fix: use Typescript for files in entry-asar (#83)

* Fix: Run app.setAppPath() with the right path

* Implement feedback <3

* test: Add linting

.circleci/config.yml

@@ -1,46 +1,37 @@
-step-restore-cache: &step-restore-cache
-  restore_cache:
-    keys:
-      - v1-dependencies-{{ arch }}-{{ checksum "yarn.lock" }}
-      - v1-dependencies-{{ arch }}
-
-steps-test: &steps-test
-  steps:
-    - checkout
-    - *step-restore-cache
-    - run: yarn --frozen-lockfile
-    - save_cache:
-        paths:
-          - node_modules
-        key: v1-dependencies-{{ arch }}-{{ checksum "yarn.lock" }}
-    - run: yarn build
-    - run: yarn test
-
 version: 2.1
-jobs:
-  test:
-    macos:
-      xcode: "12.2.0"
-    <<: *steps-test
 
-  release:
+orbs:
-    docker:
+  cfa: continuousauth/npm@1.0.2
-      - image: circleci/node:14.15
+  node: electronjs/node@1.4.1
-    steps:
+
-      - checkout
-      - *step-restore-cache
-      - run: yarn --frozen-lockfile
-      - run: npx semantic-release
 workflows:
-  version: 2
   test_and_release:
+    # Run the test jobs first, then the release only when all the test jobs are successful
     jobs:
-      - test
+      - node/test:
-      - release:
+          executor: node/macos
+          name: test-mac-<< matrix.node-version >>
+          override-ci-command: yarn install --frozen-lockfile --ignore-engines
+          test-steps:
+            - run: yarn build
+            - run: yarn lint
+            - run: yarn test
+          use-test-steps: true
+          matrix:
+            alias: test
+            parameters:
+              node-version:
+                - 20.5.0
+                - 18.17.0
+                - 16.20.1
+                - 14.21.3
+                - 12.22.12
+                - 10.24.1
+      - cfa/release:
           requires:
             - test
           filters:
             branches:
               only:
-                - master
+                - main
-
+          context: cfa-release

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @electron/wg-ecosystem

.github/workflows/add-to-project.yml

@@ -0,0 +1,29 @@
+name: Add to Ecosystem WG Project
+
+on:
+  issues:
+    types:
+      - opened
+  pull_request_target:
+    types:
+      - opened
+
+permissions: {}
+
+jobs:
+  add-to-project:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate GitHub App token
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        id: generate-token
+        with:
+          creds: ${{ secrets.ECOSYSTEM_ISSUE_TRIAGE_GH_APP_CREDS }}
+          org: electron
+      - name: Add to Project
+        uses: dsanders11/project-actions/add-item@3a81985616963f32fae17d1d1b406c631f3201a1 # v1.1.0
+        with:
+          field: Opened
+          field-value: ${{ github.event.pull_request.created_at || github.event.issue.created_at }}
+          project-number: 89
+          token: ${{ steps.generate-token.outputs.token }}

.github/workflows/semantic.yml

@@ -0,0 +1,26 @@
+name: "Check Semantic Commit"
+
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+permissions:
+  contents: read
+
+jobs:
+  main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
+    name: Validate PR Title
+    runs-on: ubuntu-latest
+    steps:
+      - name: semantic-pull-request
+        uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          validateSingleCommit: false

.gitignore

@@ -1,3 +1,5 @@
 node_modules
 dist
-*.app
+entry-asar/*.js*
+entry-asar/*.ts
+*.app

.husky/pre-commit

@@ -0,0 +1,4 @@
+#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+yarn lint-staged

.releaserc.json

@@ -4,6 +4,7 @@
     "@semantic-release/release-notes-generator",
     "@continuous-auth/semantic-release-npm",
     "@semantic-release/github"
-  ]
+  ],
+  "branches": [ "main" ]
 }
 

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) Contributors to the Electron project
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -2,7 +2,8 @@
 
 > Create universal macOS Electron applications
 
-[![CircleCI](https://circleci.com/gh/electron/universal.svg?style=svg)](https://circleci.com/gh/electron/universal)
+[![CircleCI](https://circleci.com/gh/electron/universal/tree/main.svg?style=shield)](https://circleci.com/gh/electron/universal)
+[![NPM package](https://img.shields.io/npm/v/@electron/universal)](https://npm.im/@electron/universal)
 
 
 ## Usage
@@ -33,4 +34,4 @@ your x64 and arm64 apps work in isolation the Universal app will work as well.
 
 #### How do I build my app for Apple silicon in the first place?
 
-Check out the [Electron Apple silicon blog post](https://www.electronjs.org/blog/apple-silicon)
+Check out the [Electron Apple silicon blog post](https://www.electronjs.org/blog/apple-silicon)

entry-asar/ambient.d.ts

@@ -0,0 +1,19 @@
+declare namespace NodeJS {
+  interface Process extends EventEmitter {
+    // This is an undocumented private API. It exists.
+    _archPath: string;
+  }
+}
+
+declare module 'electron' {
+  const app: Electron.App;
+
+  namespace Electron {
+    interface App {
+      getAppPath: () => string;
+      setAppPath: (p: string) => void;
+    }
+  }
+
+  export { app };
+}

entry-asar/has-asar.js

@@ -1,7 +0,0 @@
-if (process.arch === 'arm64') {
-  process._archPath = require.resolve('../app-arm64.asar');
-} else {
-  process._archPath = require.resolve('../app-x64.asar');
-}
-
-require(process._archPath);

entry-asar/has-asar.ts

@@ -0,0 +1,27 @@
+import { app } from 'electron';
+import path from 'path';
+
+if (process.arch === 'arm64') {
+  setPaths('arm64');
+} else {
+  setPaths('x64');
+}
+
+function setPaths(platform: string) {
+  // This should return the full path, ending in something like
+  // Notion.app/Contents/Resources/app.asar
+  const appPath = app.getAppPath();
+  const asarFile = `app-${platform}.asar`;
+
+  // Maybe we'll handle this in Electron one day
+  if (path.basename(appPath) === 'app.asar') {
+    const platformAppPath = path.join(path.dirname(appPath), asarFile);
+
+    // This is an undocumented API. It exists.
+    app.setAppPath(platformAppPath);
+  }
+
+  process._archPath = require.resolve(`../${asarFile}`);
+}
+
+require(process._archPath);

entry-asar/no-asar.js

@@ -1,7 +0,0 @@
-if (process.arch === 'arm64') {
-  process._archPath = require.resolve('../app-arm64');
-} else {
-  process._archPath = require.resolve('../app-x64');
-}
-
-require(process._archPath);

entry-asar/no-asar.ts

@@ -0,0 +1,27 @@
+import { app } from 'electron';
+import path from 'path';
+
+if (process.arch === 'arm64') {
+  setPaths('arm64');
+} else {
+  setPaths('x64');
+}
+
+function setPaths(platform: string) {
+  // This should return the full path, ending in something like
+  // Notion.app/Contents/Resources/app
+  const appPath = app.getAppPath();
+  const appFolder = `app-${platform}`;
+
+  // Maybe we'll handle this in Electron one day
+  if (path.basename(appPath) === 'app') {
+    const platformAppPath = path.join(path.dirname(appPath), appFolder);
+
+    // This is an undocumented private API. It exists.
+    app.setAppPath(platformAppPath);
+  }
+
+  process._archPath = require.resolve(`../${appFolder}`);
+}
+
+require(process._archPath);

package.json

@@ -10,43 +10,48 @@
     "apple silicon",
     "universal"
   ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/electron/universal.git"
+  },
   "engines": {
     "node": ">=8.6"
   },
   "files": [
     "dist/*",
     "entry-asar/*",
+    "!entry-asar/**/*.ts",
     "README.md"
   ],
   "author": "Samuel Attard",
   "scripts": {
-    "build": "tsc && tsc -p tsconfig.esm.json",
+    "build": "tsc -p tsconfig.cjs.json && tsc -p tsconfig.esm.json && tsc -p tsconfig.entry-asar.json",
-    "lint": "prettier --check \"src/**/*.ts\"",
+    "lint": "prettier --check \"{src,entry-asar}/**/*.ts\"",
+    "prettier:write": "prettier --write \"{src,entry-asar}/**/*.ts\"",
     "prepublishOnly": "npm run build",
-    "test": "exit 0"
+    "test": "exit 0",
+    "prepare": "husky install"
   },
   "devDependencies": {
-    "@continuous-auth/semantic-release-npm": "^2.0.0",
+    "@continuous-auth/semantic-release-npm": "^3.0.0",
     "@types/debug": "^4.1.5",
     "@types/fs-extra": "^9.0.4",
+    "@types/minimatch": "^3.0.5",
     "@types/node": "^14.14.7",
-    "husky": "^4.3.0",
+    "@types/plist": "^3.0.2",
+    "husky": "^8.0.0",
     "lint-staged": "^10.5.1",
     "prettier": "^2.1.2",
-    "semantic-release": "^17.2.2",
     "typescript": "^4.0.5"
   },
   "dependencies": {
+    "@electron/asar": "^3.2.1",
     "@malept/cross-spawn-promise": "^1.1.0",
-    "asar": "^3.0.3",
     "debug": "^4.3.1",
-    "dir-compare": "^2.4.0",
+    "dir-compare": "^3.0.0",
-    "fs-extra": "^9.0.1"
+    "fs-extra": "^9.0.1",
-  },
+    "minimatch": "^3.0.4",
-  "husky": {
+    "plist": "^3.0.4"
-    "hooks": {
-      "pre-commit": "lint-staged"
-    }
   },
   "lint-staged": {
     "*.ts": [

src/asar-utils.ts

@@ -1,12 +1,44 @@
+import * as asar from '@electron/asar';
+import { execFileSync } from 'child_process';
+import * as crypto from 'crypto';
 import * as fs from 'fs-extra';
 import * as path from 'path';
+import * as minimatch from 'minimatch';
+import * as os from 'os';
 import { d } from './debug';
 
+const LIPO = 'lipo';
+
 export enum AsarMode {
   NO_ASAR,
   HAS_ASAR,
 }
 
+export type MergeASARsOptions = {
+  x64AsarPath: string;
+  arm64AsarPath: string;
+  outputAsarPath: string;
+
+  singleArchFiles?: string;
+};
+
+// See: https://github.com/apple-opensource-mirror/llvmCore/blob/0c60489d96c87140db9a6a14c6e82b15f5e5d252/include/llvm/Object/MachOFormat.h#L108-L112
+const MACHO_MAGIC = new Set([
+  // 32-bit Mach-O
+  0xfeedface,
+  0xcefaedfe,
+
+  // 64-bit Mach-O
+  0xfeedfacf,
+  0xcffaedfe,
+]);
+
+const MACHO_UNIVERSAL_MAGIC = new Set([
+  // universal
+  0xcafebabe,
+  0xbebafeca,
+]);
+
 export const detectAsarMode = async (appPath: string) => {
   d('checking asar mode of', appPath);
   const asarPath = path.resolve(appPath, 'Contents', 'Resources', 'app.asar');
@@ -19,3 +51,176 @@ export const detectAsarMode = async (appPath: string) => {
   d('determined has asar');
   return AsarMode.HAS_ASAR;
 };
+
+export const generateAsarIntegrity = (asarPath: string) => {
+  return {
+    algorithm: 'SHA256' as const,
+    hash: crypto
+      .createHash('SHA256')
+      .update(asar.getRawHeader(asarPath).headerString)
+      .digest('hex'),
+  };
+};
+
+function toRelativePath(file: string): string {
+  return file.replace(/^\//, '');
+}
+
+function isDirectory(a: string, file: string): boolean {
+  return Boolean('files' in asar.statFile(a, file));
+}
+
+function checkSingleArch(archive: string, file: string, allowList?: string): void {
+  if (allowList === undefined || !minimatch(file, allowList, { matchBase: true })) {
+    throw new Error(
+      `Detected unique file "${file}" in "${archive}" not covered by ` +
+        `allowList rule: "${allowList}"`,
+    );
+  }
+}
+
+export const mergeASARs = async ({
+  x64AsarPath,
+  arm64AsarPath,
+  outputAsarPath,
+  singleArchFiles,
+}: MergeASARsOptions): Promise<void> => {
+  d(`merging ${x64AsarPath} and ${arm64AsarPath}`);
+
+  const x64Files = new Set(asar.listPackage(x64AsarPath).map(toRelativePath));
+  const arm64Files = new Set(asar.listPackage(arm64AsarPath).map(toRelativePath));
+
+  //
+  // Build set of unpacked directories and files
+  //
+
+  const unpackedFiles = new Set<string>();
+
+  function buildUnpacked(a: string, fileList: Set<string>): void {
+    for (const file of fileList) {
+      const stat = asar.statFile(a, file);
+
+      if (!('unpacked' in stat) || !stat.unpacked) {
+        continue;
+      }
+
+      if ('files' in stat) {
+        continue;
+      }
+      unpackedFiles.add(file);
+    }
+  }
+
+  buildUnpacked(x64AsarPath, x64Files);
+  buildUnpacked(arm64AsarPath, arm64Files);
+
+  //
+  // Build list of files/directories unique to each asar
+  //
+
+  for (const file of x64Files) {
+    if (!arm64Files.has(file)) {
+      checkSingleArch(x64AsarPath, file, singleArchFiles);
+    }
+  }
+  const arm64Unique = [];
+  for (const file of arm64Files) {
+    if (!x64Files.has(file)) {
+      checkSingleArch(arm64AsarPath, file, singleArchFiles);
+      arm64Unique.push(file);
+    }
+  }
+
+  //
+  // Find common bindings with different content
+  //
+
+  const commonBindings = [];
+  for (const file of x64Files) {
+    if (!arm64Files.has(file)) {
+      continue;
+    }
+
+    // Skip directories
+    if (isDirectory(x64AsarPath, file)) {
+      continue;
+    }
+
+    const x64Content = asar.extractFile(x64AsarPath, file);
+    const arm64Content = asar.extractFile(arm64AsarPath, file);
+
+    if (x64Content.compare(arm64Content) === 0) {
+      continue;
+    }
+
+    if (
+      MACHO_UNIVERSAL_MAGIC.has(x64Content.readUInt32LE(0)) &&
+      MACHO_UNIVERSAL_MAGIC.has(arm64Content.readUInt32LE(0))
+    ) {
+      continue;
+    }
+
+    if (!MACHO_MAGIC.has(x64Content.readUInt32LE(0))) {
+      throw new Error(`Can't reconcile two non-macho files ${file}`);
+    }
+
+    commonBindings.push(file);
+  }
+
+  //
+  // Extract both
+  //
+
+  const x64Dir = await fs.mkdtemp(path.join(os.tmpdir(), 'x64-'));
+  const arm64Dir = await fs.mkdtemp(path.join(os.tmpdir(), 'arm64-'));
+
+  try {
+    d(`extracting ${x64AsarPath} to ${x64Dir}`);
+    asar.extractAll(x64AsarPath, x64Dir);
+
+    d(`extracting ${arm64AsarPath} to ${arm64Dir}`);
+    asar.extractAll(arm64AsarPath, arm64Dir);
+
+    for (const file of arm64Unique) {
+      const source = path.resolve(arm64Dir, file);
+      const destination = path.resolve(x64Dir, file);
+
+      if (isDirectory(arm64AsarPath, file)) {
+        d(`creating unique directory: ${file}`);
+        await fs.mkdirp(destination);
+        continue;
+      }
+
+      d(`xopying unique file: ${file}`);
+      await fs.mkdirp(path.dirname(destination));
+      await fs.copy(source, destination);
+    }
+
+    for (const binding of commonBindings) {
+      const source = await fs.realpath(path.resolve(arm64Dir, binding));
+      const destination = await fs.realpath(path.resolve(x64Dir, binding));
+
+      d(`merging binding: ${binding}`);
+      execFileSync(LIPO, [source, destination, '-create', '-output', destination]);
+    }
+
+    d(`creating archive at ${outputAsarPath}`);
+
+    const resolvedUnpack = Array.from(unpackedFiles).map((file) => path.join(x64Dir, file));
+
+    let unpack: string | undefined;
+    if (resolvedUnpack.length > 1) {
+      unpack = `{${resolvedUnpack.join(',')}}`;
+    } else if (resolvedUnpack.length === 1) {
+      unpack = resolvedUnpack[0];
+    }
+
+    await asar.createPackageWithOptions(x64Dir, outputAsarPath, {
+      unpack,
+    });
+
+    d('done merging');
+  } finally {
+    await Promise.all([fs.remove(x64Dir), fs.remove(arm64Dir)]);
+  }
+};

src/file-utils.ts

@@ -1,4 +1,4 @@
-import { spawn } from '@malept/cross-spawn-promise';
+import { spawn, ExitCodeError } from '@malept/cross-spawn-promise';
 import * as fs from 'fs-extra';
 import * as path from 'path';
 
@@ -7,6 +7,7 @@ const MACHO_PREFIX = 'Mach-O ';
 export enum AppFileType {
   MACHO,
   PLAIN,
+  INFO_PLIST,
   SNAPSHOT,
   APP_CODE,
 }
@@ -34,13 +35,24 @@ export const getAllAppFiles = async (appPath: string): Promise<AppFile[]> => {
     if (info.isFile()) {
       let fileType = AppFileType.PLAIN;
 
-      const fileOutput = await spawn('file', ['--brief', '--no-pad', p]);
+      var fileOutput = '';
+      try {
+        fileOutput = await spawn('file', ['--brief', '--no-pad', p]);
+      } catch (e) {
+        if (e instanceof ExitCodeError) {
+          /* silently accept error codes from "file" */
+        } else {
+          throw e;
+        }
+      }
       if (p.includes('app.asar')) {
         fileType = AppFileType.APP_CODE;
       } else if (fileOutput.startsWith(MACHO_PREFIX)) {
         fileType = AppFileType.MACHO;
       } else if (p.endsWith('.bin')) {
         fileType = AppFileType.SNAPSHOT;
+      } else if (path.basename(p) === 'Info.plist') {
+        fileType = AppFileType.INFO_PLIST;
       }
 
       files.push({

src/index.ts

@@ -1,15 +1,19 @@
 import { spawn } from '@malept/cross-spawn-promise';
-import * as asar from 'asar';
+import * as asar from '@electron/asar';
+import * as crypto from 'crypto';
 import * as fs from 'fs-extra';
+import * as minimatch from 'minimatch';
 import * as os from 'os';
 import * as path from 'path';
+import * as plist from 'plist';
 import * as dircompare from 'dir-compare';
+
 import { AppFile, AppFileType, getAllAppFiles } from './file-utils';
-import { AsarMode, detectAsarMode } from './asar-utils';
+import { AsarMode, detectAsarMode, generateAsarIntegrity, mergeASARs } from './asar-utils';
 import { sha } from './sha';
 import { d } from './debug';
 
-type MakeUniversalOpts = {
+export type MakeUniversalOpts = {
   /**
    * Absolute file system path to the x64 version of your application.  E.g. /Foo/bar/MyApp_x64.app
    */
@@ -28,6 +32,22 @@ type MakeUniversalOpts = {
    * Forcefully overwrite any existing files that are in the way of generating the universal application
    */
   force: boolean;
+  /**
+   * Merge x64 and arm64 ASARs into one.
+   */
+  mergeASARs?: boolean;
+  /**
+   * Minimatch pattern of paths that are allowed to be present in one of the ASAR files, but not in the other.
+   */
+  singleArchFiles?: string;
+  /**
+   * Minimatch pattern of binaries that are expected to be the same x64 binary in both of the ASAR files.
+   */
+  x64ArchFiles?: string;
+  /**
+   * Minimatch pattern of paths that should not receive an injected ElectronAsarIntegrity value
+   */
+  infoPlistsToIgnore?: string;
 };
 
 const dupedFiles = (files: AppFile[]) =>
@@ -78,7 +98,7 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
     const uniqueToX64: string[] = [];
     const uniqueToArm64: string[] = [];
     const x64Files = await getAllAppFiles(await fs.realpath(tmpApp));
-    const arm64Files = await getAllAppFiles(opts.arm64AppPath);
+    const arm64Files = await getAllAppFiles(await fs.realpath(opts.arm64AppPath));
 
     for (const file of dupedFiles(x64Files)) {
       if (!arm64Files.some((f) => f.relativePath === file.relativePath))
@@ -104,6 +124,11 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
       const arm64Sha = await sha(path.resolve(opts.arm64AppPath, file.relativePath));
       if (x64Sha !== arm64Sha) {
         d('SHA for file', file.relativePath, `does not match across builds ${x64Sha}!=${arm64Sha}`);
+        // The MainMenu.nib files generated by Xcode13 are deterministic in effect but not deterministic in generated sequence
+        if (path.basename(path.dirname(file.relativePath)) === 'MainMenu.nib') {
+          // The mismatch here is OK so we just move on to the next one
+          continue;
+        }
         throw new Error(
           `Expected all non-binary files to have identical SHAs when creating a universal build but "${file.relativePath}" did not`,
         );
@@ -114,6 +139,27 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
       const first = await fs.realpath(path.resolve(tmpApp, machOFile.relativePath));
       const second = await fs.realpath(path.resolve(opts.arm64AppPath, machOFile.relativePath));
 
+      const x64Sha = await sha(path.resolve(opts.x64AppPath, machOFile.relativePath));
+      const arm64Sha = await sha(path.resolve(opts.arm64AppPath, machOFile.relativePath));
+      if (x64Sha === arm64Sha) {
+        if (
+          opts.x64ArchFiles === undefined ||
+          !minimatch(machOFile.relativePath, opts.x64ArchFiles, { matchBase: true })
+        ) {
+          throw new Error(
+            `Detected file "${machOFile.relativePath}" that's the same in both x64 and arm64 builds and not covered by the ` +
+              `x64ArchFiles rule: "${opts.x64ArchFiles}"`,
+          );
+        }
+
+        d(
+          'SHA for Mach-O file',
+          machOFile.relativePath,
+          `matches across builds ${x64Sha}===${arm64Sha}, skipping lipo`,
+        );
+        continue;
+      }
+
       d('joining two MachO files with lipo', {
         first,
         second,
@@ -172,6 +218,9 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
       }
     }
 
+    const generatedIntegrity: Record<string, { algorithm: 'SHA256'; hash: string }> = {};
+    let didSplitAsar = false;
+
     /**
      * If we have an ASAR we just need to check if the two "app.asar" files have the same hash,
      * if they are, same as above, we can leave one there and call it a day.  If they're different
@@ -180,7 +229,18 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
      * look at codifying that assumption as actual logic.
      */
     // FIXME: Codify the assumption that app.asar.unpacked only contains native modules
-    if (x64AsarMode === AsarMode.HAS_ASAR) {
+    if (x64AsarMode === AsarMode.HAS_ASAR && opts.mergeASARs) {
+      d('merging x64 and arm64 asars');
+      const output = path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar');
+      await mergeASARs({
+        x64AsarPath: path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'),
+        arm64AsarPath: path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app.asar'),
+        outputAsarPath: output,
+        singleArchFiles: opts.singleArchFiles,
+      });
+
+      generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(output);
+    } else if (x64AsarMode === AsarMode.HAS_ASAR) {
       d('checking if the x64 and arm64 asars are identical');
       const x64AsarSha = await sha(path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'));
       const arm64AsarSha = await sha(
@@ -188,11 +248,10 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
       );
 
       if (x64AsarSha !== arm64AsarSha) {
+        didSplitAsar = true;
         d('x64 and arm64 asars are different');
-        await fs.move(
+        const x64AsarPath = path.resolve(tmpApp, 'Contents', 'Resources', 'app-x64.asar');
-          path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'),
+        await fs.move(path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'), x64AsarPath);
-          path.resolve(tmpApp, 'Contents', 'Resources', 'app-x64.asar'),
-        );
         const x64Unpacked = path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar.unpacked');
         if (await fs.pathExists(x64Unpacked)) {
           await fs.move(
@@ -201,9 +260,10 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
           );
         }
 
+        const arm64AsarPath = path.resolve(tmpApp, 'Contents', 'Resources', 'app-arm64.asar');
         await fs.copy(
           path.resolve(opts.arm64AppPath, 'Contents', 'Resources', 'app.asar'),
-          path.resolve(tmpApp, 'Contents', 'Resources', 'app-arm64.asar'),
+          arm64AsarPath,
         );
         const arm64Unpacked = path.resolve(
           opts.arm64AppPath,
@@ -234,15 +294,47 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
         );
         pj.main = 'index.js';
         await fs.writeJson(path.resolve(entryAsar, 'package.json'), pj);
-        await asar.createPackage(
+        const asarPath = path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar');
-          entryAsar,
+        await asar.createPackage(entryAsar, asarPath);
-          path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'),
+
-        );
+        generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(asarPath);
+        generatedIntegrity['Resources/app-x64.asar'] = generateAsarIntegrity(x64AsarPath);
+        generatedIntegrity['Resources/app-arm64.asar'] = generateAsarIntegrity(arm64AsarPath);
       } else {
         d('x64 and arm64 asars are the same');
+        generatedIntegrity['Resources/app.asar'] = generateAsarIntegrity(
+          path.resolve(tmpApp, 'Contents', 'Resources', 'app.asar'),
+        );
       }
     }
 
+    const plistFiles = x64Files.filter((f) => f.type === AppFileType.INFO_PLIST);
+    for (const plistFile of plistFiles) {
+      const x64PlistPath = path.resolve(opts.x64AppPath, plistFile.relativePath);
+      const arm64PlistPath = path.resolve(opts.arm64AppPath, plistFile.relativePath);
+
+      const { ElectronAsarIntegrity: x64Integrity, ...x64Plist } = plist.parse(
+        await fs.readFile(x64PlistPath, 'utf8'),
+      ) as any;
+      const { ElectronAsarIntegrity: arm64Integrity, ...arm64Plist } = plist.parse(
+        await fs.readFile(arm64PlistPath, 'utf8'),
+      ) as any;
+      if (JSON.stringify(x64Plist) !== JSON.stringify(arm64Plist)) {
+        throw new Error(
+          `Expected all Info.plist files to be identical when ignoring integrity when creating a universal build but "${plistFile.relativePath}" was not`,
+        );
+      }
+
+      const injectAsarIntegrity =
+        !opts.infoPlistsToIgnore ||
+        minimatch(plistFile.relativePath, opts.infoPlistsToIgnore, { matchBase: true });
+      const mergedPlist = injectAsarIntegrity
+        ? { ...x64Plist, ElectronAsarIntegrity: generatedIntegrity }
+        : { ...x64Plist };
+
+      await fs.writeFile(path.resolve(tmpApp, plistFile.relativePath), plist.build(mergedPlist));
+    }
+
     for (const snapshotsFile of arm64Files.filter((f) => f.type === AppFileType.SNAPSHOT)) {
       d('copying snapshot file', snapshotsFile.relativePath, 'to target application');
       await fs.copy(
@@ -252,6 +344,7 @@ export const makeUniversalApp = async (opts: MakeUniversalOpts): Promise<void> =
     }
 
     d('moving final universal app to target destination');
+    await fs.mkdirp(path.dirname(opts.outAppPath));
     await spawn('mv', [tmpApp, opts.outAppPath]);
   } catch (err) {
     throw err;

src/sha.ts

@@ -5,11 +5,12 @@ import { d } from './debug';
 export const sha = async (filePath: string) => {
   d('hashing', filePath);
   const hash = crypto.createHash('sha256');
+  hash.setEncoding('hex');
   const fileStream = fs.createReadStream(filePath);
   fileStream.pipe(hash);
   await new Promise((resolve, reject) => {
     fileStream.on('end', () => resolve());
     fileStream.on('error', (err) => reject(err));
   });
-  return hash.digest('hex');
+  return hash.read();
 };

tsconfig.cjs.json

@@ -0,0 +1,4 @@
+{
+  "extends": "./tsconfig.json",
+  "include": ["src"]
+}

tsconfig.entry-asar.json

@@ -0,0 +1,10 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "entry-asar",
+  },
+  "include": [
+    "entry-asar"
+  ],
+  "exclude": []
+}

tsconfig.esm.json

@@ -3,5 +3,6 @@
   "compilerOptions": {
     "module": "esnext",
     "outDir": "dist/esm"
-  }
+  },
-}
+  "include": ["src"]
+}

tsconfig.json

@@ -16,6 +16,7 @@
     "declaration": true
   },
   "include": [
-    "src"
+    "src",
+    "entry-asar"
   ]
 }