caxa
caxa copied to clipboard
leafac
Windows Binary Issues, and workflow improvements
Windows Binary issues
First of all, some AV engines don't like Caxa's stub binary without any extra data, as seen in these results. (Windows.exe from GitHub) https://www.virustotal.com/gui/file/0754d487f128d0fa236f559c9bcbeff71bff3245ab518c0056a40d5ae25b97d1/detection
However, the main issue is with the final compiled binary and Windows Defender, as it detects Caxa binaries as malware due to the self-extracting nature of them.
The resulting exe will sometimes refuse to run, or be deleted completely. Checking the Defender logs revealed that Windows had detected the output file as both Program:Win32/Wacapew.C!ml and Trojan:Win32/Wacatac.B!ml on separate occasions.
This is nothing to do with my own code, as any code causes the AV to trip a false positive. WinRAR's self extracting archives on silent mode do the same thing.
Workflow improvements
My build workflow uses a script to copy node_modules, index.js and a custom native module into a folder, then runs Caxa in that folder, creating the binary. If I don't do this, then package.json, readme.md and other files are also included in the final build.
"build": "node-gyp rebuild --verbose && copy build\\Release\\addon.node out\\addon.node && npm run buildfolder",
"buildfolder": "(robocopy node_modules out\\node_modules /E) ^& IF %ERRORLEVEL% LEQ 1 exit 0",
"postbuildfolder": "move index.js out",
"postbuild": "npx caxa -d out --command {{caxa}}/node_modules/.bin/node {{caxa}}/index.js --output app.exe && move app.exe out"
Please make it so I can specify what files to include in the final exe from within package.json instead of relying on custom scripts and copying lots of files. PKG does this with the "files" section: maybe read from this section as most programs already have this filled in.
Overall, my experience with Caxa has been mostly positive as it finally allows for embedding files into my packaged executable, but it could definitely use some improvements.
Ohh, do you have any idea how to fix the antivirus issue for the windows binary? I wonder if the same problem happens with portable Electron distributions for Windows (from electron-builder) (via --win portable). I thought they were also self-extracting.
Ohh, do you have any idea how to fix the antivirus issue for the windows binary? I wonder if the same problem happens with portable Electron distributions for Windows (from electron-builder) (via
--win portable). I thought they were also self-extracting.
Discord and FaceIt are examples of apps that are built with Electron and have installers that work like this. Both are obviously not flagged as malware... this could potentially be a code signing issue? Maybe if the stub was signed it would fix part of the problem?
Please make it so I can specify what files to include in the final exe from within package.json instead of relying on custom scripts and copying lots of files.
I added this feature in v2.0.0 (see the --exclude flag).
I’ve been reading up on how Electron packages applications. It seems like the best practice is to use asar, which is like the tarball we use, and it may also trigger antivirus software under some circumstances. Their recommendation is to ship the files separately. If you were to do that in the caxa world you actually don’t need caxa: just create a .zip including the node executable and a shell/PowerShell script to start the application. Maybe signing the application helps…
Hi y’all,
Thanks for using caxa and for the conversation here.
I’ve been thinking about the broad strategy employed by caxa and concluded that there is a better way to solve the problem. It amounts to the zip with a Shell script that I mentioned above.
It’s a different enough approach that I think it deserves a new name, and it’s part of a bigger toolset that I’m building, which I call Radically Straightforward · Package.
I’m deprecating caxa and archiving this repository. I invite you to continue the conversation in Radically Straightforward’s issues.
Best.