ASAR完整性

平台支持

目前只在 macOS 上支持ASAR完整性检查。

要求

Electron Forge / Electron Packager

如果你使用 >= electron-packager@15.4.0>= @electron-forge/core@6.0.0-beta.61 那么将满足所有需求, 你可以直接跳到 Toggling the Fuse 章节

其他构建系统

为了启用ASAR 完整性检查,你需要确保 app.asar 文件是由支持 asar 完整性的 asar npm 软件包生成的。 版本 3.1.0中引入了支持。

Your must then populate a valid ElectronAsarIntegrity dictionary block in your packaged apps Info.plist. An example is included below.

  1. <key>ElectronAsarIntegrity</key>
  2. <dict>
  3.   <key>Resources/app.asar</key>
  4.   <dict>
  5.     <key>algorithm</key>
  6.     <string>SHA256</string>
  7.     <key>hash</key>
  8.     <string>9d1f61ea03c4bb62b4416387a521101b81151da0cfbe18c9f8c8b818c5cebfac</string>
  9.   </dict>
  10. </dict>

Valid algorithm values are currently SHA256 only. The hash is a hash of the ASAR header using the given algorithm. The asar package exposes a getRawHeader method whose result can then be hashed to generate this value.

Toggling the Fuse

ASAR integrity checking is currently disabled by default and can be enabled by toggling a fuse. See Electron Fuses for more information on what Electron Fuses are and how they work. When enabling this fuse you typically also want to enable the onlyLoadAppFromAsar fuse otherwise the validity checking can be bypassed via the Electron app code search path.

  1. require('@electron/fuses').flipFuses(
  2.   // 比如 /a/b/Foo.app
  3.   pathToPackagedApp,
  4.   {
  5.     version: FuseVersion.V1,
  6.     [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
  7.     [FuseV1Options.OnlyLoadAppFromAsar]: true
  8.   }
  9. )