github.com/element-hq/element-web/pull/28926)). Contributed by @MarcWadai.
+* New room list: new visual for invitation ([#29773](https://github.com/element-hq/element-web/pull/29773)). Contributed by @florianduros.
+
+## 🐛 Bug Fixes
+
+* Apply workaround to fix app launching on Linux ([#2308](https://github.com/element-hq/element-desktop/pull/2308)). Contributed by @dbkr.
+* Notification fixes for Windows - AppID name was messing up handler ([#2275](https://github.com/element-hq/element-desktop/pull/2275)). Contributed by @Fusseldieb.
+* Fix incorrect display of the user info display name ([#29826](https://github.com/element-hq/element-web/pull/29826)). Contributed by @langleyd.
+* RoomListStore: Remove invite rooms on decline ([#29804](https://github.com/element-hq/element-web/pull/29804)). Contributed by @MidhunSureshR.
+* Fix the buttons not being displayed with long preview text ([#29811](https://github.com/element-hq/element-web/pull/29811)). Contributed by @dbkr.
+* New room list: fix missing/incorrect notification decoration  ([#29796](https://github.com/element-hq/element-web/pull/29796)). Contributed by @florianduros.
+* New Room List: Prevent potential scroll jump/flicker when switching spaces ([#29781](https://github.com/element-hq/element-web/pull/29781)). Contributed by @MidhunSureshR.
+* New room list: fix incorrect decoration ([#29770](https://github.com/element-hq/element-web/pull/29770)). Contributed by @florianduros.
+
+
+
+Changes in [1.11.99](https://github.com/element-hq/element-desktop/releases/tag/v1.11.99) (2025-04-23)
+======================================================================================================
+## 🐛 Bug Fixes
+
+* [Backport staging] Fix `io.element.desktop` protocol handler ([#2281](https://github.com/element-hq/element-desktop/pull/2281)). Contributed by @RiotRobot.
+
+
+
+Changes in [1.11.98](https://github.com/element-hq/element-desktop/releases/tag/v1.11.98) (2025-04-22)
+======================================================================================================
+## 🦖 Deprecations
+
+* Remove support for 32 bit / ia32 Windows. ([#2225](https://github.com/element-hq/element-desktop/pull/2225)). Contributed by @Half-Shot.
+
+## ✨ Features
+
+* Update config logging to specify config file path ([#2231](https://github.com/element-hq/element-desktop/pull/2231)). Contributed by @nbolton.
+* Support specifying the profile dir path via env var (#2226) ([#2246](https://github.com/element-hq/element-desktop/pull/2246)). Contributed by @schuhj.
+* print better errors in the search view instead of a blocking modal ([#29724](https://github.com/element-hq/element-web/pull/29724)). Contributed by @Jujure.
+* New room list: video room and video call decoration  ([#29693](https://github.com/element-hq/element-web/pull/29693)). Contributed by @florianduros.
+* Remove Secure Backup, Cross-signing and Cryptography sections in `Security & Privacy` user settings ([#29088](https://github.com/element-hq/element-web/pull/29088)). Contributed by @florianduros.
+* Allow reporting a room when rejecting an invite. ([#29570](https://github.com/element-hq/element-web/pull/29570)). Contributed by @Half-Shot.
+* RoomListViewModel: Reset primary and secondary filters on space change ([#29672](https://github.com/element-hq/element-web/pull/29672)). Contributed by @MidhunSureshR.
+* RoomListStore: Support specific sorting requirements for muted rooms ([#29665](https://github.com/element-hq/element-web/pull/29665)). Contributed by @MidhunSureshR.
+* New room list: add notification options menu ([#29639](https://github.com/element-hq/element-web/pull/29639)). Contributed by @florianduros.
+* Room List: Scroll to top of the list when active room is not in the list ([#29650](https://github.com/element-hq/element-web/pull/29650)). Contributed by @MidhunSureshR.
+
+## 🐛 Bug Fixes
+
+* Fix unwanted form submit behaviour in memberlist ([#29747](https://github.com/element-hq/element-web/pull/29747)). Contributed by @MidhunSureshR.
+* New room list: fix public room icon visibility when filter change ([#29737](https://github.com/element-hq/element-web/pull/29737)). Contributed by @florianduros.
+* Fix custom theme support for short hex \& rgba hex strings ([#29726](https://github.com/element-hq/element-web/pull/29726)). Contributed by @t3chguy.
+* New room list: minor visual fixes ([#29723](https://github.com/element-hq/element-web/pull/29723)). Contributed by @florianduros.
+* Fix getOidcCallbackUrl for Element Desktop ([#29711](https://github.com/element-hq/element-web/pull/29711)). Contributed by @t3chguy.
+* Fix some webp images improperly marked as animated ([#29713](https://github.com/element-hq/element-web/pull/29713)). Contributed by @Petersmit27.
+* Revert deletion of hydrateSession ([#29703](https://github.com/element-hq/element-web/pull/29703)). Contributed by @Jujure.
+* Fix converttoroom \& converttodm not working ([#29705](https://github.com/element-hq/element-web/pull/29705)). Contributed by @t3chguy.
+* Ensure forceCloseAllModals also closes priority/static modals ([#29706](https://github.com/element-hq/element-web/pull/29706)). Contributed by @t3chguy.
+* Continue button is disabled when uploading a recovery key file ([#29695](https://github.com/element-hq/element-web/pull/29695)). Contributed by @Giwayume.
+* Catch errors after syncing recovery ([#29691](https://github.com/element-hq/element-web/pull/29691)). Contributed by @andybalaam.
+* New room list: fix multiple visual issues ([#29673](https://github.com/element-hq/element-web/pull/29673)). Contributed by @florianduros.
+* New Room List: Fix mentions filter matching rooms with any highlight ([#29668](https://github.com/element-hq/element-web/pull/29668)). Contributed by @MidhunSureshR.
+*  Fix truncated emoji label during emoji SAS ([#29643](https://github.com/element-hq/element-web/pull/29643)). Contributed by @florianduros.
+* Remove duplicate jitsi link ([#29642](https://github.com/element-hq/element-web/pull/29642)). Contributed by @dbkr.
+
+
+
+Changes in [1.11.97](https://github.com/element-hq/element-desktop/releases/tag/v1.11.97) (2025-04-08)
+======================================================================================================
+## ✨ Features
+
+* New room list: reduce padding between avatar and room list border ([#29634](https://github.com/element-hq/element-web/pull/29634)). Contributed by @florianduros.
+* Bundle Element Call with Element Web packages ([#29309](https://github.com/element-hq/element-web/pull/29309)). Contributed by @t3chguy.
+* Hide an event notification if it is redacted ([#29605](https://github.com/element-hq/element-web/pull/29605)). Contributed by @Half-Shot.
+* Docker: Use nginx-unprivileged as base image ([#29353](https://github.com/element-hq/element-web/pull/29353)). Contributed by @AndrewFerr.
+* Switch away from nesting React trees and mangling the DOM ([#29586](https://github.com/element-hq/element-web/pull/29586)). Contributed by @t3chguy.
+* New room list: add notification decoration ([#29552](https://github.com/element-hq/element-web/pull/29552)). Contributed by @florianduros.
+* RoomListStore: Unread filter should match rooms that were marked as unread ([#29580](https://github.com/element-hq/element-web/pull/29580)). Contributed by @MidhunSureshR.
+* Add support for hiding videos ([#29496](https://github.com/element-hq/element-web/pull/29496)). Contributed by @Half-Shot.
+* Use an outline icon for the report room button ([#29573](https://github.com/element-hq/element-web/pull/29573)). Contributed by @robintown.
+* Generate/load pickle key on SSO ([#29568](https://github.com/element-hq/element-web/pull/29568)). Contributed by @Jujure.
+* Add report room dialog button/dialog. ([#29513](https://github.com/element-hq/element-web/pull/29513)). Contributed by @Half-Shot.
+* RoomListViewModel: Make the active room sticky in the list ([#29551](https://github.com/element-hq/element-web/pull/29551)). Contributed by @MidhunSureshR.
+* Replace checkboxes with Compound checkboxes, and appropriately label each checkbox. ([#29363](https://github.com/element-hq/element-web/pull/29363)). Contributed by @Half-Shot.
+* New room list: add selection decoration ([#29531](https://github.com/element-hq/element-web/pull/29531)). Contributed by @florianduros.
+* Simplified Sliding Sync ([#28515](https://github.com/element-hq/element-web/pull/28515)). Contributed by @dbkr.
+* Add ability to hide images after clicking "show image" ([#29467](https://github.com/element-hq/element-web/pull/29467)). Contributed by @Half-Shot.
+
+## 🐛 Bug Fixes
+
+* Fix scroll issues in memberlist ([#29392](https://github.com/element-hq/element-web/pull/29392)). Contributed by @MidhunSureshR.
+* Ensure clicks on spoilers do not get handled by the hidden content ([#29618](https://github.com/element-hq/element-web/pull/29618)). Contributed by @t3chguy.
+* New room list: add cursor pointer on room list item ([#29627](https://github.com/element-hq/element-web/pull/29627)). Contributed by @florianduros.
+* Fix missing ambiguous url tooltips on Element Desktop ([#29619](https://github.com/element-hq/element-web/pull/29619)). Contributed by @t3chguy.
+* New room list: fix spacing and padding ([#29607](https://github.com/element-hq/element-web/pull/29607)). Contributed by @florianduros.
+* Make fetchdep check out matching branch name ([#29601](https://github.com/element-hq/element-web/pull/29601)). Contributed by @dbkr.
+* Fix MFileBody fileName not considering `filename` ([#29589](https://github.com/element-hq/element-web/pull/29589)). Contributed by @t3chguy.
+* Fix token expiry racing with login causing wrong error to be shown ([#29566](https://github.com/element-hq/element-web/pull/29566)). Contributed by @t3chguy.
+* Fix bug which caused startup to hang if the clock was wound back since a previous session ([#29558](https://github.com/element-hq/element-web/pull/29558)). Contributed by @richvdh.
+* RoomListViewModel: Reset any primary filter on secondary filter change ([#29562](https://github.com/element-hq/element-web/pull/29562)). Contributed by @MidhunSureshR.
+* RoomListStore: Unread filter should only filter rooms having unread counts ([#29555](https://github.com/element-hq/element-web/pull/29555)). Contributed by @MidhunSureshR.
+* In force-verify mode, prevent bypassing by cancelling device verification ([#29487](https://github.com/element-hq/element-web/pull/29487)). Contributed by @andybalaam.
+* Add title attribute to user identifier ([#29547](https://github.com/element-hq/element-web/pull/29547)). Contributed by @arpitbatra123.
+
+
+
+Changes in [1.11.96](https://github.com/element-hq/element-desktop/releases/tag/v1.11.96) (2025-03-25)
+======================================================================================================
+## ✨ Features
+
+* RoomListViewModel: Track the index of the active room in the list ([#29519](https://github.com/element-hq/element-web/pull/29519)). Contributed by @MidhunSureshR.
+* New room list: add empty state ([#29512](https://github.com/element-hq/element-web/pull/29512)). Contributed by @florianduros.
+* Implement `MessagePreviewViewModel` ([#29514](https://github.com/element-hq/element-web/pull/29514)). Contributed by @MidhunSureshR.
+* RoomListViewModel: Add functionality to toggle message preview setting ([#29511](https://github.com/element-hq/element-web/pull/29511)). Contributed by @MidhunSureshR.
+* New room list: add more options menu on room list item ([#29445](https://github.com/element-hq/element-web/pull/29445)). Contributed by @florianduros.
+* RoomListViewModel: Provide a way to resort the room list and track the active sort method ([#29499](https://github.com/element-hq/element-web/pull/29499)). Contributed by @MidhunSureshR.
+* Change \*All rooms\* meta space name to \*All Chats\* ([#29498](https://github.com/element-hq/element-web/pull/29498)). Contributed by @florianduros.
+* Add setting to hide avatars of rooms you have been invited to. ([#29497](https://github.com/element-hq/element-web/pull/29497)). Contributed by @Half-Shot.
+* Room List Store: Save preferred sorting algorithm and use that on app launch ([#29493](https://github.com/element-hq/element-web/pull/29493)). Contributed by @MidhunSureshR.
+* Add key storage toggle to Encryption settings ([#29310](https://github.com/element-hq/element-web/pull/29310)). Contributed by @dbkr.
+* New room list: add primary filters ([#29481](https://github.com/element-hq/element-web/pull/29481)). Contributed by @florianduros.
+* Implement MSC4142: Remove unintentional intentional mentions in replies ([#28209](https://github.com/element-hq/element-web/pull/28209)). Contributed by @tulir.
+* White background for 'They do not match' button ([#29470](https://github.com/element-hq/element-web/pull/29470)). Contributed by @andybalaam.
+* RoomListViewModel: Support secondary filters in the view model ([#29465](https://github.com/element-hq/element-web/pull/29465)). Contributed by @MidhunSureshR.
+* RoomListViewModel: Support primary filters in the view model ([#29454](https://github.com/element-hq/element-web/pull/29454)). Contributed by @MidhunSureshR.
+* Room List Store: Implement secondary filters ([#29458](https://github.com/element-hq/element-web/pull/29458)). Contributed by @MidhunSureshR.
+* Room List Store: Implement rest of the primary filters ([#29444](https://github.com/element-hq/element-web/pull/29444)). Contributed by @MidhunSureshR.
+* Room List Store: Support filters by implementing just the favourite filter ([#29433](https://github.com/element-hq/element-web/pull/29433)). Contributed by @MidhunSureshR.
+* Move toggle switch for integration manager for a11y ([#29436](https://github.com/element-hq/element-web/pull/29436)). Contributed by @Half-Shot.
+* New room list: basic flat list ([#29368](https://github.com/element-hq/element-web/pull/29368)). Contributed by @florianduros.
+* Improve rageshake upload experience by providing useful error information ([#29378](https://github.com/element-hq/element-web/pull/29378)). Contributed by @Half-Shot.
+* Add more functionality to the room list vm ([#29402](https://github.com/element-hq/element-web/pull/29402)). Contributed by @MidhunSureshR.
+
+## 🐛 Bug Fixes
+
+* Fix `--no-update` command line flag ([#2210](https://github.com/element-hq/element-desktop/pull/2210)). Contributed by @t3chguy.
+* New room list: fix compose menu action in space  ([#29500](https://github.com/element-hq/element-web/pull/29500)). Contributed by @florianduros.
+* Change ToggleHiddenEventVisibility \& GoToHome KeyBindingActions ([#29374](https://github.com/element-hq/element-web/pull/29374)). Contributed by @gy-mate.
+* Fix Docker Healthcheck ([#29471](https://github.com/element-hq/element-web/pull/29471)). Contributed by @benbz.
+* Room List Store: Fetch rooms after space store is ready + attach store to window ([#29453](https://github.com/element-hq/element-web/pull/29453)). Contributed by @MidhunSureshR.
+* Room List Store: Fix bug where left rooms appear in room list ([#29452](https://github.com/element-hq/element-web/pull/29452)). Contributed by @MidhunSureshR.
+* Add space to the bottom of the room summary actions below leave room ([#29270](https://github.com/element-hq/element-web/pull/29270)). Contributed by @langleyd.
+* Show error screens in group calls ([#29254](https://github.com/element-hq/element-web/pull/29254)). Contributed by @robintown.
+* Prevent user from accidentally triggering multiple identity resets ([#29388](https://github.com/element-hq/element-web/pull/29388)). Contributed by @uhoreg.
+* Remove buggy tooltip on room intro \& homepage ([#29406](https://github.com/element-hq/element-web/pull/29406)). Contributed by @t3chguy.
+
+
+
+Changes in [1.11.95](https://github.com/element-hq/element-desktop/releases/tag/v1.11.95) (2025-03-11)
+======================================================================================================
+## ✨ Features
+
+* Switch to shiftkey/node-keytar as it has NAPI 10 updates ([#2172](https://github.com/element-hq/element-desktop/pull/2172)). Contributed by @t3chguy.
+* Add support for Windows arm64 ([#624](https://github.com/element-hq/element-desktop/pull/624)). Contributed by @t3chguy.
+* Room List Store: Filter rooms by active space ([#29399](https://github.com/element-hq/element-web/pull/29399)). Contributed by @MidhunSureshR.
+* Room List - Update the room list store on actions from the dispatcher ([#29397](https://github.com/element-hq/element-web/pull/29397)). Contributed by @MidhunSureshR.
+* Room List  - Implement a minimal view model ([#29357](https://github.com/element-hq/element-web/pull/29357)). Contributed by @MidhunSureshR.
+* New room list: add space menu in room header ([#29352](https://github.com/element-hq/element-web/pull/29352)). Contributed by @florianduros.
+* Room List - Store sorted rooms in skip list ([#29345](https://github.com/element-hq/element-web/pull/29345)). Contributed by @MidhunSureshR.
+* New room list: add dial to search section ([#29359](https://github.com/element-hq/element-web/pull/29359)). Contributed by @florianduros.
+* New room list: add compose menu for spaces in header ([#29347](https://github.com/element-hq/element-web/pull/29347)). Contributed by @florianduros.
+* Use EditInPlace control for Identity Server picker to improve a11y ([#29280](https://github.com/element-hq/element-web/pull/29280)). Contributed by @Half-Shot.
+* First step to add header to new room list ([#29320](https://github.com/element-hq/element-web/pull/29320)). Contributed by @florianduros.
+* Add Windows 64-bit arm link and remove 32-bit link on compatibility page ([#29312](https://github.com/element-hq/element-web/pull/29312)). Contributed by @t3chguy.
+* Honour the backup disable flag from Element X ([#29290](https://github.com/element-hq/element-web/pull/29290)). Contributed by @dbkr.
+
+## 🐛 Bug Fixes
+
+* Fix edited code block width ([#29394](https://github.com/element-hq/element-web/pull/29394)). Contributed by @florianduros.
+* new room list: keep space name in one line in header ([#29369](https://github.com/element-hq/element-web/pull/29369)). Contributed by @florianduros.
+* Dismiss "Key storage out of sync" toast when secrets received ([#29348](https://github.com/element-hq/element-web/pull/29348)). Contributed by @richvdh.
+* Minor CSS fixes for the new room list ([#29334](https://github.com/element-hq/element-web/pull/29334)). Contributed by @florianduros.
+* Add padding to room header icon ([#29271](https://github.com/element-hq/element-web/pull/29271)). Contributed by @langleyd.
+
+
+
+Changes in [1.11.94](https://github.com/element-hq/element-desktop/releases/tag/v1.11.94) (2025-02-27)
+======================================================================================================
+* No changes
+
+## 🐛 Bug Fixes
+
+* [Backport staging] fix: /tmp/element-web-config may already exist preventing the container from booting up ([#29377](https://github.com/element-hq/element-web/pull/29377)). Contributed by @RiotRobot.
+
+
+
+Changes in [1.11.93](https://github.com/element-hq/element-desktop/releases/tag/v1.11.93) (2025-02-25)
+======================================================================================================
+## ✨ Features
+
+* [backport] Dynamically load Element Web modules in Docker entrypoint ([#29358](https://github.com/element-hq/element-web/pull/29358)). Contributed by @t3chguy.
+* ChangeRecoveryKey: error handling ([#29262](https://github.com/element-hq/element-web/pull/29262)). Contributed by @richvdh.
+* Dehydration: enable dehydrated device on "Set up recovery" ([#29265](https://github.com/element-hq/element-web/pull/29265)). Contributed by @richvdh.
+* Render reason for invite rejection. ([#29257](https://github.com/element-hq/element-web/pull/29257)). Contributed by @Half-Shot.
+* New room list: add search section ([#29251](https://github.com/element-hq/element-web/pull/29251)). Contributed by @florianduros.
+* New room list: hide favourites and people meta spaces ([#29241](https://github.com/element-hq/element-web/pull/29241)). Contributed by @florianduros.
+* New Room List: Create new labs flag ([#29239](https://github.com/element-hq/element-web/pull/29239)). Contributed by @MidhunSureshR.
+* Stop URl preview from covering message box ([#29215](https://github.com/element-hq/element-web/pull/29215)). Contributed by @edent.
+* Rename "security key" into "recovery key" ([#29217](https://github.com/element-hq/element-web/pull/29217)). Contributed by @florianduros.
+* Add new verification section to user profile ([#29200](https://github.com/element-hq/element-web/pull/29200)). Contributed by @MidhunSureshR.
+* Initial support for runtime modules ([#29104](https://github.com/element-hq/element-web/pull/29104)). Contributed by @t3chguy.
+* Add `Forgot recovery key?` button to encryption tab ([#29202](https://github.com/element-hq/element-web/pull/29202)). Contributed by @florianduros.
+* Add KeyIcon to key storage out of sync toast ([#29201](https://github.com/element-hq/element-web/pull/29201)). Contributed by @florianduros.
+* Improve rendering of empty topics in the timeline  ([#29152](https://github.com/element-hq/element-web/pull/29152)). Contributed by @Half-Shot.
+
+## 🐛 Bug Fixes
+
+* Fix font scaling in member list ([#29285](https://github.com/element-hq/element-web/pull/29285)). Contributed by @florianduros.
+* Grow member list search field when resizing the right panel ([#29267](https://github.com/element-hq/element-web/pull/29267)). Contributed by @langleyd.
+* Don't reload roomview on offline connectivity check ([#29243](https://github.com/element-hq/element-web/pull/29243)). Contributed by @dbkr.
+* Respect user's 12/24 hour preference consistently ([#29237](https://github.com/element-hq/element-web/pull/29237)). Contributed by @t3chguy.
+* Restore the accessibility role on call views ([#29225](https://github.com/element-hq/element-web/pull/29225)). Contributed by @robintown.
+* Revert `GoToHome` keyboard shortcut to `Ctrl`–`Shift`–`H` on macOS ([#28577](https://github.com/element-hq/element-web/pull/28577)). Contributed by @gy-mate.
+* Encryption tab: display correct encryption panel when user cancels the reset identity flow ([#29216](https://github.com/element-hq/element-web/pull/29216)). Contributed by @florianduros.
+
+
+
 Changes in [1.11.92](https://github.com/element-hq/element-desktop/releases/tag/v1.11.92) (2025-02-11)
 ======================================================================================================
 ## ✨ Features

dockerbuild/Dockerfile

@@ -1,8 +1,8 @@
 # Docker image to facilitate building Element Desktop's native bits using a glibc version (2.31)
 # with broader compatibility, down to Debian bullseye & Ubuntu focal.
-FROM rust:bullseye
+FROM rust:bullseye@sha256:f40b8cc3195deda321031e8dfe23c7d2586e3db7c4103fa36946982d9fd6d588
 
-ENV DEBIAN_FRONTEND noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
 
 RUN curl --proto "=https" -L https://yarnpkg.com/latest.tar.gz | tar xvz && mv yarn-* /yarn && ln -s /yarn/bin/yarn /usr/bin/yarn
 RUN apt-get -qq update && apt-get -y -qq dist-upgrade && \
@@ -16,13 +16,12 @@ RUN apt-get -qq update && apt-get -y -qq dist-upgrade && \
   apt-get purge -y --auto-remove && rm -rf /var/lib/apt/lists/*
 RUN ln -s /usr/bin/python3 /usr/bin/python & ln -s /usr/bin/pip3 /usr/bin/pip
 
-ENV DEBUG_COLORS true
-ENV FORCE_COLOR true
+ENV DEBUG_COLORS=true
+ENV FORCE_COLOR=true
 
 WORKDIR /project
 
-ENV NODE_VERSION 20.18.2
 ARG TARGETOS
 ARG TARGETARCH
-COPY setup.sh /setup.sh
+COPY .node-version dockerbuild/setup.sh /
 RUN /setup.sh

dockerbuild/setup.sh

@@ -3,5 +3,6 @@
 set -x
 declare -A archMap=(["amd64"]="x64" ["arm64"]="arm64")
 ARCH="${archMap["$TARGETARCH"]}"
-curl --proto "=https" -L "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-$TARGETOS-$ARCH.tar.gz" | tar xz -C /usr/local --strip-components=1 && \
+NODE_VERSION=$(cat /.node-version)
+curl --proto "=https" -L "https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$TARGETOS-$ARCH.tar.gz" | tar xz -C /usr/local --strip-components=1 && \
   unlink /usr/local/CHANGELOG.md && unlink /usr/local/LICENSE && unlink /usr/local/README.md

docs/SUMMARY.md

@@ -2,10 +2,11 @@
 
 - [Introduction](../README.md)
 
-# Build
+# Build/Debug
 
 - [Native Node modules](native-node-modules.md)
 - [Windows requirements](windows-requirements.md)
+- [Using gdb](gdb.md)
 
 # Distribution
 

docs/gdb.md

@@ -0,0 +1,46 @@
+# Using gdb against Element-Desktop
+
+Occasionally it is useful to be able to connect to a running Element-Desktop
+with [`gdb`](https://sourceware.org/gdb/), or to analayze a coredump. For this,
+you will need debug symbols.
+
+1. If you don't already have the right version of Element-Desktop (eg because
+   you are analyzing someone else's coredump), download and unpack the tarball
+   from https://packages.element.io/desktop/install/linux/. If it was a
+   nightly, your best bet may be to download the deb from
+   https://packages.element.io/debian/pool/main/e/element-nightly/ and unpack
+   it.
+2. Figure out which version of Electron your Element-Desktop is based on. The
+   best way to do this is to figure out the version of Element-Desktop, then
+   look at
+   [`yarn.lock`](https://github.com/element-hq/element-desktop/blob/develop/yarn.lock)
+   for the corresponding version. There should be an entry starting
+   `electron@`, and under it a `version` line: this will tell you the version
+   of Electron that was used for that version of Element-Desktop.
+
+3. Go to [Electron's releases page](https://github.com/electron/electron/releases/)
+   and find the version you just identified. Under "Assets", download
+   `electron-v<version>-linux-x64-debug.zip` (or, the -debug zip corresponding to your
+   architecture).
+
+4. The debug zip has a structure like:
+
+    ```
+    .
+    ├── debug
+    │   ├── chrome_crashpad_handler.debug
+    │   ├── electron.debug
+    │   ├── libEGL.so.debug
+    │   ├── libffmpeg.so.debug
+    │   ├── libGLESv2.so.debug
+    │   └── libvk_swiftshader.so.debug
+    ├── LICENSE
+    ├── LICENSES.chromium.html
+    └── version
+    ```
+
+    Take all the contents of `debug`, and copy them into the Element-Desktop directory,
+    so that `electron.debug` is alongside the `element-desktop-nightly` executable.
+
+5. You now have a thing you can gdb as normal, either as `gdb --args element-desktop-nightly`, or
+   `gdb element-desktop-nightly core`.

docs/windows-requirements.md

@@ -12,6 +12,13 @@ If you want to build native modules, make sure that the following tools are inst
 - [Strawberry Perl](https://strawberryperl.com/)
 - [Rustup](https://rustup.rs/)
 - [NASM](https://www.nasm.us/)
+
+You can install the above tools using [Chocolatey](https://chocolatey.org/install):
+
+```cmd
+choco install --no-progress -y git nodejs-lts yarn python StrawberryPerl rustup.install nasm magicsplat-tcl-tk
+```
+
 - [Build Tools for Visual Studio 2019](https://visualstudio.microsoft.com/downloads/#build-tools-for-visual-studio-2019) with the following configuration:
     - On the Workloads tab:
         - Desktop & Mobile -> C++ build tools

electron-builder.ts

@@ -1,10 +1,6 @@
 import * as os from "node:os";
 import * as fs from "node:fs";
-import * as path from "node:path";
-import * as plist from "plist";
-import { AfterPackContext, Arch, Configuration as BaseConfiguration, Platform } from "electron-builder";
-import { computeData } from "app-builder-lib/out/asar/integrity";
-import { readFile, writeFile } from "node:fs/promises";
+import { type Configuration as BaseConfiguration, type Protocol } from "electron-builder";
 
 /**
  * This script has different outputs depending on your os platform.
@@ -20,9 +16,13 @@ import { readFile, writeFile } from "node:fs/promises";
  *  Passes $ED_DEBIAN_CHANGELOG to build.deb.fpm if specified
  */
 
+const DEFAULT_APP_ID = "im.riot.app";
 const NIGHTLY_APP_ID = "im.riot.nightly";
 const NIGHTLY_DEB_NAME = "element-nightly";
 
+const DEFAULT_PROTOCOL_SCHEME = "io.element.desktop";
+const NIGHTLY_PROTOCOL_SCHEME = "io.element.nightly";
+
 interface Pkg {
     name: string;
     productName: string;
@@ -37,7 +37,11 @@ type Writable<T> = NonNullable<
 const pkg: Pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
 
 interface Configuration extends BaseConfiguration {
-    extraMetadata: Partial<Pick<Pkg, "version">> & Omit<Pkg, "version">;
+    extraMetadata: Partial<Pick<Pkg, "version">> &
+        Omit<Pkg, "version"> & {
+            electron_appId: string;
+            electron_protocol: string;
+        };
     linux: BaseConfiguration["linux"];
     win: BaseConfiguration["win"];
     mac: BaseConfiguration["mac"];
@@ -46,26 +50,6 @@ interface Configuration extends BaseConfiguration {
     } & BaseConfiguration["deb"];
 }
 
-async function injectAsarIntegrity(context: AfterPackContext) {
-    const packager = context.packager;
-
-    // We only need to re-generate asar on universal Mac builds, due to https://github.com/electron/universal/issues/116
-    if (packager.platform !== Platform.MAC || context.arch !== Arch.universal) return;
-
-    const resourcesPath = packager.getResourcesDir(context.appOutDir);
-    const asarIntegrity = await computeData({
-        resourcesPath,
-        resourcesRelativePath: "Resources",
-        resourcesDestinationPath: resourcesPath,
-        extraResourceMatchers: [],
-    });
-
-    const plistPath = path.join(resourcesPath, "..", "Info.plist");
-    const data = plist.parse(await readFile(plistPath, "utf8")) as unknown as Writable<plist.PlistObject>;
-    data["ElectronAsarIntegrity"] = asarIntegrity as unknown as Writable<plist.PlistValue>;
-    await writeFile(plistPath, plist.build(data));
-}
-
 /**
  * @type {import('electron-builder').Configuration}
  * @see https://www.electron.build/configuration/configuration
@@ -74,7 +58,7 @@ const config: Omit<Writable<Configuration>, "electronFuses"> & {
     // Make all fuses required to ensure they are all explicitly specified
     electronFuses: Required<Configuration["electronFuses"]>;
 } = {
-    appId: "im.riot.app",
+    appId: DEFAULT_APP_ID,
     asarUnpack: "**/*.node",
     electronFuses: {
         enableCookieEncryption: true,
@@ -90,9 +74,6 @@ const config: Omit<Writable<Configuration>, "electronFuses"> & {
         loadBrowserProcessSpecificV8Snapshot: false,
         enableEmbeddedAsarIntegrityValidation: true,
     },
-    afterPack: async (context: AfterPackContext) => {
-        await injectAsarIntegrity(context);
-    },
     files: [
         "package.json",
         {
@@ -112,6 +93,8 @@ const config: Omit<Writable<Configuration>, "electronFuses"> & {
         name: pkg.name,
         productName: pkg.productName,
         description: pkg.description,
+        electron_appId: DEFAULT_APP_ID,
+        electron_protocol: DEFAULT_PROTOCOL_SCHEME,
     },
     linux: {
         target: ["tar.gz", "deb"],
@@ -154,6 +137,7 @@ const config: Omit<Writable<Configuration>, "electronFuses"> & {
         entitlements: "./build/entitlements.mac.plist",
         icon: "build/icons/icon.icns",
         mergeASARs: true,
+        x64ArchFiles: "**/matrix-seshat/*.node", // hak already runs lipo
     },
     win: {
         target: ["squirrel", "msi"],
@@ -168,12 +152,13 @@ const config: Omit<Writable<Configuration>, "electronFuses"> & {
     directories: {
         output: "dist",
     },
-    protocols: [
-        {
-            name: "element",
-            schemes: ["io.element.desktop", "element"],
-        },
-    ],
+    protocols: {
+        name: "element",
+        schemes: [DEFAULT_PROTOCOL_SCHEME, "element"],
+    },
+    nativeRebuilder: "sequential",
+    nodeGypRebuild: false,
+    npmRebuild: true,
 };
 
 /**
@@ -193,11 +178,12 @@ if (process.env.ED_SIGNTOOL_SUBJECT_NAME && process.env.ED_SIGNTOOL_THUMBPRINT)
 if (process.env.ED_NIGHTLY) {
     config.deb.fpm = []; // Clear the fpm as the breaks deb fields don't apply to nightly
 
-    config.appId = NIGHTLY_APP_ID;
+    config.appId = config.extraMetadata.electron_appId = NIGHTLY_APP_ID;
     config.extraMetadata.productName += " Nightly";
     config.extraMetadata.name += "-nightly";
     config.extraMetadata.description += " (nightly unstable build)";
     config.deb.fpm.push("--name", NIGHTLY_DEB_NAME);
+    (config.protocols as Protocol).schemes[0] = config.extraMetadata.electron_protocol = NIGHTLY_PROTOCOL_SCHEME;
 
     let version = process.env.ED_NIGHTLY;
     if (os.platform() === "win32") {

hak/keytar/build.ts

@@ -1,26 +0,0 @@
-/*
-Copyright 2024 New Vector Ltd.
-Copyright 2020 The Matrix.org Foundation C.I.C.
-
-SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
-Please see LICENSE files in the repository root for full details.
-*/
-
-import path from "node:path";
-
-import type HakEnv from "../../scripts/hak/hakEnv.js";
-import type { DependencyInfo } from "../../scripts/hak/dep.js";
-
-export default async function buildKeytar(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    const env = hakEnv.makeGypEnv();
-
-    console.log("Running yarn with env", env);
-    await hakEnv.spawn(
-        path.join(moduleInfo.nodeModuleBinDir, "node-gyp"),
-        ["rebuild", "--arch", hakEnv.getTargetArch()],
-        {
-            cwd: moduleInfo.moduleBuildDir,
-            env,
-        },
-    );
-}

hak/keytar/check.ts

@@ -1,15 +0,0 @@
-/*
-Copyright 2024 New Vector Ltd.
-Copyright 2020 The Matrix.org Foundation C.I.C.
-
-SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
-Please see LICENSE files in the repository root for full details.
-*/
-
-import type HakEnv from "../../scripts/hak/hakEnv.js";
-import type { DependencyInfo } from "../../scripts/hak/dep.js";
-
-export default async function (hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    // node-gyp uses python for reasons beyond comprehension
-    await hakEnv.checkTools([["python", "--version"]]);
-}

hak/keytar/hak.json

@@ -1,10 +0,0 @@
-{
-    "scripts": {
-        "check": "check.ts",
-        "build": "build.ts"
-    },
-    "copy": "build/Release/keytar.node",
-    "dependencies": {
-        "libsecret": "0.20.3"
-    }
-}

knip.ts

@@ -5,7 +5,6 @@ export default {
     project: ["**/*.{js,ts}"],
     ignoreDependencies: [
         // Brought in via hak scripts
-        "keytar",
         "matrix-seshat",
         // Required for `action-validator`
         "@action-validator/*",

package.json

@@ -3,7 +3,7 @@
     "productName": "Element",
     "main": "lib/electron-main.js",
     "exports": "./lib/electron-main.js",
-    "version": "1.11.91",
+    "version": "1.11.100",
     "description": "Element: the future of secure communication",
     "author": "Element",
     "homepage": "https://element.io",
@@ -44,7 +44,7 @@
         "build": "yarn run build:ts && yarn run build:res && electron-builder",
         "build:ts": "tsc",
         "build:res": "tsx scripts/copy-res.ts",
-        "docker:setup": "docker build --platform linux/amd64 -t element-desktop-dockerbuild dockerbuild",
+        "docker:setup": "docker build --platform linux/amd64 -t element-desktop-dockerbuild -f dockerbuild/Dockerfile .",
         "docker:build:native": "scripts/in-docker.sh yarn run hak",
         "docker:build": "scripts/in-docker.sh yarn run build",
         "docker:install": "scripts/in-docker.sh yarn install",
@@ -53,15 +53,17 @@
         "test": "playwright test",
         "test:open": "yarn test --ui",
         "test:screenshots:build": "docker build playwright -t element-desktop-playwright --platform linux/amd64",
-        "test:screenshots:run": "docker run --rm --network host -v $(pwd):/work/element-desktop -v /var/run/docker.sock:/var/run/docker.sock --platform linux/amd64 -it element-desktop-playwright"
+        "test:screenshots:run": "docker run --rm --network host -v $(pwd):/work/element-desktop -v /var/run/docker.sock:/var/run/docker.sock --platform linux/amd64 -it element-desktop-playwright",
+        "postinstall": "electron-builder install-app-deps"
     },
     "dependencies": {
-        "@sentry/electron": "^5.0.0",
+        "@sentry/electron": "^6.0.0",
         "@standardnotes/electron-clear-data": "^1.0.5",
         "auto-launch": "^5.0.5",
         "counterpart": "^0.18.6",
         "electron-store": "^10.0.0",
         "electron-window-state": "^5.0.3",
+        "keytar-forked": "7.10.0",
         "minimist": "^1.2.6",
         "png-to-ico": "^2.1.1",
         "uuid": "^11.0.0"
@@ -72,22 +74,22 @@
         "@babel/core": "^7.18.10",
         "@babel/preset-env": "^7.18.10",
         "@babel/preset-typescript": "^7.18.6",
-        "@electron/asar": "3.2.18",
-        "@playwright/test": "1.50.1",
-        "@stylistic/eslint-plugin": "^3.0.0",
+        "@electron/asar": "3.4.1",
+        "@playwright/test": "1.52.0",
+        "@stylistic/eslint-plugin": "^4.0.0",
         "@types/auto-launch": "^5.0.1",
         "@types/counterpart": "^0.18.1",
         "@types/minimist": "^1.2.1",
-        "@types/node": "18.19.74",
+        "@types/node": "18.19.100",
         "@types/pacote": "^11.1.1",
         "@typescript-eslint/eslint-plugin": "^8.0.0",
         "@typescript-eslint/parser": "^8.0.0",
-        "app-builder-lib": "26.0.1",
+        "app-builder-lib": "26.0.15",
         "chokidar": "^4.0.0",
         "detect-libc": "^2.0.0",
-        "electron": "34.0.2",
-        "electron-builder": "26.0.1",
-        "electron-builder-squirrel-windows": "26.0.1",
+        "electron": "36.2.0",
+        "electron-builder": "26.0.15",
+        "electron-builder-squirrel-windows": "26.0.15",
         "electron-devtools-installer": "^4.0.0",
         "eslint": "^8.26.0",
         "eslint-config-google": "^0.14.0",
@@ -99,23 +101,22 @@
         "glob": "^11.0.0",
         "husky": "^9.1.6",
         "knip": "^5.0.0",
-        "lint-staged": "^15.2.10",
+        "lint-staged": "^16.0.0",
         "matrix-web-i18n": "^3.2.1",
         "mkdirp": "^3.0.0",
         "pacote": "^21.0.0",
-        "plist": "^3.1.0",
         "prettier": "^3.0.0",
         "rimraf": "^6.0.0",
         "tar": "^7.0.0",
         "tsx": "^4.19.2",
-        "typescript": "5.7.3"
+        "typescript": "5.8.3"
     },
     "hakDependencies": {
-        "matrix-seshat": "^4.0.0",
-        "keytar": "^7.9.0"
+        "matrix-seshat": "^4.0.1"
     },
     "resolutions": {
-        "@types/node": "18.19.74",
-        "config-file-ts": "0.2.8-rc1"
+        "@types/node": "18.19.100",
+        "config-file-ts": "0.2.8-rc1",
+        "node-abi": "4.8.0"
     }
 }

playwright.config.ts

@@ -8,7 +8,25 @@ Please see LICENSE files in the repository root for full details.
 
 import { defineConfig } from "@playwright/test";
 
+const projects = [
+    "macos",
+    "win-x64",
+    "win-ia32",
+    "win-arm64",
+    "linux-amd64-sqlcipher-system",
+    "linux-amd64-sqlcipher-static",
+    "linux-arm64-sqlcipher-system",
+    "linux-arm64-sqlcipher-static",
+];
+
 export default defineConfig({
+    // Allows the GitHub action to specify a project name (OS + arch) for the combined report to make sense
+    // workaround for https://github.com/microsoft/playwright/issues/33521
+    projects: process.env.CI
+        ? projects.map((name) => ({
+              name,
+          }))
+        : undefined,
     use: {
         viewport: { width: 1280, height: 720 },
         video: "retain-on-failure",
@@ -18,7 +36,7 @@ export default defineConfig({
     outputDir: "playwright/test-results",
     workers: 1,
     retries: process.env.CI ? 2 : 0,
-    reporter: [["html", { outputFolder: "playwright/html-report" }]],
+    reporter: process.env.CI ? [["blob"], ["github"]] : [["html", { outputFolder: "playwright/html-report" }]],
     snapshotDir: "playwright/snapshots",
     snapshotPathTemplate: "{snapshotDir}/{testFilePath}/{arg}-{platform}{ext}",
     timeout: 30 * 1000,

playwright/Dockerfile

@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/playwright:v1.50.1-jammy
+FROM mcr.microsoft.com/playwright:v1.52.0-jammy@sha256:ff2946177f0756c87482c0ef958b7cfbf389b92525ace78a1c9890281d0d60f4
 
 WORKDIR /work/element-desktop
 

playwright/e2e/launch/launch.spec.ts

@@ -6,21 +6,24 @@ SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Com
 Please see LICENSE files in the repository root for full details.
 */
 
-import { platform } from "node:os";
+import keytar from "keytar-forked";
 
 import { test, expect } from "../../element-desktop-test.js";
 
 declare global {
+    interface ElectronPlatform {
+        getEventIndexingManager():
+            | {
+                  supportsEventIndexing(): Promise<boolean>;
+              }
+            | undefined;
+        getPickleKey(userId: string, deviceId: string): Promise<string | null>;
+        createPickleKey(userId: string, deviceId: string): Promise<string | null>;
+    }
+
     interface Window {
         mxPlatformPeg: {
-            get(): {
-                getEventIndexingManager():
-                    | {
-                          supportsEventIndexing(): Promise<boolean>;
-                      }
-                    | undefined;
-                createPickleKey(userId: string, deviceId: string): Promise<string | null>;
-            };
+            get(): ElectronPlatform;
         };
     }
 }
@@ -46,13 +49,57 @@ test.describe("App launch", () => {
         ).resolves.toBeTruthy();
     });
 
-    test("should launch and render the welcome view successfully and support keytar", async ({ page }) => {
-        test.skip(platform() === "linux", "This test does not yet support Linux");
+    test.describe("safeStorage", () => {
+        const userId = "@user:server";
+        const deviceId = "ABCDEF";
 
-        await expect(
-            page.evaluate<string | null>(async () => {
-                return await window.mxPlatformPeg.get().createPickleKey("@user:server", "ABCDEF");
-            }),
-        ).resolves.not.toBeNull();
+        test("should be supported", async ({ page }) => {
+            await expect(
+                page.evaluate(
+                    ([userId, deviceId]) => window.mxPlatformPeg.get().createPickleKey(userId, deviceId),
+                    [userId, deviceId],
+                ),
+            ).resolves.not.toBeNull();
+        });
+
+        test.describe("migrate from keytar", () => {
+            test.skip(
+                process.env.GITHUB_ACTIONS && ["linux", "darwin"].includes(process.platform),
+                "GitHub Actions hosted runner are not a compatible environment for this test",
+            );
+
+            const pickleKey = "DEADBEEF1234";
+            const keytarService = "element.io";
+            const keytarKey = `${userId}|${deviceId}`;
+
+            test.beforeAll(async () => {
+                await keytar.setPassword(keytarService, keytarKey, pickleKey);
+                await expect(keytar.getPassword(keytarService, keytarKey)).resolves.toBe(pickleKey);
+            });
+            test.afterAll(async () => {
+                await keytar.deletePassword(keytarService, keytarKey);
+            });
+
+            test("should migrate successfully", async ({ page }) => {
+                await expect(
+                    page.evaluate(
+                        ([userId, deviceId]) => window.mxPlatformPeg.get().getPickleKey(userId, deviceId),
+                        [userId, deviceId],
+                    ),
+                ).resolves.toBe(pickleKey);
+            });
+        });
+    });
+
+    test.describe("--no-update", () => {
+        test.use({
+            extraArgs: ["--no-update"],
+        });
+
+        // XXX: this test works fine locally but in CI the app start races with the test plumbing up the stdout/stderr pipes
+        // which means the logs are missed, disabling for now.
+        test.skip("should respect option", async ({ page, stdout }) => {
+            expect(stdout.data.toString()).toContain("Auto update disabled via command line flag");
+        });
     });
 });

playwright/e2e/launch/oidc.spec.ts

@@ -0,0 +1,36 @@
+/*
+Copyright 2025 New Vector Ltd.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+import { test, expect } from "../../element-desktop-test.js";
+
+declare global {
+    interface ElectronPlatform {
+        getOidcCallbackUrl(): URL;
+    }
+
+    interface Window {
+        mxPlatformPeg: {
+            get(): ElectronPlatform;
+        };
+    }
+}
+
+test.describe("OIDC Native", () => {
+    test.slow();
+
+    test.beforeEach(async ({ page }) => {
+        await page.locator(".mx_Welcome").waitFor();
+    });
+
+    test("should use OIDC callback URL without authority component", async ({ page }) => {
+        await expect(
+            page.evaluate<string>(() => {
+                return window.mxPlatformPeg.get().getOidcCallbackUrl().toString();
+            }),
+        ).resolves.toBe("io.element.desktop:/vector/webapp/");
+    });
+});

playwright/element-desktop-test.ts

@@ -11,12 +11,37 @@ import fs from "node:fs/promises";
 import path, { dirname } from "node:path";
 import os from "node:os";
 import { fileURLToPath } from "node:url";
+import { PassThrough } from "node:stream";
+
+/**
+ * A PassThrough stream that captures all data written to it.
+ */
+class CapturedPassThrough extends PassThrough {
+    private _chunks = [];
+
+    public constructor() {
+        super();
+        super.on("data", this.onData);
+    }
+
+    private onData = (chunk): void => {
+        this._chunks.push(chunk);
+    };
+
+    public get data(): Buffer {
+        return Buffer.concat(this._chunks);
+    }
+}
 
 interface Fixtures {
     app: ElectronApplication;
     tmpDir: string;
     extraEnv: Record<string, string>;
     extraArgs: string[];
+
+    // Utilities to capture stdout and stderr for tests to make assertions against
+    stdout: CapturedPassThrough;
+    stderr: CapturedPassThrough;
 }
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -24,15 +49,34 @@ const __dirname = dirname(fileURLToPath(import.meta.url));
 export const test = base.extend<Fixtures>({
     extraEnv: {},
     extraArgs: [],
+
+    // eslint-disable-next-line no-empty-pattern
+    stdout: async ({}, use) => {
+        await use(new CapturedPassThrough());
+    },
+    // eslint-disable-next-line no-empty-pattern
+    stderr: async ({}, use) => {
+        await use(new CapturedPassThrough());
+    },
+
     // eslint-disable-next-line no-empty-pattern
     tmpDir: async ({}, use) => {
         const tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), "element-desktop-tests-"));
-        console.log("Using temp profile directory: ", tmpDir);
         await use(tmpDir);
         await fs.rm(tmpDir, { recursive: true });
     },
-    app: async ({ tmpDir, extraEnv, extraArgs }, use) => {
-        const args = ["--profile-dir", tmpDir];
+    app: async ({ tmpDir, extraEnv, extraArgs, stdout, stderr }, use) => {
+        const args = ["--profile-dir", tmpDir, ...extraArgs];
+
+        if (process.env.GITHUB_ACTIONS) {
+            if (process.platform === "linux") {
+                // GitHub Actions hosted runner lacks dbus and a compatible keyring, so we need to force plaintext storage
+                args.push("--storage-mode", "force-plaintext");
+            } else if (process.platform === "darwin") {
+                // GitHub Actions hosted runner has no working default keychain, so allow plaintext storage
+                args.push("--storage-mode", "allow-plaintext");
+            }
+        }
 
         const executablePath = process.env["ELEMENT_DESKTOP_EXECUTABLE"];
         if (!executablePath) {
@@ -40,17 +84,19 @@ export const test = base.extend<Fixtures>({
             args.unshift(path.join(__dirname, "..", "lib", "electron-main.js"));
         }
 
+        console.log(`Launching '${executablePath}' with args ${args.join(" ")}`);
+
         const app = await electron.launch({
             env: {
                 ...process.env,
                 ...extraEnv,
             },
             executablePath,
-            args: [...args, ...extraArgs],
+            args,
         });
 
-        app.process().stdout.pipe(process.stdout);
-        app.process().stderr.pipe(process.stderr);
+        app.process().stdout.pipe(stdout).pipe(process.stdout);
+        app.process().stderr.pipe(stderr).pipe(process.stderr);
 
         await app.firstWindow();
 

scripts/branch-match.sh

@@ -0,0 +1,48 @@
+#!/bin/bash
+
+# Script for downloading a branch of element-web matching the branch a PR is contributed from
+
+set -x
+
+deforg="element-hq"
+defrepo="element-web"
+
+# The PR_NUMBER variable must be set explicitly.
+default_org_repo=${GITHUB_REPOSITORY:-"$deforg/$defrepo"}
+PR_ORG=${PR_ORG:-${default_org_repo%%/*}}
+PR_REPO=${PR_REPO:-${default_org_repo##*/}}
+
+# A function that clones a branch of a repo based on the org, repo and branch
+clone() {
+    org=$1
+    repo=$2
+    branch=$3
+    if [ -n "$branch" ]
+    then
+        echo "Trying to use $org/$repo#$branch"
+        # Disable auth prompts: https://serverfault.com/a/665959
+        GIT_TERMINAL_PROMPT=0 git clone https://github.com/$org/$repo.git $repo --branch "$branch" --depth 1 && exit 0
+    fi
+}
+
+echo "Getting info about a PR with number $PR_NUMBER"
+apiEndpoint="https://api.github.com/repos/$PR_ORG/$PR_REPO/pulls/$PR_NUMBER"
+head=$(curl "$apiEndpoint" | jq -r '.head.label')
+
+# for forks, $head will be in the format "fork:branch", so we split it by ":"
+# into an array. On non-forks, this has the effect of splitting into a single
+# element array given ":" shouldn't appear in the head - it'll just be the
+# branch name. Based on the results, we clone.
+BRANCH_ARRAY=(${head//:/ })
+TRY_ORG=$deforg
+TRY_BRANCH=${BRANCH_ARRAY[0]}
+if [[ "$head" == *":"* ]]; then
+    # ... but only match that fork if it's a real fork
+    if [ "${BRANCH_ARRAY[0]}" != "$PR_ORG" ]; then
+        TRY_ORG=${BRANCH_ARRAY[0]}
+    fi
+    TRY_BRANCH=${BRANCH_ARRAY[1]}
+fi
+clone "$TRY_ORG" "$defrepo" "$TRY_BRANCH"
+
+exit 1

scripts/cl.bat

@@ -0,0 +1,7 @@
+REM Batch file to aid in cross-compiling sqlcipher for Windows ARM64
+REM Full path should be passed to Makefile.msc as NCC env var
+
+setlocal
+call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvarsall.bat" %VSCMD_ARG_HOST_ARCH%
+cl.exe %*
+endlocal

scripts/fetchdep.sh

@@ -1,41 +0,0 @@
-#!/bin/bash
-
-set -x
-
-deforg="$1"
-defrepo="$2"
-defbranch="$3"
-
-[ -z "$defbranch" ] && defbranch="develop"
-
-rm -r "$defrepo" || true
-
-clone() {
-    org=$1
-    repo=$2
-    branch=$3
-    if [ -n "$branch" ]
-    then
-        echo "Trying to use $org/$repo#$branch"
-        # Disable auth prompts: https://serverfault.com/a/665959
-        GIT_TERMINAL_PROMPT=0 git clone https://github.com/$org/$repo.git $repo --branch "$branch" --depth 1 && exit 0
-    fi
-}
-
-# Try the PR author's branch in case it exists on the deps as well.
-# If BUILDKITE_BRANCH is set, it will contain either:
-#   * "branch" when the author's branch and target branch are in the same repo
-#   * "author:branch" when the author's branch is in their fork
-# We can split on `:` into an array to check.
-BUILDKITE_BRANCH_ARRAY=(${BUILDKITE_BRANCH//:/ })
-if [[ "${#BUILDKITE_BRANCH_ARRAY[@]}" == "1" ]]; then
-    clone $deforg $defrepo $BUILDKITE_BRANCH
-elif [[ "${#BUILDKITE_BRANCH_ARRAY[@]}" == "2" ]]; then
-    clone ${BUILDKITE_BRANCH_ARRAY[0]} $defrepo ${BUILDKITE_BRANCH_ARRAY[1]}
-fi
-# Try the target branch of the push or PR.
-clone $deforg $defrepo $BUILDKITE_PULL_REQUEST_BASE_BRANCH
-# Try the current branch from Jenkins.
-clone $deforg $defrepo `"echo $GIT_BRANCH" | sed -e 's/^origin\///'`
-# Use the default branch as the last resort.
-clone $deforg $defrepo $defbranch

scripts/hak/README.md

@@ -67,14 +67,14 @@ Hak is divided into lifecycle stages, in order:
 
 # hak.json
 
-The scripts section contains scripts used for lifecycle stages that need them (fetch, fetchDeps, build).
+The scripts section contains scripts used for lifecycle stages that need them (fetch, build).
 It also contains 'prune' and 'copy' which are globs of files to delete from the output module directory
 and copy over from the module build directory to the output module directory, respectively.
 
 # Shortcomings
 
 Hak doesn't know about dependencies between lifecycle stages, ie. it doesn't know that you need to
-'fetch' and 'fetchDeps' before you can 'build', etc. You get to run each individually, and remember
+'fetch' before you can 'build', etc. You get to run each individually, and remember
 the right order.
 
 There is also a _lot_ of duplication in the command execution: we should abstract away

scripts/hak/check.ts

@@ -10,7 +10,5 @@ import type { DependencyInfo } from "./dep.js";
 import type HakEnv from "./hakEnv.js";
 
 export default async function check(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    if (moduleInfo.scripts.check) {
-        await moduleInfo.scripts.check(hakEnv, moduleInfo);
-    }
+    await moduleInfo.scripts.check?.(hakEnv, moduleInfo);
 }

scripts/hak/copy.ts

@@ -9,7 +9,6 @@ Please see LICENSE files in the repository root for full details.
 import path from "node:path";
 import fsProm from "node:fs/promises";
 import childProcess from "node:child_process";
-import { rimraf } from "rimraf";
 import { glob } from "glob";
 import { mkdirp } from "mkdirp";
 
@@ -17,20 +16,6 @@ import type HakEnv from "./hakEnv.js";
 import type { DependencyInfo } from "./dep.js";
 
 export default async function copy(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    if (moduleInfo.cfg.prune) {
-        console.log("Removing " + moduleInfo.cfg.prune + " from " + moduleInfo.moduleOutDir);
-        // rimraf doesn't have a 'cwd' option: it always uses process.cwd()
-        // (and if you set glob.cwd it just breaks because it can't find the files)
-        const oldCwd = process.cwd();
-        try {
-            await mkdirp(moduleInfo.moduleOutDir);
-            process.chdir(moduleInfo.moduleOutDir);
-            await rimraf(moduleInfo.cfg.prune);
-        } finally {
-            process.chdir(oldCwd);
-        }
-    }
-
     if (moduleInfo.cfg.copy) {
         // If there are multiple moduleBuildDirs, singular moduleBuildDir
         // is the same as moduleBuildDirs[0], so we're just listing the contents

scripts/hak/fetchDeps.ts

@@ -1,19 +0,0 @@
-/*
-Copyright 2024 New Vector Ltd.
-Copyright 2020 The Matrix.org Foundation C.I.C.
-
-SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
-Please see LICENSE files in the repository root for full details.
-*/
-
-import { mkdirp } from "mkdirp";
-
-import type { DependencyInfo } from "./dep.js";
-import type HakEnv from "./hakEnv.js";
-
-export default async function fetchDeps(hakEnv: HakEnv, moduleInfo: DependencyInfo): Promise<void> {
-    await mkdirp(moduleInfo.moduleDotHakDir);
-    if (moduleInfo.scripts.fetchDeps) {
-        await moduleInfo.scripts.fetchDeps(hakEnv, moduleInfo);
-    }
-}

scripts/hak/index.ts

@@ -19,7 +19,7 @@ import packageJson from "../../package.json";
 const MODULECOMMANDS = ["check", "fetch", "link", "build", "copy", "clean"];
 
 // Shortcuts for multiple commands at once (useful for building universal binaries
-// because you can run the fetch/fetchDeps/build for each arch and then copy/link once)
+// because you can run the fetch/build for each arch and then copy/link once)
 const METACOMMANDS: Record<string, string[]> = {
     fetchandbuild: ["check", "fetch", "build"],
     copyandlink: ["copy", "link"],

scripts/tsconfig.json

@@ -8,7 +8,7 @@
         "module": "node16",
         "sourceMap": false,
         "strict": true,
-        "lib": ["es2020"]
+        "lib": ["es2021"]
     },
     "include": ["../src/@types", "./**/*.ts"]
 }

src/@types/global.d.ts

@@ -7,30 +7,23 @@ Please see LICENSE files in the repository root for full details.
 
 import { type BrowserWindow } from "electron";
 
-import type Store from "electron-store";
 import type AutoLaunch from "auto-launch";
 import { type AppLocalization } from "../language-helper.js";
 
 // global type extensions need to use var for whatever reason
 /* eslint-disable no-var */
 declare global {
+    type IConfigOptions = Record<string, any>;
+
     var mainWindow: BrowserWindow | null;
     var appQuitting: boolean;
     var appLocalization: AppLocalization;
     var launcher: AutoLaunch;
-    var vectorConfig: Record<string, any>;
+    var vectorConfig: IConfigOptions;
     var trayConfig: {
         // eslint-disable-next-line camelcase
         icon_path: string;
         brand: string;
     };
-    var store: Store<{
-        warnBeforeExit?: boolean;
-        minimizeToTray?: boolean;
-        spellCheckerEnabled?: boolean;
-        autoHideMenuBar?: boolean;
-        locale?: string | string[];
-        disableHardwareAcceleration?: boolean;
-    }>;
 }
 /* eslint-enable no-var */

src/@types/keytar.d.ts

@@ -1,54 +0,0 @@
-// Based on https://github.com/atom/node-keytar/blob/master/keytar.d.ts because keytar is a hak-dependency and not a normal one
-// Definitions by: Milan Burda <https://github.com/miniak>, Brendan Forster <https://github.com/shiftkey>, Hari Juturu <https://github.com/juturu>
-// Adapted from DefinitelyTyped: https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/keytar/index.d.ts
-
-declare module "keytar" {
-    /**
-     * Get the stored password for the service and account.
-     *
-     * @param service The string service name.
-     * @param account The string account name.
-     *
-     * @returns A promise for the password string.
-     */
-    export function getPassword(service: string, account: string): Promise<string | null>;
-
-    /**
-     * Add the password for the service and account to the keychain.
-     *
-     * @param service The string service name.
-     * @param account The string account name.
-     * @param password The string password.
-     *
-     * @returns A promise for the set password completion.
-     */
-    export function setPassword(service: string, account: string, password: string): Promise<void>;
-
-    /**
-     * Delete the stored password for the service and account.
-     *
-     * @param service The string service name.
-     * @param account The string account name.
-     *
-     * @returns A promise for the deletion status. True on success.
-     */
-    export function deletePassword(service: string, account: string): Promise<boolean>;
-
-    /**
-     * Find a password for the service in the keychain.
-     *
-     * @param service The string service name.
-     *
-     * @returns A promise for the password string.
-     */
-    export function findPassword(service: string): Promise<string | null>;
-
-    /**
-     * Find all accounts and passwords for `service` in the keychain.
-     *
-     * @param service The string service name.
-     *
-     * @returns A promise for the array of found credentials.
-     */
-    export function findCredentials(service: string): Promise<Array<{ account: string; password: string }>>;
-}

src/build-config.ts

@@ -0,0 +1,26 @@
+/*
+Copyright 2025 New Vector Ltd.
+
+SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
+Please see LICENSE files in the repository root for full details.
+*/
+
+import path, { dirname } from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { type JsonObject, loadJsonFile } from "./utils.js";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+interface BuildConfig {
+    appId: string;
+    protocol: string;
+}
+
+export function readBuildConfig(): BuildConfig {
+    const packageJson = loadJsonFile(path.join(__dirname, "..", "package.json")) as JsonObject;
+    return {
+        appId: (packageJson["electron_appId"] as string) || "im.riot.app",
+        protocol: (packageJson["electron_protocol"] as string) || "io.element.desktop",
+    };
+}

src/electron-main.ts

@@ -10,31 +10,31 @@ Please see LICENSE files in the repository root for full details.
 
 // Squirrel on windows starts the app with various flags as hooks to tell us when we've been installed/uninstalled etc.
 import "./squirrelhooks.js";
-import { app, BrowserWindow, Menu, autoUpdater, protocol, dialog, type Input, type Event, session } from "electron";
+import { app, BrowserWindow, Menu, autoUpdater, dialog, type Input, type Event, session, protocol } from "electron";
 // eslint-disable-next-line n/file-extension-in-import
 import * as Sentry from "@sentry/electron/main";
 import AutoLaunch from "auto-launch";
 import path, { dirname } from "node:path";
 import windowStateKeeper from "electron-window-state";
-import Store from "electron-store";
 import fs, { promises as afs } from "node:fs";
 import { URL, fileURLToPath } from "node:url";
 import minimist from "minimist";
 
 import "./ipc.js";
-import "./keytar.js";
 import "./seshat.js";
 import "./settings.js";
 import * as tray from "./tray.js";
+import Store from "./store.js";
 import { buildMenuTemplate } from "./vectormenu.js";
 import webContentsHandler from "./webcontents-handler.js";
 import * as updater from "./updater.js";
-import { getProfileFromDeeplink, protocolInit } from "./protocol.js";
+import ProtocolHandler from "./protocol.js";
 import { _t, AppLocalization } from "./language-helper.js";
 import { setDisplayMediaCallback } from "./displayMediaCallback.js";
 import { setupMacosTitleBar } from "./macos-titlebar.js";
-import { loadJsonFile } from "./utils.js";
+import { type Json, loadJsonFile } from "./utils.js";
 import { setupMediaAuth } from "./media-auth.js";
+import { readBuildConfig } from "./build-config.js";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -45,7 +45,12 @@ const argv = minimist(process.argv, {
 if (argv["help"]) {
     console.log("Options:");
     console.log("  --profile-dir {path}: Path to where to store the profile.");
-    console.log("  --profile {name}:     Name of alternate profile to use, allows for running multiple accounts.");
+    console.log(
+        `  --profile {name}:     Name of alternate profile to use, allows for running multiple accounts.\n` +
+            `                         Ignored if --profile-dir is specified.\n` +
+            `                         The ELEMENT_PROFILE_DIR environment variable may be used to change the default profile path.\n` +
+            `                         It is overridden by --profile-dir, but can be combined with --profile.`,
+    );
     console.log("  --devtools:           Install and use react-devtools and react-perf.");
     console.log(
         `  --config:             Path to the config.json file. May also be specified via the ELEMENT_DESKTOP_CONFIG_JSON environment variable.\n` +
@@ -59,6 +64,7 @@ if (argv["help"]) {
 }
 
 const LocalConfigLocation = process.env.ELEMENT_DESKTOP_CONFIG_JSON ?? argv["config"];
+const LocalConfigFilename = "config.json";
 
 // Electron creates the user data directory (with just an empty 'Dictionaries' directory...)
 // as soon as the app path is set, so pick a random path in it that must exist if it's a
@@ -67,16 +73,19 @@ function isRealUserDataDir(d: string): boolean {
     return fs.existsSync(path.join(d, "IndexedDB"));
 }
 
+const buildConfig = readBuildConfig();
+const protocolHandler = new ProtocolHandler(buildConfig.protocol);
+
 // check if we are passed a profile in the SSO callback url
 let userDataPath: string;
 
-const userDataPathInProtocol = getProfileFromDeeplink(argv["_"]);
+const userDataPathInProtocol = protocolHandler.getProfileFromDeeplink(argv["_"]);
 if (userDataPathInProtocol) {
     userDataPath = userDataPathInProtocol;
 } else if (argv["profile-dir"]) {
     userDataPath = argv["profile-dir"];
 } else {
-    let newUserDataPath = app.getPath("userData");
+    let newUserDataPath = process.env.ELEMENT_PROFILE_DIR ?? app.getPath("userData");
     if (argv["profile"]) {
         newUserDataPath += "-" + argv["profile"];
     }
@@ -137,6 +146,17 @@ function getAsarPath(): Promise<string> {
     return asarPathPromise;
 }
 
+function loadLocalConfigFile(): Json {
+    if (LocalConfigLocation) {
+        console.log("Loading local config: " + LocalConfigLocation);
+        return loadJsonFile(LocalConfigLocation);
+    } else {
+        const configDir = app.getPath("userData");
+        console.log(`Loading local config: ${path.join(configDir, LocalConfigFilename)}`);
+        return loadJsonFile(configDir, LocalConfigFilename);
+    }
+}
+
 // Loads the config from asar, and applies a config.json from userData atop if one exists
 // Writes config to `global.vectorConfig`. Does nothing if `global.vectorConfig` is already set.
 async function loadConfig(): Promise<void> {
@@ -145,7 +165,8 @@ async function loadConfig(): Promise<void> {
     const asarPath = await getAsarPath();
 
     try {
-        global.vectorConfig = loadJsonFile(asarPath, "config.json");
+        console.log(`Loading app config: ${path.join(asarPath, LocalConfigFilename)}`);
+        global.vectorConfig = loadJsonFile(asarPath, LocalConfigFilename);
     } catch {
         // it would be nice to check the error code here and bail if the config
         // is unparsable, but we get MODULE_NOT_FOUND in the case of a missing
@@ -156,9 +177,7 @@ async function loadConfig(): Promise<void> {
 
     try {
         // Load local config and use it to override values from the one baked with the build
-        const localConfig = LocalConfigLocation
-            ? loadJsonFile(LocalConfigLocation)
-            : loadJsonFile(app.getPath("userData"), "config.json");
+        const localConfig = loadLocalConfigFile();
 
         // If the local config has a homeserver defined, don't use the homeserver from the build
         // config. This is to avoid a problem where Riot thinks there are multiple homeservers
@@ -258,8 +277,6 @@ async function moveAutoLauncher(): Promise<void> {
     }
 }
 
-global.store = new Store({ name: "electron-config" });
-
 global.appQuitting = false;
 
 const exitShortcuts: Array<(input: Input, platform: string) => boolean> = [
@@ -269,32 +286,6 @@ const exitShortcuts: Array<(input: Input, platform: string) => boolean> = [
         platform === "darwin" && input.meta && !input.control && input.key.toUpperCase() === "Q",
 ];
 
-const warnBeforeExit = (event: Event, input: Input): void => {
-    const shouldWarnBeforeExit = global.store.get("warnBeforeExit", true);
-    const exitShortcutPressed =
-        input.type === "keyDown" && exitShortcuts.some((shortcutFn) => shortcutFn(input, process.platform));
-
-    if (shouldWarnBeforeExit && exitShortcutPressed && global.mainWindow) {
-        const shouldCancelCloseRequest =
-            dialog.showMessageBoxSync(global.mainWindow, {
-                type: "question",
-                buttons: [
-                    _t("action|cancel"),
-                    _t("action|close_brand", {
-                        brand: global.vectorConfig.brand || "Element",
-                    }),
-                ],
-                message: _t("confirm_quit"),
-                defaultId: 1,
-                cancelId: 0,
-            }) === 0;
-
-        if (shouldCancelCloseRequest) {
-            event.preventDefault();
-        }
-    }
-};
-
 void configureSentry();
 
 // handle uncaught errors otherwise it displays
@@ -311,6 +302,11 @@ app.commandLine.appendSwitch("--enable-usermedia-screen-capturing");
 if (!app.commandLine.hasSwitch("enable-features")) {
     app.commandLine.appendSwitch("enable-features", "WebRTCPipeWireCapturer");
 }
+// Workaround bug in electron 36:https://github.com/electron/electron/issues/46538
+// Hopefully this will no longer be needed soon and can be removed
+if (process.platform === "linux") {
+    app.commandLine.appendSwitch("gtk-version", "3");
+}
 
 const gotLock = app.requestSingleInstanceLock();
 if (!gotLock) {
@@ -319,7 +315,7 @@ if (!gotLock) {
 }
 
 // do this after we know we are the primary instance of the app
-protocolInit();
+protocolHandler.initialise(userDataPath);
 
 // Register the scheme the app is served from as 'standard'
 // which allows things like relative URLs and IndexedDB to
@@ -351,13 +347,17 @@ app.enableSandbox();
 // We disable media controls here. We do this because calls use audio and video elements and they sometimes capture the media keys. See https://github.com/vector-im/element-web/issues/15704
 app.commandLine.appendSwitch("disable-features", "HardwareMediaKeyHandling,MediaSessionService");
 
+const store = Store.initialize(argv["storage-mode"]); // must be called before any async actions
+
 // Disable hardware acceleration if the setting has been set.
-if (global.store.get("disableHardwareAcceleration", false) === true) {
+if (store.get("disableHardwareAcceleration")) {
     console.log("Disabling hardware acceleration.");
     app.disableHardwareAcceleration();
 }
 
 app.on("ready", async () => {
+    console.debug("Reached Electron ready state");
+
     let asarPath: string;
 
     try {
@@ -437,8 +437,9 @@ app.on("ready", async () => {
         });
     });
 
-    if (argv["no-update"]) {
-        console.log('Auto update disabled via command line flag "--no-update"');
+    // Minimist parses `--no-`-prefixed arguments as booleans with value `false` rather than verbatim.
+    if (argv["update"] === false) {
+        console.log("Auto update disabled via command line flag");
     } else if (global.vectorConfig["update_base_url"]) {
         console.log(`Starting auto update with base URL: ${global.vectorConfig["update_base_url"]}`);
         void updater.start(global.vectorConfig["update_base_url"]);
@@ -446,12 +447,27 @@ app.on("ready", async () => {
         console.log("No update_base_url is defined: auto update is disabled");
     }
 
+    // Set up i18n before loading storage as we need translations for dialogs
+    global.appLocalization = new AppLocalization({
+        components: [(): void => tray.initApplicationMenu(), (): void => Menu.setApplicationMenu(buildMenuTemplate())],
+        store,
+    });
+
+    try {
+        console.debug("Ensuring storage is ready");
+        await store.safeStorageReady();
+    } catch (e) {
+        console.error(e);
+        app.exit(1);
+    }
+
     // Load the previous window state with fallback to defaults
     const mainWindowState = windowStateKeeper({
         defaultWidth: 1024,
         defaultHeight: 768,
     });
 
+    console.debug("Opening main window");
     const preloadScript = path.normalize(`${__dirname}/preload.cjs`);
     global.mainWindow = new BrowserWindow({
         // https://www.electronjs.org/docs/faq#the-font-looks-blurry-what-is-this-and-what-can-i-do
@@ -462,7 +478,7 @@ app.on("ready", async () => {
 
         icon: global.trayConfig.icon_path,
         show: false,
-        autoHideMenuBar: global.store.get("autoHideMenuBar", true),
+        autoHideMenuBar: store.get("autoHideMenuBar"),
 
         x: mainWindowState.x,
         y: mainWindowState.y,
@@ -484,10 +500,10 @@ app.on("ready", async () => {
 
     // Handle spellchecker
     // For some reason spellCheckerEnabled isn't persisted, so we have to use the store here
-    global.mainWindow.webContents.session.setSpellCheckerEnabled(global.store.get("spellCheckerEnabled", true));
+    global.mainWindow.webContents.session.setSpellCheckerEnabled(store.get("spellCheckerEnabled", true));
 
     // Create trayIcon icon
-    if (global.store.get("minimizeToTray", true)) tray.create(global.trayConfig);
+    if (store.get("minimizeToTray")) tray.create(global.trayConfig);
 
     global.mainWindow.once("ready-to-show", () => {
         if (!global.mainWindow) return;
@@ -501,7 +517,31 @@ app.on("ready", async () => {
         }
     });
 
-    global.mainWindow.webContents.on("before-input-event", warnBeforeExit);
+    global.mainWindow.webContents.on("before-input-event", (event: Event, input: Input): void => {
+        const shouldWarnBeforeExit = store.get("warnBeforeExit", true);
+        const exitShortcutPressed =
+            input.type === "keyDown" && exitShortcuts.some((shortcutFn) => shortcutFn(input, process.platform));
+
+        if (shouldWarnBeforeExit && exitShortcutPressed && global.mainWindow) {
+            const shouldCancelCloseRequest =
+                dialog.showMessageBoxSync(global.mainWindow, {
+                    type: "question",
+                    buttons: [
+                        _t("action|cancel"),
+                        _t("action|close_brand", {
+                            brand: global.vectorConfig.brand || "Element",
+                        }),
+                    ],
+                    message: _t("confirm_quit"),
+                    defaultId: 1,
+                    cancelId: 0,
+                }) === 0;
+
+            if (shouldCancelCloseRequest) {
+                event.preventDefault();
+            }
+        }
+    });
 
     global.mainWindow.on("closed", () => {
         global.mainWindow = null;
@@ -539,11 +579,6 @@ app.on("ready", async () => {
 
     webContentsHandler(global.mainWindow.webContents);
 
-    global.appLocalization = new AppLocalization({
-        store: global.store,
-        components: [(): void => tray.initApplicationMenu(), (): void => Menu.setApplicationMenu(buildMenuTemplate())],
-    });
-
     session.defaultSession.setDisplayMediaRequestHandler((_, callback) => {
         global.mainWindow?.webContents.send("openDesktopCapturerSourcePicker");
         setDisplayMediaCallback(callback);
@@ -580,8 +615,9 @@ app.on("second-instance", (ev, commandLine, workingDirectory) => {
     }
 });
 
-// Set the App User Model ID to match what the squirrel
-// installer uses for the shortcut icon.
-// This makes notifications work on windows 8.1 (and is
-// a noop on other platforms).
-app.setAppUserModelId("com.squirrel.element-desktop.Element");
+// This is required to make notification handlers work
+// on Windows 8.1/10/11 (and is a noop on other platforms);
+// It must also match the ID found in 'electron-builder'
+// in order to get the title and icon to show up correctly.
+// Ref: https://stackoverflow.com/a/77314604/3525780
+app.setAppUserModelId(buildConfig.appId);

src/i18n/strings/cs.json

@@ -22,7 +22,9 @@
         "about": "O",
         "brand_help": "%(brand)s nápověda",
         "help": "Nápověda",
-        "preferences": "Předvolby"
+        "no": "Ne",
+        "preferences": "Předvolby",
+        "yes": "Ano"
     },
     "confirm_quit": "Opravdu chcete ukončit aplikaci?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "Obrázek se nepodařilo uložit",
         "save_image_as_error_title": "Chyba při ukládání obrázku"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Vymazat data a znovu načíst?",
+            "backend_changed_detail": "Nelze získat přístup k tajnému klíči ze systémové klíčenky, zdá se, že se změnil.",
+            "backend_changed_title": "Nepodařilo se načíst databázi",
+            "unknown_backend_override": "Váš systém má nepodporovanou klíčenku, což znamená, že databázi nelze otevřít.",
+            "unknown_backend_override_details": "Další podrobnosti naleznete v protokolech.",
+            "unknown_backend_override_title": "Nepodařilo se načíst databázi",
+            "unsupported_keyring": "Váš systém má nepodporovanou klíčenku, což znamená, že databázi nelze otevřít.",
+            "unsupported_keyring_cta": "Používat slabší šifrování",
+            "unsupported_keyring_detail": "Detekce klíčenky Electronu nenalezla podporovaný backend. Můžete se pokusit ručně nakonfigurovat backend spuštěním %(brand)s s argumentem příkazového řádku, jednorázovou operací. Viz %(link)s.",
+            "unsupported_keyring_title": "Systém není podporován"
+        }
+    },
     "view_menu": {
         "actual_size": "Aktuální velikost",
         "toggle_developer_tools": "Přepnout zobrazení nástrojů pro vývojáře",

src/i18n/strings/cy.json

@@ -0,0 +1,79 @@
+{
+    "action": {
+        "cancel": "Diddymu",
+        "close": "Cau",
+        "close_brand": "Cau %(brand)s",
+        "copy": "Copïo",
+        "cut": "Torri",
+        "delete": "Dileu",
+        "edit": "Golygu",
+        "minimise": "Lleihau",
+        "paste": "Gludo",
+        "paste_match_style": "Arddull Gludo a Chyfateb",
+        "quit": "Gadael",
+        "redo": "Ail-wneud",
+        "select_all": "Dewis y Cyfan",
+        "show_hide": "Dangos/Cuddio",
+        "undo": "Dadwneud",
+        "zoom_in": "Chwyddo i Mewn",
+        "zoom_out": "Chwyddo Allan"
+    },
+    "common": {
+        "about": "Ynghylch",
+        "brand_help": "Cymorth %(brand)s",
+        "help": "Cymorth",
+        "no": "Na",
+        "preferences": "Dewisiadau",
+        "yes": "Iawn"
+    },
+    "confirm_quit": "Ydych chi'n siŵr eich bod am roi'r gorau iddi?",
+    "edit_menu": {
+        "speech": "Lleferydd",
+        "speech_start_speaking": "Cychwyn Llefaru",
+        "speech_stop_speaking": "Peidio Llefaru"
+    },
+    "file_menu": {
+        "label": "Ffeil"
+    },
+    "menu": {
+        "hide": "Cuddio",
+        "hide_others": "Cuddio'r Gweddill",
+        "services": "Gwasanaethau",
+        "unhide": "Datguddio"
+    },
+    "right_click_menu": {
+        "add_to_dictionary": "Ychwanegu at y geiriadur",
+        "copy_email": "Copïo cyfeiriad e-bost",
+        "copy_image": "Copïo delwedd",
+        "copy_image_url": "Copïo cyfeiriad delwedd",
+        "copy_link_url": "Copïo cyfeiriad y ddolen",
+        "save_image_as": "Cadw delwedd fel...",
+        "save_image_as_error_description": "Methodd cadw'r ddelwedd",
+        "save_image_as_error_title": "Methodd cadw'r ddelwedd"
+    },
+    "store": {
+        "error": {
+            "backend_changed": "Clirio data ac ail-lwytho?",
+            "backend_changed_detail": "Methu cael mynediad at y gyfrinach o allweddi'r system, mae'n ymddangos ei fod wedi newid.",
+            "backend_changed_title": "Methwyd llwytho'r gronfa ddata",
+            "unknown_backend_override": "Mae gan eich system allweddell nad yw'n cael ei chefnogi sy'n golygu na ellir agor y gronfa ddata.",
+            "unknown_backend_override_details": "Gwiriwch y logiau am fwy o fanylion.",
+            "unknown_backend_override_title": "Methwyd llwytho'r gronfa ddata",
+            "unsupported_keyring": "Mae gan eich system allweddell nad yw'n cael ei chefnogi sy'n golygu nad oes modd agor y gronfa ddata.",
+            "unsupported_keyring_cta": "Defnyddiwch amgryptio gwannach",
+            "unsupported_keyring_detail": "Heb ganfod allweddell Electron gefn. Gallwch geisio ffurfweddu'r gefn â llaw trwy gychwyn %(brand)s gyda dadl llinell orchymyn, gweithrediad untro. Gweler %(link)s.",
+            "unsupported_keyring_title": "System heb ei chefnogi"
+        }
+    },
+    "view_menu": {
+        "actual_size": "Maint Gwirioneddol",
+        "toggle_developer_tools": "Toglo Offer Datblygwyr",
+        "toggle_full_screen": "Toglo Sgrin Lawn",
+        "view": "Golwg"
+    },
+    "window_menu": {
+        "bring_all_to_front": "Popeth i'r Blaen",
+        "label": "Ffenestr",
+        "zoom": "Chwyddo"
+    }
+}

src/i18n/strings/de_DE.json

@@ -22,7 +22,9 @@
         "about": "Über",
         "brand_help": "%(brand)s Hilfe",
         "help": "Hilfe",
-        "preferences": "Präferenzen"
+        "no": "Nein",
+        "preferences": "Präferenzen",
+        "yes": "Ja"
     },
     "confirm_quit": "Wirklich beenden?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "Das Bild konnte nicht gespeichert werden",
         "save_image_as_error_title": "Bild kann nicht gespeichert werden"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Daten löschen und neu laden?",
+            "backend_changed_detail": "Zugriff auf Schlüssel im Systemschlüsselbund nicht möglich, er scheint sich geändert zu haben.",
+            "backend_changed_title": "Datenbank konnte nicht geladen werden",
+            "unknown_backend_override": "Der Schlüsselbund ihres Systems wird nicht unterstützt, wodurch die Datenbank nicht geöffnet werden kann.",
+            "unknown_backend_override_details": "Weitere Informationen finden Sie in den Protokollen.",
+            "unknown_backend_override_title": "Die Datenbank konnte nicht geladen werden",
+            "unsupported_keyring": "Der Schlüsselbund ihres Systems wird nicht unterstützt, wodurch die Datenbank nicht geöffnet werden kann.",
+            "unsupported_keyring_cta": "Schwächere Verschlüsselung verwenden",
+            "unsupported_keyring_detail": "Die Schlüsselbunderkennung von Electron hat kein unterstütztes Backend gefunden. Möglicherweise können sie dennoch den ihres Systemes verwenden. Infos unter %(link)s.",
+            "unsupported_keyring_title": "System nicht unterstützt"
+        }
+    },
     "view_menu": {
         "actual_size": "Tatsächliche Größe",
         "toggle_developer_tools": "Developer-Tools an/aus",

src/i18n/strings/en_EN.json

@@ -22,7 +22,9 @@
         "about": "About",
         "brand_help": "%(brand)s Help",
         "help": "Help",
-        "preferences": "Preferences"
+        "no": "No",
+        "preferences": "Preferences",
+        "yes": "Yes"
     },
     "confirm_quit": "Are you sure you want to quit?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "The image failed to save",
         "save_image_as_error_title": "Failed to save image"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Clear data and reload?",
+            "backend_changed_detail": "Unable to access secret from system keyring, it appears to have changed.",
+            "backend_changed_title": "Failed to load database",
+            "unknown_backend_override": "Your system has an unsupported keyring meaning the database cannot be opened.",
+            "unknown_backend_override_details": "Please check the logs for more details.",
+            "unknown_backend_override_title": "Failed to load database",
+            "unsupported_keyring": "Your system has an unsupported keyring meaning the database cannot be opened.",
+            "unsupported_keyring_cta": "Use weaker encryption",
+            "unsupported_keyring_detail": "Electron's keyring detection did not find a supported backend. You can attempt to manually configure the backend by starting %(brand)s with a command-line argument, a one-time operation. See %(link)s.",
+            "unsupported_keyring_title": "System unsupported"
+        }
+    },
     "view_menu": {
         "actual_size": "Actual Size",
         "toggle_developer_tools": "Toggle Developer Tools",

src/i18n/strings/et.json

@@ -22,7 +22,9 @@
         "about": "Rakenduse teave",
         "brand_help": "%(brand)s abiteave",
         "help": "Abiteave",
-        "preferences": "Eelistused"
+        "no": "Ei",
+        "preferences": "Eelistused",
+        "yes": "Jah"
     },
     "confirm_quit": "Kas sa kindlasti soovid rakendusest väljuda?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "Seda pilti ei õnnestunud salvestada",
         "save_image_as_error_title": "Pildi salvestamine ei õnnestunud"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Kas kustutame andmed ja laadime uuesti?",
+            "backend_changed_detail": "Süsteemsest võtmerõngast ei õnnestu laadida vajalikku saladust, tundub et ta on muutunud.",
+            "backend_changed_title": "Andmebaasi ei õnnestunud laadida",
+            "unknown_backend_override": "Sinu süsteemis on kasutusel mittetoetatud võtmerõnga versioon ning see tähendab, et andmebaasi ei saa avada.",
+            "unknown_backend_override_details": "Lisateavet leiad logidest.",
+            "unknown_backend_override_title": "Andmebaasi ei õnnestunud laadida",
+            "unsupported_keyring": "Sinu süsteemis on kasutusel mittetoetatud võtmerõnga versioon ning see tähendab, et andmebaasi ei saa avada.",
+            "unsupported_keyring_cta": "Kasuta nõrgemat krüptimist",
+            "unsupported_keyring_detail": "Electroni võtmerõnga tuvastamine ei leidnud toetatud taustateenust. Kui käivitad rakenduse %(brand)s käsurealt õigete argumentidega, siis võib taustateenuse käsitsi seadistamine õnnestuda ning seda tegevust peaksid vaid üks kord tegema. Lisateave: %(link)s.",
+            "unsupported_keyring_title": "Süsteem pole toetatud"
+        }
+    },
     "view_menu": {
         "actual_size": "Näita tavasuuruses",
         "toggle_developer_tools": "Arendaja töövahendid sisse/välja",

src/i18n/strings/fi.json

@@ -22,7 +22,9 @@
         "about": "Tietoa",
         "brand_help": "%(brand)s-tuki",
         "help": "Ohje",
-        "preferences": "Valinnat"
+        "no": "Ei",
+        "preferences": "Valinnat",
+        "yes": "Kyllä"
     },
     "confirm_quit": "Haluatko varmasti poistua?",
     "edit_menu": {
@@ -49,6 +51,15 @@
         "save_image_as_error_description": "Kuvan tallennus epäonnistui",
         "save_image_as_error_title": "Kuvan tallennus epäonnistui"
     },
+    "store": {
+        "error": {
+            "backend_changed_title": "Tietokannan lataaminen epäonnistui",
+            "unknown_backend_override_details": "Katso tarkemmat tiedot lokeista.",
+            "unknown_backend_override_title": "Tietokannan lataaminen epäonnistui",
+            "unsupported_keyring_cta": "Käytä heikompaa salausta",
+            "unsupported_keyring_title": "Järjestelmä ei ole tuettu"
+        }
+    },
     "view_menu": {
         "actual_size": "Alkuperäinen koko",
         "toggle_developer_tools": "Näytä tai piilota kehittäjätyökalut",

src/i18n/strings/fr.json

@@ -22,7 +22,9 @@
         "about": "À propos",
         "brand_help": "Aide de %(brand)s",
         "help": "Aide",
-        "preferences": "Préférences"
+        "no": "Non",
+        "preferences": "Préférences",
+        "yes": "Oui"
     },
     "confirm_quit": "Êtes-vous sûr de vouloir quitter ?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "L’image n’a pas pu être sauvegardée",
         "save_image_as_error_title": "Échec de la sauvegarde de l’image"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Effacer les données et recharger ?",
+            "backend_changed_detail": "Impossible d'accéder aux secrets depuis le trousseau de clés du système, il semble avoir changé.",
+            "backend_changed_title": "Impossible de charger la base de données",
+            "unknown_backend_override": "Votre système possède un trousseau de clés non pris en charge, ce qui signifie que la base de données ne peut pas être ouverte.",
+            "unknown_backend_override_details": "Veuillez consulter les journaux pour plus de détails.",
+            "unknown_backend_override_title": "Impossible de charger la base de données",
+            "unsupported_keyring": "Votre système possède un trousseau de clés non pris en charge, la base de données ne peut pas être ouverte.",
+            "unsupported_keyring_cta": "Utiliser un chiffrement plus faible",
+            "unsupported_keyring_detail": "La détection du porte-clés par Electron n'a pas permis de trouver de backend compatible. Vous pouvez essayer de configurer manuellement le backend en utilisant %(brand)s avec un argument de ligne de commande. Cette opération doit être effectuer une seule fois. Voir%(link)s.",
+            "unsupported_keyring_title": "Système non pris en charge"
+        }
+    },
     "view_menu": {
         "actual_size": "Taille réelle",
         "toggle_developer_tools": "Basculer les outils de développement",

src/i18n/strings/hu.json

@@ -2,7 +2,7 @@
     "action": {
         "cancel": "Mégse",
         "close": "Bezárás",
-        "close_brand": "%(brand)s bezárása",
+        "close_brand": "Az %(brand)s bezárása",
         "copy": "Másolás",
         "cut": "Kivágás",
         "delete": "Törlés",
@@ -22,7 +22,9 @@
         "about": "Névjegy",
         "brand_help": "%(brand)s Súgó",
         "help": "Súgó",
-        "preferences": "Beállítások"
+        "no": "Nem",
+        "preferences": "Beállítások",
+        "yes": "Igen"
     },
     "confirm_quit": "Biztos, hogy kilép?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "A kép mentése sikertelen",
         "save_image_as_error_title": "Kép mentése sikertelen"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Adatok törlése és újratöltés?",
+            "backend_changed_detail": "Nem sikerült hozzáférni a rendszerkulcstartó titkos kódjához, úgy tűnik, megváltozott.",
+            "backend_changed_title": "Nem sikerült betölteni az adatbázist",
+            "unknown_backend_override": "A rendszer nem támogatott kulcstartóval rendelkezik, ami azt jelenti, hogy az adatbázis nem nyitható meg.",
+            "unknown_backend_override_details": "További részletekért ellenőrizze a naplókat.",
+            "unknown_backend_override_title": "Nem sikerült betölteni az adatbázist",
+            "unsupported_keyring": "A rendszer nem támogatott kulcstartóval rendelkezik, ami azt jelenti, hogy az adatbázis nem nyitható meg.",
+            "unsupported_keyring_cta": "Gyengébb titkosítás használata",
+            "unsupported_keyring_detail": "Az Electron kulcstartóészlelése nem talált támogatott háttérrendszert. Megpróbálhatja kézileg beállítani a háttérrendszert az %(brand)s egyszeri, parancssori argumentummal való indításával. Lásd: %(link)s.",
+            "unsupported_keyring_title": "A rendszer nem támogatott"
+        }
+    },
     "view_menu": {
         "actual_size": "Jelenlegi méret",
         "toggle_developer_tools": "Fejlesztői eszközök",
@@ -56,7 +72,7 @@
         "view": "Megtekintés"
     },
     "window_menu": {
-        "bring_all_to_front": "Mindent előtérbe hoz",
+        "bring_all_to_front": "Minden előtérbe hozása",
         "label": "Ablak",
         "zoom": "Nagyítás"
     }

src/i18n/strings/id.json

@@ -22,7 +22,9 @@
         "about": "Tentang",
         "brand_help": "Bantuan %(brand)s",
         "help": "Bantuan",
-        "preferences": "Preferensi"
+        "no": "Tidak",
+        "preferences": "Preferensi",
+        "yes": "Ya"
     },
     "confirm_quit": "Apakah Anda yakin ingin keluar?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "Gambar gagal disimpan",
         "save_image_as_error_title": "Gagal menyimpan gambar"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Hapus data dan muat ulang?",
+            "backend_changed_detail": "Tidak dapat mengakses rahasia dari keyring sistem, tampaknya telah berubah.",
+            "backend_changed_title": "Gagal memuat basis data",
+            "unknown_backend_override": "Sistem Anda memiliki keyring yang tidak didukung yang berarti basis data tidak dapat dibuka.",
+            "unknown_backend_override_details": "Silakan periksa log untuk detail lebih lanjut.",
+            "unknown_backend_override_title": "Gagal memuat basis data",
+            "unsupported_keyring": "Sistem Anda memiliki keyring yang tidak didukung yang berarti basis data tidak dapat dibuka.",
+            "unsupported_keyring_cta": "Gunakan enkripsi yang lebih lemah",
+            "unsupported_keyring_detail": "Deteksi keyring Electron tidak menemukan backend yang didukung. Anda dapat mencoba mengonfigurasi backend secara manual dengan memulai %(brand)s dengan argumen baris perintah, operasi satu kali. Lihat %(link)s.",
+            "unsupported_keyring_title": "Sistem tidak didukung"
+        }
+    },
     "view_menu": {
         "actual_size": "Ukuran Sebenarnya",
         "toggle_developer_tools": "Beralih Alat Pengembang",

src/i18n/strings/ka.json

@@ -0,0 +1,63 @@
+{
+    "action": {
+        "cancel": "გაუქმება",
+        "close": "დახურვა",
+        "close_brand": "დახურვა %(brand)s",
+        "copy": "კოპირება",
+        "cut": "მოჭრა",
+        "delete": "წაშალეთ",
+        "edit": "რედაქტირება",
+        "minimise": "შეამცირეთ",
+        "paste": "პასტა",
+        "paste_match_style": "ჩასვით და მატჩის სტილი",
+        "quit": "თავი დაანებე",
+        "redo": "რედო",
+        "select_all": "აირჩიეთ ყველა",
+        "show_hide": "ჩვენება/დამალვა",
+        "undo": "გაუქმება",
+        "zoom_in": "გაზარდოთ",
+        "zoom_out": "გაფართოება"
+    },
+    "common": {
+        "about": "შესახებ",
+        "brand_help": "%(brand)sდახმარება",
+        "help": "დახმარება",
+        "preferences": "პრეფერენციები"
+    },
+    "confirm_quit": "დარწმუნებული ხართ, რომ გსურთ დატოვება?",
+    "edit_menu": {
+        "speech": "გამოსვლა",
+        "speech_start_speaking": "დაიწყეთ საუბარი",
+        "speech_stop_speaking": "შეწყვიტე ლაპარ"
+    },
+    "file_menu": {
+        "label": "ფაილი"
+    },
+    "menu": {
+        "hide": "დამალვა",
+        "hide_others": "სხვების დამალვა",
+        "services": "მომსახურება",
+        "unhide": "გამოხატე"
+    },
+    "right_click_menu": {
+        "add_to_dictionary": "ლექსიკონში დამატება",
+        "copy_email": "ელ. ფოსტის მისამართის",
+        "copy_image": "სურათის დაკოპირება",
+        "copy_image_url": "გამოსახულების მისამართის კოპირ",
+        "copy_link_url": "ბმულის მისამართის კოპირება",
+        "save_image_as": "შეინახეთ სურათი როგორც...",
+        "save_image_as_error_description": "სურათის შენახვა ვერ შეძლო",
+        "save_image_as_error_title": "სურათის შენახვა ვერ შეძლ"
+    },
+    "view_menu": {
+        "actual_size": "რეალური ზომა",
+        "toggle_developer_tools": "დეველოპერის ინსტრუმენტების",
+        "toggle_full_screen": "სრული ეკრანის გადართვა",
+        "view": "ნახვა"
+    },
+    "window_menu": {
+        "bring_all_to_front": "ყველაფერი წინ წამოიყვანეთ",
+        "label": "ფანჯარა",
+        "zoom": "გაზუსტება"
+    }
+}

src/i18n/strings/lv.json

@@ -0,0 +1,63 @@
+{
+    "action": {
+        "cancel": "Atcelt",
+        "close": "Aizvērt",
+        "close_brand": "Aizvērt %(brand)s",
+        "copy": "Kopēt",
+        "cut": "Izgriezt",
+        "delete": "Dzēst",
+        "edit": "Labot",
+        "minimise": "Samazināt",
+        "paste": "Ielīmēt",
+        "paste_match_style": "Ielīmēt un pielāgot stilu",
+        "quit": "Iziet",
+        "redo": "Atatsaukt",
+        "select_all": "Atzīmēt visu",
+        "show_hide": "Parādīt/paslēpt",
+        "undo": "Atsaukt",
+        "zoom_in": "Tuvināt",
+        "zoom_out": "Tālināt"
+    },
+    "common": {
+        "about": "Par",
+        "brand_help": "%(brand)s palīdzība",
+        "help": "Palīdzība",
+        "preferences": "Iestatījumi"
+    },
+    "confirm_quit": "Vai tiešām iziet?",
+    "edit_menu": {
+        "speech": "Runa",
+        "speech_start_speaking": "Uzsākt runāšanu",
+        "speech_stop_speaking": "Pārtraukt runāšanu"
+    },
+    "file_menu": {
+        "label": "Datne"
+    },
+    "menu": {
+        "hide": "Paslēpt",
+        "hide_others": "Paslēpt citus",
+        "services": "Pakalpojumi",
+        "unhide": "Rādīt"
+    },
+    "right_click_menu": {
+        "add_to_dictionary": "Pievienot vārdnīcai",
+        "copy_email": "Ievietot e-pasta adresi starpliktuvē",
+        "copy_image": "Ievietot attēlu starpliktuvē",
+        "copy_image_url": "Ievietot attēla adresi starpliktuvē",
+        "copy_link_url": "Ievietot saites adresi starpliktuvē",
+        "save_image_as": "Saglabāt attēlu kā...",
+        "save_image_as_error_description": "Attēlu neizdevās saglabāt",
+        "save_image_as_error_title": "Neizdevās saglabāt attēlu"
+    },
+    "view_menu": {
+        "actual_size": "Īstais izmērs",
+        "toggle_developer_tools": "Pārslēgt izstrādātāja rīkus",
+        "toggle_full_screen": "Pārslēgt pilnekrānu",
+        "view": "Skats"
+    },
+    "window_menu": {
+        "bring_all_to_front": "Iznest visu priekšplānā",
+        "label": "Logs",
+        "zoom": "Tālummaiņa"
+    }
+}

src/i18n/strings/mg_MG.json

@@ -0,0 +1,63 @@
+{
+    "action": {
+        "cancel": "Hanafoana",
+        "close": "Akatona",
+        "close_brand": "Anakatona%(brand)s",
+        "copy": "Dika Mitovy",
+        "cut": "Tapaina",
+        "delete": "Fafaina",
+        "edit": "Anova",
+        "minimise": "Manamaivana",
+        "paste": "Koba",
+        "paste_match_style": "Mametaka sy Mampifanandrify ny fomba",
+        "quit": "Mialà",
+        "redo": "Averina atao",
+        "select_all": "Isafidy ny rehetra",
+        "show_hide": "Aneho/Anafina",
+        "undo": "Ravao",
+        "zoom_in": "Angedao",
+        "zoom_out": "Hahelezo"
+    },
+    "common": {
+        "about": "Mombamomba",
+        "brand_help": "%(marques)Fanampiana",
+        "help": "Fanampiana",
+        "preferences": "Safidy manokana"
+    },
+    "confirm_quit": "Azo Antoka ve fa tena hiala ianao",
+    "edit_menu": {
+        "speech": "Fitenenana",
+        "speech_start_speaking": "Atomboy ny resaka/Manomboha fitenenena",
+        "speech_stop_speaking": "Atsaharo ny fitenenana"
+    },
+    "file_menu": {
+        "label": "Manapetraka/apetrao"
+    },
+    "menu": {
+        "hide": "Afeno",
+        "hide_others": "Afeno ny hafa",
+        "services": "Tolotra",
+        "unhide": "Asehoy"
+    },
+    "right_click_menu": {
+        "add_to_dictionary": "Ampio ao amin'ny rakibolana",
+        "copy_email": "Adikao ny adiresy imailaka",
+        "copy_image": "Andika ny sary",
+        "copy_image_url": "Adikao ny adiresin'ny sary",
+        "copy_link_url": "Adikao ny adiresy rohy",
+        "save_image_as": "Hitahiry ny sary ho",
+        "save_image_as_error_description": "Tsy voatahiry ilay sary",
+        "save_image_as_error_title": "Tsy nahahomby ny fitahirizana an'ilay sary"
+    },
+    "view_menu": {
+        "actual_size": "Habe Ankehitriny",
+        "toggle_developer_tools": "Amadika fitaovana fampandrosoana",
+        "toggle_full_screen": "Hamadika amin'ny efijery feno",
+        "view": "Hijery"
+    },
+    "window_menu": {
+        "bring_all_to_front": "Ataovy aloha ny zava-drehetra",
+        "label": "Varavarankely",
+        "zoom": "Anakaiky fahitana"
+    }
+}

src/i18n/strings/nb_NO.json

@@ -0,0 +1,79 @@
+{
+    "action": {
+        "cancel": "Avbryt",
+        "close": "Lukk",
+        "close_brand": "Avslutt %(brand)s",
+        "copy": "Kopier",
+        "cut": "Klipp",
+        "delete": "Slett",
+        "edit": "Rediger",
+        "minimise": "Minimere",
+        "paste": "Lim inn",
+        "paste_match_style": "Lim inn og match stil",
+        "quit": "Avslutt",
+        "redo": "Gjør om",
+        "select_all": "Velg alle",
+        "show_hide": "Vis/Skjul",
+        "undo": "Angre",
+        "zoom_in": "Zoom inn",
+        "zoom_out": "Zoom ut"
+    },
+    "common": {
+        "about": "Om",
+        "brand_help": "%(brand)s Hjelp",
+        "help": "Hjelp",
+        "no": "Nei",
+        "preferences": "Brukervalg",
+        "yes": "Ja"
+    },
+    "confirm_quit": "Er du sikker på at du vil slutte?",
+    "edit_menu": {
+        "speech": "Tale",
+        "speech_start_speaking": "Begynn å snakke",
+        "speech_stop_speaking": "Slutt å snakke"
+    },
+    "file_menu": {
+        "label": "Fil"
+    },
+    "menu": {
+        "hide": "Skjul",
+        "hide_others": "Skjul andre",
+        "services": "Tjenester",
+        "unhide": "Slutt å skjule"
+    },
+    "right_click_menu": {
+        "add_to_dictionary": "Legg til i ordbok",
+        "copy_email": "Kopier e-postadressen",
+        "copy_image": "Kopier bildet",
+        "copy_image_url": "Kopier bildeadresse",
+        "copy_link_url": "Kopier link adresse",
+        "save_image_as": "Lagre bildet som...",
+        "save_image_as_error_description": "Bildet kunne ikke lagres",
+        "save_image_as_error_title": "Kunne ikke lagre bildet"
+    },
+    "store": {
+        "error": {
+            "backend_changed": "Tøm data og last inn på nytt?",
+            "backend_changed_detail": "Kan ikke få tilgang til hemmeligheten fra systemnøkkelringen, den ser ut til å ha blitt endret.",
+            "backend_changed_title": "Kunne ikke laste inn databasen",
+            "unknown_backend_override": "Systemet ditt har en nøkkelring som ikke støttes, noe som betyr at databasen ikke kan åpnes.",
+            "unknown_backend_override_details": "Vennligst sjekk loggene for mer informasjon.",
+            "unknown_backend_override_title": "Kunne ikke laste inn databasen",
+            "unsupported_keyring": "Systemet ditt har en nøkkelring som ikke støttes, noe som betyr at databasen ikke kan åpnes.",
+            "unsupported_keyring_cta": "Bruk svakere kryptering",
+            "unsupported_keyring_detail": "Electrons nøkkelringdeteksjon fant ikke en støttet backend. Du kan prøve å konfigurere backend manuelt ved å starte %(brand)s med et kommandolinjeargument, en engangsoperasjon. Se%(link)s.",
+            "unsupported_keyring_title": "Systemet støttes ikke"
+        }
+    },
+    "view_menu": {
+        "actual_size": "Faktisk størrelse",
+        "toggle_developer_tools": "Veksle Utvikleralternativer",
+        "toggle_full_screen": "Veksle Fullskjerm",
+        "view": "Vis"
+    },
+    "window_menu": {
+        "bring_all_to_front": "Flytt Alt Frem",
+        "label": "Vindu",
+        "zoom": "Forstørr"
+    }
+}

src/i18n/strings/pl.json

@@ -22,7 +22,9 @@
         "about": "Informacje",
         "brand_help": "Pomoc %(brand)s",
         "help": "Pomoc",
-        "preferences": "Preferencje"
+        "no": "Nie",
+        "preferences": "Preferencje",
+        "yes": "Tak"
     },
     "confirm_quit": "Czy na pewno chcesz zamknąć?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "Obraz nie został zapisany",
         "save_image_as_error_title": "Nie udało się zapisać obrazu"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Wyczyścić dane i przeładować?",
+            "backend_changed_detail": "Nie można uzyskać dostępu do sekretnego magazynu, wygląda na to, że uległ zmianie.",
+            "backend_changed_title": "Nie udało się załadować bazy danych",
+            "unknown_backend_override": "System zawiera niewspierany keyring, nie można otworzyć bazy danych.",
+            "unknown_backend_override_details": "Sprawdź dziennik, aby uzyskać więcej informacji.",
+            "unknown_backend_override_title": "Nie udało się załadować bazy danych",
+            "unsupported_keyring": "System zawiera niewspierany keyring, nie można otworzyć bazy danych.",
+            "unsupported_keyring_cta": "Użyj słabszego szyfrowania",
+            "unsupported_keyring_detail": "Wykrywanie keyringu Electron nie znalazł wspieranego backendu. Możesz spróbować ręcznie ustawić backed, uruchamiając %(brand)s za pomocą wiesza poleceń. Zobacz %(link)s.",
+            "unsupported_keyring_title": "System niewspierany"
+        }
+    },
     "view_menu": {
         "actual_size": "Rozmiar rzeczywisty",
         "toggle_developer_tools": "Przełącz narzędzia deweloperskie",

src/i18n/strings/pt_BR.json

@@ -20,8 +20,11 @@
     },
     "common": {
         "about": "Sobre",
+        "brand_help": "%(brand)s Ajuda",
         "help": "Ajuda",
-        "preferences": "Preferências"
+        "no": "Não",
+        "preferences": "Preferências",
+        "yes": "Sim"
     },
     "confirm_quit": "Você tem certeza que você quer sair?",
     "edit_menu": {
@@ -48,6 +51,20 @@
         "save_image_as_error_description": "A imagem falhou para salvar",
         "save_image_as_error_title": "Falha para salvar imagem"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Limpar dados e recarregar?",
+            "backend_changed_detail": "Não foi possível acessar o segredo no cofre do sistema, parece que ele foi alterado.",
+            "backend_changed_title": "Falha ao carregar o banco de dados",
+            "unknown_backend_override": "Seu sistema possui um cofre não compatível, o que impede a abertura do banco de dados.",
+            "unknown_backend_override_details": "Verifique os logs para obter mais detalhes.",
+            "unknown_backend_override_title": "Falha ao carregar o banco de dados",
+            "unsupported_keyring": "Seu sistema possui um cofre não compatível, o que impede a abertura do banco de dados.",
+            "unsupported_keyring_cta": "Use criptografia mais fraca",
+            "unsupported_keyring_detail": "A detecção de chaveiro do Electron não encontrou um backend compatível. Você pode tentar configurar manualmente o backend iniciando %(brand)s com um argumento de linha de comando, uma operação única. Consulte %(link)s.",
+            "unsupported_keyring_title": "Sistema não suportado"
+        }
+    },
     "view_menu": {
         "actual_size": "Tamanho de Verdade",
         "toggle_developer_tools": "Ativar/Desativar Ferramentas de Desenvolvimento",
@@ -56,6 +73,7 @@
     },
     "window_menu": {
         "bring_all_to_front": "Trazer Todas Para Frente",
-        "label": "Janela"
+        "label": "Janela",
+        "zoom": "Zoom"
     }
 }

src/i18n/strings/sk.json

@@ -22,7 +22,9 @@
         "about": "Informácie",
         "brand_help": "%(brand)s Pomoc",
         "help": "Pomocník",
-        "preferences": "Predvoľby"
+        "no": "Nie",
+        "preferences": "Predvoľby",
+        "yes": "Áno"
     },
     "confirm_quit": "Naozaj chcete zavrieť aplikáciu?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "Obrázok sa nepodarilo uložiť",
         "save_image_as_error_title": "Chyba pri ukladaní obrázka"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Vymazať údaje a znova načítať?",
+            "backend_changed_detail": "Nepodarilo sa získať prístup k tajnému kľúču zo systémového zväzku kľúčov, zdá sa, že sa zmenil.",
+            "backend_changed_title": "Nepodarilo sa načítať databázu",
+            "unknown_backend_override": "Váš systém má nepodporovaný zväzok kľúčov, čo znamená, že databázu nemožno otvoriť.",
+            "unknown_backend_override_details": "Pre viac informácií si pozrite protokoly.",
+            "unknown_backend_override_title": "Nepodarilo sa načítať databázu",
+            "unsupported_keyring": "Váš systém má nepodporovaný zväzok kľúčov, čo znamená, že databázu nemožno otvoriť.",
+            "unsupported_keyring_cta": "Použiť slabšie šifrovanie",
+            "unsupported_keyring_detail": "Detekcia zväzku kľúčov aplikácie Electron nenašla podporovaný backend. Môžete sa pokúsiť manuálne nastaviť backend spustením aplikácie %(brand)s s argumentom príkazového riadka, je to jednorazová operácia. Pozrite si %(link)s .",
+            "unsupported_keyring_title": "Systém nie je podporovaný"
+        }
+    },
     "view_menu": {
         "actual_size": "Aktuálna veľkosť",
         "toggle_developer_tools": "Nástroje pre vývojárov",

src/i18n/strings/tr.json

@@ -0,0 +1,63 @@
+{
+    "action": {
+        "cancel": "İptal",
+        "close": "Kapat",
+        "close_brand": "Kapat %(brand)s",
+        "copy": "Kopyala",
+        "cut": "Kes",
+        "delete": "Sil",
+        "edit": "Düzenle",
+        "minimise": "Küçült",
+        "paste": "Yapıştır",
+        "paste_match_style": "Stili Yapıştır ve Eşleştir",
+        "quit": "Çık",
+        "redo": "Yeniden yap",
+        "select_all": "Tümünü seç",
+        "show_hide": "Göster/Gizle",
+        "undo": "Geri al",
+        "zoom_in": "Yakınlaştır",
+        "zoom_out": "Uzaklaştır"
+    },
+    "common": {
+        "about": "Hakkında",
+        "brand_help": "%(brand)s Yardım",
+        "help": "Yardım",
+        "preferences": "Tercihler"
+    },
+    "confirm_quit": "Çıkmak istediğinizden emin misiniz?",
+    "edit_menu": {
+        "speech": "Konuşma",
+        "speech_start_speaking": "Konuşmaya başla",
+        "speech_stop_speaking": "Konuşmayı durdur"
+    },
+    "file_menu": {
+        "label": "Dosya"
+    },
+    "menu": {
+        "hide": "Gizle",
+        "hide_others": "Diğerlerini gizle",
+        "services": "Hizmetler",
+        "unhide": "Göster"
+    },
+    "right_click_menu": {
+        "add_to_dictionary": "Sözlüğe ekle",
+        "copy_email": "E-posta adresini kopyala",
+        "copy_image": "Resmi kopyala",
+        "copy_image_url": "Görsel adresini kopyala",
+        "copy_link_url": "Bağlantılı adresi kopyala",
+        "save_image_as": "Resmi farklı kaydet...",
+        "save_image_as_error_description": "Görüntü kaydedilemedi",
+        "save_image_as_error_title": "Resim kaydedilemedi"
+    },
+    "view_menu": {
+        "actual_size": "Gerçek boyut",
+        "toggle_developer_tools": "Geliştirici araçları",
+        "toggle_full_screen": "Tam ekran",
+        "view": "Görüntüle"
+    },
+    "window_menu": {
+        "bring_all_to_front": "Hepsini öne getir",
+        "label": "Pencere",
+        "zoom": "Yaklaştır"
+    }
+}

src/i18n/strings/uk.json

@@ -22,7 +22,9 @@
         "about": "Про застосунок",
         "brand_help": "Довідка %(brand)s",
         "help": "Довідка",
-        "preferences": "Параметри"
+        "no": "Ні",
+        "preferences": "Параметри",
+        "yes": "Так"
     },
     "confirm_quit": "Ви впевнені, що хочете вийти?",
     "edit_menu": {
@@ -49,6 +51,20 @@
         "save_image_as_error_description": "Не вдалося зберегти зображення",
         "save_image_as_error_title": "Не вдалося зберегти зображення"
     },
+    "store": {
+        "error": {
+            "backend_changed": "Очистити дані та перезавантажити?",
+            "backend_changed_detail": "Не вдається отримати доступ до таємного ключа з системного набору ключів, видається, він змінився.",
+            "backend_changed_title": "Не вдалося завантажити базу даних",
+            "unknown_backend_override": "Ваша система має непідтримуваний ключ, що означає, що базу даних неможливо відкрити.",
+            "unknown_backend_override_details": "Перегляньте журнал, щоб дізнатися подробиці.",
+            "unknown_backend_override_title": "Не вдалося завантажити базу даних",
+            "unsupported_keyring": "Ваша система має непідтримуваний набір ключів. Це означає, що базу даних неможливо відкрити.",
+            "unsupported_keyring_cta": "Використовувати слабше шифрування",
+            "unsupported_keyring_detail": "Electron не виявив підтримуваного бекенда для роботи зі сховищем паролів. Ви можете вручну налаштувати його, запустивши %(brand)s з відповідним аргументом у командному рядку. Цю дію потрібно виконати лише один раз. Докладніше – %(link)s.",
+            "unsupported_keyring_title": "Система не підтримується"
+        }
+    },
     "view_menu": {
         "actual_size": "Фактичний розмір",
         "toggle_developer_tools": "Перемкнути інструменти розробника",

src/ipc.ts

@@ -6,14 +6,12 @@ Please see LICENSE files in the repository root for full details.
 */
 
 import { app, autoUpdater, desktopCapturer, ipcMain, powerSaveBlocker, TouchBar, nativeImage } from "electron";
-import { relaunchApp } from "@standardnotes/electron-clear-data";
 
 import IpcMainEvent = Electron.IpcMainEvent;
-import { recordSSOSession } from "./protocol.js";
 import { randomArray } from "./utils.js";
 import { Settings } from "./settings.js";
-import { keytar } from "./keytar.js";
 import { getDisplayMediaCallback, setDisplayMediaCallback } from "./displayMediaCallback.js";
+import Store, { clearDataAndRelaunch } from "./store.js";
 
 ipcMain.on("setBadgeCount", function (_ev: IpcMainEvent, count: number): void {
     if (process.platform !== "win32") {
@@ -61,7 +59,8 @@ ipcMain.on("app_onAction", function (_ev: IpcMainEvent, payload) {
 });
 
 ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
-    if (!global.mainWindow) return;
+    const store = Store.instance;
+    if (!global.mainWindow || !store) return;
 
     const args = payload.args || [];
     let ret: any;
@@ -96,9 +95,7 @@ ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
                 global.mainWindow.focus();
             }
             break;
-        case "getConfig":
-            ret = global.vectorConfig;
-            break;
+
         case "navigateBack":
             if (global.mainWindow.webContents.canGoBack()) {
                 global.mainWindow.webContents.goBack();
@@ -113,11 +110,11 @@ ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
             if (typeof args[0] !== "boolean") return;
 
             global.mainWindow.webContents.session.setSpellCheckerEnabled(args[0]);
-            global.store.set("spellCheckerEnabled", args[0]);
+            store.set("spellCheckerEnabled", args[0]);
             break;
 
         case "getSpellCheckEnabled":
-            ret = global.store.get("spellCheckerEnabled", true);
+            ret = store.get("spellCheckerEnabled");
             break;
 
         case "setSpellCheckLanguages":
@@ -135,18 +132,9 @@ ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
             ret = global.mainWindow.webContents.session.availableSpellCheckerLanguages;
             break;
 
-        case "startSSOFlow":
-            recordSSOSession(args[0]);
-            break;
-
         case "getPickleKey":
             try {
-                ret = await keytar?.getPassword("element.io", `${args[0]}|${args[1]}`);
-                // migrate from riot.im (remove once we think there will no longer be
-                // logins from the time of riot.im)
-                if (ret === null) {
-                    ret = await keytar?.getPassword("riot.im", `${args[0]}|${args[1]}`);
-                }
+                ret = await store.getSecret(`${args[0]}|${args[1]}`);
             } catch {
                 // if an error is thrown (e.g. keytar can't connect to the keychain),
                 // then return null, which means the default pickle key will be used
@@ -157,22 +145,20 @@ ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
         case "createPickleKey":
             try {
                 const pickleKey = await randomArray(32);
-                // We purposefully throw if keytar is not available so the caller can handle it
-                // rather than sending them a pickle key we did not store on their behalf.
-                await keytar!.setPassword("element.io", `${args[0]}|${args[1]}`, pickleKey);
+                await store.setSecret(`${args[0]}|${args[1]}`, pickleKey);
                 ret = pickleKey;
-            } catch {
+            } catch (e) {
+                console.error("Failed to create pickle key", e);
                 ret = null;
             }
             break;
 
         case "destroyPickleKey":
             try {
-                await keytar?.deletePassword("element.io", `${args[0]}|${args[1]}`);
-                // migrate from riot.im (remove once we think there will no longer be
-                // logins from the time of riot.im)
-                await keytar?.deletePassword("riot.im", `${args[0]}|${args[1]}`);
-            } catch {}
+                await store.deleteSecret(`${args[0]}|${args[1]}`);
+            } catch (e) {
+                console.error("Failed to destroy pickle key", e);
+            }
             break;
         case "getDesktopCapturerSources":
             ret = (await desktopCapturer.getSources(args[0])).map((source) => ({
@@ -188,10 +174,7 @@ ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
             break;
 
         case "clearStorage":
-            global.store.clear();
-            global.mainWindow.webContents.session.flushStorageData();
-            await global.mainWindow.webContents.session.clearStorageData();
-            relaunchApp();
+            await clearDataAndRelaunch();
             return; // the app is about to stop, we don't need to reply to the IPC
 
         case "breadcrumbs": {
@@ -258,3 +241,5 @@ ipcMain.on("ipcCall", async function (_ev: IpcMainEvent, payload) {
         reply: ret,
     });
 });
+
+ipcMain.handle("getConfig", () => global.vectorConfig);

src/keytar.ts

@@ -1,21 +0,0 @@
-/*
-Copyright 2022-2024 New Vector Ltd.
-
-SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Commercial
-Please see LICENSE files in the repository root for full details.
-*/
-
-import type * as Keytar from "keytar"; // Hak dependency type
-
-let keytar: typeof Keytar | undefined;
-try {
-    ({ default: keytar } = await import("keytar"));
-} catch (e) {
-    if ((<NodeJS.ErrnoException>e).code === "MODULE_NOT_FOUND") {
-        console.log("Keytar isn't installed; secure key storage is disabled.");
-    } else {
-        console.warn("Keytar unexpected error:", e);
-    }
-}
-
-export { keytar };

src/language-helper.ts

@@ -10,9 +10,9 @@ import { type TranslationKey as TKey } from "matrix-web-i18n";
 import { dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 
-import type Store from "electron-store";
 import type EN from "./i18n/strings/en_EN.json";
 import { loadJsonFile } from "./utils.js";
+import type Store from "./store.js";
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 
@@ -59,26 +59,24 @@ export function _t(text: TranslationKey, variables: Variables = {}): string {
 
 type Component = () => void;
 
-type TypedStore = Store<{ locale?: string | string[] }>;
-
 export class AppLocalization {
     private static readonly STORE_KEY = "locale";
 
-    private readonly store: TypedStore;
     private readonly localizedComponents?: Set<Component>;
+    private readonly store: Store;
 
-    public constructor({ store, components = [] }: { store: TypedStore; components: Component[] }) {
+    public constructor({ components = [], store }: { components: Component[]; store: Store }) {
         counterpart.registerTranslations(FALLBACK_LOCALE, this.fetchTranslationJson("en_EN"));
         counterpart.setFallbackLocale(FALLBACK_LOCALE);
         counterpart.setSeparator("|");
 
+        this.store = store;
         if (Array.isArray(components)) {
             this.localizedComponents = new Set(components);
         }
 
-        this.store = store;
-        if (this.store.has(AppLocalization.STORE_KEY)) {
-            const locales = this.store.get(AppLocalization.STORE_KEY);
+        if (store.has(AppLocalization.STORE_KEY)) {
+            const locales = store.get(AppLocalization.STORE_KEY);
             // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
             this.setAppLocale(locales!);
         }

src/preload.cts

@@ -49,4 +49,16 @@ contextBridge.exposeInMainWorld("electron", {
         }
         ipcRenderer.send(channel, ...args);
     },
+
+    async initialise(): Promise<{
+        protocol: string;
+        sessionId: string;
+        config: IConfigOptions;
+    }> {
+        const [{ protocol, sessionId }, config] = await Promise.all([
+            ipcRenderer.invoke("getProtocol"),
+            ipcRenderer.invoke("getConfig"),
+        ]);
+        return { protocol, sessionId, config };
+    },
 });

src/protocol.ts

@@ -6,119 +6,136 @@ SPDX-License-Identifier: AGPL-3.0-only OR GPL-3.0-only OR LicenseRef-Element-Com
 Please see LICENSE files in the repository root for full details.
 */
 
-import { app } from "electron";
+import { app, ipcMain } from "electron";
 import { URL } from "node:url";
 import path from "node:path";
 import fs from "node:fs";
+import { randomUUID } from "node:crypto";
 
 const LEGACY_PROTOCOL = "element";
-const PROTOCOL = "io.element.desktop";
 const SEARCH_PARAM = "element-desktop-ssoid";
 const STORE_FILE_NAME = "sso-sessions.json";
 
 // we getPath userData before electron-main changes it, so this is the default value
 const storePath = path.join(app.getPath("userData"), STORE_FILE_NAME);
 
-function processUrl(url: string): void {
-    if (!global.mainWindow) return;
+export default class ProtocolHandler {
+    private readonly store: Record<string, string> = {};
+    private readonly sessionId: string;
 
-    const parsed = new URL(url);
-    // sanity check: we only register for the one protocol, so we shouldn't
-    // be getting anything else unless the user is forcing a URL to open
-    // with the Element app.
-    if (parsed.protocol !== `${PROTOCOL}:` && parsed.protocol !== `${LEGACY_PROTOCOL}:`) {
-        console.log("Ignoring unexpected protocol: ", parsed.protocol);
-        return;
+    public constructor(private readonly protocol: string) {
+        // get all args except `hidden` as it'd mean the app would not get focused
+        // XXX: passing args to protocol handlers only works on Windows, so unpackaged deep-linking
+        // --profile/--profile-dir are passed via the SEARCH_PARAM var in the callback url
+        const args = process.argv.slice(1).filter((arg) => arg !== "--hidden" && arg !== "-hidden");
+        if (app.isPackaged) {
+            app.setAsDefaultProtocolClient(this.protocol, process.execPath, args);
+            app.setAsDefaultProtocolClient(LEGACY_PROTOCOL, process.execPath, args);
+        } else if (process.platform === "win32") {
+            // on Mac/Linux this would just cause the electron binary to open
+            // special handler for running without being packaged, e.g `electron .` by passing our app path to electron
+            app.setAsDefaultProtocolClient(this.protocol, process.execPath, [app.getAppPath(), ...args]);
+            app.setAsDefaultProtocolClient(LEGACY_PROTOCOL, process.execPath, [app.getAppPath(), ...args]);
+        }
+
+        if (process.platform === "darwin") {
+            // Protocol handler for macos
+            app.on("open-url", (ev, url) => {
+                ev.preventDefault();
+                this.processUrl(url);
+            });
+        } else {
+            // Protocol handler for win32/Linux
+            app.on("second-instance", (ev, commandLine) => {
+                const url = commandLine[commandLine.length - 1];
+                if (!url.startsWith(`${this.protocol}:/`) && !url.startsWith(`${LEGACY_PROTOCOL}://`)) return;
+                this.processUrl(url);
+            });
+        }
+
+        this.store = this.readStore();
+        this.sessionId = randomUUID();
+
+        ipcMain.handle("getProtocol", this.onGetProtocol);
     }
 
-    const urlToLoad = new URL("vector://vector/webapp/");
-    // ignore anything other than the search (used for SSO login redirect)
-    // and the hash (for general element deep links)
-    // There's no reason to allow anything else, particularly other paths,
-    // since this would allow things like the internal jitsi wrapper to
-    // be loaded, which would get the app stuck on that page and generally
-    // be a bit strange and confusing.
-    urlToLoad.search = parsed.search;
-    urlToLoad.hash = parsed.hash;
+    private readonly onGetProtocol = (): { protocol: string; sessionId: string } => {
+        return {
+            protocol: this.protocol,
+            sessionId: this.sessionId,
+        };
+    };
 
-    console.log("Opening URL: ", urlToLoad.href);
-    void global.mainWindow.loadURL(urlToLoad.href);
-}
+    private processUrl(url: string): void {
+        if (!global.mainWindow) return;
 
-function readStore(): Record<string, string> {
-    try {
-        const s = fs.readFileSync(storePath, { encoding: "utf8" });
-        const o = JSON.parse(s);
-        return typeof o === "object" ? o : {};
-    } catch {
-        return {};
+        const parsed = new URL(url);
+        // sanity check: we only register for the one protocol, so we shouldn't
+        // be getting anything else unless the user is forcing a URL to open
+        // with the Element app.
+        if (parsed.protocol !== `${this.protocol}:` && parsed.protocol !== `${LEGACY_PROTOCOL}:`) {
+            console.log("Ignoring unexpected protocol: ", parsed.protocol);
+            return;
+        }
+
+        const urlToLoad = new URL("vector://vector/webapp/");
+        // ignore anything other than the search (used for SSO login redirect)
+        // and the hash (for general element deep links)
+        // There's no reason to allow anything else, particularly other paths,
+        // since this would allow things like the internal jitsi wrapper to
+        // be loaded, which would get the app stuck on that page and generally
+        // be a bit strange and confusing.
+        urlToLoad.search = parsed.search;
+        urlToLoad.hash = parsed.hash;
+
+        console.log("Opening URL: ", urlToLoad.href);
+        void global.mainWindow.loadURL(urlToLoad.href);
     }
-}
 
-function writeStore(data: Record<string, string>): void {
-    fs.writeFileSync(storePath, JSON.stringify(data));
-}
-
-export function recordSSOSession(sessionID: string): void {
-    const userDataPath = app.getPath("userData");
-    const store = readStore();
-    for (const key in store) {
-        // ensure each instance only has one (the latest) session ID to prevent the file growing unbounded
-        if (store[key] === userDataPath) {
-            delete store[key];
-            break;
+    private readStore(): Record<string, string> {
+        try {
+            const s = fs.readFileSync(storePath, { encoding: "utf8" });
+            const o = JSON.parse(s);
+            return typeof o === "object" ? o : {};
+        } catch {
+            return {};
         }
     }
-    store[sessionID] = userDataPath;
-    writeStore(store);
-}
 
-export function getProfileFromDeeplink(args: string[]): string | undefined {
-    // check if we are passed a profile in the SSO callback url
-    const deeplinkUrl = args.find((arg) => arg.startsWith(`${PROTOCOL}://`) || arg.startsWith(`${LEGACY_PROTOCOL}://`));
-    if (deeplinkUrl?.includes(SEARCH_PARAM)) {
-        const parsedUrl = new URL(deeplinkUrl);
-        if (parsedUrl.protocol === `${PROTOCOL}:` || parsedUrl.protocol === `${LEGACY_PROTOCOL}:`) {
-            const store = readStore();
-            let ssoID = parsedUrl.searchParams.get(SEARCH_PARAM);
-            if (!ssoID) {
-                // In OIDC, we must shuttle the value in the `state` param rather than `element-desktop-ssoid`
-                // We encode it as a suffix like `:element-desktop-ssoid:XXYYZZ`
-                ssoID = parsedUrl.searchParams.get("state")!.split(`:${SEARCH_PARAM}:`)[1];
+    private writeStore(): void {
+        fs.writeFileSync(storePath, JSON.stringify(this.store));
+    }
+
+    public initialise(userDataPath: string): void {
+        for (const key in this.store) {
+            // ensure each instance only has one (the latest) session ID to prevent the file growing unbounded
+            if (this.store[key] === userDataPath) {
+                delete this.store[key];
+                break;
+            }
+        }
+        this.store[this.sessionId] = userDataPath;
+        this.writeStore();
+    }
+
+    public getProfileFromDeeplink(args: string[]): string | undefined {
+        // check if we are passed a profile in the SSO callback url
+        const deeplinkUrl = args.find(
+            (arg) => arg.startsWith(`${this.protocol}://`) || arg.startsWith(`${LEGACY_PROTOCOL}://`),
+        );
+        if (deeplinkUrl?.includes(SEARCH_PARAM)) {
+            const parsedUrl = new URL(deeplinkUrl);
+            if (parsedUrl.protocol === `${this.protocol}:` || parsedUrl.protocol === `${LEGACY_PROTOCOL}:`) {
+                const store = this.readStore();
+                let sessionId = parsedUrl.searchParams.get(SEARCH_PARAM);
+                if (!sessionId) {
+                    // In OIDC, we must shuttle the value in the `state` param rather than `element-desktop-ssoid`
+                    // We encode it as a suffix like `:element-desktop-ssoid:XXYYZZ`
+                    sessionId = parsedUrl.searchParams.get("state")!.split(`:${SEARCH_PARAM}:`)[1];
+                }
+                console.log("Forwarding to profile: ", store[sessionId]);
+                return store[sessionId];
             }
-            console.log("Forwarding to profile: ", store[ssoID]);
-            return store[ssoID];
         }
     }
 }
-
-export function protocolInit(): void {
-    // get all args except `hidden` as it'd mean the app would not get focused
-    // XXX: passing args to protocol handlers only works on Windows, so unpackaged deep-linking
-    // --profile/--profile-dir are passed via the SEARCH_PARAM var in the callback url
-    const args = process.argv.slice(1).filter((arg) => arg !== "--hidden" && arg !== "-hidden");
-    if (app.isPackaged) {
-        app.setAsDefaultProtocolClient(PROTOCOL, process.execPath, args);
-        app.setAsDefaultProtocolClient(LEGACY_PROTOCOL, process.execPath, args);
-    } else if (process.platform === "win32") {
-        // on Mac/Linux this would just cause the electron binary to open
-        // special handler for running without being packaged, e.g `electron .` by passing our app path to electron
-        app.setAsDefaultProtocolClient(PROTOCOL, process.execPath, [app.getAppPath(), ...args]);
-        app.setAsDefaultProtocolClient(LEGACY_PROTOCOL, process.execPath, [app.getAppPath(), ...args]);
-    }
-
-    if (process.platform === "darwin") {
-        // Protocol handler for macos
-        app.on("open-url", function (ev, url) {
-            ev.preventDefault();
-            processUrl(url);
-        });
-    } else {
-        // Protocol handler for win32/Linux
-        app.on("second-instance", (ev, commandLine) => {
-            const url = commandLine[commandLine.length - 1];
-            if (!url.startsWith(`${PROTOCOL}://`) && !url.startsWith(`${LEGACY_PROTOCOL}://`)) return;
-            processUrl(url);
-        });
-    }
-}

src/seshat.ts

@@ -16,7 +16,7 @@ import type {
 } from "matrix-seshat"; // Hak dependency type
 import IpcMainEvent = Electron.IpcMainEvent;
 import { randomArray } from "./utils.js";
-import { keytar } from "./keytar.js";
+import Store from "./store.js";
 
 let seshatSupported = false;
 let Seshat: typeof SeshatType;
@@ -40,21 +40,24 @@ try {
 let eventIndex: SeshatType | null = null;
 
 const seshatDefaultPassphrase = "DEFAULT_PASSPHRASE";
-async function getOrCreatePassphrase(key: string): Promise<string> {
-    if (keytar) {
-        try {
-            const storedPassphrase = await keytar.getPassword("element.io", key);
-            if (storedPassphrase !== null) {
-                return storedPassphrase;
-            } else {
-                const newPassphrase = await randomArray(32);
-                await keytar.setPassword("element.io", key, newPassphrase);
-                return newPassphrase;
-            }
-        } catch (e) {
-            console.log("Error getting the event index passphrase out of the secret store", e);
+async function getOrCreatePassphrase(store: Store, key: string): Promise<string> {
+    try {
+        const storedPassphrase = await store.getSecret(key);
+        if (storedPassphrase !== null) {
+            return storedPassphrase;
         }
+    } catch (e) {
+        console.error("Error getting the event index passphrase out of the secret store", e);
     }
+
+    try {
+        const newPassphrase = await randomArray(32);
+        await store.setSecret(key, newPassphrase);
+        return newPassphrase;
+    } catch (e) {
+        console.error("Error creating new event index passphrase, using default", e);
+    }
+
     return seshatDefaultPassphrase;
 }
 
@@ -74,7 +77,8 @@ const deleteContents = async (p: string): Promise<void> => {
 };
 
 ipcMain.on("seshat", async function (_ev: IpcMainEvent, payload): Promise<void> {
-    if (!global.mainWindow) return;
+    const store = Store.instance;
+    if (!global.mainWindow || !store) return;
 
     // We do this here to ensure we get the path after --profile has been resolved
     const eventStorePath = path.join(app.getPath("userData"), "EventStore");
@@ -101,7 +105,7 @@ ipcMain.on("seshat", async function (_ev: IpcMainEvent, payload): Promise<void>
                 const deviceId = args[1];
                 const passphraseKey = `seshat|${userId}|${deviceId}`;
 
-                const passphrase = await getOrCreatePassphrase(passphraseKey);
+                const passphrase = await getOrCreatePassphrase(store, passphraseKey);
 
                 try {
                     await afs.mkdir(eventStorePath, { recursive: true });

src/settings.ts

@@ -6,6 +6,7 @@ Please see LICENSE files in the repository root for full details.
 */
 
 import * as tray from "./tray.js";
+import Store from "./store.js";
 
 interface Setting {
     read(): Promise<any>;
@@ -27,10 +28,10 @@ export const Settings: Record<string, Setting> = {
     },
     "Electron.warnBeforeExit": {
         async read(): Promise<any> {
-            return global.store.get("warnBeforeExit", true);
+            return Store.instance?.get("warnBeforeExit");
         },
         async write(value: any): Promise<void> {
-            global.store.set("warnBeforeExit", value);
+            Store.instance?.set("warnBeforeExit", value);
         },
     },
     "Electron.alwaysShowMenuBar": {
@@ -39,7 +40,7 @@ export const Settings: Record<string, Setting> = {
             return !global.mainWindow!.autoHideMenuBar;
         },
         async write(value: any): Promise<void> {
-            global.store.set("autoHideMenuBar", !value);
+            Store.instance?.set("autoHideMenuBar", !value);
             global.mainWindow!.autoHideMenuBar = !value;
             global.mainWindow!.setMenuBarVisibility(value);
         },
@@ -56,15 +57,15 @@ export const Settings: Record<string, Setting> = {
             } else {
                 tray.destroy();
             }
-            global.store.set("minimizeToTray", value);
+            Store.instance?.set("minimizeToTray", value);
         },
     },
     "Electron.enableHardwareAcceleration": {
         async read(): Promise<any> {
-            return !global.store.get("disableHardwareAcceleration", false);
+            return !Store.instance?.get("disableHardwareAcceleration");
         },
         async write(value: any): Promise<void> {
-            global.store.set("disableHardwareAcceleration", !value);
+            Store.instance?.set("disableHardwareAcceleration", !value);
         },
     },
 };

src/store.ts

@@ -0,0 +1,456 @@
+/*
+Copyright 2022-2025 New Vector Ltd
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import ElectronStore from "electron-store";
+import keytar from "keytar-forked";
+import { app, safeStorage, dialog, type SafeStorage } from "electron";
+import { clearAllUserData, relaunchApp } from "@standardnotes/electron-clear-data";
+
+import { _t } from "./language-helper.js";
+
+/**
+ * Legacy keytar service name for storing secrets.
+ * @deprecated
+ */
+const KEYTAR_SERVICE = "element.io";
+/**
+ * Super legacy keytar service name for reading secrets.
+ * @deprecated
+ */
+const LEGACY_KEYTAR_SERVICE = "riot.im";
+
+/**
+ * String union type representing all the safeStorage backends.
+ * + The "unknown" backend shouldn't exist in practice once the app is ready
+ * + The "plaintext" is the temporarily-unencrypted backend for migration, data is wholly unencrypted - uses PlaintextStorageWriter
+ * + The "basic_text" backend is the 'plaintext' backend on Linux, data is encrypted but not using the keychain
+ * + The "system" backend is the encrypted backend on Windows & macOS, data is encrypted using system keychain
+ * + All other backends are linux-specific and are encrypted using the keychain
+ */
+type SafeStorageBackend = ReturnType<SafeStorage["getSelectedStorageBackend"]> | "system" | "plaintext";
+
+/**
+ * Map of safeStorage backends to their command line arguments.
+ * kwallet6 cannot be specified via command line
+ * https://www.electronjs.org/docs/latest/api/safe-storage#safestoragegetselectedstoragebackend-linux
+ */
+const safeStorageBackendMap: Omit<
+    Record<SafeStorageBackend, string>,
+    "unknown" | "kwallet6" | "system" | "plaintext"
+> = {
+    basic_text: "basic",
+    gnome_libsecret: "gnome-libsecret",
+    kwallet: "kwallet",
+    kwallet5: "kwallet5",
+};
+
+/**
+ * Clear all data and relaunch the app.
+ */
+export async function clearDataAndRelaunch(): Promise<void> {
+    Store.instance?.clear();
+    clearAllUserData();
+    relaunchApp();
+}
+
+interface StoreData {
+    warnBeforeExit: boolean;
+    minimizeToTray: boolean;
+    spellCheckerEnabled: boolean;
+    autoHideMenuBar: boolean;
+    locale?: string | string[];
+    disableHardwareAcceleration: boolean;
+    safeStorage?: Record<string, string>;
+    /** the safeStorage backend used for the safeStorage data as written */
+    safeStorageBackend?: SafeStorageBackend;
+    /** whether to explicitly override the safeStorage backend, used for migration */
+    safeStorageBackendOverride?: boolean;
+    /** whether to perform a migration of the safeStorage data */
+    safeStorageBackendMigrate?: boolean;
+}
+
+/**
+ * Fallback storage writer for secrets, mainly used for automated tests and systems without any safeStorage support.
+ */
+class PlaintextStorageWriter {
+    public constructor(protected readonly store: ElectronStore<StoreData>) {}
+
+    public getKey(key: string): `safeStorage.${string}` {
+        return `safeStorage.${key.replaceAll(".", "-")}`;
+    }
+
+    public set(key: string, secret: string): void {
+        this.store.set(this.getKey(key), secret);
+    }
+
+    public get(key: string): string | null {
+        return this.store.get(this.getKey(key));
+    }
+
+    public delete(key: string): void {
+        this.store.delete(this.getKey(key));
+    }
+}
+
+/**
+ * Storage writer for secrets using safeStorage.
+ */
+class SafeStorageWriter extends PlaintextStorageWriter {
+    public set(key: string, secret: string): void {
+        this.store.set(this.getKey(key), safeStorage.encryptString(secret).toString("base64"));
+    }
+
+    public get(key: string): string | null {
+        const ciphertext = this.store.get<string, string | undefined>(this.getKey(key));
+        if (ciphertext) {
+            try {
+                return safeStorage.decryptString(Buffer.from(ciphertext, "base64"));
+            } catch (e) {
+                console.error("Failed to decrypt secret", e);
+                console.error("...ciphertext:", JSON.stringify(ciphertext));
+            }
+        }
+        return null;
+    }
+}
+
+const enum Mode {
+    Encrypted = "encrypted", // default
+    AllowPlaintext = "allow-plaintext",
+    ForcePlaintext = "force-plaintext",
+}
+
+/**
+ * JSON-backed store for settings which need to be accessible by the main process.
+ * Secrets are stored within the `safeStorage` object, encrypted with safeStorage.
+ * Any secrets operations are blocked on Electron app ready emit, and keytar migration if still needed.
+ */
+class Store extends ElectronStore<StoreData> {
+    private static internalInstance?: Store;
+
+    public static get instance(): Store | undefined {
+        return Store.internalInstance;
+    }
+
+    /**
+     * Prepare the store, does not prepare safeStorage, which needs to be done after the app is ready.
+     * Must be executed in the first tick of the event loop so that it can call Electron APIs before ready state.
+     */
+    public static initialize(mode: Mode | undefined): Store {
+        if (Store.internalInstance) {
+            throw new Error("Store already initialized");
+        }
+
+        const store = new Store(mode ?? Mode.Encrypted);
+        Store.internalInstance = store;
+
+        if (process.platform === "linux" && store.get("safeStorageBackendOverride")) {
+            const backend = store.get("safeStorageBackend")!;
+            if (backend in safeStorageBackendMap) {
+                // If the safeStorage backend which was used to write the data is one we can specify via the commandLine
+                // then do so to ensure we use the same backend for reading the data.
+                app.commandLine.appendSwitch(
+                    "password-store",
+                    safeStorageBackendMap[backend as keyof typeof safeStorageBackendMap],
+                );
+            }
+        }
+
+        return store;
+    }
+
+    // Provides "raw" access to the underlying secrets storage,
+    // should be avoided in favour of the getSecret/setSecret/deleteSecret methods.
+    private secrets?: PlaintextStorageWriter | SafeStorageWriter;
+
+    private constructor(private mode: Mode) {
+        super({
+            name: "electron-config",
+            clearInvalidConfig: false,
+            schema: {
+                warnBeforeExit: {
+                    type: "boolean",
+                    default: true,
+                },
+                minimizeToTray: {
+                    type: "boolean",
+                    default: true,
+                },
+                spellCheckerEnabled: {
+                    type: "boolean",
+                    default: true,
+                },
+                autoHideMenuBar: {
+                    type: "boolean",
+                    default: true,
+                },
+                locale: {
+                    anyOf: [{ type: "string" }, { type: "array", items: { type: "string" } }],
+                },
+                disableHardwareAcceleration: {
+                    type: "boolean",
+                    default: false,
+                },
+                safeStorage: {
+                    type: "object",
+                },
+                safeStorageBackend: {
+                    type: "string",
+                },
+                safeStorageBackendOverride: {
+                    type: "boolean",
+                },
+                safeStorageBackendMigrate: {
+                    type: "boolean",
+                },
+            },
+        });
+    }
+
+    private safeStorageReadyPromise?: Promise<unknown>;
+    public async safeStorageReady(): Promise<void> {
+        if (!this.safeStorageReadyPromise) {
+            this.safeStorageReadyPromise = this.prepareSafeStorage();
+        }
+        await this.safeStorageReadyPromise;
+    }
+
+    /**
+     * Prepare the safeStorage backend for use.
+     * We don't eagerly import from keytar as that would bring in data for all Element profiles and not just the current one,
+     * so we import lazily in getSecret.
+     */
+    private async prepareSafeStorage(): Promise<void> {
+        await app.whenReady();
+
+        let safeStorageBackend = this.get("safeStorageBackend");
+        if (process.platform === "linux") {
+            // Linux safeStorage support is hellish, the support varies on the Desktop Environment used rather than the store itself.
+            // https://github.com/electron/electron/issues/39789 https://github.com/microsoft/vscode/issues/185212
+            const selectedSafeStorageBackend = safeStorage.getSelectedStorageBackend();
+            console.info(
+                `safeStorage backend '${selectedSafeStorageBackend}' selected, '${safeStorageBackend}' in config.`,
+            );
+
+            if (selectedSafeStorageBackend === "unknown") {
+                // This should never happen but good to be safe
+                await dialog.showMessageBox({
+                    title: _t("store|error|unknown_backend_override_title"),
+                    message: _t("store|error|unknown_backend_override"),
+                    detail: _t("store|error|unknown_backend_override_details"),
+                    type: "error",
+                });
+                throw new Error("safeStorage backend unknown");
+            }
+
+            if (this.get("safeStorageBackendMigrate")) {
+                return this.upgradeLinuxBackend2();
+            }
+
+            if (!safeStorageBackend) {
+                if (selectedSafeStorageBackend === "basic_text" && this.mode === Mode.Encrypted) {
+                    const { response } = await dialog.showMessageBox({
+                        title: _t("store|error|unsupported_keyring_title"),
+                        message: _t("store|error|unsupported_keyring"),
+                        detail: _t("store|error|unsupported_keyring_detail", {
+                            brand: global.vectorConfig.brand || "Element",
+                            link: "https://www.electronjs.org/docs/latest/api/safe-storage#safestoragegetselectedstoragebackend-linux",
+                        }),
+                        type: "error",
+                        buttons: [_t("action|cancel"), _t("store|error|unsupported_keyring_cta")],
+                        defaultId: 0,
+                        cancelId: 0,
+                    });
+                    if (response === 0) {
+                        throw new Error("safeStorage backend basic_text and user rejected it");
+                    }
+                    this.mode = Mode.AllowPlaintext;
+                }
+
+                // Store the backend used for the safeStorage data so we can detect if it changes
+                this.recordSafeStorageBackend(selectedSafeStorageBackend);
+                safeStorageBackend = selectedSafeStorageBackend;
+            } else if (safeStorageBackend !== selectedSafeStorageBackend) {
+                console.warn(`safeStorage backend changed from ${safeStorageBackend} to ${selectedSafeStorageBackend}`);
+
+                if (safeStorageBackend === "basic_text") {
+                    return this.upgradeLinuxBackend1();
+                } else if (safeStorageBackend === "plaintext") {
+                    this.upgradeLinuxBackend3();
+                } else if (safeStorageBackend in safeStorageBackendMap) {
+                    this.set("safeStorageBackendOverride", true);
+                    relaunchApp();
+                    return;
+                } else {
+                    // Warn the user that the backend has changed and tell them that we cannot migrate
+                    const { response } = await dialog.showMessageBox({
+                        title: _t("store|error|backend_changed_title"),
+                        message: _t("store|error|backend_changed"),
+                        detail: _t("store|error|backend_changed_detail"),
+                        type: "question",
+                        buttons: [_t("common|no"), _t("common|yes")],
+                        defaultId: 0,
+                        cancelId: 0,
+                    });
+                    if (response === 0) {
+                        throw new Error("safeStorage backend changed and cannot migrate");
+                    }
+                    await clearDataAndRelaunch();
+                }
+            }
+
+            // We do not check allowPlaintextStorage here as it was already checked above if the storage is new
+            // and if the storage is existing then we should continue to honour the backend used to write the data
+            if (safeStorageBackend === "basic_text" && selectedSafeStorageBackend === safeStorageBackend) {
+                safeStorage.setUsePlainTextEncryption(true);
+            }
+        } else if (!safeStorageBackend) {
+            safeStorageBackend = this.mode === Mode.Encrypted ? "system" : "plaintext";
+            this.recordSafeStorageBackend(safeStorageBackend);
+        }
+
+        if (this.mode !== Mode.ForcePlaintext && safeStorage.isEncryptionAvailable()) {
+            this.secrets = new SafeStorageWriter(this);
+        } else if (this.mode !== Mode.Encrypted) {
+            this.secrets = new PlaintextStorageWriter(this);
+        } else {
+            throw new Error(`safeStorage is not available`);
+        }
+
+        console.info(`Using storage mode '${this.mode}' with backend '${safeStorageBackend}'`);
+    }
+
+    private recordSafeStorageBackend(backend: SafeStorageBackend): void {
+        this.set("safeStorageBackend", backend);
+    }
+
+    /**
+     * Linux support for upgrading the backend from basic_text to one of the encrypted backends,
+     * this is quite a tricky process as the backend is not known until the app is ready & cannot be changed once it is.
+     * First we restart the app in basic_text backend mode, then decrypt the data & restart back in default backend mode,
+     * and re-encrypt the data.
+     */
+    private upgradeLinuxBackend1(): void {
+        console.info(`Starting safeStorage migration to ${safeStorage.getSelectedStorageBackend()}`);
+        this.set("safeStorageBackendMigrate", true);
+        relaunchApp();
+    }
+    private upgradeLinuxBackend2(): void {
+        if (!this.secrets) throw new Error("safeStorage not ready");
+        console.info("Performing safeStorage migration");
+        const data = this.get("safeStorage");
+        if (data) {
+            for (const key in data) {
+                this.set(this.secrets.getKey(key), this.secrets!.get(key));
+            }
+            this.recordSafeStorageBackend("plaintext");
+        }
+        this.set("safeStorageBackendMigrate", false);
+        relaunchApp();
+    }
+    private upgradeLinuxBackend3(): void {
+        if (!this.secrets) throw new Error("safeStorage not ready");
+        const selectedSafeStorageBackend = safeStorage.getSelectedStorageBackend();
+        console.info(`Finishing safeStorage migration to ${selectedSafeStorageBackend}`);
+        const data = this.get("safeStorage");
+        if (data) {
+            for (const key in data) {
+                this.secrets.set(key, data[key]);
+            }
+        }
+        this.recordSafeStorageBackend(selectedSafeStorageBackend);
+    }
+
+    /**
+     * Get the stored secret for the key.
+     * Lazily migrates keys from keytar if they are not yet in the store.
+     *
+     * @param key The string key name.
+     *
+     * @returns A promise for the secret string.
+     */
+    public async getSecret(key: string): Promise<string | null> {
+        await this.safeStorageReady();
+        let secret = this.secrets!.get(key);
+        if (secret) return secret;
+
+        try {
+            secret = await this.getSecretKeytar(key);
+        } catch (e) {
+            console.warn(`Failed to read data from keytar with key='${key}'`, e);
+        }
+        if (secret) {
+            console.debug("Migrating secret from keytar", key);
+            this.secrets!.set(key, secret);
+        }
+
+        return secret;
+    }
+
+    /**
+     * Add the secret for the key to the keychain.
+     * We write to both safeStorage & keytar to support downgrading the application.
+     *
+     * @param key The string key name.
+     * @param secret The string password.
+     *
+     * @returns A promise for the set password completion.
+     */
+    public async setSecret(key: string, secret: string): Promise<void> {
+        await this.safeStorageReady();
+        this.secrets!.set(key, secret);
+        try {
+            await keytar.setPassword(KEYTAR_SERVICE, key, secret);
+        } catch (e) {
+            console.warn(`Failed to write safeStorage backwards-compatibility key='${key}' data to keytar`, e);
+        }
+    }
+
+    /**
+     * Delete the stored password for the key.
+     * Removes from safeStorage, keytar & keytar legacy.
+     *
+     * @param key The string key name.
+     */
+    public async deleteSecret(key: string): Promise<void> {
+        await this.safeStorageReady();
+        this.secrets!.delete(key);
+        try {
+            await this.deleteSecretKeytar(key);
+        } catch (e) {
+            console.warn(`Failed to delete secret with key='${key}' from keytar`, e);
+        }
+    }
+
+    /**
+     * @deprecated will be removed in the near future
+     */
+    private async getSecretKeytar(key: string): Promise<string | null> {
+        return (
+            (await keytar.getPassword(KEYTAR_SERVICE, key)) ?? (await keytar.getPassword(LEGACY_KEYTAR_SERVICE, key))
+        );
+    }
+
+    /**
+     * @deprecated will be removed in the near future
+     */
+    private async deleteSecretKeytar(key: string): Promise<void> {
+        await keytar.deletePassword(LEGACY_KEYTAR_SERVICE, key);
+        await keytar.deletePassword(KEYTAR_SERVICE, key);
+    }
+}
+
+export default Store;

src/utils.ts

@@ -23,10 +23,10 @@ export async function randomArray(size: number): Promise<string> {
 
 type JsonValue = null | string | number;
 type JsonArray = Array<JsonValue | JsonObject | JsonArray>;
-interface JsonObject {
+export interface JsonObject {
     [key: string]: JsonObject | JsonArray | JsonValue;
 }
-type Json = JsonArray | JsonObject;
+export type Json = JsonArray | JsonObject;
 
 /**
  * Synchronously load a JSON file from the local filesystem.
@@ -34,6 +34,13 @@ type Json = JsonArray | JsonObject;
  * @param paths - An array of path segments which will be joined using the system's path delimiter.
  */
 export function loadJsonFile<T extends Json>(...paths: string[]): T {
-    const file = fs.readFileSync(path.join(...paths), { encoding: "utf-8" });
+    const joinedPaths = path.join(...paths);
+
+    if (!fs.existsSync(joinedPaths)) {
+        console.log(`Skipping nonexistent file: ${joinedPaths}`);
+        return {} as T;
+    }
+
+    const file = fs.readFileSync(joinedPaths, { encoding: "utf-8" });
     return JSON.parse(file);
 }