ASAR完整性

平台支持

目前只在 macOS 上支持ASAR完整性检查。

要求

Electron Forge / Electron Packager

If you are using >= @electron/packager, >= electron-packager@15.4.0 or >= @electron-forge/core@6.0.0-beta.61 then all these requirements are met for you automatically and you can skip to Toggling the Fuse.

其他构建系统

为了启用ASAR 完整性检查，你需要确保 app.asar 文件是由支持 asar 完整性的 asar npm 软件包生成的。 版本 3.1.0中引入了支持。

Your must then populate a valid ElectronAsarIntegrity dictionary block in your packaged apps Info.plist. 下面是一个例子。

<key>ElectronAsarIntegrity</key>
<dict>
  <key>Resources/app.asar</key>
  <dict>
    <key>algorithm</key>
    <string>SHA256</string>
    <key>hash</key>
    <string>9d1f61ea03c4bb62b4416387a521101b81151da0cfbe18c9f8c8b818c5cebfac</string>
  </dict>
</dict>

有效的 algorithm 值当前是 SHA256。 The hash is a hash of the ASAR header using the given algorithm. The asar package exposes a getRawHeader method whose result can then be hashed to generate this value.

Toggling the Fuse

ASAR 完整性检查目前默认被禁用，可以通过修改 Fuse 来启用。 See Electron Fuses for more information on what Electron Fuses are and how they work. When enabling this fuse you typically also want to enable the onlyLoadAppFromAsar fuse otherwise the validity checking can be bypassed via the Electron app code search path.

const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses')

flipFuses(
  // E.g. /a/b/Foo.app
  pathToPackagedApp,
  {
    version: FuseVersion.V1,
    [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
    [FuseV1Options.OnlyLoadAppFromAsar]: true
  }
)