ASAR完整性
平台支持
目前只在 macOS 上支持ASAR完整性检查。
要求
Electron Forge / Electron Packager
If you are using >= @electron/packager
, >= electron-packager@15.4.0
or >= @electron-forge/core@6.0.0-beta.61
then all these requirements are met for you automatically and you can skip to Toggling the Fuse.
其他构建系统
为了启用ASAR 完整性检查,你需要确保 app.asar
文件是由支持 asar 完整性的 asar
npm 软件包生成的。 版本 3.1.0
中引入了支持。
Your must then populate a valid ElectronAsarIntegrity
dictionary block in your packaged apps Info.plist
. 下面是一个例子。
<key>ElectronAsarIntegrity</key>
<dict>
<key>Resources/app.asar</key>
<dict>
<key>algorithm</key>
<string>SHA256</string>
<key>hash</key>
<string>9d1f61ea03c4bb62b4416387a521101b81151da0cfbe18c9f8c8b818c5cebfac</string>
</dict>
</dict>
有效的 algorithm
值当前是 SHA256
。 The hash
is a hash of the ASAR header using the given algorithm. The asar
package exposes a getRawHeader
method whose result can then be hashed to generate this value.
Toggling the Fuse
ASAR 完整性检查目前默认被禁用,可以通过修改 Fuse 来启用。 See Electron Fuses for more information on what Electron Fuses are and how they work. When enabling this fuse you typically also want to enable the onlyLoadAppFromAsar
fuse otherwise the validity checking can be bypassed via the Electron app code search path.
const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses')
flipFuses(
// E.g. /a/b/Foo.app
pathToPackagedApp,
{
version: FuseVersion.V1,
[FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
[FuseV1Options.OnlyLoadAppFromAsar]: true
}
)