feat: add infoPlistsToIgnore prop to prevent modification (#72)

Refs https://github.com/electron/electron/pull/33857.

Since this repo uses CFA releases, enforce semantic commit messages.

.circleci/config.yml

@@ -1,13 +1,10 @@
-step-restore-cache: &step-restore-cache
-  restore_cache:
-    keys:
-      - v1-dependencies-{{ arch }}-{{ checksum "yarn.lock" }}
-      - v1-dependencies-{{ arch }}
-
 steps-test: &steps-test
   steps:
     - checkout
-    - *step-restore-cache
+    - restore_cache:
+        keys:
+          - v1-dependencies-{{ arch }}-{{ checksum "yarn.lock" }}
+          - v1-dependencies-{{ arch }}
     - run: yarn --frozen-lockfile
     - save_cache:
         paths:
@@ -17,30 +14,28 @@ steps-test: &steps-test
     - run: yarn test
 
 version: 2.1
+
+orbs:
+  cfa: continuousauth/npm@1.0.2
+
 jobs:
   test:
     macos:
-      xcode: "12.2.0"
+      xcode: "13.4.1"
+    resource_class: macos.x86.medium.gen2
     <<: *steps-test
 
-  release:
-    docker:
-      - image: circleci/node:14.15
-    steps:
-      - checkout
-      - *step-restore-cache
-      - run: yarn --frozen-lockfile
-      - run: npx semantic-release
 workflows:
   version: 2
   test_and_release:
     jobs:
       - test
-      - release:
+      - cfa/release:
           requires:
             - test
           filters:
             branches:
               only:
-                - master
+                - main
+          context: cfa-release
 

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @electron/wg-ecosystem

.github/workflows/semantic.yml

@@ -0,0 +1,26 @@
+name: "Check Semantic Commit"
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
+    name: Validate PR Title
+    runs-on: ubuntu-latest
+    steps:
+      - name: semantic-pull-request
+        uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          validateSingleCommit: false

.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+yarn lint-staged

.releaserc.json

@@ -4,6 +4,7 @@
     "@semantic-release/release-notes-generator",
     "@continuous-auth/semantic-release-npm",
     "@semantic-release/github"
-  ]
+  ],
+  "branches": [ "main" ]
 }
 

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Contributors to the Electron project
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -2,7 +2,8 @@
 
 > Create universal macOS Electron applications
 
-[![CircleCI](https://circleci.com/gh/electron/universal.svg?style=svg)](https://circleci.com/gh/electron/universal)
+[![CircleCI](https://circleci.com/gh/electron/universal/tree/main.svg?style=shield)](https://circleci.com/gh/electron/universal)
+[![NPM package](https://img.shields.io/npm/v/@electron/universal)](https://npm.im/@electron/universal)
 
 
 ## Usage
@@ -30,3 +31,7 @@ because it contains two apps in one.
 The way `@electron/universal` works today means you don't need to worry about
 things like building universal versions of your native modules.  As long as
 your x64 and arm64 apps work in isolation the Universal app will work as well.
+
+#### How do I build my app for Apple silicon in the first place?
+
+Check out the [Electron Apple silicon blog post](https://www.electronjs.org/blog/apple-silicon)

entry-asar/has-asar.js

@@ -0,0 +1,7 @@
+if (process.arch === 'arm64') {
+  process._archPath = require.resolve('../app-arm64.asar');
+} else {
+  process._archPath = require.resolve('../app-x64.asar');
+}
+
+require(process._archPath);

entry-asar/index.js

@@ -1,7 +0,0 @@
-if (process.arch === 'arm64') {
-  process._asarPath = require.resolve('../arm64.app.asar');
-} else {
-  process._asarPath = require.resolve('../x64.app.asar');
-}
-
-require(process._asarPath);

entry-asar/no-asar.js

@@ -0,0 +1,7 @@
+if (process.arch === 'arm64') {
+  process._archPath = require.resolve('../app-arm64');
+} else {
+  process._archPath = require.resolve('../app-x64');
+}
+
+require(process._archPath);

package.json

@@ -10,11 +10,16 @@
     "apple silicon",
     "universal"
   ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/electron/universal.git"
+  },
   "engines": {
     "node": ">=8.6"
   },
   "files": [
     "dist/*",
+    "entry-asar/*",
     "README.md"
   ],
   "author": "Samuel Attard",
@@ -22,21 +27,33 @@
     "build": "tsc && tsc -p tsconfig.esm.json",
     "lint": "prettier --check \"src/**/*.ts\"",
     "prepublishOnly": "npm run build",
-    "test": "exit 0"
+    "test": "exit 0",
+    "prepare": "husky install"
   },
   "devDependencies": {
-    "@continuous-auth/semantic-release-npm": "^2.0.0",
+    "@continuous-auth/semantic-release-npm": "^3.0.0",
+    "@types/debug": "^4.1.5",
     "@types/fs-extra": "^9.0.4",
+    "@types/minimatch": "^3.0.5",
     "@types/node": "^14.14.7",
-    "husky": "^4.3.0",
+    "@types/plist": "^3.0.2",
+    "husky": "^8.0.0",
     "lint-staged": "^10.5.1",
     "prettier": "^2.1.2",
-    "semantic-release": "^17.2.2",
     "typescript": "^4.0.5"
   },
   "dependencies": {
+    "@electron/asar": "^3.2.1",
     "@malept/cross-spawn-promise": "^1.1.0",
-    "asar": "^3.0.3",
+    "debug": "^4.3.1",
-    "fs-extra": "^9.0.1"
+    "dir-compare": "^3.0.0",
+    "fs-extra": "^9.0.1",
+    "minimatch": "^3.0.4",
+    "plist": "^3.0.4"
+  },
+  "lint-staged": {
+    "*.ts": [
+      "prettier --write"
+    ]
   }
 }

src/asar-utils.ts

@@ -0,0 +1,213 @@
+import * as asar from '@electron/asar';
+import { execFileSync } from 'child_process';
+import * as crypto from 'crypto';
+import * as fs from 'fs-extra';
+import * as path from 'path';
+import * as minimatch from 'minimatch';
+import * as os from 'os';
+import { d } from './debug';
+
+const LIPO = 'lipo';
+
+export enum AsarMode {
+  NO_ASAR,
+  HAS_ASAR,
+}
+
+export type MergeASARsOptions = {
+  x64AsarPath: string;
+  arm64AsarPath: string;
+  outputAsarPath: string;
+
+  singleArchFiles?: string;
+};
+
+// See: https://github.com/apple-opensource-mirror/llvmCore/blob/0c60489d96c87140db9a6a14c6e82b15f5e5d252/include/llvm/Object/MachOFormat.h#L108-L112
+const MACHO_MAGIC = new Set([
+  // 32-bit Mach-O
+  0xfeedface,
+  0xcefaedfe,
+
+  // 64-bit Mach-O
+  0xfeedfacf,
+  0xcffaedfe,
+]);
+
+export const detectAsarMode = async (appPath: string) => {
+  d('checking asar mode of', appPath);
+  const asarPath = path.resolve(appPath, 'Contents', 'Resources', 'app.asar');
+
+  if (!(await fs.pathExists(asarPath))) {
+    d('determined no asar');
+    return AsarMode.NO_ASAR;
+  }
+
+  d('determined has asar');
+  return AsarMode.HAS_ASAR;
+};
+
+export const generateAsarIntegrity = (asarPath: string) => {
+  return {
+    algorithm: 'SHA256' as const,
+    hash: crypto
+      .createHash('SHA256')
+      .update(asar.getRawHeader(asarPath).headerString)
+      .digest('hex'),
+  };
+};
+
+function toRelativePath(file: string): string {
+  return file.replace(/^\//, '');
+}
+
+function isDirectory(a: string, file: string): boolean {
+  return Boolean('files' in asar.statFile(a, file));
+}
+
+function checkSingleArch(archive: string, file: string, allowList?: string): void {
+  if (allowList === undefined || !minimatch(file, allowList, { matchBase: true })) {
+    throw new Error(
+      `Detected unique file "${file}" in "${archive}" not covered by ` +
+        `allowList rule: "${allowList}"`,
+    );
+  }
+}
+
+export const mergeASARs = async ({
+  x64AsarPath,
+  arm64AsarPath,
+  outputAsarPath,
+  singleArchFiles,
+}: MergeASARsOptions): Promise<void> => {
+  d(`merging ${x64AsarPath} and ${arm64AsarPath}`);
+
+  const x64Files = new Set(asar.listPackage(x64AsarPath).map(toRelativePath));
+  const arm64Files = new Set(asar.listPackage(arm64AsarPath).map(toRelativePath));
+
+  //
+  // Build set of unpacked directories and files
+  //
+
+  const unpackedFiles = new Set<string>();
+
+  function buildUnpacked(a: string, fileList: Set<string>): void {
+    for (const file of fileList) {
+      const stat = asar.statFile(a, file);
+
+      if (!('unpacked' in stat) || !stat.unpacked) {
+        continue;
+      }
+
+      if ('files' in stat) {
+        continue;
+      }
+      unpackedFiles.add(file);
+    }
+  }
+
+  buildUnpacked(x64AsarPath, x64Files);
+  buildUnpacked(arm64AsarPath, arm64Files);
+
+  //
+  // Build list of files/directories unique to each asar
+  //
+
+  for (const file of x64Files) {
+    if (!arm64Files.has(file)) {
+      checkSingleArch(x64AsarPath, file, singleArchFiles);
+    }
+  }
+  const arm64Unique = [];
+  for (const file of arm64Files) {
+    if (!x64Files.has(file)) {
+      checkSingleArch(arm64AsarPath, file, singleArchFiles);
+      arm64Unique.push(file);
+    }
+  }
+
+  //
+  // Find common bindings with different content
+  //
+
+  const commonBindings = [];
+  for (const file of x64Files) {
+    if (!arm64Files.has(file)) {
+      continue;
+    }
+
+    // Skip directories
+    if (isDirectory(x64AsarPath, file)) {
+      continue;
+    }
+
+    const x64Content = asar.extractFile(x64AsarPath, file);
+    const arm64Content = asar.extractFile(arm64AsarPath, file);
+
+    if (x64Content.compare(arm64Content) === 0) {
+      continue;
+    }
+
+    if (!MACHO_MAGIC.has(x64Content.readUInt32LE(0))) {
+      throw new Error(`Can't reconcile two non-macho files ${file}`);
+    }
+
+    commonBindings.push(file);
+  }
+
+  //
+  // Extract both
+  //
+
+  const x64Dir = await fs.mkdtemp(path.join(os.tmpdir(), 'x64-'));
+  const arm64Dir = await fs.mkdtemp(path.join(os.tmpdir(), 'arm64-'));
+
+  try {
+    d(`extracting ${x64AsarPath} to ${x64Dir}`);
+    asar.extractAll(x64AsarPath, x64Dir);
+
+    d(`extracting ${arm64AsarPath} to ${arm64Dir}`);
+    asar.extractAll(arm64AsarPath, arm64Dir);
+
+    for (const file of arm64Unique) {
+      const source = path.resolve(arm64Dir, file);
+      const destination = path.resolve(x64Dir, file);
+
+      if (isDirectory(arm64AsarPath, file)) {
+        d(`creating unique directory: ${file}`);
+        await fs.mkdirp(destination);
+        continue;
+      }
+
+      d(`xopying unique file: ${file}`);
+      await fs.mkdirp(path.dirname(destination));
+      await fs.copy(source, destination);
+    }
+
+    for (const binding of commonBindings) {
+      const source = await fs.realpath(path.resolve(arm64Dir, binding));
+      const destination = await fs.realpath(path.resolve(x64Dir, binding));
+
+      d(`merging binding: ${binding}`);
+      execFileSync(LIPO, [source, destination, '-create', '-output', destination]);
+    }
+
+    d(`creating archive at ${outputAsarPath}`);
+
+    const resolvedUnpack = Array.from(unpackedFiles).map((file) => path.join(x64Dir, file));
+
+    let unpack: string | undefined;
+    if (resolvedUnpack.length > 1) {
+      unpack = `{${resolvedUnpack.join(',')}}`;
+    } else if (resolvedUnpack.length === 1) {
+      unpack = resolvedUnpack[0];
+    }
+
+    await asar.createPackageWithOptions(x64Dir, outputAsarPath, {
+      unpack,
+    });
+
+    d('done merging');
+  } finally {
+    await Promise.all([fs.remove(x64Dir), fs.remove(arm64Dir)]);
+  }
+};

src/debug.ts

@@ -0,0 +1,3 @@
+import * as debug from 'debug';
+
+export const d = debug('electron-universal');

src/file-utils.ts

@@ -0,0 +1,73 @@
+import { spawn, ExitCodeError } from '@malept/cross-spawn-promise';
+import * as fs from 'fs-extra';
+import * as path from 'path';
+
+const MACHO_PREFIX = 'Mach-O ';
+
+export enum AppFileType {
+  MACHO,
+  PLAIN,
+  INFO_PLIST,
+  SNAPSHOT,
+  APP_CODE,
+}
+
+export type AppFile = {
+  relativePath: string;
+  type: AppFileType;
+};
+
+/**
+ *
+ * @param appPath Path to the application
+ */
+export const getAllAppFiles = async (appPath: string): Promise<AppFile[]> => {
+  const files: AppFile[] = [];
+
+  const visited = new Set<string>();
+  const traverse = async (p: string) => {
+    p = await fs.realpath(p);
+    if (visited.has(p)) return;
+    visited.add(p);
+
+    const info = await fs.stat(p);
+    if (info.isSymbolicLink()) return;
+    if (info.isFile()) {
+      let fileType = AppFileType.PLAIN;
+
+      var fileOutput = '';
+      try {
+        fileOutput = await spawn('file', ['--brief', '--no-pad', p]);
+      } catch (e) {
+        if (e instanceof ExitCodeError) {
+          /* silently accept error codes from "file" */
+        } else {
+          throw e;
+        }
+      }
+      if (p.includes('app.asar')) {
+        fileType = AppFileType.APP_CODE;
+      } else if (fileOutput.startsWith(MACHO_PREFIX)) {
+        fileType = AppFileType.MACHO;
+      } else if (p.endsWith('.bin')) {
+        fileType = AppFileType.SNAPSHOT;
+      } else if (path.basename(p) === 'Info.plist') {
+        fileType = AppFileType.INFO_PLIST;
+      }
+
+      files.push({
+        relativePath: path.relative(appPath, p),
+        type: fileType,
+      });
+    }
+
+    if (info.isDirectory()) {
+      for (const child of await fs.readdir(p)) {
+        await traverse(path.resolve(p, child));
+      }
+    }
+  };
+  await traverse(appPath);
+
+  return files;
+};

src/index.ts

@@ -1,13 +1,19 @@
 import { spawn } from '@malept/cross-spawn-promise';
-import * as asar from 'asar';
+import * as asar from '@electron/asar';
 import * as crypto from 'crypto';
 import * as fs from 'fs-extra';
+import * as minimatch from 'minimatch';
 import * as os from 'os';
 import * as path from 'path';
+import * as plist from 'plist';
+import * as dircompare from 'dir-compare';
 
-const MACHO_PREFIX = 'Mach-O ';
+import { AppFile, AppFileType, getAllAppFiles } from './file-utils';
+import { AsarMode, detectAsarMode, generateAsarIntegrity, mergeASARs } from './asar-utils';
+import { sha } from './sha';
+import { d } from './debug';
 
-type MakeUniversalOpts = {
+export type MakeUniversalOpts = {
   /**
    * Absolute file system path to the x64 version of your application.  E.g. /Foo/bar/MyApp_x64.app
    */
@@ -26,80 +32,30 @@ type MakeUniversalOpts = {
    * Forcefully overwrite any existing files that are in the way of generating the universal application
    */
   force: boolean;
+  /**
+   * Merge x64 and arm64 ASARs into one.
+   */
+  mergeASARs?: boolean;
+  /**
+   * Minimatch pattern of paths that are allowed to be present in one of the ASAR files, but not in the other.
+   */
+  singleArchFiles?: string;
+  /**
+   * Minimatch pattern of binaries that are expected to be the same x64 binary in both of the ASAR files.
+   */
+  x64ArchFiles?: string;
+  /**
+   * Minimatch pattern of paths that should not receive an injected ElectronAsarIntegrity value
+   */
+  infoPlistsToIgnore?: string;
 };
 
-enum AsarMode {
+const dupedFiles = (files: AppFile[]) =>
-  NO_ASAR,
+  files.filter((f) => f.type !== AppFileType.SNAPSHOT && f.type !== AppFileType.APP_CODE);
-  HAS_ASAR,
-}
-
-export const detectAsarMode = async (appPath: string) => {
-  const asarPath = path.resolve(appPath, 'Contents', 'Resources', 'app.asar');
-
-  if (!(await fs.pathExists(asarPath))) return AsarMode.NO_ASAR;
-  
-  return AsarMode.HAS_ASAR;
-};
-
-enum AppFileType {
-  MACHO,
-  PLAIN,
-  SNAPSHOT,
-  APP_CODE,
-}
-
-type AppFile = {
-  relativePath: string;
-  type: AppFileType;
-}
-
-const getAllFiles = async (appPath: string): Promise<AppFile[]> => {
-  const files: AppFile[] = [];
-
-  const visited = new Set<string>();
-  const traverse = async (p: string) => {
-    p = await fs.realpath(p);
-    if (visited.has(p)) return;
-    visited.add(p);
-
-    const info = await fs.stat(p);
-    if (info.isSymbolicLink()) return;
-    if (info.isFile()) {
-      let fileType = AppFileType.PLAIN;
-
-      const fileOutput = await spawn('file', ['--brief', '--no-pad', p]);
-      if (p.includes('app.asar')) {
-        fileType = AppFileType.APP_CODE;
-      } else if (fileOutput.startsWith(MACHO_PREFIX)) {
-        fileType = AppFileType.MACHO;
-      } else if (p.endsWith('.bin')) {
-        fileType = AppFileType.SNAPSHOT;
-      }
-
-      files.push({
-        relativePath: path.relative(appPath, p),
-        type: fileType,
-      });
-    }
-
-    if (info.isDirectory()) {
-      for (const child of await fs.readdir(p)) {
-        await traverse(path.resolve(p, child));
-      }
-    }
-  };
-  await traverse(appPath);
-
-  return files;
-};
-
-const dupedFiles = (files: AppFile[]) => files.filter(f => f.type !== AppFileType.SNAPSHOT && f.type !== AppFileType.APP_CODE);
-
-const sha = async (filePath: string) => {
-  return crypto.createHash('sha256').update(fs.readFileSync(filePath)).digest('hex');
-}
 
 export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> => {
+  d('making a universal app with options', opts);
+
   if (process.platform !== 'darwin')
     throw new Error('@electron/universal is only supported on darwin platforms');
   if (!opts.x64AppPath || !path.isAbsolute(opts.x64AppPath))
@@ -110,17 +66,21 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
     throw new Error('Expected opts.outAppPath to be an absolute path but it was not');
 
   if (await fs.pathExists(opts.outAppPath)) {
+    d('output path exists already');
     if (!opts.force) {
       throw new Error(
         `The out path "${opts.outAppPath}" already exists and force is not set to true`,
       );
     } else {
+      d('overwriting existing application because force == true');
       await fs.remove(opts.outAppPath);
     }
   }
 
   const x64AsarMode = await detectAsarMode(opts.x64AppPath);
   const arm64AsarMode = await detectAsarMode(opts.arm64AppPath);
+  d('detected x64AsarMode =', x64AsarMode);
+  d('detected arm64AsarMode =', arm64AsarMode);
 
   if (x64AsarMode !== arm64AsarMode)
     throw new Error(
@@ -128,23 +88,28 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
     );
 
   const tmpDir = await fs.mkdtemp(path.resolve(os.tmpdir(), 'electron-universal-'));
+  d('building universal app in', tmpDir);
 
   try {
+    d('copying x64 app as starter template');
     const tmpApp = path.resolve(tmpDir, 'Tmp.app');
     await spawn('cp', ['-R', opts.x64AppPath, tmpApp]);
 
     const uniqueToX64: string[] = [];
     const uniqueToArm64: string[] = [];
-    const x64Files = await getAllFiles(await fs.realpath(tmpApp));
+    const x64Files = await getAllAppFiles(await fs.realpath(tmpApp));
-    const arm64Files = await getAllFiles(opts.arm64AppPath);
+    const arm64Files = await getAllAppFiles(await fs.realpath(opts.arm64AppPath));
 
     for (const file of dupedFiles(x64Files)) {
-      if (!arm64Files.some(f => f.relativePath === file.relativePath)) uniqueToX64.push(file.relativePath);
+      if (!arm64Files.some((f) => f.relativePath === file.relativePath))
+        uniqueToX64.push(file.relativePath);
     }
     for (const file of dupedFiles(arm64Files)) {
-      if (!x64Files.some(f => f.relativePath === file.relativePath)) uniqueToArm64.push(file.relativePath);
+      if (!x64Files.some((f) => f.relativePath === file.relativePath))
+        uniqueToArm64.push(file.relativePath);
     }
     if (uniqueToX64.length !== 0 || uniqueToArm64.length !== 0) {
+      d('some files were not in both builds, aborting');
       console.error({
         uniqueToX64,
         uniqueToArm64,
@@ -154,59 +119,232 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
       );
     }
 
-    for (const file of x64Files.filter(f => f.type === AppFileType.PLAIN)) {
+    for (const file of x64Files.filter((f) => f.type === AppFileType.PLAIN)) {
       const x64Sha = await sha(path.resolve(opts.x64AppPath, file.relativePath));
       const arm64Sha = await sha(path.resolve(opts.arm64AppPath, file.relativePath));
       if (x64Sha !== arm64Sha) {
-        console.error(`${x64Sha} !== ${arm64Sha}`);
+        d('SHA for file', file.relativePath, `does not match across builds ${x64Sha}!=${arm64Sha}`);
-        throw new Error(`Expected all non-binary files to have identical SHAs when creating a universal build but "${file.relativePath}" did not`);
+        // The MainMenu.nib files generated by Xcode13 are deterministic in effect but not deterministic in generated sequence
+        if (path.basename(path.dirname(file.relativePath)) === 'MainMenu.nib') {
+          // The mismatch here is OK so we just move on to the next one
+          continue;
+        }
+        throw new Error(
+          `Expected all non-binary files to have identical SHAs when creating a universal build but "${file.relativePath}" did not`,
+        );
       }
     }
 
-    for (const machOFile of x64Files.filter(f => f.type === AppFileType.MACHO)) {
+    for (const machOFile of x64Files.filter((f) => f.type === AppFileType.MACHO)) {
+      const first = await fs.realpath(path.resolve(tmpApp, machOFile.relativePath));
+      const second = await fs.realpath(path.resolve(opts.arm64AppPath, machOFile.relativePath));
+
+      const x64Sha = await sha(path.resolve(opts.x64AppPath, machOFile.relativePath));
+      const arm64Sha = await sha(path.resolve(opts.arm64AppPath, machOFile.relativePath));
+      if (x64Sha === arm64Sha) {
+        if (
+          opts.x64ArchFiles === undefined ||
+          !minimatch(machOFile.relativePath, opts.x64ArchFiles, { matchBase: true })
+        ) {
+          throw new Error(
+            `Detected file "${machOFile.relativePath}" that's the same in both x64 and arm64 builds and not covered by the ` +
+              `x64ArchFiles rule: "${opts.x64ArchFiles}"`,
+          );
+        }
+
+        d(
+          'SHA for Mach-O file',
+          machOFile.relativePath,
+          `matches across builds ${x64Sha}===${arm64Sha}, skipping lipo`,
+        );
+        continue;
+      }
+
+      d('joining two MachO files with lipo', {
+        first,
+        second,
+      });
       await spawn('lipo', [
-        await fs.realpath(path.resolve(tmpApp, machOFile.relativePath)),
+        first,
-        await fs.realpath(path.resolve(opts.arm64AppPath, machOFile.relativePath)),
+        second,
         '-create',
         '-output',
         await fs.realpath(path.resolve(tmpApp, machOFile.relativePath)),
       ]);
     }
 
+    /**
+     * If we don't have an ASAR we need to check if the two "app" folders are identical, if
+     * they are then we can just leave one there and call it a day.  If the app folders for x64
+     * and arm64 are different though we need to rename each folder and create a new fake "app"
+     * entrypoint to dynamically load the correct app folder
+     */
     if (x64AsarMode === AsarMode.NO_ASAR) {
-      await fs.move(path.resolve(tmpApp, 'Contents', 'Resources', 'app'), path.resolve(tmpApp, 'Contents', 'Resources', 'x64.app'));
+      d('checking if the x64 and arm64 app folders are identical');
-      await fs.copy(path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app'), path.resolve(tmpApp, 'Contents', 'Resources', 'arm64.app'));
+      const comparison = await dircompare.compare(
-    } else {
+        path.resolve(tmpApp, 'Contents', 'Resources', 'app'),
-      await fs.move(path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'), path.resolve(tmpApp, 'Contents', 'Resources', 'x64.app.asar'));
+        path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app'),
-      const x64Unpacked = path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar.unpacked');
+        { compareSize: true, compareContent: true },
-      if (await fs.pathExists(x64Unpacked)) {
+      );
-        await fs.move(x64Unpacked, path.resolve(tmpApp, 'Contents', 'Resources', 'x64.app.asar.unpacked'));
-      }
 
-      await fs.copy(path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app.asar'), path.resolve(tmpApp, 'Contents', 'Resources', 'arm64.app.asar'));
+      if (!comparison.same) {
-      const arm64Unpacked = path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app.asar.unpacked');
+        d('x64 and arm64 app folders are different, creating dynamic entry ASAR');
-      if (await fs.pathExists(arm64Unpacked)) {
+        await fs.move(
-        await fs.copy(arm64Unpacked, path.resolve(tmpApp, 'Contents', 'Resources', 'arm64.app.asar.unpacked'));
+          path.resolve(tmpApp, 'Contents', 'Resources', 'app'),
+          path.resolve(tmpApp, 'Contents', 'Resources', 'app-x64'),
+        );
+        await fs.copy(
+          path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app'),
+          path.resolve(tmpApp, 'Contents', 'Resources', 'app-arm64'),
+        );
+
+        const entryAsar = path.resolve(tmpDir, 'entry-asar');
+        await fs.mkdir(entryAsar);
+        await fs.copy(
+          path.resolve(__dirname, '..', '..', 'entry-asar', 'no-asar.js'),
+          path.resolve(entryAsar, 'index.js'),
+        );
+        let pj = await fs.readJson(
+          path.resolve(opts.x64AppPath, 'Contents', 'Resources', 'app', 'package.json'),
+        );
+        pj.main = 'index.js';
+        await fs.writeJson(path.resolve(entryAsar, 'package.json'), pj);
+        await asar.createPackage(
+          entryAsar,
+          path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'),
+        );
+      } else {
+        d('x64 and arm64 app folders are the same');
       }
     }
 
-    const entryAsar = path.resolve(tmpDir, 'entry-asar');
+    const generatedIntegrity: Record<string, { algorithm: 'SHA256'; hash: string }> = {};
-    await fs.mkdir(entryAsar);
+    let didSplitAsar = false;
-    await fs.copy(path.resolve(__dirname, '..', '..', 'entry-asar', 'index.js'), path.resolve(entryAsar, 'index.js'));
-    let pj: any;
-    if (x64AsarMode === AsarMode.NO_ASAR) {
-      pj = await fs.readJson(path.resolve(opts.x64AppPath, 'Contents', 'Resources', 'app', 'package.json'));
-    } else {
-      pj = JSON.parse((await asar.extractFile(path.resolve(opts.x64AppPath, 'Contents', 'Resources', 'app.asar'), 'package.json')).toString('utf8'));
-    }
-    pj.main = 'index.js';
-    await fs.writeJson(path.resolve(entryAsar, 'package.json'), pj);
-    await asar.createPackage(entryAsar, path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'));
 
-    for (const snapshotsFile of arm64Files.filter(f => f.type === AppFileType.SNAPSHOT)) {
+    /**
-      await fs.copy(path.resolve(opts.arm64AppPath, snapshotsFile.relativePath), path.resolve(tmpApp, snapshotsFile.relativePath));
+     * If we have an ASAR we just need to check if the two "app.asar" files have the same hash,
+     * if they are, same as above, we can leave one there and call it a day.  If they're different
+     * we have to make a dynamic entrypoint.  There is an assumption made here that every file in
+     * app.asar.unpacked is a native node module.  This assumption _may_ not be true so we should
+     * look at codifying that assumption as actual logic.
+     */
+    // FIXME: Codify the assumption that app.asar.unpacked only contains native modules
+    if (x64AsarMode === AsarMode.HAS_ASAR && opts.mergeASARs) {
+      d('merging x64 and arm64 asars');
+      const output = path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar');
+      await mergeASARs({
+        x64AsarPath: path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'),
+        arm64AsarPath: path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app.asar'),
+        outputAsarPath: output,
+        singleArchFiles: opts.singleArchFiles,
+      });
+
+      generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(output);
+    } else if (x64AsarMode === AsarMode.HAS_ASAR) {
+      d('checking if the x64 and arm64 asars are identical');
+      const x64AsarSha = await sha(path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'));
+      const arm64AsarSha = await sha(
+        path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app.asar'),
+      );
+
+      if (x64AsarSha !== arm64AsarSha) {
+        didSplitAsar = true;
+        d('x64 and arm64 asars are different');
+        const x64AsarPath = path.resolve(tmpApp, 'Contents', 'Resources', 'app-x64.asar');
+        await fs.move(path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'), x64AsarPath);
+        const x64Unpacked = path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar.unpacked');
+        if (await fs.pathExists(x64Unpacked)) {
+          await fs.move(
+            x64Unpacked,
+            path.resolve(tmpApp, 'Contents', 'Resources', 'app-x64.asar.unpacked'),
+          );
+        }
+
+        const arm64AsarPath = path.resolve(tmpApp, 'Contents', 'Resources', 'app-arm64.asar');
+        await fs.copy(
+          path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app.asar'),
+          arm64AsarPath,
+        );
+        const arm64Unpacked = path.resolve(
+          opts.arm64AppPath,
+          'Contents',
+          'Resources',
+          'app.asar.unpacked',
+        );
+        if (await fs.pathExists(arm64Unpacked)) {
+          await fs.copy(
+            arm64Unpacked,
+            path.resolve(tmpApp, 'Contents', 'Resources', 'app-arm64.asar.unpacked'),
+          );
+        }
+
+        const entryAsar = path.resolve(tmpDir, 'entry-asar');
+        await fs.mkdir(entryAsar);
+        await fs.copy(
+          path.resolve(__dirname, '..', '..', 'entry-asar', 'has-asar.js'),
+          path.resolve(entryAsar, 'index.js'),
+        );
+        let pj = JSON.parse(
+          (
+            await asar.extractFile(
+              path.resolve(opts.x64AppPath, 'Contents', 'Resources', 'app.asar'),
+              'package.json',
+            )
+          ).toString('utf8'),
+        );
+        pj.main = 'index.js';
+        await fs.writeJson(path.resolve(entryAsar, 'package.json'), pj);
+        const asarPath = path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar');
+        await asar.createPackage(entryAsar, asarPath);
+
+        generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(asarPath);
+        generatedIntegrity['Resources/app-x64.asar'] = generateAsarIntegrity(x64AsarPath);
+        generatedIntegrity['Resources/app-arm64.asar'] = generateAsarIntegrity(arm64AsarPath);
+      } else {
+        d('x64 and arm64 asars are the same');
+        generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(
+          path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'),
+        );
+      }
     }
 
+    const plistFiles = x64Files.filter((f) => f.type === AppFileType.INFO_PLIST);
+    for (const plistFile of plistFiles) {
+      const x64PlistPath = path.resolve(opts.x64AppPath, plistFile.relativePath);
+      const arm64PlistPath = path.resolve(opts.arm64AppPath, plistFile.relativePath);
+
+      const { ElectronAsarIntegrity: x64Integrity, ...x64Plist } = plist.parse(
+        await fs.readFile(x64PlistPath, 'utf8'),
+      ) as any;
+      const { ElectronAsarIntegrity: arm64Integrity, ...arm64Plist } = plist.parse(
+        await fs.readFile(arm64PlistPath, 'utf8'),
+      ) as any;
+      if (JSON.stringify(x64Plist) !== JSON.stringify(arm64Plist)) {
+        throw new Error(
+          `Expected all Info.plist files to be identical when ignoring integrity when creating a universal build but "${plistFile.relativePath}" was not`,
+        );
+      }
+
+      const injectAsarIntegrity =
+        !opts.infoPlistsToIgnore ||
+        minimatch(plistFile.relativePath, opts.infoPlistsToIgnore, { matchBase: true });
+      const mergedPlist = injectAsarIntegrity
+        ? { ...x64Plist, ElectronAsarIntegrity: generatedIntegrity }
+        : { ...x64Plist };
+
+      await fs.writeFile(path.resolve(tmpApp, plistFile.relativePath), plist.build(mergedPlist));
+    }
+
+    for (const snapshotsFile of arm64Files.filter((f) => f.type === AppFileType.SNAPSHOT)) {
+      d('copying snapshot file', snapshotsFile.relativePath, 'to target application');
+      await fs.copy(
+        path.resolve(opts.arm64AppPath, snapshotsFile.relativePath),
+        path.resolve(tmpApp, snapshotsFile.relativePath),
+      );
+    }
+
+    d('moving final universal app to target destination');
+    await fs.mkdirp(path.dirname(opts.outAppPath));
     await spawn('mv', [tmpApp, opts.outAppPath]);
   } catch (err) {
     throw err;

src/sha.ts

@@ -0,0 +1,16 @@
+import * as fs from 'fs-extra';
+import * as crypto from 'crypto';
+import { d } from './debug';
+
+export const sha = async (filePath: string) => {
+  d('hashing', filePath);
+  const hash = crypto.createHash('sha256');
+  hash.setEncoding('hex');
+  const fileStream = fs.createReadStream(filePath);
+  fileStream.pipe(hash);
+  await new Promise((resolve, reject) => {
+    fileStream.on('end', () => resolve());
+    fileStream.on('error', (err) => reject(err));
+  });
+  return hash.read();
+};