feat: write asar integrity resource on windows (#8245)

Electron 30-x-y added support for ASAR integrity fuse on Windows. When enabled the app would fetch the ELECTRONASAR resource out of the executable file and use it to verify the integrity of the ASAR when reading the data from it.

Author: indutny-signal

.changeset/thick-flies-carry.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+write asar integrity resource on windows

packages/app-builder-lib/package.json

@@ -70,6 +70,7 @@
     "lazy-val": "^1.0.5",
     "minimatch": "^5.1.1",
     "read-config-file": "6.4.0",
+    "resedit": "^1.7.0",
     "sanitize-filename": "^1.6.3",
     "semver": "^7.3.8",
     "tar": "^6.1.12",

packages/app-builder-lib/src/electron/ElectronFramework.ts

@@ -10,6 +10,7 @@ import { LinuxPackager } from "../linuxPackager"
 import { MacPackager } from "../macPackager"
 import { getTemplatePath } from "../util/pathManager"
 import { createMacApp } from "./electronMac"
+import { addWinAsarIntegrity } from "./electronWin"
 import { computeElectronVersion, getElectronVersionFromInstalled } from "./electronVersion"
 import * as fs from "fs/promises"
 import injectFFMPEG from "./injectFFMPEG"
@@ -78,6 +79,9 @@ async function beforeCopyExtraFiles(options: BeforeCopyExtraFilesOptions) {
   } else if (packager.platform === Platform.WINDOWS) {
     const executable = path.join(appOutDir, `${packager.appInfo.productFilename}.exe`)
     await rename(path.join(appOutDir, `${electronBranding.projectName}.exe`), executable)
+    if (options.asarIntegrity) {
+      await addWinAsarIntegrity(executable, options.asarIntegrity)
+    }
   } else {
     await createMacApp(packager as MacPackager, appOutDir, options.asarIntegrity, (options.platformName as ElectronPlatformName) === "mas")
   }

packages/app-builder-lib/src/electron/electronWin.ts

@@ -0,0 +1,41 @@
+import { readFile, writeFile } from "fs/promises"
+import { log } from "builder-util"
+import { NtExecutable, NtExecutableResource, Resource } from "resedit"
+import { AsarIntegrity } from "../asar/integrity"
+
+/** @internal */
+export async function addWinAsarIntegrity(executablePath: string, asarIntegrity: AsarIntegrity) {
+  const buffer = await readFile(executablePath)
+  const executable = NtExecutable.from(buffer)
+  const resource = NtExecutableResource.from(executable)
+
+  const versionInfo = Resource.VersionInfo.fromEntries(resource.entries)
+  if (versionInfo.length !== 1) {
+    throw new Error(`Failed to parse version info in ${executablePath}`)
+  }
+
+  const languages = versionInfo[0].getAllLanguagesForStringValues()
+  if (languages.length !== 1) {
+    throw new Error(`Failed to locate languages in ${executablePath}`)
+  }
+
+  // See: https://github.com/electron/packager/blob/00d20b99cf4aa4621103dbbd09ff7de7d2f7f539/src/resedit.ts#L124
+  const integrityList = Array.from(Object.entries(asarIntegrity)).map(([file, { algorithm: alg, hash: value }]) => ({
+    file,
+    alg,
+    value,
+  }))
+
+  resource.entries.push({
+    type: "INTEGRITY",
+    id: "ELECTRONASAR",
+    bin: Buffer.from(JSON.stringify(integrityList)),
+    lang: languages[0].lang,
+    codepage: languages[0].codepage,
+  })
+
+  resource.outputResource(executable)
+
+  await writeFile(executablePath, Buffer.from(executable.generate()))
+  log.info({ executablePath }, "updating asar integrity executable resource")
+}