Saltar al contenido principal

ASAR Integrity

Plataformas soportadas

Currently ASAR integrity checking is only supported on macOS.

Requisitos

Electron Forge / Electron Packager

If you are using >= electron-packager@15.4.0 or >= @electron-forge/core@6.0.0-beta.61 then all these requirements are met for you automatically and you can skip to Toggling the Fuse.

Otros sistemas de construcción

Para habilitar la comprobación de Integridad ASAR necesitas asegurarte que tu archivo app.asar fue generado por una versión del paquete npm asar que soporta la integridad asar. El soporte fue introducido en la versión 3.1.0.

Your must then populate a valid ElectronAsarIntegrity dictionary block in your packaged apps Info.plist. An example is included below.

<key>ElectronAsarIntegrity</key>
<dict>
<key>Resources/app.asar</key>
<dict>
<key>algorithm</key>
<string>SHA256</string>
<key>hash</key>
<string>9d1f61ea03c4bb62b4416387a521101b81151da0cfbe18c9f8c8b818c5cebfac</string>
</dict>
</dict>

Valid algorithm values are currently SHA256 only. The hash is a hash of the ASAR header using the given algorithm. The asar package exposes a getRawHeader method whose result can then be hashed to generate this value.

Toggling the Fuse

ASAR integrity checking is currently disabled by default and can be enabled by toggling a fuse. See Electron Fuses for more information on what Electron Fuses are and how they work. When enabling this fuse you typically also want to enable the onlyLoadAppFromAsar fuse otherwise the validity checking can be bypassed via the Electron app code search path.

require('@electron/fuses').flipFuses(
//p. ej. /a/b/Foo.app
pathToPackagedApp,
{
version: FuseVersion.V1,
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
[FuseV1Options.OnlyLoadAppFromAsar]: true
}
)