[Request] Support the Electron Fuse: "EnableEmbeddedAsarIntegrityValidation"

[Nantris]

See here for more info: electron/fuses#7 (comment)

[kevinlinv]

+1, I think support for electron/fuses would be a great addition.

FYI, there was also a closed #6365 issue that request support.

[mmaietta]

Closing this one and reopening the other ticket.

[Nantris]

@mmaietta all the other fuses can be used without necessitating changes to Electron Builder itself. This one cannot. I think this should remain open because of that distinction.

[Nantris]

From electron/fuses#7 (comment):

We're using Electron-Builder to package our app.

That would be your problem 😅. If you look at the official @electron/asar package, there is a module dedicated to generating these hashes. electron-builder, however, rolled their own ASAR creation code which doesn't have support for creating these hashes.

[rafaberaldo]

Would love to see this on electron-builder, Electron@30 added support for Windows machines as well.

[osztenkurden]

Is this currently on the roadmap? Given added support for Windows its kinda a big feature.

[mmaietta]

The only way to support this is by migrating to @electron/asar package. Unfortunately, I've tried to do so several times over the past few years and still haven't gotten to a solution that works. There's a lot of additional functionality that electron-builder relies on, such as transforming file data instead of copying a file directly. I can try and investigate this again, but can't promise anything. I'm the only maintainer on this project that remains (community contributions welcome!), so there's not really an "official" roadmap tbh, just trying to keep my head above the water with the combo of work+life outside of this project.

[mmaietta]

Quick update, this should officially be supported in an upcoming release once these two PRs are merged in for an alpha release
#8570 - electron/asar migration (what a PITA that was lol)
#8588 - electron/fuses integration

[mmaietta]

Released in v26.0.0-alpha.2. Please give it a shot!

Verified it locally (on mac build machine) that it launches with that fuse set:

npx @electron/fuses read --app dist/mac-universal/electron-quick-start-typescript.app
Analyzing app: electron-quick-start-typescript.app
Fuse Version: v1
  RunAsNode is Enabled
  EnableCookieEncryption is Disabled
  EnableNodeOptionsEnvironmentVariable is Enabled
  EnableNodeCliInspectArguments is Enabled
  EnableEmbeddedAsarIntegrityValidation is Enabled
  OnlyLoadAppFromAsar is Disabled
  LoadBrowserProcessSpecificV8Snapshot is Disabled

[osztenkurden]

Gonna test in a few hours, doing the gods work here, thank you! @mmaietta

[osztenkurden]

Hmm, while packaging works fine, I'm getting Integrity check failed for asar archive when trying to run the app

Edit: it seems like adding afterPack script with asarmor breaks, but also not cleaning the dist directory

[mmaietta]

Hmmm yeah, from a quick read of asarmor, it's modifying the asar, which then causes the integrity generated/recorded by electron/asar to no longer be valid.

Can you try force setting resetAdHocDarwinSignature in electronFuses config to true?

Alternatively, you can play around with @electron/fuses in your afterPack via a convenience method I opened up as part of the integration for those that want to leverage strictlyRequireAllFuses: true to make sure their fuse config stays up to date. This approach replaces usage of electronFuses (so set it undefined/null)

const { FuseConfig, FuseVersion, FuseV1Options } = require("@electron/fuses")

exports.default = function (context: AfterPackContext) {
   // asarmor logic

  const fuses: FuseConfig = {
    version: FuseVersion.V1,
    resetAdHocDarwinSignature: true
    [FuseV1Options. EnableEmbeddedAsarIntegrityValidation]: true,
    ... // all other flags must be specified if `strictlyRequireAllFuses = true`
  }
  await context.packager.addElectronFuses(context, fuses)
}

I'm wondering if you need the resetAdHocDarwinSignature flag set.

[osztenkurden]

@mmaietta That doesnt do the trick, maybe because Im on windows, but its not huge deal

[mmaietta]

Dam. Well it looks like asarmor is the issue as it manipulates the asar post electron/asar integrity generation since asarmor is injecting random bytes into the asar to prevent extraction.

An alternative approach could be using bytenode to obfuscate your code. It doesn't disable extraction like asarmor, but it doesn't require any asar manipulation either.

[osztenkurden]

Ill take a look, thanks!