ASAR Integrity

Platform Support

Currently ASAR integrity checking is only supported on macOS.

Requirements

Electron Forge / Electron Packager

If you are using >= electron-packager@15.4.0 or >= @electron-forge/core@6.0.0-beta.61 then all these requirements are met for you automatically and you can skip to Toggling the Fuse.

Other build systems

In order to enable ASAR integrity checking you need to ensure that your app.asar file was generated by a version of the asar npm package that supports asar integrity. Support was introduced in version 3.1.0.

Your must then populate a valid ElectronAsarIntegrity dictionary block in your packaged apps Info.plist. An example is included below.

  1. <key>ElectronAsarIntegrity</key>
  2. <dict>
  3.   <key>Resources/app.asar</key>
  4.   <dict>
  5.     <key>algorithm</key>
  6.     <string>SHA256</string>
  7.     <key>hash</key>
  8.     <string>9d1f61ea03c4bb62b4416387a521101b81151da0cfbe18c9f8c8b818c5cebfac</string>
  9.   </dict>
  10. </dict>

Valid algorithm values are currently SHA256 only. The hash is a hash of the ASAR header using the given algorithm. The asar package exposes a getRawHeader method whose result can then be hashed to generate this value.

Toggling the Fuse

ASAR integrity checking is currently disabled by default and can be enabled by toggling a fuse. See Electron Fuses for more information on what Electron Fuses are and how they work. When enabling this fuse you typically also want to enable the onlyLoadAppFromAsar fuse otherwise the validity checking can be bypassed via the Electron app code search path.

  1. const { flipFuses, FuseVersion, FuseV1Options } = require('@electron/fuses')
  3. flipFuses(
  4.   // E.g. /a/b/Foo.app
  5.   pathToPackagedApp,
  6.   {
  7.     version: FuseVersion.V1,
  8.     [FuseV1Options.EnableEmbeddedAsarIntegrityValidation]: true,
  9.     [FuseV1Options.OnlyLoadAppFromAsar]: true
  10.   }
  11. )