github patrickjaja/claude-desktop-bin v1.17377.2-2
Claude Desktop 1.17377.2 (patch release 2)

4 hours ago

Claude Desktop 1.17377.2 (patch release 2)

This release provides Claude Desktop version 1.17377.2 pre-patched for Linux.

Installation Options

Arch Linux (AUR)

yay -S claude-desktop-bin

Debian/Ubuntu (APT Repository — recommended)

curl -fsSL https://patrickjaja.github.io/claude-desktop-bin/install.sh | sudo bash
sudo apt install claude-desktop-bin

Debian/Ubuntu (manual .deb)

# x86_64
sudo apt install ./claude-desktop-bin_1.17377.2-2_amd64.deb
# ARM64
sudo apt install ./claude-desktop-bin_1.17377.2-2_arm64.deb

Fedora/RHEL (RPM Repository — recommended)

curl -fsSL https://patrickjaja.github.io/claude-desktop-bin/install-rpm.sh | sudo bash
sudo dnf install claude-desktop-bin

Fedora/RHEL (manual .rpm)

# x86_64
sudo dnf install ./claude-desktop-bin-1.17377.2-2.x86_64.rpm
# ARM64
sudo dnf install ./claude-desktop-bin-1.17377.2-2.aarch64.rpm

NixOS / Nix

nix run github:patrickjaja/claude-desktop-bin

AppImage (Any Distro)

# x86_64
chmod +x Claude_Desktop-1.17377.2-x86_64.AppImage
./Claude_Desktop-1.17377.2-x86_64.AppImage
# ARM64
chmod +x Claude_Desktop-1.17377.2-aarch64.AppImage
./Claude_Desktop-1.17377.2-aarch64.AppImage

Update existing AppImage (delta download — only changed blocks):

appimageupdatetool Claude_Desktop-*-x86_64.AppImage
# Or from within the AppImage:
./Claude_Desktop-*-x86_64.AppImage --appimage-update

Checksums

File SHA256
Tarball (x86_64) 8f8c531dde3881d415de026cce840b5eb2d571134f5b9bfcc89af28c86524e6e
Tarball (aarch64) 162ef40d5231edf878122341379a60bdc36238525b2a5a18dd285e63346458f1
AppImage (x86_64) 8d0c45088241e1d1686fea8d8d73f41379fe351dc6d774425d96bf646badac07
AppImage (aarch64) 1d08d490a9038a7c2f786de073d19598e0b98f6f983146eb6b89221a622516ba
Debian (amd64) 421a8d8ddeb3c9ca1de7ec87afce1265910ba3aab867c82955ac619b2823209c
Debian (arm64) 2d2a9915294d4e638a3a0b4d0bb44d8bad81a9800943b37534cbfe9c0d507c88
RPM (x86_64) 8afd186a5dadb0aacab09bdae74871a096af4a293c454986015b84d0e4e8b378
RPM (aarch64) 48cba2af6ba29da22111e5f6d89f67d5d6a312ef196403382a305d9a519d73fe

Changes since last release

M365 local connector: OAuth browser now opens reliably on KDE (and everywhere else) (#139)

The built-in Microsoft 365 connector's sign-in browser failed to open on KDE even after the env-allowlist fix: with XDG_CURRENT_DESKTOP=KDE but no KDE_SESSION_VERSION, xdg-open falls into its KDE3-era kfmclient exec fallback, which exits 0 without opening anything - a silent no-op that ends in LocalAuthSignInCooldownError after the 300s sign-in ceiling. Fixed twice over:

  • fix_builtin_mcp_browser_env: KDE_SESSION_VERSION added to the forwarded vars, so xdg-open uses kde-open5/kde-open (kde-cli-tools, present on every Plasma install) and real failures exit loud instead of lying.
  • New patch pair fix_office365_mcp_open_url + fix_builtin_mcp_open_url_handler: the connector's browser-open is delegated to the Electron main process. The MCP child posts {type:"open-url", url} over its existing parentPort channel and the host's message handler routes it to shell.openExternal (https-only) - the exact mechanism remote OAuth connectors (Atlassian) already use, which is why those worked on KDE all along. Immune to every xdg-open quirk; the in-child spawn remains as fallback for standalone (non-utilityProcess) runs.

Also re-verified empirically (remove patch -> browser dead, restore -> works) that upstream v1.17377.2 still strips DISPLAY from the MCP host env, so the allowlist patch stays load-bearing; the "official build works on GNOME" report in the issue traces to a cached token, not a working browser launch. Upstream cannot open a sign-in browser for this connector on any Linux DE.

Packaging hygiene: complete dependency declarations + license file shipped in every package

Prompted by a community PKGBUILD comparison (thanks marcelvdh), audited our dependency declarations against the actual ELF linkage of every binary we ship (objdump -p | grep NEEDED on the Electron main binary, crashpad handler, bundled virtiofsd, and node-pty's pty.node) plus the official .deb's control file:

  • AUR: depends grown from 3 packages (alsa-lib gtk3 nss) to the full grounded list of 31. Notable additions most Electron PKGBUILDs miss: libcap-ng + libseccomp (linked by the bundled virtiofsd the official .deb ships), libsecret (dlopened by Chromium's keyring credential storage, invisible to linkage scans), systemd-libs (libudev), and gcc-libs (libstdc++ for pty.node). New optdepends: gnome-keyring and xdg-desktop-portal-gtk. Also added !emptydirs.
  • Our .deb: Depends/Recommends now fully mirror the official control - added the trash-handling alternation (kde-cli-tools | ... | gvfs), the portal backend alternation (xdg-desktop-portal-gtk | -gnome | -kde), and gnome-keyring | kwalletd6 | kwalletd5.
  • RPM: added libsecret, xdg-utils, xdg-desktop-portal (rpm's auto-requires scan catches linked sonames but not dlopen), plus Suggests: gnome-keyring.
  • License file: no package shipped one. The tarball now carries the official .deb's usr/share/doc/claude-desktop/copyright at its root, and every packager installs it: AUR to /usr/share/licenses/claude-desktop-bin/LICENSE, deb to usr/share/doc/claude-desktop-bin/copyright (Debian policy), RPM via %license, AppImage into the AppDir, Nix to $out/share/licenses/ (guarded - the flake may pin an older tarball without the file).
  • Deleted dead packaging/debian/control - the shipped .deb's control file is generated by a heredoc in packaging/debian/build-deb.sh; the standalone file was an unused leftover that invited editing the wrong place.
  • Clarified why the official .deb bundles its own virtiofsd (and corrected a wrong comment in fix_cowork_firmware_paths_linux.nim that claimed a general bundled fallback): the capability probe uses the bundled resources/virtiofsd only on Ubuntu 22.x (os-release check - jammy's apt has no standalone Rust virtiofsd); on every other distro a system virtiofsd is required or Cowork reports "tools missing". Our virtiofsd optdepends (Arch, found via our added /usr/lib/virtiofsd probe path) and Recommends (deb/rpm) are therefore load-bearing and stay.

Upstream version bumps now release fully automatically; manual update flow becomes the failure path

Consequence of the .deb pivot: upstream maintains 1p Linux support and the patch strictness rules make the pipeline itself the arbiter (every sub-patch applies or the build fails loud), so the human-in-the-loop on the green path was removed. version-check.yml now dispatches build-and-release.yml in release mode on a new version (previously auto-PR mode, which needed a human merge plus a second manual dispatch). Green run → packages published, AUR pushed, README versions + Nix hash + .upstream-version committed, and the tracking issue closed automatically (new close-version-issue job). Red run → a new notify-version-issue-failure job comments on the tracking issue with the failed-run link; that comment is the signal to run /update <version>, where the first question per failing patch is now explicit: pattern moved (fix the regex) vs feature natively implemented upstream (remove the patch or convert to a regression guard). The auto_pr mode stays available as a manual conservative alternative. Docs realigned (CLAUDE.md Update Workflow + .upstream-version row, update-prompt.md, UPDATE-PROMPT-CC-INPUT-MANUAL.md, the /update skill, and the new-version issue template - which also lost its stale claude-cowork-service clone instructions). Known limit stated in the docs: a green build proves patches applied, not runtime correctness (#173 was remote-side); the guard is strict counts + positive assertions + smoke test, plus a spot-check after notable bumps.

Full patch sweep vs the official .deb: 43 of 44 patches earn their keep; 1 removed, 2 cleaned up

A 5-agent review of every patch against a fresh unpatched v1.17377.1 bundle (lens: "which patches still assume the old MSIX/Windows build?") confirmed the pivot cleanup is essentially complete. Outcomes:

  • fix_locale_paths_pre removed. The bootstrap bundle (index.pre.js) has zero process.resourcesPath references, so the patch was a byte-identical no-op - deleted under the same delete-pure-no-op-guards policy as yesterday's removals. If upstream ever moves locale resolution into the bootstrap, it needs a new dedicated @patch-target patch (noted in fix_locale_paths).
  • fix_process_argv_renderer simplified. Dropped two dead fallback anchors (one matched a phantom .platform="win32" spoof pattern that no longer exists anywhere); the primary exposeInMainWorld anchor is the only live path and still applies cleanly.
  • fix_tray_icon_theme header rewritten. The comment described the pre-v1.13576 win32-only ternary; it now documents the actual native Linux switch (ere()==="gnome"||shouldUseDarkColors picking TrayIconLinux*.png) and why we deliberately override that heuristic (Linux trays are dark regardless of theme). Code unchanged.
  • Everything else verified KEEP: upstream v1.17377.1 still ships zero Linux Computer-Use backends, still gates browser tools / file dialogs / Visualize behind darwin/win32, and the profile/Quick Entry/theme features remain entirely ours. Two agent claims that patches were "fully upstreamed" (fix_cross_device_rename, fix_utility_process_kill) were refuted by running the patch binaries against the fresh bundle - both still mutate (19 and 1 sites) and stay.
  • A follow-up sweep of the build infrastructure (scripts, CI, launcher) found the pivot equally clean - only ~40 lines of dead weight removed: the disabled cowork-vm-service socket-cleanup block in the launcher and the matching noise filter in smoke-test.sh (both referenced the removed Go daemon), two stale MSIX-era comments, and CLAUDE.md's link to validate_and_fix_claude-setup-x64.md (an MSIX-era scratch file that was never tracked in git). Docs refreshed to match today's patch changes: README rows for enable_local_agent_mode and fix_tray_icon_theme, and the "What We Patch on Linux" section of CLAUDE_FEATURE_FLAGS.md (7-key merger override, Patch 1b as regression guard, removed-spoofs note).
  • The ~15 GrowthBook force-flips in enable_local_agent_mode were considered for removal now that the app reports linux honestly - and ruled out with live evidence. The feature payload a real session fetches from /api/desktop/features (disk cache ~/.config/Claude/fcache, gzip after an 8-byte CLF header) contains all 200 features as null with zero rules, and the post-fix fetch logged 0 changed versus the spoofed-era cache - so honest platform reporting unlocked nothing server-side. Without the force-flips every gated lookup returns null and the features (Code session launch, tool search, skills, Visualize, plugin state, ...) switch off. They stay.

Removed the MSIX-era platform spoofs - fixes Cowork showing "not supported on Windows" on Linux (#173)

enable_local_agent_mode no longer spoofs the platform anywhere: sub-patches 5 (HTTP header anthropic-client-os-platform: darwin), 5b (Macintosh User-Agent), 6 (getSystemInfo IPC returning win32), and 8 (navigator.platform = "Win32" + Windows userAgentFallback injected into every renderer window) were deleted. They date from the repackaged-Windows-build era, when claude.ai had to be tricked into enabling Cowork on Linux. Against the official Linux .deb - which reports linux natively and is supported by claude.ai - they backfired: the renderer's client-side platform check saw Windows and its Cowork gate replied "Cowork is not currently supported on Windows" (the message is remote claude.ai code, so it appeared without any desktop release). The renderer now sees the real platform. Two positive guards replace the spoofs: the header builder must send the raw .platform read, and the old navigator-spoof marker must be absent from the output (catches stale pre-patched inputs).

README: documented Arch Linux ARM's missing edk2-aarch64 package (#170)

Arch Linux ARM (and derivatives like EndeavourOS ARM, Manjaro ARM) doesn't carry edk2-aarch64 in its repos, even though the package is arch=any upstream on archlinux.org - so pacman -S edk2-aarch64 fails with target not found on native aarch64 hosts (e.g. Raspberry Pi 5), even after a full -Syu. Since the package is architecture-independent, the workaround is to grab it directly from an x86_64 Arch mirror and install it locally with pacman -U. Added this note (with the manual-install command) to both Arch Cowork-deps sections in the README.

Removed two no-op regression guards (fix_disable_autoupdate, fix_terminal_shell_linux)

Both patches had become pure no-ops - they mutated nothing and only asserted upstreamed behavior - so they were deleted rather than kept as empty guards. fix_disable_autoupdate used to inject a Linux short-circuit into the Squirrel isInstalled check; the official .deb now bails out of the update manager unless forceInstalled (false on our repackaged app), so auto-update is already off. fix_terminal_shell_linux used to rewrite a hardcoded powershell.exe default into a $SHELL → /bin/bash → /bin/sh ternary; the official .deb ships a proper POSIX shell resolver and the powershell.exe default is gone. Verified against a fresh unpatched v1.17377.1 bundle: both ran to exit 0 with zero byte changes. PLATFORM_GATE_BASELINE.md updated.

Removed fix_claude_code (Claude Code binary resolution is upstream-native on Linux)

The fix_claude_code patch was deleted after verifying against a fresh unpatched v1.17377.1 bundle that the official .deb resolves and downloads the Claude Code CLI natively on Linux. Its two mutating sub-patches did more harm than good: getBinaryPathIfReady()/getStatus() searched /usr/bin/claude, ~/.local/bin/claude, /usr/local/bin/claude, then which claude, and preferred that over the app's own managed binary - bypassing requiredVersion + checksum verification. Anyone with a stale or wrong-major-version claude on PATH (e.g. a global npm install) got it silently substituted, a source of bug reports rather than a fix.

None of it is needed anymore: getHostPlatform() returns linux-x64/linux-arm64 natively, the manifest carries a checksum-verified linux-x64 entry, and prepare() -> prepareForTarget() -> binaryExistsForTarget() -> downloadBinaryForTarget() fetches and verifies the CLI matching requiredVersion with no darwin/win32 gating. Users who genuinely want to pin their own binary use the sanctioned opt-in CLAUDE_CODE_LOCAL_BINARY=/path/to/claude (routed through upstream's initLocalBinary()). The third sub-patch was already just a no-op regression guard asserting the native getHostPlatform() Linux branch, so the whole patch was removed rather than kept as an empty guard. README (patch table, per-distro setup notes, Cowork section), PLATFORM_GATE_BASELINE.md, and the AUR optdepends note updated to drop the "Claude Code CLI required" claim. (Contributor-reported.)

Cowork VM deps recommended (matching upstream); README slimmed (3P, env-vars, Computer-Use deps moved to docs; optional deps inlined per distro)

  • QEMU + UEFI firmware + virtiofsd declared as recommended deps, mirroring Anthropic's official .deb. The official Claude Desktop .deb lists qemu-system-x86, ovmf, virtiofsd in Recommends: (verified by extracting v1.17377), and its docs mention no KVM/QEMU prerequisite at all. We match that: apt/dnf pull the Cowork VM deps by default (so Cowork works out of the box) but they stay soft - never blocking install on minimal/headless/KVM-less or immutable hosts, and no forced ~400 MB of QEMU on Chat/Code-only installs. Package names are architecture- and distro-specific: Arch qemu-system-x86 + edk2-ovmf (x86_64) / qemu-system-aarch64 + edk2-aarch64 (aarch64) as optdepends; Fedora qemu-system-x86 / qemu-system-aarch64 (RHEL uses qemu-kvm, gated with %if 0%{?rhel}) + edk2-ovmf / edk2-aarch64 as Recommends; deb qemu-system-x86 + ovmf (amd64) / qemu-system-arm + qemu-efi-aarch64 (arm64) as Recommends. Corrected two wrong names caught in review: Arch's qemu-base carries no emulator binary (and is x86_64-only), and qemu-system-x86/-aarch64 don't exist on RHEL (it uses qemu-kvm). Using Cowork still needs the kvm group and the Claude Code CLI - a package can't do either. Computer Use tools stay optional; AppImage/Nix can't auto-install system packages, so they keep the manual instructions.
  • README Installation section reworked for a quicker start - each distro subsection (Arch/Debian/Fedora/Nix/AppImage/source) now carries its own "Optional deps" note with the distro-correct Cowork + Computer Use commands, right under the install command. The notes are accurate per package manager: apt Recommends / dnf weak deps pull the VM deps in by default, but pacman does not auto-install optdepends (explicit command given), and AppImage/Nix can't auto-install at all. The two universal setup steps (kvm group + Claude Code CLI) are stated once up top.
  • Third-Party / Enterprise Inference trimmed to a teaser + link. The full content already lived in docs/third-party-inference.md; the README now points there instead of duplicating it.
  • Environment Variables moved to docs/environment-variables.md. The README keeps the four most-reached-for vars inline and links out for the full table.
  • Computer Use dependencies section removed; deps inlined per distro + reference moved to docs/computer-use-dependencies.md. Each Installation subsection now lists the Computer Use packages for that distro (session-broken-out) alongside the Cowork deps; the new doc holds the full matrix, the KDE/GNOME portal behavior notes, COWORK_SCREENSHOT_CMD, and the ydotool v1.0+ setup (incl. the Ubuntu/Debian build script).
  • Computer Use feature section trimmed to a teaser + link → docs/computer-use.md. The README keeps a short USP paragraph; the new doc holds "how it works on Linux," the notes (primary-monitor, app discovery, teach overlay), and the tool-reference link. The #computer-use anchor is preserved so existing cross-links still resolve.
  • Fixed ydotool scope in the install notes: it's needed on Sway/Hyprland/GNOME Wayland; KDE Plasma Wayland needs none (the bundled kwin-portal-bridge handles input). Each distro's Computer Use deps became a per-session copyable command block.

Removed fix_dispatch_linux (Dispatch is upstream-native on Linux)

Dispatch (phone->desktop task orchestration) now works on the official Linux .deb with no patch - live-tested by sending a task from phone to desktop and receiving the rendered response on v1.17377.1. Over several releases upstream shipped everything the patch used to force: the sessions-bridge inits on Linux, the mobile remote-session-control path runs, the platform label returns "Linux", and the terminal MCP server's old pj (darwin||win32) gate was dropped entirely. The patch was deleted; docs (README patch table, PLATFORM_GATE_BASELINE.md, CLAUDE_FEATURE_FLAGS.md, CLAUDE_BUILT_IN_MCP.md) updated to note the upstreamed behavior.

Also re-audited the remaining 47 patches against a fresh unpatched v1.17377 bundle. Every other patch either still mutates the bundle (the bug/gate it fixes is still present) or is already a regression guard - so no further patches were redundant. Dispatch was the only one.

Pivot: repackage the official Claude Desktop Linux .deb

Anthropic shipped an official Claude Desktop Linux beta (docs). This project now repackages that official .deb instead of the Windows MSIX, and the sibling claude-cowork-service daemon is deprecated.

  • New ingest pipeline. The build downloads the official .deb from the apt repo (https://downloads.claude.ai/claude-desktop/apt), verifies GPG + SHA256, extracts and patches its app.asar, and repackages for Arch/Fedora/RHEL/Nix/AppImage plus our own Debian/Ubuntu .deb. version-check.yml now polls the apt Packages index.
  • Dropped the Electron pin and node-pty rebuild. The official .deb bundles Electron 42.5.1 and pre-built node-pty for x86_64 and arm64. Deleted .electron-version, .electron-shasums, and the resolve-electron-version.sh / update-electron-shasums.sh / verify-electron.sh / rebuild-pty-for-arch.sh scripts.
  • Cowork now runs on the official native VM backend. The .deb bundles cowork-linux-helper + virtiofsd + smol-bin + QEMU/OVMF (requires /dev/kvm), so the claude-cowork-service Go daemon is no longer needed or installed. The 7-patch "cowork-wiring" cluster (fix_cowork_linux, fix_cowork_first_bash, fix_cowork_spaces, fix_cowork_error_message, fix_cowork_download_status_linux, fix_cowork_sandbox_refs, fix_vm_session_handlers) was removed; what remained became regression guards asserting the upstreamed native behavior.
  • Dropped the obsolete @ant/claude-native stub (patches/claude-native.js), which fixed "Download failed". The MSIX-era stub overwrote upstream's real Linux NAPI binding and lacked connectUnixSocketSameUid, so the VM capability probe returned virtualization_entitlement_missing. The official .deb ships a real Linux binding; removing the stub lets it through and Cowork starts.
  • New patch fix_cowork_firmware_paths_linux. On non-Debian distros the VM probe only searched the Debian OVMF paths, so firmwarePath was null and Cowork stayed unsupported. The patch adds the Fedora/RHEL and Arch UEFI firmware paths (only those whose OVMF_CODEOVMF_VARS derivation yields a real VARS file) plus Arch's /usr/lib/virtiofsd. openSUSE and generic-qemu symlinks are a known gap.
  • Launcher guarantees a usable $PATH. Menu launches gave systemd --user --scope an empty PATH, so the backend's qemu-system-x86_64 lookup found nothing and reported "VM not supported". The launcher now injects the standard system bindirs via systemd-run --setenv.
  • Cowork runtime dependencies declared (QEMU + OVMF/AAVMF firmware + virtiofsd; not bundled). Cowork needs them plus /dev/kvm and kvm-group membership. Kept soft (recommended, matching the official .deb) - see the "Cowork VM deps recommended (matching upstream)" entry above for the final per-arch/-distro package names.
  • Full patch re-audit vs the official .deb. Three cleanups: enable_local_agent_mode no longer force-marks the Cowork VM features (yukonSilver/yukonSilverGems/coworkKappa/coworkArtifacts) as supported, so support reflects the real native probe; fix_sensitive_dirs_linux tightened its anchor to stop an over-application into an unrelated array; fix_claude_code's getHostPlatform() sub-patch became a regression guard (upstream now returns linux-x64/linux-arm64 natively).
  • glibc floor raised to 2.34 (RHEL 9 / Ubuntu 22.04). Debian 11 (bullseye) is no longer supported.
  • Retained Linux value-adds: Computer Use (our exclusive feature, absent from the official beta), custom themes, multi-profile instances, and Quick Entry.
  • Doc fix: the managed config path is /etc/claude-desktop/managed-settings.json (read natively; top-level key still managedMcpServers), not the old enterprise.json. Updated README, CLAUDE.md, and the /3p reference.
  • .upstream-version bumped to 1.17377.0.

Links

Don't miss a new claude-desktop-bin release

NewReleases is sending notifications on new releases.