signal-desktop: Fix the database encryption by preloading SQLCipher

AFAIK this is the only reliable way for us to ensure SQLCipher will be loaded instead of SQLite. It feels like a hack/workaround but according to the SQLCipher developers [0] "this issue can and should be handled downstream at the application level: 1. While it may feel like a workaround, using LD_PRELOAD is a legitimate approach here because it will substitute the system SQLite with SQLCipher which is the intended usage model;". This fixes #108772 for NixOS 20.09 users who upgrade to NixOS 21.05 and replaces #117555. For nixos-unstable users this will unfortunately break everything again so we should add a script to ease the transition (in a separate commit so that we can revert it for NixOS 21.05). [0]: sqlcipher/sqlcipher#385 (comment)
NixOS · May 14, 2021 · 940dfa9 · 940dfa9
1 parent 1cdf5f4
commit 940dfa9
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/nixos/tests/signal-desktop.nix b/nixos/tests/signal-desktop.nix
@@ -44,12 +44,11 @@ import ./make-test-python.nix ({ pkgs, ...} :
     # - https://github.com/NixOS/nixpkgs/issues/108772
     # - https://github.com/NixOS/nixpkgs/pull/117555
     print(machine.succeed("su - alice -c 'file ~/.config/Signal/sql/db.sqlite'"))
-    # TODO: The DB should be encrypted and the following should be machine.fail
-    # instead of machine.succeed but the DB is currently unencrypted and we
-    # want to notice if this isn't the case anymore as the transition to a
-    # encrypted DB can cause data loss!:
     machine.succeed(
-        "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep -i sqlite"
+        "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep 'db.sqlite: data'"
+    )
+    machine.fail(
+        "su - alice -c 'file ~/.config/Signal/sql/db.sqlite' | grep -e SQLite -e database"
     )
   '';
 })
diff --git a/pkgs/applications/networking/instant-messengers/signal-desktop/default.nix b/pkgs/applications/networking/instant-messengers/signal-desktop/default.nix
@@ -117,9 +117,15 @@ in stdenv.mkDerivation rec {
     runHook postInstall
   '';
 
+  # Required for $SQLCIPHER_LIB which contains "/build/" inside the path:
+  noAuditTmpdir = true;
+
   preFixup = ''
+    export SQLCIPHER_LIB="$out/lib/Signal/resources/app.asar.unpacked/node_modules/better-sqlite3/build/Release/better_sqlite3.node"
+    test -x "$SQLCIPHER_LIB" # To ensure the location hasn't changed
     gappsWrapperArgs+=(
       --prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [ stdenv.cc.cc ] }"
+      --prefix LD_PRELOAD : "$SQLCIPHER_LIB"
       ${customLanguageWrapperArgs}
     )