This pull request addresses a startup issue with Fleet Desktop on
openSUSE Leap 16 and similar Linux distributions. The main change is to
adjust how Fleet Desktop and key-escrow dialogs are launched to avoid
environment variable loss caused by login shell profile scripts. The fix
is scoped specifically to openSUSE Leap 16+ to avoid impacting other
distributions.
**Distribution-specific sudo invocation changes:**
* The `-i` (login shell) flag is now omitted from the `sudo` command
when launching Fleet Desktop and key-escrow dialogs on openSUSE Leap 16
and newer, preventing environment variables from being lost due to
profile script interference.
[[1]](diffhunk://#diff-633ab361af6795ef458233819e2806dfba4ca56f684866d956321825b8fd2e91R1)
[[2]](diffhunk://#diff-3e8315d9f12512bce490457c5d20bd7c5aebaa2a8e18b1abf50e504815dd7a9dR178-R193)
* For all other supported distributions, the previous behavior (using
`-i`) is preserved to maintain compatibility and avoid unnecessary
re-testing.
**Detection logic:**
* Introduced a new helper function `isOpenSUSELeap16Plus` in
`execuser_linux.go` to detect if the host is running openSUSE Leap 16 or
newer by parsing `/etc/os-release`. This ensures the workaround is only
applied where necessary.
---
**Related issue:** N/A — surfaced via field investigation on openSUSE
Leap 16 (arm64).
This PR addresses two distinct issues that together prevent Fleet
Desktop from working on openSUSE Leap 16, both validated end-to-end on a
real Leap 16 (arm64) host.
## 1. Launch reliability — drop `sudo -i`
`orbit/pkg/execuser/execuser_linux.go`
On Linux, Orbit launches Fleet Desktop with:
```
sudo -n -i -u <user> -H env WAYLAND_DISPLAY=… … FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH=/opt/orbit/identifier … /…/fleet-desktop
```
The `-i` flag makes sudo "simulate initial login" — it runs the target
user's shell as a login shell and wraps the rest of the command in `bash
--login -c '<escaped>'`. That sources `/etc/profile` and every script in
`/etc/profile.d/*` before our `env KEY=val … fleet-desktop` line runs,
and shell metacharacters (`=`, `:`, `/`, `.`) get backslash-escaped
through the shell layer.
On **openSUSE Leap 16 (arm64)**, that indirection causes the inline
env-var assignments to not reach `fleet-desktop`, which exits
immediately with:
```
FTL missing URL environment FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH
```
Orbit then respawns it every ~15 s in a tight kill-and-respawn loop, so
the tray icon never appears.
**Fix:** drop `-i` from the sudo invocation. We don't need a login
shell:
- `-H` already sets `HOME` to the target user.
- sudo's default `env_reset` sets `USER` / `LOGNAME` / `SHELL` / `MAIL`
and `PATH` to `secure_path`.
- All session vars (`WAYLAND_DISPLAY`, `DISPLAY`,
`DBUS_SESSION_BUS_ADDRESS`, `LD_LIBRARY_PATH`) and every
`FLEET_DESKTOP_*` var are already passed explicitly via `env KEY=val …`.
After the change, sudo `execve()`s `env` directly with no shell layer in
between, so `/etc/profile.d` sourcing and shell-escaping are out of the
picture.
The `runuser -l` /proc/keys-leak regression from PR #32309 does not
apply — that was specific to `runuser -l` creating session keyrings;
sudo without `-i` doesn't.
# Checklist for submitter
- [x] Changes file added:
`orbit/changes/fleet-desktop-linux-no-login-shell`
- [x] Input data is properly validated; untrusted data interpolated into
shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops (script's wait loop now bounded at 90s).
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes — N/A.
## Testing
Manual QA needed before merge:
- [x] **openSUSE Leap 16 (arm64)** — Fleet Desktop process starts, stays
running, env vars present, no FTL respawn loop. Done via `sudo` shim.
- [x] **openSUSE Leap 16 (arm64) — extension fallback** — manual tarball
install + schema compilation produces a working tray icon (matching what
the script automates).
- [ ] **Ubuntu 22.04 / 24.04** — regression check: Fleet Desktop tray
icon still appears, key-escrow zenity dialog still renders, AppIndicator
script still installs via the official path.
- [ ] **Fedora (recent)** — regression check: same as above.
- [ ] **Debian** — regression check: same as above.
- [ ] **openSUSE Tumbleweed** — confirm `InstallRemoteExtension` path
still works (no fallback path triggered).
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet —
pure launch-flag change plus a script update; no protocol or schema
impact.
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes — Go change is in
`execuser_linux.go`, only built on Linux. The script is Linux-only by
construction.
- [ ] Verified that fleetd runs on macOS, Linux and Windows — Linux
re-verification pending QA above; macOS/Windows code paths unchanged.
- [ ] Verified auto-update works from the released version of component
to the new version.
## Notes for reviewers
- The tray-icon visibility issue is an OS-side prerequisite (GNOME 3.26+
has no native tray), so the AppIndicator extension is required
regardless. Even after installing it, Wayland requires a logout/login to
pick up new extensions — this is documented behavior and not specific to
the fallback path.
**Related issue:** Resolves#44202.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [X] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [X] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [X] Verified that fleetd runs on macOS, Linux and Windows
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added network quality table for macOS to monitor download and upload
speeds with results formatted in both kilobits and megabits per second
(requires macOS 12+)
* **Chores**
* Updated MacAdmins osquery extension dependency to v1.4.1
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Golang 1.26.2 has been released. It fixes some CVEs:
https://github.com/golang/go/issues?q=milestone%3AGo1.26.2+label%3ACherryPickApproved
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated Go toolchain to 1.26.2 across the repository and build
configs.
* Updated Docker build images to use Go 1.26.2.
* Expanded the set of tracked modules for the Go version update so
additional module files are included in automated updates.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#41379
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added EUA token support to Orbit enrollment workflow
* Introduced `--eua-token` CLI flag for Windows MDM enrollment
* Windows MSI packages now support EUA_TOKEN property (Orbit v1.55.0+)
* **Tests**
* Added tests for EUA token handling in enrollment and Windows packaging
* **Documentation**
* Added changelog entry documenting EUA token inclusion in enrollment
requests
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40809
**Orbit agent: key rotation replaces decrypt-then-re-encrypt:**
- When the disk is already encrypted, orbit now adds a new Fleet-managed
recovery key protector, removes old ones, and escrows the new key. The
disk is never decrypted.
- If key escrow fails, the rotated key is cached in memory and retried
on subsequent ticks without rotating again.
- Removes `DecryptVolume` and `decrypt()` (no longer called from
production code).
**Server: osquery query returns both protection_status and
conversion_status:**
- The `disk_encryption_windows` query now returns both columns instead
of just checking `protection_status = 1`. This lets the server correctly
identify a disk as encrypted via `conversion_status = 1` even when
`protection_status = 0`.
- New `directIngestDiskEncryptionWindows` function parses both values,
handles parse errors, and normalizes `protection_status = 2` (unknown)
to NULL.
**Server: new `bitlocker_protection_status` column and status logic:**
- Adds `bitlocker_protection_status` column to `host_disks` (DB
migration).
- When a disk is encrypted and key is escrowed but protection is off,
the host shows "Action required" with a detail message explaining the
issue, instead of misleadingly showing "Verified."
- `protection_status = 2` (unknown) and `NULL` (older orbit hosts) are
treated as protection on for backward compatibility.
- The `profiles_verified` and `profiles_verifying` branches in the
combined profiles+BitLocker summary now handle
`bitlocker_action_required`, counting those hosts as "pending".
Contributor docs updates: https://github.com/fleetdm/fleet/pull/43241
Public docs updates: https://github.com/fleetdm/fleet/pull/43243/changes
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Fixed Windows BitLocker encryption/decryption request loop on systems
with secondary drives and auto-unlock.
* **New Features**
* Added BitLocker recovery key rotation capability, allowing safe key
updates without full disk re-encryption.
* Enhanced BitLocker protection status tracking to correctly display
"Action required" when protection is disabled.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
**Related issue:** Resolves#33555
Wrap Get-ItemProperty calls in try/catch blocks during registry
enumeration to gracefully handle terminating exceptions (e.g.
System.InvalidCastException) from malformed registry entries, logging
the offending path instead of aborting.
This commit introduces support for Python (.py) scripts on macOS and
Linux, including validation for Python shebangs and updates to
documentation, UI, error messages, and backend validation logic. It also
updates tests and file upload handling to recognize and properly process
Python scripts alongside existing shell (.sh) and PowerShell (.ps1)
scripts.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified table for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42092
Renamed the major anonymous functions so that NilAway analyzes them.
Disable whitespace differences when reviewing.
lint-incremental catches issues that were there already. Not a concern.
Main doesn't run lint-incremental, so we can merge with errors.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#33529
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41749
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
Resolves#41863
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
Tests performed on the following OSs:
- Windows (arm64)
- macOS (Apple silicon)
- Linux (arm64)
- Linux (amd64)
Features tested on the OSs above:
- "My device".
- Restart fleetd.
- Kill fleet desktop, should re-start.
- Killing stale osqueryd processes on orbit startup.
- Checking if osquery is up and running, exit and start.
- Checking if Fleet Desktop is already running before launching it.
- orbit auto update
- Gracefully shutting down Fleet Desktop before restarting it
---
## fleetd/orbit/Fleet Desktop
- [X] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
**Related issue:** Resolves#36799, Sub-task: #41556
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<img width="924" height="278" alt="Screenshot 2026-03-16 at 10 46 38 AM"
src="https://github.com/user-attachments/assets/313b6650-a849-4bc2-ba14-a62d3d13b60c"
/>
<img width="1441" height="300" alt="Screenshot 2026-03-16 at 10 46
44 AM"
src="https://github.com/user-attachments/assets/915cfd26-168f-4621-bcf5-6c26c40e5faf"
/>
<img width="1923" height="788" alt="Screenshot 2026-03-16 at 10 54
04 AM"
src="https://github.com/user-attachments/assets/62356a3e-84fe-4561-b7ad-0a35c9db3b2a"
/>
<img width="2529" height="483" alt="Screenshot 2026-03-16 at 10 47
02 AM"
src="https://github.com/user-attachments/assets/4dc51073-2c24-4934-bd9d-c5ee648d5ae1"
/>
Tested that with latest released fleetd (1.53.0), we still ingest the
available disk space. There's about 5% difference in the UI vs in the
macOS "Get Info" dialog (expected, since we use the old query, now
called `disk_space_darwin_legacy`):
<img width="267" height="306" alt="Screenshot 2026-03-17 at 8 47 22 AM"
src="https://github.com/user-attachments/assets/73fc1eef-a32c-4d8d-a9ca-13980885f8fe"
/>
<img width="883" height="407" alt="Screenshot 2026-03-17 at 8 47 33 AM"
src="https://github.com/user-attachments/assets/98851b9b-82a8-4ac8-af5c-dbb878f85fad"
/>
<img width="159" height="127" alt="Screenshot 2026-03-17 at 8 47 40 AM"
src="https://github.com/user-attachments/assets/209f784a-29a8-4af5-b95d-0f9bd59917c9"
/>
Also tested running with vanilla osquery by stopping fleetd and then
running osquery manually (adding the `--allow_unsafe` flag). Result is
same as above, `disk_space_darwin_legacy` is used:
<img width="1152" height="418" alt="Screenshot 2026-03-17 at 8 59 23 AM"
src="https://github.com/user-attachments/assets/2b34d23d-61de-4ec1-8d1c-2d3ddb682d11"
/>
<img width="893" height="414" alt="Screenshot 2026-03-17 at 8 59 28 AM"
src="https://github.com/user-attachments/assets/d28ee8fb-08c5-434f-abfa-3825b27ac73b"
/>
## Summary
- Adds a new macOS-only fleetd table `disk_space` that uses
`NSURLVolumeAvailableCapacityForImportantUsageKey` to report available
disk capacity including purgeable storage — matching what macOS shows in
Finder's "Get Info" dialog.
- Adds a new `disk_space_darwin` detail query that uses the new table
(with Discovery, so it only runs on hosts with fleetd ≥ 1.54.0).
- Restricts the existing `disk_space_unix` query to Linux only (darwin
was removed since the new query handles it).
- Adds schema documentation for the new table.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
**Related issue:** Resolves#40138
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
Installed:
```
go install golang.org/x/tools/cmd/goimports@latest
go install golang.org/x/tools/gopls@latest
go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
```
Validated:
```
osquery> SELECT * FROM go_packages;
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| name | version | module_path | import_path | go_version | installed_path |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
| goimports | v0.42.0 | golang.org/x/tools | golang.org/x/tools/cmd/goimports | go1.25.5 | /Users/josh/go/bin/goimports |
| golangci-lint | v1.64.8 | github.com/golangci/golangci-lint | github.com/golangci/golangci-lint/cmd/golangci-lint | go1.25.5 | /Users/josh/go/bin/golangci-lint |
| gopls | v0.21.1 | golang.org/x/tools/gopls | golang.org/x/tools/gopls | go1.25.5 | /Users/josh/go/bin/gopls |
+---------------+---------+-----------------------------------+-----------------------------------------------------+------------+----------------------------------+
```
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#41328
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must rule]
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Bug Fixes**
* Fixed an issue where executable hashes failed to compute for macOS app
bundles with emoji or other Unicode characters in executable names,
improving bundle detection and integrity checks.
* **Tests**
* Added comprehensive tests to ensure correct handling of Unicode escape
sequences and emoji in bundle names and executables.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#39252
I couldn't find any other code path that would resolve to automatic
other than the device not being MDM enrolled, and we naively assumed 3
lines for manual migration, so I added the new IsDEPCapable method which
checks if the first line returned by profiles status is No or Yes, to
check if the device was enrolled via ABM/DEP, if not and not MDM
enrolled then show the manual.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
## Summary
- `checkPermFile` in `pkg/secure/secure.go` now self-heals incorrect
file permissions via `os.Chmod` instead of returning a fatal error
- Fixes orbit crash-looping indefinitely when
`/opt/orbit/updates-metadata.json` has mode 755 instead of the expected
600
## Problem
Orbit refuses to start when `updates-metadata.json` has wrong
permissions (e.g. 755 instead of 600), entering an infinite restart loop
(`systemd` restart counter observed at 3447+). The manual workaround is
`chmod 600 /opt/orbit/updates-metadata.json`, but the root cause — an
external process changing file permissions — is intermittent and hard to
track.
The `checkPermFile` function in `pkg/secure/secure.go` was designed as a
security check, but its behavior of fatally erroring on any permission
mismatch causes a denial-of-service on the legitimate user. For
comparison, `checkPermPath` (the directory equivalent) already tolerates
permissions that are less permissive than expected.
## Fix
When `checkPermFile` detects a permission mismatch, it now attempts
`os.Chmod` to correct the permissions before proceeding. It only returns
an error if the chmod itself fails (e.g. insufficient privileges). This
preserves the security intent — files end up with correct permissions —
while making orbit resilient to external permission drift.
## Test plan
- [ ] `go test ./pkg/secure/ -v -run TestOpenFile` — verifies
self-healing behavior
- [ ] `go test ./pkg/secure/ -v -run TestMkdirAll` — unchanged, verifies
directory checks still work
- [ ] Manual: create `/opt/orbit/updates-metadata.json` with mode 755,
start orbit, confirm it self-heals and starts normally
---------
Co-authored-by: Bash Bandicoot <bash-bandicoot@users.noreply.github.com>
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40630
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows (macOS only)
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
(should not affect updates)
Resolves#36522: Icon mis-sized on KDE
Added new icon artifact to be used on KDE environments due to the fact
that previous icon appeared mis-sized on KDE envs.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38405
See issue for the root cause and fix description.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Resolved BitLocker encryption deadlock on Windows systems during
enforcement operations
* **Refactor**
* Improved osquery version tracking consistency across enrollment flows
* Enhanced BitLocker operations handling on Windows with optimized
threading
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#40200
QA done as part of https://github.com/fleetdm/fleet/pull/40142 PR
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Resolves#36024 and #34501.
Main change is about stop using the first user in the `users` command
output [*] and instead use `loginctl` commands to pick the correct
current active GUI user.
[*] `users` was returning empty on some new distributions, and in
multi-sessions we were always picking the first one (even if it wasn't
active).
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **Bug Fixes**
* Fixed Fleet Desktop startup to correctly detect and use the active GUI
session on Linux systems.
* Improved GUI user detection for dialog prompts, ensuring system
dialogs run in the proper user context.
* **Improvements**
* Enhanced error reporting and logging clarity for GUI session detection
failures.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Resolves#39642.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] QA'd all new/changed functionality manually
```sh
fleetd 1.51.1:
osquery> .schema munki_installs
CREATE TABLE munki_installs(`installed_version` TEXT, `installed` TEXT, `name` TEXT, `end_time` TEXT, `display_name` TEXT);
Using this branch:
osquery> .schema munki_installs
CREATE TABLE munki_installs(`installed_version` TEXT, `version_to_install` TEXT, `installed` TEXT, `name` TEXT, `end_time` TEXT, `display_name` TEXT);
```
## fleetd/orbit/Fleet Desktop
- [X] Verified that fleetd runs on macOS
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38393
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows (Linux only)
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
Resolves#37447.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [X] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [X] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [X] Verified that fleetd runs on Linux
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#38322
This PR utilizes the ping/status ticker that sees if the device is
Unmanaged (aka. not enrolled from a Fleet server perspective), if the
Migrate to Fleet flow before had set the `mdm_migration.txt` file, but
somehow not successfully unenrolled the device, we now keep sending it
if you trigger the modal again.
We wait 90seconds after start, so at most the user can go through the
flow every 90s, but the server has a hard limit on at most one webhook
every 3m, but still it means the user can wait a bit and retry and still
see the webhook gets sent now.
_PS: Updated the old migration test to go from 1,5m to ~2s execution
time with parallel and configurable waitForUnenrollment time (to allow
test to set lower values)
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
---------
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Resolves#37220
Added a dummy implementation of the orbit_info table to the orbit shell.
A full implementation is not possible directly in the shell because the
orbit service stores specific instrumentation values in memory. To query
the live orbit_info table, users must connect to the osquery-orbit
extension socket.
If the osquery version is new enough (>= 5.21.0), Orbit will set the
configuration option.
**Related issue:** #38663
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] Verified that fleetd runs on macOS, Linux and Windows (tested on
macOS but functionality is same on each platform)
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#35413
Applied the same fix as in
https://github.com/fleetdm/fleet/pull/29186/files:
- Added musl-tools to the container image. This provides musl-gcc, a
compiler that links against musl libc instead of glibc. We use it for
static linking as explained below.
- Added static linking flags (CGO_ENABLED=1 CC=musl-gcc -linkmode
external -extldflags "-static"). This produces a self-contained binary
with all C library code embedded, eliminating runtime dependencies on
the host system's glibc version.
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
Steps:
- Started TUF server for the first time. Generated a Linux x86_64 image.
```
SYSTEMS="linux" \
DEB_FLEET_URL=https://nicofleet.ngrok.io \
DEB_TUF_URL=http://nicotuf.ngrok.io \
GENERATE_DEB=1 \
ENROLL_SECRET=tm2CHBEF1I5BVuM1+4hzRRtpC5ZYV8vb \
FLEET_DESKTOP=1 \
DEBUG=1 \
./tools/tuf/test/main.sh
```
- Installed `fleet-osquery_26.1.46030_amd64.deb` generated by the
previous command on a Kubuntu 20.04 x86_64 VM.
- Ran `sudo journalctl -u orbit` to debug logs and verified that the
GLIBC incompatibility error was raised:
```
tammi 22 15:36:53 nicolas-Standard-PC-i440FX-PIIX-1996 sudo[125623]: pam_unix(sudo:session): session opened for user nicolas by (uid=0)
tammi 22 15:36:53 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125624]: /opt/orbit/bin/desktop/linux/stable/fleet-desktop/fleet-desktop: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by /opt/orbit/bin/desktop/linux/stable/fleet-desktop/fleet-desktop)
tammi 22 15:36:53 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125624]: /opt/orbit/bin/desktop/linux/stable/fleet-desktop/fleet-desktop: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /opt/orbit/bin/desktop/linux/stable/fleet-desktop/fleet-desktop)
tammi 22 15:36:53 nicolas-Standard-PC-i440FX-PIIX-1996 sudo[125623]: pam_unix(sudo:session): session closed for user nicolas
tammi 22 15:37:08 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125199]: 2026-01-22T15:37:08+02:00 INF killing any pre-existing fleet-desktop instances
tammi 22 15:37:09 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125199]: 2026-01-22T15:37:09+02:00 INF attempting to get user session type and display id=1000 user=nicolas
tammi 22 15:37:09 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[125199]: 2026-01-22T15:37:09+02:00 ERR failed to get X11 display, using default :0 error="display not found on who output"
```
- Built a new version of the agent after applying the fixes on this PR
and pushed it to the TUF server:
```
# 1. Hardcode orbit to a higher version
export ORBIT_VERSION=26.1.46099
#2. Generate new package
FLEET_DESKTOP_VERSION=$ORBIT_VERSION make desktop-linux
#3. Update to TUF server
./tools/tuf/test/push_target.sh linux desktop desktop.tar.gz $ORBIT_VERSION
```
<img width="396" height="179" alt="Screenshot 2026-01-22 at 5 18 25 PM"
src="https://github.com/user-attachments/assets/56182580-1d54-4945-af03-98762e7795e9"
/>
- In the VM, verified that an update for fleet desktop was detected by
running `sudo journalctl -u orbit -g "update detected"`:
```
tammi 22 20:33:32 nicolas-Standard-PC-i440FX-PIIX-1996 orbit[4114]: 2026-01-22T20:33:32+02:00 INF update detected target=desktop
```
- Verified the new version is shown both on the desktop icon and the
Fleet UI:
<img width="1373" height="248" alt="Screenshot 2026-01-22 at 5 22 17 PM"
src="https://github.com/user-attachments/assets/9fac73ac-a3a6-49ed-82c7-261abec43798"
/>
<img width="1420" height="496" alt="Screenshot 2026-01-22 at 5 22 46 PM"
src="https://github.com/user-attachments/assets/55321108-9233-4799-b5e5-0713172c0138"
/>
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Resolves#33762 & #38094
Added a new `alternative-browser-host` global config property for Fleet Desktop, if set, Fleet Desktop will use it over the `--fleet-desktop-alternative-browser-host` env variable to open any Fleet Desktop related links (i.e. My Device, etc).
Resolves#35006.
See
https://github.com/fleetdm/fleet/issues/35006#issuecomment-3693239452.
Output when running the dirty check on `main`:
```
make desktop-app-tar-gz
go run ./tools/desktop macos
{"level":"info","command":"/Users/lucas/go/bin/go build -o Fleet Desktop.app/Contents/MacOS/fleet-desktop_amd64 -ldflags -X=main.version= ./orbit/cmd/desktop","time":"2025-12-30T08:38:20-03:00","message":"Build fleet-desktop executable amd64"}
{"level":"info","command":"/Users/lucas/go/bin/go build -o Fleet Desktop.app/Contents/MacOS/fleet-desktop_arm64 -ldflags -X=main.version= ./orbit/cmd/desktop","time":"2025-12-30T08:38:23-03:00","message":"Build fleet-desktop executable arm64"}
{"level":"info","output":"On branch test-branch-dirty\nUntracked files:\n (use \"git add <file>...\" to include in what will be committed)\n\tFleet Desktop.app/\n\nnothing added to commit but untracked files present (use \"git add\" to track)\n","time":"2025-12-30T08:38:26-03:00","message":"git status"}
Error: detected dirty executable: {Path:github.com/fleetdm/fleet/v4 Version:v4.43.5-0.20251230113816-9bae7b475999+dirty Sum: Replace:<nil>}
exit status 1
make: *** [desktop-app-tar-gz] Error 1
```
Output on this branch:
```
make desktop-app-tar-gz
go run ./tools/desktop macos
{"level":"info","command":"/Users/lucas/go/bin/go build -o Fleet Desktop.app/Contents/MacOS/fleet-desktop_amd64 -ldflags -X=main.version= ./orbit/cmd/desktop","time":"2025-12-30T08:39:43-03:00","message":"Build fleet-desktop executable amd64"}
{"level":"info","command":"/Users/lucas/go/bin/go build -o Fleet Desktop.app/Contents/MacOS/fleet-desktop_arm64 -ldflags -X=main.version= ./orbit/cmd/desktop","time":"2025-12-30T08:39:47-03:00","message":"Build fleet-desktop executable arm64"}
Generated desktop.app.tar.gz successfully.
```
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## fleetd/orbit/Fleet Desktop
- [X] Verified that fleetd runs on macOS
- [X] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
