fix: Allow EnableEmbeddedAsarIntegrityValidation when multiple asars are present in app (#124)

- When an application uses multiple asars (`webapp.asar`, `anything.asar`, etc.), `EnableEmbeddedAsarIntegrityValidation` fuse breaks the application due to not all asars having integrity generated for them. Fixes: #116 - **Also fixes bug** to correctly test `makeUniversalApp no asar mode should shim two different app folders`, (it was not having an asar integrity generated for the shimmed asar) Functionality added: - Moves all asar integrity generation to **after** all app assets have been merged/shimmed/copied. This allows other asars that were provided to also be scanned and have asar integrity generated for them. - Extracted common Integrity logic to a single file `integrity.ts` - Adds unit test for multi-asar apps
2025-02-27 18:03:35 -08:00
parent 740dd4aab3
commit 2b67c905a6
6 changed files with 237 additions and 17 deletions
--- a/src/file-utils.ts
+++ b/src/file-utils.ts
@@ -45,7 +45,7 @@ export const getAllAppFiles = async (appPath: string): Promise<AppFile[]> => {
          throw e;
        }
      }
-      if (p.includes('app.asar')) {
+      if (p.endsWith('.asar')) {
        fileType = AppFileType.APP_CODE;
      } else if (fileOutput.startsWith(MACHO_PREFIX)) {
        fileType = AppFileType.MACHO;
--- a/src/index.ts
+++ b/src/index.ts
@@ -8,9 +8,10 @@ import * as plist from 'plist';
 import * as dircompare from 'dir-compare';

 import { AppFile, AppFileType, getAllAppFiles } from './file-utils';
-import { AsarMode, detectAsarMode, generateAsarIntegrity, mergeASARs } from './asar-utils';
+import { AsarMode, detectAsarMode, mergeASARs } from './asar-utils';
 import { sha } from './sha';
 import { d } from './debug';
+import { computeIntegrityData } from './integrity';

 /**
 * Options to pass into the {@link makeUniversalApp} function.
@@ -251,9 +252,6 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
      }
    }

-    const generatedIntegrity: Record<string, { algorithm: 'SHA256'; hash: string }> = {};
-    let didSplitAsar = false;
-
    /**
     * If we have an ASAR we just need to check if the two "app.asar" files have the same hash,
     * if they are, same as above, we can leave one there and call it a day.  If they're different
@@ -271,8 +269,6 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
        outputAsarPath: output,
        singleArchFiles: opts.singleArchFiles,
      });
-
-      generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(output);
    } else if (x64AsarMode === AsarMode.HAS_ASAR) {
      d('checking if the x64 and arm64 asars are identical');
      const x64AsarSha = await sha(path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'));
@@ -281,7 +277,6 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
      );

      if (x64AsarSha !== arm64AsarSha) {
-        didSplitAsar = true;
        d('x64 and arm64 asars are different');
        const x64AsarPath = path.resolve(tmpApp, 'Contents', 'Resources', 'app-x64.asar');
        await fs.move(path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'), x64AsarPath);
@@ -329,18 +324,13 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
        await fs.writeJson(path.resolve(entryAsar, 'package.json'), pj);
        const asarPath = path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar');
        await asar.createPackage(entryAsar, asarPath);
-
-        generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(asarPath);
-        generatedIntegrity['Resources/app-x64.asar'] = generateAsarIntegrity(x64AsarPath);
-        generatedIntegrity['Resources/app-arm64.asar'] = generateAsarIntegrity(arm64AsarPath);
      } else {
        d('x64 and arm64 asars are the same');
-        generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(
-          path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'),
-        );
      }
    }

+    const generatedIntegrity = await computeIntegrityData(path.join(tmpApp, 'Contents'));
+
    const plistFiles = x64Files.filter((f) => f.type === AppFileType.INFO_PLIST);
    for (const plistFile of plistFiles) {
      const x64PlistPath = path.resolve(opts.x64AppPath, plistFile.relativePath);
--- a/src/integrity.ts
+++ b/src/integrity.ts
@@ -0,0 +1,51 @@
+import * as fs from 'fs-extra';
+import path from 'path';
+import { AppFileType, getAllAppFiles } from './file-utils';
+import { sha } from './sha';
+import { generateAsarIntegrity } from './asar-utils';
+
+type IntegrityMap = {
+  [filepath: string]: string;
+};
+
+export interface HeaderHash {
+  algorithm: 'SHA256';
+  hash: string;
+}
+
+export interface AsarIntegrity {
+  [key: string]: HeaderHash;
+}
+
+export async function computeIntegrityData(contentsPath: string): Promise<AsarIntegrity> {
+  const root = await fs.realpath(contentsPath);
+
+  const resourcesRelativePath = 'Resources';
+  const resourcesPath = path.resolve(root, resourcesRelativePath);
+
+  const resources = await getAllAppFiles(resourcesPath);
+  const resourceAsars = resources
+    .filter((file) => file.type === AppFileType.APP_CODE)
+    .reduce<IntegrityMap>(
+      (prev, file) => ({
+        ...prev,
+        [path.join(resourcesRelativePath, file.relativePath)]: path.join(
+          resourcesPath,
+          file.relativePath,
+        ),
+      }),
+      {},
+    );
+
+  // sort to produce constant result
+  const allAsars = Object.entries(resourceAsars).sort(([name1], [name2]) =>
+    name1.localeCompare(name2),
+  );
+  const hashes = await Promise.all(allAsars.map(async ([, from]) => generateAsarIntegrity(from)));
+  const asarIntegrity: AsarIntegrity = {};
+  for (let i = 0; i < allAsars.length; i++) {
+    const [asar] = allAsars[i];
+    asarIntegrity[asar] = hashes[i];
+  }
+  return asarIntegrity;
+}