From c2819963d22b2577e3fcf9a16e6b791d5c6bb54d Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 21 Jul 2023 15:34:07 +0200 Subject: [PATCH 01/11] Replace custom actions executing bat files to by quiet exec custom actions to surpress shown command prompts Closes #GHSA-9c9p-c3mg-hpjq (cherry picked from commit fb1ba6390dfcb7028be0eb051b893b744c0444dc) --- dist/win/resources/main.wxs | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dist/win/resources/main.wxs b/dist/win/resources/main.wxs index df73b195f..c940b9f9a 100644 --- a/dist/win/resources/main.wxs +++ b/dist/win/resources/main.wxs @@ -132,11 +132,17 @@ + + - + + - + + From 4e3b2e0be03fd564f465af1a8cfe24fae9efb1b8 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 21 Jul 2023 16:50:27 +0200 Subject: [PATCH 02/11] supress non affecting cve --- suppression.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/suppression.xml b/suppression.xml index e7cc4ea65..b7e99d589 100644 --- a/suppression.xml +++ b/suppression.xml @@ -55,4 +55,12 @@ CVE-2022-45688 + + + ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ + CVE-2023-35116 + + \ No newline at end of file From 8ed1878035be587b5754f8d9e20576107197daef Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 21 Jul 2023 17:07:33 +0200 Subject: [PATCH 03/11] prepare 1.9.2 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 38c917a77..467a40ed3 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,7 @@ 4.0.0 org.cryptomator cryptomator - 1.9.1 + 1.9.2 Cryptomator Desktop App From 807e718d13dd96842f149e627664f706f78b8286 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 21 Jul 2023 16:50:27 +0200 Subject: [PATCH 04/11] supress non affecting cve (cherry picked from commit 4e3b2e0be03fd564f465af1a8cfe24fae9efb1b8) --- suppression.xml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/suppression.xml b/suppression.xml index e7cc4ea65..b7e99d589 100644 
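Review bot: In the suppression.xml hunk of PATCH 02 (repeated unchanged as the cherry-pick in PATCH 04), the pattern `^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$` suppresses CVE-2023-35116 for every jackson-databind version, present and future. The scanner will therefore stay silent even if the "non affecting" assessment stops holding after an upgrade or a revised advisory. The element markup is not visible in this rendering, so this may already be covered, but the entry should carry a `<notes>` text recording why the CVE does not apply to this project and an `until` date on `<suppress>` so the decision is revisited. Alternatively, narrow the version part of the pattern to the databind releases that were actually assessed.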
--- a/suppression.xml +++ b/suppression.xml @@ -55,4 +55,12 @@ CVE-2022-45688 + + + ^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$ + CVE-2023-35116 + + \ No newline at end of file From 164a350e7eab0414c201f0d9ff55b4e60bddf695 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Mon, 24 Jul 2023 16:34:49 +0200 Subject: [PATCH 05/11] finalize 1.9.2 --- dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml b/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml index 3df3691bc..4fd30d14f 100644 --- a/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml +++ b/dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml @@ -66,6 +66,7 @@ + From e41a33d250ee58888752dbb9d813f62762d89863 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 25 Jul 2023 13:07:40 +0200 Subject: [PATCH 06/11] fixes #3030 --- .github/workflows/mac-dmg.yml | 31 +++++++++++++++++++++---------- 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml index 401f22b87..718e5c170 100644 --- a/.github/workflows/mac-dmg.yml +++ b/.github/workflows/mac-dmg.yml 
@@ -41,21 +41,32 @@ jobs: - name: Setup Java uses: actions/setup-java@v3 with: - distribution: 'zulu' + distribution: 'temurin' java-version: ${{ env.JAVA_VERSION }} - java-package: 'jdk+fx' + java-package: 'jdk' architecture: ${{ matrix.architecture }} cache: 'maven' - - name: Ensure major jfx version in pom equals in jdk - if: ${{ !contains(matrix.os, 'self-hosted') }} - shell: pwsh + - name: Download OpenJFX jmods + id: download-jmods run: | - $jfxPomVersion = (&mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout) -split "\." - $jfxJdkVersion = ((Get-Content -path "${env:JAVA_HOME}/lib/javafx.properties" | Where-Object {$_ -like 'javafx.version=*' }) -replace '.*=','') -split "\." - if ($jfxPomVersion[0] -ne $jfxJdkVersion[0]) { - Write-Error "Major part of JavaFX version in pom($($jfxPomVersion[0])) does not match the version in JDK($($jfxJdkVersion[0])) " + curl -L ${{ env.OPENJFX_JMODS_URL }} -o openjfx-jmods.zip + mkdir -p openjfx-jmods/ + unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods + env: + OPENJFX_JMODS_URL: 'https://download2.gluonhq.com/openjfx/20.0.1/openjfx-20.0.1_osx-${{ matrix.architecture }}_bin-jmods.zip' + - name: Ensure major jfx version in pom and in jmods is the same + run: | + JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1) + JMOD_VERSION=${JMOD_VERSION#*@} + JMOD_VERSION=${JMOD_VERSION%%.*} + POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout) + POM_JFX_VERSION=${POM_JFX_VERSION#*@} + POM_JFX_VERSION=${POM_JFX_VERSION%%.*} + + if [ $POM_JFX_VERSION -ne $JMOD_VERSION ]; then + >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION_AMD64})" exit 1 - } + fi - name: Set version run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }} - name: Run maven From a415e3b0a993bb36a474a53c8b33edb81cbc6115 Mon Sep 17 00:00:00 2001 
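Review bot: The guard added in the step "Ensure major jfx version in pom and in jmods is the same" fails open, because `[ $POM_JFX_VERSION -ne $JMOD_VERSION ]` is an unquoted numeric test. If one of the two values is empty or not an integer, `[` returns an error status, the `if` body is skipped and the step passes; this happens for example when `jmod describe` fails, which the pipe into `head -1` hides unless pipefail is active. Compare as strings and reject an empty value explicitly: `if [ -z "${JMOD_VERSION}" ] || [ "${POM_JFX_VERSION}" != "${JMOD_VERSION}" ]; then`. The error message also prints `${JMOD_VERSION_AMD64}`, which is never set in this step, so it should read `${JMOD_VERSION}`. The same unquoted `-ne` comparison is added to dist/mac/dmg/build.sh in PATCH 07.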
From: Armin Schrenk Date: Tue, 25 Jul 2023 13:08:19 +0200 Subject: [PATCH 07/11] update local build script to download jfx jmods --- dist/mac/dmg/build.sh | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/dist/mac/dmg/build.sh b/dist/mac/dmg/build.sh index ef652ec7d..4ec829808 100755 --- a/dist/mac/dmg/build.sh +++ b/dist/mac/dmg/build.sh @@ -29,6 +29,14 @@ REVISION_NO=`git rev-list --count HEAD` VERSION_NO=`mvn -f../../../pom.xml help:evaluate -Dexpression=project.version -q -DforceStdout | sed -rn 's/.*([0-9]+\.[0-9]+\.[0-9]+).*/\1/p'` FUSE_LIB="FUSE-T" +ARCH="undefined" +if [ "$(machine)" = "arm64e" ]; then + ARCH="aarch64" +else + ARCH="x64" +fi +OPENJFX_JMODS="https://download2.gluonhq.com/openjfx/20.0.1/openjfx-20.0.1_linux-${ARCH}_bin-jmods.zip" + # check preconditions if [ -z "${JAVA_HOME}" ]; then echo "JAVA_HOME not set. Run using JAVA_HOME=/path/to/jdk ./build.sh"; exit 1; fi command -v mvn >/dev/null 2>&1 || { echo >&2 "mvn not found. Fix by 'brew install maven'."; exit 1; } 
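Review bot: The new `OPENJFX_JMODS` URL in this macOS build script requests the Linux archive (`openjfx-20.0.1_linux-${ARCH}_bin-jmods.zip`), whereas the mac-dmg workflow in the same series downloads the `osx-` archives. Linking Linux jmods into the macOS runtime would presumably produce a JavaFX layer without the right native libraries, and the later major-version check would not catch it because only the version number is compared. The line should read `OPENJFX_JMODS="https://download2.gluonhq.com/openjfx/20.0.1/openjfx-20.0.1_osx-${ARCH}_bin-jmods.zip"`. The initial `ARCH="undefined"` is always overwritten by the if/else that follows and can be dropped.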
@@ -38,6 +46,22 @@ if [ -n "${CODESIGN_IDENTITY}" ]; then if [[ ! `security find-identity -v -p codesigning | grep -w "${CODESIGN_IDENTITY}"` ]]; then echo "Given codesign identity is invalid."; exit 1; fi fi +# download and check jmods +curl -L ${{ env.OPENJFX_JMODS }} -o openjfx.zip +mkdir -p openjfx-jmods/ +unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods/ +JMOD_VERSION=$(jmod describe jmods/amd64/javafx.base.jmod | head -1) +JMOD_VERSION=${JMOD_VERSION#*@} +JMOD_VERSION=${JMOD_VERSION%%.*} +POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout) +POM_JFX_VERSION=${POM_JFX_VERSION#*@} +POM_JFX_VERSION=${POM_JFX_VERSION%%.*} + +if [ $POM_JFX_VERSION -ne $JMOD_VERSION ]; then +>&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})" +exit 1 +fi + # compile mvn -B -f../../../pom.xml clean package -DskipTests -Pmac cp ../../../target/${MAIN_JAR_GLOB} ../../../target/mods @@ -45,8 +69,8 @@ cp ../../../target/${MAIN_JAR_GLOB} ../../../target/mods # add runtime ${JAVA_HOME}/bin/jlink \ --output runtime \ - --module-path "${JAVA_HOME}/jmods" \ - --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr \ + --module-path "${JAVA_HOME}/jmods:openjfx-jmods" \ + --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.crypto.ec,jdk.security.auth,jdk.accessibility,jdk.management.jfr \ --strip-native-commands \ --no-header-files \ --no-man-pages \ From b73993c3757486de602cd9fd370f83531e828487 Mon Sep 17 00:00:00 2001 
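Review bot: The "download and check jmods" block unpacks the downloaded archive and feeds it to `jlink` (second hunk, `--module-path "${JAVA_HOME}/jmods:openjfx-jmods"`) without verifying its integrity, so whatever the download host or a redirect returns ends up in the shipped runtime. The only check is on the major version string, which says nothing about the content. In the patches shown here the SHA-256 verification is added to the CI workflow only, not to this script. Pin a digest per architecture next to the URL and verify it before `unzip`, for instance `echo "${OPENJFX_JMODS_SHA256} *openjfx-jmods.zip" | shasum -a 256 --check || exit 1`, where `OPENJFX_JMODS_SHA256` is a proposed new variable holding the digest of the selected archive. Adding `--fail` to the `curl` call would also stop an HTTP error page from being saved as the zip.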
From: Armin Schrenk Date: Tue, 25 Jul 2023 14:43:29 +0200 Subject: [PATCH 08/11] add jfx to module path --- .github/workflows/mac-dmg.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml index 718e5c170..11d532a50 100644 --- a/.github/workflows/mac-dmg.yml +++ b/.github/workflows/mac-dmg.yml @@ -80,7 +80,7 @@ jobs: ${JAVA_HOME}/bin/jlink --verbose --output runtime - --module-path "${JAVA_HOME}/jmods" + --module-path "${JAVA_HOME}/jmods:openjfx-jmods" --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr --strip-native-commands --no-header-files From 83e91d361f9c7d7fa5dc3a95796444ca4b3bf9d9 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Tue, 25 Jul 2023 17:29:34 +0200 Subject: [PATCH 09/11] fix errors in build script --- dist/mac/dmg/build.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dist/mac/dmg/build.sh b/dist/mac/dmg/build.sh index 4ec829808..1fad663e1 100755 --- a/dist/mac/dmg/build.sh +++ b/dist/mac/dmg/build.sh @@ -47,10 +47,10 @@ if [ -n "${CODESIGN_IDENTITY}" ]; then fi # download and check jmods -curl -L ${{ env.OPENJFX_JMODS }} -o openjfx.zip +curl -L ${OPENJFX_JMODS} -o openjfx-jmods.zip mkdir -p openjfx-jmods/ unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods/ -JMOD_VERSION=$(jmod describe jmods/amd64/javafx.base.jmod | head -1) +JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1) JMOD_VERSION=${JMOD_VERSION#*@} JMOD_VERSION=${JMOD_VERSION%%.*} POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout) From ad3d36e06a021595a9d12f16feac591d467449ed Mon Sep 17 00:00:00 2001 
From: Armin Schrenk Date: Wed, 26 Jul 2023 11:37:05 +0200 Subject: [PATCH 10/11] check sha256 sum of downloaded artifact in ci --- .github/workflows/mac-dmg.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml index 11d532a50..61879094f 100644 --- a/.github/workflows/mac-dmg.yml +++ b/.github/workflows/mac-dmg.yml @@ -31,11 +31,15 @@ jobs: output-suffix: x64 xcode-path: '/Applications/Xcode_13.2.1.app' fuse-lib: macFUSE + openjfx-url: https://download2.gluonhq.com/openjfx/20.0.1/openjfx-20.0.1_osx-aarch64_bin-jmods.zip + openjfx-sha: 4fcd4bc3cd0edeb899108109e42a0c5a2d87d14a195d11199060862eb6d887b5 - os: [self-hosted, macOS, ARM64] architecture: aarch64 output-suffix: arm64 xcode-path: '/Applications/Xcode_13.2.1.app' fuse-lib: FUSE-T + openjfx-url: https://download2.gluonhq.com/openjfx/20.0.1/openjfx-20.0.1_osx-aarch64_bin-jmods.zip + openjfx-sha: e7e99e6dc3d091e7e1c6940d8e1acc282f22b82b234a20ae7cbec4b93a6acabe steps: - uses: actions/checkout@v3 - name: Setup Java @@ -49,11 +53,10 @@ jobs: - name: Download OpenJFX jmods id: download-jmods run: | - curl -L ${{ env.OPENJFX_JMODS_URL }} -o openjfx-jmods.zip + curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip + echo "${{ matrix.openjfx-sha }} openjfx-jmods.zip" | sha256sum --check mkdir -p openjfx-jmods/ unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods - env: - OPENJFX_JMODS_URL: 'https://download2.gluonhq.com/openjfx/20.0.1/openjfx-20.0.1_osx-${{ matrix.architecture }}_bin-jmods.zip' - name: Ensure major jfx version in pom and in jmods is the same run: | JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1) From 27ca6591ea03b08a571f135fb7cfc329bd0828e2 Mon Sep 17 00:00:00 2001 
From: Armin Schrenk Date: Wed, 26 Jul 2023 13:01:14 +0200 Subject: [PATCH 11/11] Apply suggestions from code review Co-authored-by: Sebastian Stenzel --- .github/workflows/mac-dmg.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml index 61879094f..1b3b4f0b9 100644 --- a/.github/workflows/mac-dmg.yml +++ b/.github/workflows/mac-dmg.yml @@ -31,7 +31,7 @@ jobs: output-suffix: x64 xcode-path: '/Applications/Xcode_13.2.1.app' fuse-lib: macFUSE - openjfx-url: https://download2.gluonhq.com/openjfx/20.0.1/openjfx-20.0.1_osx-aarch64_bin-jmods.zip + openjfx-url: https://download2.gluonhq.com/openjfx/20.0.1/openjfx-20.0.1_osx-x64_bin-jmods.zip openjfx-sha: 4fcd4bc3cd0edeb899108109e42a0c5a2d87d14a195d11199060862eb6d887b5 - os: [self-hosted, macOS, ARM64] architecture: aarch64 @@ -54,7 +54,7 @@ jobs: id: download-jmods run: | curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip - echo "${{ matrix.openjfx-sha }} openjfx-jmods.zip" | sha256sum --check + echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check mkdir -p openjfx-jmods/ unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods - name: Ensure major jfx version in pom and in jmods is the same