ocran 1.3.17 → 1.3.18

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b9a3cbb0a7f0f5d9eecc89b8f14d8c538abf146f9e95e982ece04a0fe1e58278
-  data.tar.gz: acd0b94387b943c42ca1bbbd336faaacddaf209768e69bd446baff44995ac3cd
+  metadata.gz: 816bbf710efb38734ee1955a19ff5bd418b83ff1a5cf21b7a4d0bfe100b2c439
+  data.tar.gz: 95173c8a2bd36ea959f4dfe5ddafba5a96b891ced56e9026653e4c1b3aba32a3
 SHA512:
-  metadata.gz: 6ce6b73b6a11d76d91c9ba09ce79e71c09de420f68d0ac52a8d6636c95167b669a6ccea3ad3ae171232db80b6335479240363d9e38042c52b3c0fa806b539a41
-  data.tar.gz: 36334319b2735ff7498cd03f49b85810c2e2a7ea902ec7a9a14a4378e4ec52af56507c551f8d92ee6139883388c91542f1e8c8da0269c0fff4b23660b6472703
+  metadata.gz: ae9bd0453f9219098542daa6e1842004cc8efa29422cd80c52a0b936065f790c994139f775a1c2dd42fe9e3ed274e60741ecfc8721692d4293ee1c9fde70a34f
+  data.tar.gz: e422b2ed09f116891ff82cee0d5ec29125b71c6ead67964249cdcc4ad375aacced7802f07b91ef6d9419986af4ec49c7c3c56f0e22fcf85aa6cd55a62fd238e6

data/CHANGELOG.txt

@@ -1,3 +1,23 @@
+=== 1.3.18
+- Support shipping IRB as .exe File
+- Fix SxS error 14001 when loading native extensions (e.g. openssl.so, date_core.so) at runtime. Each .so file may have a companion *.so-assembly.manifest in archdir defining its private SxS assembly; these manifests are now included alongside the .so files. All files in ruby_builtin_dlls/ (DLLs and manifest) are now included rather than the manifest alone.
+- Support for Ruby 4.0.
+- Include cacert.pem in the exe file to avoid SSL certificate verification issues.
+- Use wide (UTF-16) Win32 APIs throughout system_utils.c (CreateFileW, CreateDirectoryW, DeleteFileW, FindFirstFileW/FindNextFileW, RemoveDirectoryW, GetFileAttributesW, MoveFileExW, GetTempPathW, CreateProcessW) to correctly handle multibyte (UTF-8) file and directory paths in the stub.
+- Add Windows Authenticode code signing support. The stub now detects and skips PE security directory entries when searching for the OCRAN signature, so signed executables unpack correctly. Build time clears invalid security directory entries from PE headers to allow subsequent signing.
+- Fix incorrect buffer size passed to GetModuleFileNameW in LibraryDetector (passed bytesize instead of character count).
+- Fix pointer subtraction underflow in stub unpacker when a tampered offset places head past tail.
+- Add bounds checking for icon file entries in edicon to prevent out-of-bounds reads from malformed .ico files.
+- Support for Ruby 3.2 and above. Drop ruby 3.0 and 3.1 support.
+- Suppress user notifications during stub cleanup and log errors to DEBUG output
+- Fixes issue where two MessageBox dialogs appeared in GUI mode when a signature was not found.
+- No longer create a marker file when the stub fails to delete the installation directory during cleanup.
+- stub: During cleanup, switch to a safer working directory before removing the extraction directory.
+- stub: Truncate error messages originating from the stub to a fixed maximum length.
+- stub: Changed the name of the extraction directory to follow the mkdtemp style. The name is now generated using secure random numbers.
+- stub: Disabled path expansion of template characters for additional options passed to the script.
+- stub: Changed the script’s working directory switch to use Ruby’s `-C` option.
+
 === 1.3.17
 - Modified `rake test` to no longer build stubs during test execution. Use `rake build_stub` when stub generation is necessary.
 - New `rake build` task as a unified build entry point, delegating to `build_stub`.

data/README.md

@@ -12,7 +12,7 @@ executable that contains the Ruby interpreter, your source code and
 any additionally needed ruby libraries or DLL.
 
 OCRAN is a fork of Ocra (https://github.com/larsch/ocra) in order to
-maintain compatibility with newer Ruby versions after 3.0
+maintain compatibility with newer Ruby versions after 3.2
 
 ## Recommended usage
 Most commonly you will needs this, when you want to ship your program to windows servers / users that don't have Ruby installed.
@@ -35,9 +35,11 @@ the issue tracker on GitHub (http://github.com/largo/ocran/issues).
 
 ## Safety
 
-As this gem comes with binaries, we have taken actions to insure your safety.
-The gem releases are built on Github Actions. Feel free verify that it matches the version on rubygems.
-It ships with seb.exe and LZMA.exe in this repository, which come from official sources.
+As this gem comes with binary blobs, we have taken actions to insure your safety.
+The gem releases are securely built on Github Actions. Feel free verify that it matches the version on rubygems.
+This repository ships with LZMA.exe from [The official release of ip7z/7zip](https://github.com/ip7z/7zip/releases): Version 22.01 from lzma2201.7z
+The LZMA.exe is used to compress the executable.
+Other files such as stub.exe, stubw.exe and edicon.exe are built from source code in the repository.
 
 ## Installation
 

data/lib/ocran/direction.rb

@@ -144,10 +144,36 @@ module Ocran
         end
       end
 
-      # Add external manifest files
+      # Add external manifest and builtin DLLs
       if (manifest = ruby_builtin_manifest)
-        say "Adding external manifest #{manifest}"
-        builder.duplicate_to_exec_prefix(manifest)
+        manifest.dirname.each_child do |path|
+          next if path.directory?
+          say "Adding builtin DLL/manifest #{path}"
+          builder.duplicate_to_exec_prefix(path)
+        end
+      end
+
+      # Include SxS assembly manifests for native extensions.
+      # Each .so file may have an embedded manifest referencing a companion
+      # *.so-assembly.manifest file in the same directory. Without these
+      # manifests the SxS activation context fails (error 14001) at runtime.
+      # Scan archdir and the extension dirs of all loaded gems.
+      sxs_manifest_dirs = []
+      archdir = Pathname(RbConfig::CONFIG["archdir"])
+      sxs_manifest_dirs << archdir if archdir.exist? && archdir.subpath?(exec_prefix)
+      if defined?(Gem)
+        Gem.loaded_specs.each_value do |spec|
+          next if spec.extensions.empty?
+          ext_dir = Pathname(spec.extension_dir)
+          sxs_manifest_dirs << ext_dir if ext_dir.exist? && ext_dir.subpath?(exec_prefix)
+        end
+      end
+      sxs_manifest_dirs.each do |dir|
+        dir.each_child do |path|
+          next unless path.extname == ".manifest"
+          say "Adding native extension assembly manifest #{path}"
+          builder.duplicate_to_exec_prefix(path)
+        end
       end
 
       # Add extra DLLs specified on the command line
@@ -209,15 +235,15 @@ module Ocran
       # If requested, add all ruby standard libraries
       if @option.add_all_core?
         say "Will include all ruby core libraries"
-        @pre_env.load_path.each do |load_path|
-          path = Pathname.new(load_path)
+        all_core_dir.each do |path|
           # Match the load path against standard library, site_ruby, and vendor_ruby paths
-          path.to_posix.match(RUBY_LIBRARY_PATH_REGEX) do |m|
-            subdir = m[1]
-            path.find.each do |src|
-              next if src.directory?
-              builder.copy_to_lib(src, Pathname(subdir) / src.relative_path_from(path))
-            end
+          unless (subdir = path.to_posix.match(RUBY_LIBRARY_PATH_REGEX)&.[](1))
+            raise "Unexpected library path format (does not match core dirs): #{path}"
+          end
+          path.find.each do |src|
+            next if src.directory?
+            a = Pathname(subdir) / src.relative_path_from(path)
+            builder.copy_to_lib(src, Pathname(subdir) / src.relative_path_from(path))
           end
         end
       end
@@ -312,6 +338,52 @@ module Ocran
         end
       end
 
+      # Bundle SSL certificates if OpenSSL was loaded (e.g. via net/http HTTPS)
+      if defined?(OpenSSL)
+        cert_file = Pathname(OpenSSL::X509::DEFAULT_CERT_FILE)
+        if cert_file.file? && cert_file.subpath?(exec_prefix)
+          say "Adding SSL certificate file #{cert_file}"
+          builder.duplicate_to_exec_prefix(cert_file)
+          builder.export("SSL_CERT_FILE", File.join(EXTRACT_ROOT, cert_file.relative_path_from(exec_prefix).to_posix))
+        end
+
+        cert_dir = Pathname(OpenSSL::X509::DEFAULT_CERT_DIR)
+        if cert_dir.directory? && cert_dir.subpath?(exec_prefix)
+          say "Adding SSL certificate directory #{cert_dir}"
+          cert_dir.find.each do |path|
+            next if path.directory?
+            builder.duplicate_to_exec_prefix(path)
+          end
+          builder.export("SSL_CERT_DIR", File.join(EXTRACT_ROOT, cert_dir.relative_path_from(exec_prefix).to_posix))
+        end
+      end
+
+      # Bundle Tcl/Tk library scripts if the Tk extension is loaded.
+      # tcl86.dll and tk86.dll are auto-detected by DLL scanning, but the
+      # Tcl/Tk script libraries (init.tcl etc.) must also be bundled so
+      # that Tcl can find them relative to the DLL at runtime.
+      if defined?(TclTkLib)
+        exec_prefix.glob("**/lib/tcl[0-9]*/init.tcl").each do |init_tcl|
+          tcl_lib_dir = init_tcl.dirname
+          next unless tcl_lib_dir.subpath?(exec_prefix)
+          say "Adding Tcl library files #{tcl_lib_dir}"
+          tcl_lib_dir.find.each do |path|
+            next if path.directory?
+            builder.duplicate_to_exec_prefix(path)
+          end
+        end
+
+        exec_prefix.glob("**/lib/tk[0-9]*/pkgIndex.tcl").each do |pkg_index|
+          tk_lib_dir = pkg_index.dirname
+          next unless tk_lib_dir.subpath?(exec_prefix)
+          say "Adding Tk library files #{tk_lib_dir}"
+          tk_lib_dir.find.each do |path|
+            next if path.directory?
+            builder.duplicate_to_exec_prefix(path)
+          end
+        end
+      end
+
       # Set environment variable
       builder.export("RUBYOPT", rubyopt)
       # Add the load path that are required with the correct path after

data/lib/ocran/host_config_helper.rb

@@ -33,5 +33,12 @@ module Ocran
     def ruby_exe
       @ruby_exe ||= (RbConfig::CONFIG["ruby_install_name"] || "ruby") + exe_extname
     end
+
+    def all_core_dir
+      RbConfig::CONFIG
+          .slice("rubylibdir", "sitelibdir", "vendorlibdir")
+          .values
+          .map { |path| Pathname.new(path) }
+    end
   end
 end

data/lib/ocran/library_detector.rb

@@ -49,7 +49,7 @@ module Ocran
                   end
         str = "\x00".encode("UTF-16LE") * MAX_PATH
         handles.map do |handle|
-          length = GetModuleFileNameW(handle, str, str.bytesize)
+          length = GetModuleFileNameW(handle, str, str.bytesize / 2)
           if length == 0
             raise "GetModuleFileNameW failed with error code #{GetLastError()}"
           end

data/lib/ocran/stub_builder.rb

@@ -8,7 +8,7 @@ module Ocran
   # instance of OcranBuilder.
   class StubBuilder
     Signature = [0x41, 0xb6, 0xba, 0x4e].freeze
-    OP_END = 0
+
     OP_CREATE_DIRECTORY = 1
     OP_CREATE_FILE = 2
     OP_SETENV = 3
@@ -28,6 +28,34 @@ module Ocran
 
     attr_reader :data_size
 
+    # Clear invalid security directory entries from PE executables
+    # This is necessary because some linkers may set non-zero values in the
+    # security directory even when there is no actual digital signature
+    def self.clear_invalid_security_entry(file_path)
+      data = File.binread(file_path)
+      return unless data.size > 64 # Minimum PE header size
+
+      # Read DOS header to find PE header offset
+      e_lfanew_offset = 60
+      pe_offset = data[e_lfanew_offset, 4].unpack1("L")
+      return if pe_offset + 160 > data.size # Not enough room for headers
+
+      # Calculate security directory offset
+      # PE signature (4) + FILE_HEADER (20) + partial OPTIONAL_HEADER to DataDirectory
+      security_entry_offset = pe_offset + 4 + 20 + 128
+
+      # Read security directory entry (VirtualAddress and Size)
+      sec_addr = data[security_entry_offset, 4].unpack1("L")
+      sec_size = data[security_entry_offset + 4, 4].unpack1("L")
+
+      # Check if security entry is invalid (points beyond file or size is 0)
+      if sec_size != 0 && (sec_addr == 0 || sec_addr >= data.size || sec_addr + sec_size > data.size)
+        # Clear the invalid security entry
+        data[security_entry_offset, 8] = "\x00" * 8
+        File.binwrite(file_path, data)
+      end
+    end
+
     # chdir_before:
     # When set to true, the working directory is changed to the application's
     # deployment location at runtime.
@@ -65,6 +93,9 @@ module Ocran
       IO.copy_stream(gui_mode ? STUBW_PATH : STUB_PATH, stub)
       stub.close
 
+      # Clear any invalid security directory entries from the stub
+      self.class.clear_invalid_security_entry(stub.path)
+
       if icon_path
         system(EDICON_PATH, stub.path, icon_path.to_s, exception: true)
       end
@@ -77,7 +108,6 @@ module Ocran
 
         b = proc {
           yield(self)
-          write_opcode(OP_END)
         }
 
         if enable_compression
@@ -184,13 +214,23 @@ module Ocran
         raise ArgumentError, "String length #{len} is too large: must be less than or equal to 65535 bytes including null terminator"
       end
 
-      @of << [len, str].pack("vZ*")
-      @data_size += 2 + len
+      write_size(len)
+      @of << [str].pack("Z*")
+      @data_size += len
     end
     private :write_string
 
     def write_string_array(*str_array)
       ary = str_array.map(&:to_s)
+
+      if ary.any?(&:empty?)
+         raise ArgumentError, "Argument list must not contain empty strings"
+      end
+
+      # Append an empty string so that when joined with "\0", the final buffer
+      # ends in two consecutive NUL bytes (double–NUL terminator) to mark end-of-list.
+      ary << ""
+
       size = ary.sum(0) { |s| s.bytesize + 1 }
       write_size(size)
       ary.each_slice(1) { |a| @of << a.pack("Z*") }

data/lib/ocran/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Ocran
-  VERSION = "1.3.17"
+  VERSION = "1.3.18"
 end

metadata

@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ocran
 version: !ruby/object:Gem::Version
-  version: 1.3.17
+  version: 1.3.18
 platform: ruby
 authors:
 - Andi Idogawa
 - Lars Christensen
-autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-05-02 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fiddle
@@ -29,7 +28,7 @@ description: "OCRAN (One-Click Ruby Application Next) builds Windows executables
   Ruby source code. \n  The executable is a self-extracting, self-running executable
   that contains the Ruby interpreter, your source code and any additionally needed
   ruby libraries or DLL.\n  \n  This is a fork of OCRA that is compatible with ruby
-  version after 3.0.\n  Migration guide: make sure to write ocran instead of ocra
+  version after 3.2.\n  Migration guide: make sure to write ocran instead of ocra
   in your code. For instance: OCRAN_EXECUTABLE\n\n  usage: \n    ocra helloworld.rb\n
   \   helloworld.exe\n\n  See readme at https://github.com/largo/ocran\n  Report problems
   in the github issues. Contributions welcome.\n  This gem contains executables. We
@@ -76,7 +75,6 @@ metadata:
   homepage_uri: https://github.com/largo/ocran
   source_code_uri: https://github.com/largo/ocran
   changelog_uri: https://github.com/largo/ocran/CHANGELOG.txt
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -84,15 +82,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.0.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.3
-signing_key:
+rubygems_version: 4.0.3
 specification_version: 4
 summary: OCRAN (One-Click Ruby Application Next) builds Windows executables from Ruby
   source code.