
Application Lifecycle Threats

Tauri applications are composed of many pieces at different points in time of the application lifecycle. Here we describe classical threats and what you SHOULD do about them.

All of these distinct steps are described in the following sections.

[Figure: Threat Stages During Development]

:::note

The weakest link in your application lifecycle essentially defines your security. Each step can compromise the assumptions and integrity of all subsequent steps, so it is important to see the whole picture at all times.

:::

Upstream Threats

Tauri is a direct dependency of your project, and we maintain strict authorial control of commits, reviews, pull requests, and releases. We do our best to keep dependencies up to date and take action to either update or fork and fix. Other projects may not be so well maintained, and may never have been audited.

Please consider their health when integrating them; otherwise, you may have adopted architectural debt without even knowing it.

Keep Your Applications Up-To-Date

When releasing your app into the wild, you are also shipping a bundle that has Tauri in it. Vulnerabilities affecting Tauri may impact the security of your application. By updating Tauri to the latest version, you ensure that critical vulnerabilities are already patched and cannot be exploited in your application. Also be sure to keep your compiler (rustc) and transpilers (nodejs) up to date, because they frequently resolve security issues of their own. The same is true for your development system in general.

Evaluate Your Dependencies

While NPM and Crates.io provide many convenient packages, it is your responsibility to choose trustworthy third-party libraries, or to rewrite them in Rust. If you do use outdated libraries that are affected by known vulnerabilities or are unmaintained, your application security and your good night’s sleep could be in jeopardy.

Use tooling like npm audit and cargo audit to automate this process, and lean on the security community’s important work.

Recent trends in the Rust ecosystem like cargo-vet or cargo crev can help to further reduce the likelihood of supply chain attacks. To find out on whose shoulders you stand, you can use the cargo supply chain tool.

One practice that we highly recommend is to only ever consume critical dependencies from git using hash revisions (best) or named tags (second best). This holds for the Rust as well as the Node ecosystem.
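A check for the practice above, as an added example that is not Tauri project code: it scans a Cargo.toml and a package.json for git dependencies and reports any not pinned to a full commit hash. It assumes Cargo git dependencies are written as inline tables; the sample manifests and the 40-hex value are constructed placeholders.

```python
"""Flag git dependencies in Cargo.toml / package.json not pinned to a full commit hash.
Added example, not Tauri project code; assumes Cargo git deps use inline tables
(`foo = { git = "...", rev = "..." }`). Sample manifests below are constructed."""
import json
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # a tag or branch name is mutable; a full hash is not
CARGO_DEP = re.compile(r'^\s*([A-Za-z0-9_-]+)\s*=\s*\{([^}]*git\s*=[^}]*)\}', re.M)
CARGO_KEY = re.compile(r'(rev|tag|branch)\s*=\s*"([^"]*)"')

def check_cargo(text):
    """Return (name, reason) for each git dependency not pinned by a full `rev` hash."""
    findings = []
    for name, body in CARGO_DEP.findall(text):
        keys = dict(CARGO_KEY.findall(body))
        rev = keys.get("rev", "")
        if not FULL_SHA.match(rev):
            reason = "rev=" + rev if rev else ("tag/branch only" if keys else "no rev")
            findings.append((name, reason))
    return findings

def check_npm(text):
    """Return (name, reason) for git specifiers in package.json lacking a full commit hash."""
    findings = []
    pkg = json.loads(text)
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if not (spec.startswith(("git+", "github:")) or "git@" in spec):
                continue  # registry version ranges are npm audit's job, not a git pin
            ref = spec.rsplit("#", 1)[1] if "#" in spec else ""
            if not FULL_SHA.match(ref):
                findings.append((name, "ref=" + (ref or "<none>")))
    return findings

# Constructed sample manifests; the 40-hex value is a placeholder, not a real commit.
SAMPLE_CARGO = """
[dependencies]
good = { git = "https://example.invalid/good.git", rev = "0123456789abcdef0123456789abcdef01234567" }
tagged = { git = "https://example.invalid/tagged.git", tag = "v1.2.0" }
floating = { git = "https://example.invalid/floating.git" }
"""
SAMPLE_PACKAGE = """{"dependencies": {
  "pinned": "github:example/pinned#0123456789abcdef0123456789abcdef01234567",
  "loose": "git+https://example.invalid/loose.git#main"},
 "devDependencies": {"unpinned": "github:example/unpinned"}}"""

if __name__ == "__main__":
    for name, reason in check_cargo(SAMPLE_CARGO) + check_npm(SAMPLE_PACKAGE):
        print(f"unpinned git dependency: {name} ({reason})")
```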

Development Threats

We assume that you, the developer, care for your development environment. It is on you to make sure that your operating system, build toolchains, and associated dependencies are kept up to date and reasonably secured.

A genuine risk all of us face is what is known as “supply-chain attacks”, which are usually considered to be attacks on direct dependencies of your project. However, a growing class of attacks in the wild directly targets development machines, and you would be well off to address this head-on.

Development Server

Tauri application frontends can be developed using a number of web frameworks. Each of these frameworks usually ships its own development server, which exposes the frontend assets via an open port to the local system or network. This allows the frontend to be hot-reloaded and debugged in the WebView or browser.

In practice this connection is often neither encrypted nor authenticated by default. This is also the case for the built-in Tauri development server, which exposes your frontend and assets to the local network. Additionally, this allows attackers to push their own frontend code to development devices in the same network as the attacker. Depending on what kind of functionality is exposed, this could lead to device compromise in the worst case.

You should only develop on trusted networks where you can safely expose your development device. If this is not possible, you MUST ensure that your development server uses mutual authentication and encryption (e.g. mTLS) for connections with your development devices.

:::note

The built-in Tauri development server does not support mutual authentication and transport encryption at the moment and should not be used on untrusted networks.

:::

Harden Development Machines

Hardening your development systems depends on various factors and on your personal threat model, but there is some generic advice we recommend following:

  • Never use administrative accounts for day-to-day tasks like coding

  • Never use production secrets on development machines

  • Prevent secrets from being checked into source code version control

  • Use security hardware tokens or similar to reduce the impact of compromised systems

  • Keep your system up to date

  • Keep your installed applications to a minimum

A more practical collection of procedures can be found in an awesome security hardening collection.

You can of course virtualise your development environment to keep attackers at bay, but this won’t protect you from attacks that target your project rather than just your machine.

Ensure Source Control Authentication and Authorization

If you are working like the majority of developers, using source code version control tools and service providers is an essential step during development.

To ensure that your source code cannot be modified by unauthorized actors, it is important to understand and correctly set up access control for your source code version control system.

Also, consider requiring all (regular) contributors to sign their commits, to prevent situations where malicious commits are attributed to non-compromised or non-malicious contributors.

Buildtime Threats

Modern organizations use CI/CD to manufacture binary artifacts.

You need to be able to fully trust these remote (and third-party-owned) systems, as they have access to source code and secrets and are able to modify builds, without you being able to verifiably prove that the produced binaries are the same as your local code. This means you either trust a reputable provider or host these systems on your own, controlled hardware.

At Tauri, we provide a GitHub Workflow for building on multiple platforms. If you create your own CI/CD and depend on third-party tooling, be wary of actions whose versions you have not explicitly pinned.
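A check for the pinning advice above, as an added example that is not Tauri’s own workflow or tooling: it scans a GitHub Actions workflow for `uses:` references and reports every remote action referenced by a tag, branch, or no ref at all instead of a full commit SHA. The sample workflow and its 40-hex value are constructed placeholders.

```python
"""Report GitHub Actions steps whose `uses:` reference is not pinned to a full commit SHA.
Added example, not Tauri's own workflow or tooling; assumes the usual `uses: owner/repo@ref`
form. The sample workflow and its 40-hex value are constructed placeholders."""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)  # stops before a trailing "# v4" comment

def unpinned_actions(workflow_yaml):
    """Return [(action, ref)] for each remote action referenced by tag, branch, or nothing."""
    findings = []
    for spec in USES.findall(workflow_yaml):
        if spec.startswith(("./", "docker://")):
            continue  # repo-local or image actions are not resolved via a mutable git ref
        action, _, ref = spec.partition("@")
        if not FULL_SHA.match(ref):
            findings.append((action, ref or "<none>"))
    return findings

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4, pinned by SHA
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - name: Build
        uses: example/build-action@main
"""

if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"{action} is pinned to mutable ref {ref!r}; pin it to a full commit SHA instead")
```

A tag such as `v4` can be moved to different code after you reviewed it; the SHA-pinned form with the version kept in a trailing comment keeps the reference immutable while staying readable.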

You should sign your binaries for the platform you are shipping to. While this can be complicated and somewhat costly to set up, end users expect that your app is verifiably from you.

If cryptographic secrets are properly stored on hardware tokens, a compromised build system won’t be able to leak the involved signing keys, but could still use them to sign malicious releases.

Reproducible Builds

To combat backdoor injection at build time, you need your builds to be reproducible, so that you can verify that the build assets are exactly the same whether you build them locally or on another independent provider.

The first problem is that Rust by default does not fully reliably produce reproducible builds. It supports this in theory, but there are still bugs, and it recently broke on a release.

You can keep track of the current state in the Rust project’s public bug tracker.

The next problem you will encounter is that many common frontend bundlers do not produce reproducible output either, so the bundled assets may also break reproducible builds.

This means that you cannot fully rely on reproducible builds by default, and sadly need to fully trust your build systems.

Distribution Threats

We have done our best to make shipping hot updates to the app as straightforward and secure as possible. However, all bets are off if you lose control of the manifest server, the build server, or the binary hosting service.

If you build your own system, consult a professional OPS architect and build it properly.

If you are looking for another trusted distribution solution for Tauri apps, our partner CrabNebula has an offering: https://crabnebula.dev/cloud

Runtime Threats

We assume the webview is insecure, which has led Tauri to implement several protections regarding webview access to system APIs in the context of loading untrusted userland content.

Using the Content Security Policy will lock down the types of communication that the Webview can undertake. Furthermore, Capabilities can prevent untrusted content or scripts from accessing the API within the Webview.

We also recommend setting up an easy and secure way to report vulnerabilities, similar to our process.