feat: add support for validating asar archives on macOS (#30667)

* feat: add support for validating asar archives on macOS * chore: fix lint * chore: update as per feedback * feat: switch implementation to asar integrity hash checks * feat: make ranged requests work with the asar file validator DataSourceFilter * chore: fix lint * chore: fix missing log include on non-darwin * fix: do not pull block size out of missing optional * fix: match ValidateOrDie symbol on non-darwin * chore: fix up asar specs by repacking archives * fix: maintain integrity chain, do not load file integrity if header integrity was not loaded * debug test * Update node-spec.ts * fix: initialize header_validated_ * chore: update PR per feedback * chore: update per feedback * build: use final asar module * Update fuses.json5
2021-09-09 14:49:01 -07:00 · 2021-09-09 14:49:01 -07:00 · 57d088517c
commit 57d088517c
parent fcad531f2e
35 changed files with 705 additions and 43 deletions
--- a/BUILD.gn
+++ b/BUILD.gn
@ -1024,6 +1024,12 @@ if (is_mac) {
    outputs = [ "{{bundle_resources_dir}}/{{source_file_part}}" ]
  }

+  asar_hashed_info_plist("electron_app_plist") {
+    keys = [ "DEFAULT_APP_ASAR_HEADER_SHA" ]
+    hash_targets = [ ":default_app_asar_header_hash" ]
+    plist_file = "shell/browser/resources/mac/Info.plist"
+  }
+
  mac_app_bundle("electron_app") {
    output_name = electron_product_name
    sources = filenames.app_sources
@ -1031,6 +1037,7 @@ if (is_mac) {
    include_dirs = [ "." ]
    deps = [
      ":electron_app_framework_bundle_data",
+      ":electron_app_plist",
      ":electron_app_resources",
      ":electron_fuses",
      "//base",
@ -1039,7 +1046,7 @@ if (is_mac) {
    if (is_mas_build) {
      deps += [ ":electron_login_helper_app" ]
    }
-    info_plist = "shell/browser/resources/mac/Info.plist"
+    info_plist_target = ":electron_app_plist"
    extra_substitutions = [
      "ELECTRON_BUNDLE_ID=$electron_mac_bundle_id",
      "ELECTRON_VERSION=$electron_version",
--- a/build/asar.gni
+++ b/build/asar.gni
@ -57,4 +57,42 @@ template("asar") {
             rebase_path(outputs[0]),
           ]
  }
+
+  node_action(target_name + "_header_hash") {
+    invoker_out = invoker.outputs
+
+    deps = [ ":" + invoker.target_name ]
+    sources = invoker.outputs
+
+    script = "//electron/script/gn-asar-hash.js"
+    outputs = [ "$target_gen_dir/asar_hashes/$target_name.hash" ]
+
+    args = [
+      rebase_path(invoker_out[0]),
+      rebase_path(outputs[0]),
+    ]
+  }
+}
+
+template("asar_hashed_info_plist") {
+  node_action(target_name) {
+    assert(defined(invoker.plist_file),
+           "Need plist_file to add hashed assets to")
+    assert(defined(invoker.keys), "Need keys to replace with asset hash")
+    assert(defined(invoker.hash_targets), "Need hash_targets to read hash from")
+
+    deps = invoker.hash_targets
+
+    script = "//electron/script/gn-plist-but-with-hashes.js"
+    inputs = [ invoker.plist_file ]
+    outputs = [ "$target_gen_dir/hashed_plists/$target_name.plist" ]
+    hash_files = []
+    foreach(hash_target, invoker.hash_targets) {
+      hash_files += get_target_outputs(hash_target)
+    }
+    args = [
+             rebase_path(invoker.plist_file),
+             rebase_path(outputs[0]),
+           ] + invoker.keys + rebase_path(hash_files)
+  }
 }
--- a/build/fuses/fuses.json5
+++ b/build/fuses/fuses.json5
@ -5,5 +5,7 @@
  "run_as_node": "1",
  "cookie_encryption": "0",
  "node_options": "1",
-  "node_cli_inspect": "1"
+  "node_cli_inspect": "1",
+  "embedded_asar_integrity_validation": "0",
+  "only_load_app_from_asar": "0"
 }
--- a/filenames.gni
+++ b/filenames.gni
@ -191,6 +191,7 @@ filenames = {
    "shell/browser/ui/tray_icon_cocoa.mm",
    "shell/common/api/electron_api_clipboard_mac.mm",
    "shell/common/api/electron_api_native_image_mac.mm",
+    "shell/common/asar/archive_mac.mm",
    "shell/common/application_info_mac.mm",
    "shell/common/language_util_mac.mm",
    "shell/common/mac/main_application_bundle.h",
@ -403,6 +404,8 @@ filenames = {
    "shell/browser/native_window.cc",
    "shell/browser/native_window.h",
    "shell/browser/native_window_observer.h",
+    "shell/browser/net/asar/asar_file_validator.cc",
+    "shell/browser/net/asar/asar_file_validator.h",
    "shell/browser/net/asar/asar_url_loader.cc",
    "shell/browser/net/asar/asar_url_loader.h",
    "shell/browser/net/asar/asar_url_loader_factory.cc",
--- a/lib/asar/fs-wrapper.ts
+++ b/lib/asar/fs-wrapper.ts
@ -1,6 +1,7 @@
 import { Buffer } from 'buffer';
 import * as path from 'path';
 import * as util from 'util';
+import type * as Crypto from 'crypto';

 const asar = process._linkedBinding('electron_common_asar');

@ -194,6 +195,20 @@ const overrideAPI = function (module: Record<string, any>, name: string, pathArg
  }
 };

+let crypto: typeof Crypto;
+function validateBufferIntegrity (buffer: Buffer, integrity: NodeJS.AsarFileInfo['integrity']) {
+  if (!integrity) return;
+
+  // Delay load crypto to improve app boot performance
+  // when integrity protection is not enabled
+  crypto = crypto || require('crypto');
+  const actual = crypto.createHash(integrity.algorithm).update(buffer).digest('hex');
+  if (actual !== integrity.hash) {
+    console.error(`ASAR Integrity Violation: got a hash mismatch (${actual} vs ${integrity.hash})`);
+    process.exit(1);
+  }
+}
+
 const makePromiseFunction = function (orig: Function, pathArgumentIndex: number) {
  return function (this: any, ...args: any[]) {
    const pathArgument = args[pathArgumentIndex];
@ -531,7 +546,7 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
      }

      const buffer = Buffer.alloc(info.size);
-      const fd = archive.getFd();
+      const fd = archive.getFdAndValidateIntegrityLater();
      if (!(fd >= 0)) {
        const error = createError(AsarError.NOT_FOUND, { asarPath, filePath });
        nextTick(callback, [error]);
@ -540,6 +555,7 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {

      logASARAccess(asarPath, filePath, info.offset);
      fs.read(fd, buffer, 0, info.size, info.offset, (error: Error) => {
+        validateBufferIntegrity(buffer, info.integrity);
        callback(error, encoding ? buffer.toString(encoding) : buffer);
      });
    }
@ -595,11 +611,12 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {

    const { encoding } = options;
    const buffer = Buffer.alloc(info.size);
-    const fd = archive.getFd();
+    const fd = archive.getFdAndValidateIntegrityLater();
    if (!(fd >= 0)) throw createError(AsarError.NOT_FOUND, { asarPath, filePath });

    logASARAccess(asarPath, filePath, info.offset);
    fs.readSync(fd, buffer, 0, info.size, info.offset);
+    validateBufferIntegrity(buffer, info.integrity);
    return (encoding) ? buffer.toString(encoding) : buffer;
  };

@ -713,11 +730,12 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
    }

    const buffer = Buffer.alloc(info.size);
-    const fd = archive.getFd();
+    const fd = archive.getFdAndValidateIntegrityLater();
    if (!(fd >= 0)) return [];

    logASARAccess(asarPath, filePath, info.offset);
    fs.readSync(fd, buffer, 0, info.size, info.offset);
+    validateBufferIntegrity(buffer, info.integrity);
    const str = buffer.toString('utf8');
    return [str, str.length > 0];
  };
--- a/lib/browser/init.ts
+++ b/lib/browser/init.ts
@ -81,9 +81,10 @@ require('@electron/internal/browser/guest-view-manager');
 require('@electron/internal/browser/guest-window-proxy');

 // Now we try to load app's package.json.
+const v8Util = process._linkedBinding('electron_common_v8_util');
 let packagePath = null;
 let packageJson = null;
-const searchPaths = ['app', 'app.asar', 'default_app.asar'];
+const searchPaths: string[] = v8Util.getHiddenValue(global, 'appSearchPaths');

 if (process.resourcesPath) {
  for (packagePath of searchPaths) {
--- a/package.json
+++ b/package.json
@ -30,7 +30,7 @@
    "@types/webpack-env": "^1.15.2",
    "@typescript-eslint/eslint-plugin": "^4.4.1",
    "@typescript-eslint/parser": "^4.4.1",
-    "asar": "^3.0.3",
+    "asar": "^3.1.0",
    "aws-sdk": "^2.727.1",
    "check-for-leaks": "^1.2.1",
    "colors": "^1.4.0",
--- a/script/gn-asar-hash.js
+++ b/script/gn-asar-hash.js
@ -0,0 +1,9 @@
+const asar = require('asar');
+const crypto = require('crypto');
+const fs = require('fs');
+
+const archive = process.argv[2];
+const hashFile = process.argv[3];
+
+const { headerString } = asar.getRawHeader(archive);
+fs.writeFileSync(hashFile, crypto.createHash('SHA256').update(headerString).digest('hex'));
--- a/script/gn-plist-but-with-hashes.js
+++ b/script/gn-plist-but-with-hashes.js
@ -0,0 +1,16 @@
+const fs = require('fs');
+
+const [,, plistPath, outputPath, ...keySet] = process.argv;
+
+const keyPairs = {};
+for (let i = 0; i * 2 < keySet.length; i++) {
+  keyPairs[keySet[i]] = fs.readFileSync(keySet[(keySet.length / 2) + i], 'utf8');
+}
+
+let plistContents = fs.readFileSync(plistPath, 'utf8');
+
+for (const key of Object.keys(keyPairs)) {
+  plistContents = plistContents.replace(`$\{${key}}`, keyPairs[key]);
+}
+
+fs.writeFileSync(outputPath, plistContents);
--- a/shell/browser/net/asar/asar_file_validator.cc
+++ b/shell/browser/net/asar/asar_file_validator.cc
@ -0,0 +1,150 @@
+// Copyright (c) 2021 Slack Technologies, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "shell/browser/net/asar/asar_file_validator.h"
+
+#include <algorithm>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "base/logging.h"
+#include "base/notreached.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "crypto/sha2.h"
+
+namespace asar {
+
+AsarFileValidator::AsarFileValidator(IntegrityPayload integrity,
+                                     base::File file)
+    : file_(std::move(file)), integrity_(std::move(integrity)) {
+  current_block_ = 0;
+  max_block_ = integrity_.blocks.size() - 1;
+}
+
+void AsarFileValidator::OnRead(base::span<char> buffer,
+                               mojo::FileDataSource::ReadResult* result) {
+  DCHECK(!done_reading_);
+
+  uint64_t buffer_size = result->bytes_read;
+
+  // Compute how many bytes we should hash, and add them to the current hash.
+  uint32_t block_size = integrity_.block_size;
+  uint64_t bytes_added = 0;
+  while (bytes_added < buffer_size) {
+    if (current_block_ > max_block_) {
+      LOG(FATAL)
+          << "Unexpected number of blocks while validating ASAR file stream";
+      return;
+    }
+
+    // Create a hash if we don't have one yet
+    if (!current_hash_) {
+      current_hash_byte_count_ = 0;
+      switch (integrity_.algorithm) {
+        case HashAlgorithm::SHA256:
+          current_hash_ =
+              crypto::SecureHash::Create(crypto::SecureHash::SHA256);
+          break;
+        case HashAlgorithm::NONE:
+          CHECK(false);
+          break;
+      }
+    }
+
+    // Compute how many bytes we should hash, and add them to the current hash.
+    // We need to either add just enough bytes to fill up a block (block_size -
+    // current_bytes) or use every remaining byte (buffer_size - bytes_added)
+    int bytes_to_hash = std::min(block_size - current_hash_byte_count_,
+                                 buffer_size - bytes_added);
+    DCHECK_GT(bytes_to_hash, 0);
+    current_hash_->Update(buffer.data() + bytes_added, bytes_to_hash);
+    bytes_added += bytes_to_hash;
+    current_hash_byte_count_ += bytes_to_hash;
+    total_hash_byte_count_ += bytes_to_hash;
+
+    if (current_hash_byte_count_ == block_size && !FinishBlock()) {
+      LOG(FATAL) << "Failed to validate block while streaming ASAR file: "
+                 << current_block_;
+      return;
+    }
+  }
+}
+
+bool AsarFileValidator::FinishBlock() {
+  if (current_hash_byte_count_ == 0) {
+    if (!done_reading_ || current_block_ > max_block_) {
+      return true;
+    }
+  }
+
+  if (!current_hash_) {
+    // This happens when we fail to read the resource. Compute empty content's
+    // hash in this case.
+    current_hash_ = crypto::SecureHash::Create(crypto::SecureHash::SHA256);
+  }
+
+  uint8_t actual[crypto::kSHA256Length];
+
+  // If the file reader is done we need to make sure we've either read up to the
+  // end of the file (the check below) or up to the end of a block_size byte
+  // boundary. If the below check fails we compute the next block boundary, how
+  // many bytes are needed to get there and then we manually read those bytes
+  // from our own file handle ensuring the data producer is unaware but we can
+  // validate the hash still.
+  if (done_reading_ &&
+      total_hash_byte_count_ - extra_read_ != read_max_ - read_start_) {
+    uint64_t bytes_needed = std::min(
+        integrity_.block_size - current_hash_byte_count_,
+        read_max_ - read_start_ - total_hash_byte_count_ + extra_read_);
+    uint64_t offset = read_start_ + total_hash_byte_count_ - extra_read_;
+    std::vector<uint8_t> abandoned_buffer(bytes_needed);
+    if (!file_.ReadAndCheck(offset, abandoned_buffer)) {
+      LOG(FATAL) << "Failed to read required portion of streamed ASAR archive";
+      return false;
+    }
+
+    current_hash_->Update(&abandoned_buffer.front(), bytes_needed);
+  }
+
+  current_hash_->Finish(actual, sizeof(actual));
+  current_hash_.reset();
+  current_hash_byte_count_ = 0;
+
+  const std::string expected_hash = integrity_.blocks[current_block_];
+  const std::string actual_hex_hash =
+      base::ToLowerASCII(base::HexEncode(actual, sizeof(actual)));
+
+  if (expected_hash != actual_hex_hash) {
+    return false;
+  }
+
+  current_block_++;
+
+  return true;
+}
+
+void AsarFileValidator::OnDone() {
+  DCHECK(!done_reading_);
+  done_reading_ = true;
+  if (!FinishBlock()) {
+    LOG(FATAL) << "Failed to validate block while ending ASAR file stream: "
+               << current_block_;
+  }
+}
+
+void AsarFileValidator::SetRange(uint64_t read_start,
+                                 uint64_t extra_read,
+                                 uint64_t read_max) {
+  read_start_ = read_start;
+  extra_read_ = extra_read;
+  read_max_ = read_max;
+}
+
+void AsarFileValidator::SetCurrentBlock(int current_block) {
+  current_block_ = current_block;
+}
+
+}  // namespace asar
--- a/shell/browser/net/asar/asar_file_validator.h
+++ b/shell/browser/net/asar/asar_file_validator.h
@ -0,0 +1,60 @@
+// Copyright (c) 2021 Slack Technologies, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#ifndef SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_
+#define SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_
+
+#include <algorithm>
+#include <memory>
+
+#include "crypto/secure_hash.h"
+#include "mojo/public/cpp/system/file_data_source.h"
+#include "mojo/public/cpp/system/filtered_data_source.h"
+#include "shell/common/asar/archive.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+
+namespace asar {
+
+class AsarFileValidator : public mojo::FilteredDataSource::Filter {
+ public:
+  AsarFileValidator(IntegrityPayload integrity, base::File file);
+
+  void OnRead(base::span<char> buffer,
+              mojo::FileDataSource::ReadResult* result);
+
+  void OnDone();
+
+  void SetRange(uint64_t read_start, uint64_t extra_read, uint64_t read_max);
+  void SetCurrentBlock(int current_block);
+
+ protected:
+  bool FinishBlock();
+
+ private:
+  base::File file_;
+  IntegrityPayload integrity_;
+
+  // The offset in the file_ that the underlying file reader is starting at
+  uint64_t read_start_ = 0;
+  // The number of bytes this DataSourceFilter will have seen that aren't used
+  // by the DataProducer.  These extra bytes are exclusively for hash validation
+  // but we need to know how many we've used so we know when we're done.
+  uint64_t extra_read_ = 0;
+  // The maximum offset in the file_ that we should read to, used to determine
+  // which bytes we're missing or if we need to read up to a block boundary in
+  // OnDone
+  uint64_t read_max_ = 0;
+  bool done_reading_ = false;
+  int current_block_;
+  int max_block_;
+  uint64_t current_hash_byte_count_ = 0;
+  uint64_t total_hash_byte_count_ = 0;
+  std::unique_ptr<crypto::SecureHash> current_hash_;
+
+  DISALLOW_COPY_AND_ASSIGN(AsarFileValidator);
+};
+
+}  // namespace asar
+
+#endif  // SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_
--- a/shell/browser/net/asar/asar_url_loader.cc
+++ b/shell/browser/net/asar/asar_url_loader.cc
@ -4,6 +4,7 @@

 #include "shell/browser/net/asar/asar_url_loader.h"

+#include <algorithm>
 #include <memory>
 #include <string>
 #include <utility>
@ -13,6 +14,7 @@
 #include "base/task/post_task.h"
 #include "base/task/thread_pool.h"
 #include "content/public/browser/file_url_loader.h"
+#include "electron/fuses.h"
 #include "mojo/public/cpp/bindings/receiver.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "mojo/public/cpp/system/data_pipe_producer.h"
@ -23,6 +25,7 @@
 #include "net/http/http_byte_range.h"
 #include "net/http/http_util.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
+#include "shell/browser/net/asar/asar_file_validator.h"
 #include "shell/common/asar/archive.h"
 #include "shell/common/asar/asar_util.h"

@ -127,6 +130,7 @@ class AsarURLLoader : public network::mojom::URLLoader {
      OnClientComplete(net::ERR_FILE_NOT_FOUND);
      return;
    }
+    bool is_verifying_file = info.integrity.has_value();

    // For unpacked path, read like normal file.
    base::FilePath real_path;
@ -149,12 +153,24 @@ class AsarURLLoader : public network::mojom::URLLoader {
    base::File file(info.unpacked ? real_path : archive->path(),
                    base::File::FLAG_OPEN | base::File::FLAG_READ);
    auto file_data_source =
-        std::make_unique<mojo::FileDataSource>(std::move(file));
-    mojo::DataPipeProducer::DataSource* data_source = file_data_source.get();
+        std::make_unique<mojo::FileDataSource>(file.Duplicate());
+    std::unique_ptr<mojo::DataPipeProducer::DataSource> readable_data_source;
+    mojo::FileDataSource* file_data_source_raw = file_data_source.get();
+    AsarFileValidator* file_validator_raw = nullptr;
+    if (info.integrity.has_value()) {
+      auto asar_validator = std::make_unique<AsarFileValidator>(
+          std::move(info.integrity.value()), std::move(file));
+      file_validator_raw = asar_validator.get();
+      readable_data_source.reset(new mojo::FilteredDataSource(
+          std::move(file_data_source), std::move(asar_validator)));
+    } else {
+      readable_data_source = std::move(file_data_source);
+    }

-    std::vector<char> initial_read_buffer(net::kMaxBytesToSniff);
-    auto read_result =
-        data_source->Read(info.offset, base::span<char>(initial_read_buffer));
+    std::vector<char> initial_read_buffer(
+        std::min(static_cast<uint32_t>(net::kMaxBytesToSniff), info.size));
+    auto read_result = readable_data_source.get()->Read(
+        info.offset, base::span<char>(initial_read_buffer));
    if (read_result.result != MOJO_RESULT_OK) {
      OnClientComplete(ConvertMojoResultToNetError(read_result.result));
      return;
@ -183,6 +199,7 @@ class AsarURLLoader : public network::mojom::URLLoader {
    }

    uint64_t first_byte_to_send = 0;
+    uint64_t total_bytes_dropped_from_head = initial_read_buffer.size();
    uint64_t total_bytes_to_send = info.size;

    if (byte_range.IsValid()) {
@ -214,6 +231,26 @@ class AsarURLLoader : public network::mojom::URLLoader {
      // Discount the bytes we just sent from the total range.
      first_byte_to_send = read_result.bytes_read;
      total_bytes_to_send -= write_size;
+    } else if (is_verifying_file &&
+               first_byte_to_send >=
+                   static_cast<uint64_t>(info.integrity.value().block_size)) {
+      // If validation is active and the range of bytes the request wants starts
+      // beyond the first block we need to read the next 4MB-1KB to validate
+      // that block. Then we can skip ahead to the target block in the SetRange
+      // call below If we hit this case it is assumed that none of the data read
+      // will be needed by the producer
+      uint64_t bytes_to_drop =
+          info.integrity.value().block_size - net::kMaxBytesToSniff;
+      total_bytes_dropped_from_head += bytes_to_drop;
+      std::vector<char> abandoned_buffer(bytes_to_drop);
+      auto abandon_read_result =
+          readable_data_source.get()->Read(info.offset + net::kMaxBytesToSniff,
+                                           base::span<char>(abandoned_buffer));
+      if (abandon_read_result.result != MOJO_RESULT_OK) {
+        OnClientComplete(
+            ConvertMojoResultToNetError(abandon_read_result.result));
+        return;
+      }
    }

    if (!net::GetMimeTypeFromFile(path, &head->mime_type)) {
@ -234,23 +271,68 @@ class AsarURLLoader : public network::mojom::URLLoader {

    if (total_bytes_to_send == 0) {
      // There's definitely no more data, so we're already done.
+      // We provide the range data to the file validator so that
+      // it can validate the tiny amount of data we did send
+      if (file_validator_raw)
+        file_validator_raw->SetRange(info.offset + first_byte_to_send,
+                                     total_bytes_dropped_from_head,
+                                     info.offset + info.size);
      OnFileWritten(MOJO_RESULT_OK);
      return;
    }

+    if (is_verifying_file) {
+      uint32_t block_size = info.integrity.value().block_size;
+      int start_block = first_byte_to_send / block_size;
+
+      // If we're starting from the first block, we might not be starting from
+      // where we sniffed. We might be a few KB into a file so we need to read
+      // the data in the middle so it gets hashed.
+      //
+      // If we're starting from a later block we might be starting half-way
+      // through the block regardless of what was sniffed.  We need to read the
+      // data from the start of our initial block up to the start of our actual
+      // read point so it gets hashed.
+      uint64_t bytes_to_drop =
+          start_block == 0 ? first_byte_to_send - net::kMaxBytesToSniff
+                           : first_byte_to_send - (start_block * block_size);
+      if (file_validator_raw)
+        file_validator_raw->SetCurrentBlock(start_block);
+
+      if (bytes_to_drop > 0) {
+        uint64_t dropped_bytes_offset =
+            info.offset + (start_block * block_size);
+        if (start_block == 0)
+          dropped_bytes_offset += net::kMaxBytesToSniff;
+        total_bytes_dropped_from_head += bytes_to_drop;
+        std::vector<char> abandoned_buffer(bytes_to_drop);
+        auto abandon_read_result = readable_data_source.get()->Read(
+            dropped_bytes_offset, base::span<char>(abandoned_buffer));
+        if (abandon_read_result.result != MOJO_RESULT_OK) {
+          OnClientComplete(
+              ConvertMojoResultToNetError(abandon_read_result.result));
+          return;
+        }
+      }
+    }
+
    // In case of a range request, seek to the appropriate position before
    // sending the remaining bytes asynchronously. Under normal conditions
    // (i.e., no range request) this Seek is effectively a no-op.
    //
    // Note that in Electron we also need to add file offset.
-    file_data_source->SetRange(
+    file_data_source_raw->SetRange(
        first_byte_to_send + info.offset,
        first_byte_to_send + info.offset + total_bytes_to_send);
+    if (file_validator_raw)
+      file_validator_raw->SetRange(info.offset + first_byte_to_send,
+                                   total_bytes_dropped_from_head,
+                                   info.offset + info.size);

    data_producer_ =
        std::make_unique<mojo::DataPipeProducer>(std::move(producer_handle));
    data_producer_->Write(
-        std::move(file_data_source),
+        std::move(readable_data_source),
        base::BindOnce(&AsarURLLoader::OnFileWritten, base::Unretained(this)));
  }

--- a/shell/browser/resources/mac/Info.plist
+++ b/shell/browser/resources/mac/Info.plist
@ -49,5 +49,15 @@
    <string>This app needs access to Bluetooth</string>
    <key>NSBluetoothPeripheralUsageDescription</key>
    <string>This app needs access to Bluetooth</string>
+    <key>ElectronAsarIntegrity</key>
+    <dict>
+      <key>Resources/default_app.asar</key>
+      <dict>
+        <key>algorithm</key>
+        <string>SHA256</string>
+        <key>hash</key>
+        <string>${DEFAULT_APP_ASAR_HEADER_SHA}</string>
+      </dict>
+    </dict>
  </dict>
 </plist>
--- a/shell/common/api/electron_api_asar.cc
+++ b/shell/common/api/electron_api_asar.cc
@ -32,13 +32,12 @@ class Archive : public gin::Wrappable<Archive> {
  gin::ObjectTemplateBuilder GetObjectTemplateBuilder(
      v8::Isolate* isolate) override {
    return gin::ObjectTemplateBuilder(isolate)
-        .SetProperty("path", &Archive::GetPath)
        .SetMethod("getFileInfo", &Archive::GetFileInfo)
        .SetMethod("stat", &Archive::Stat)
        .SetMethod("readdir", &Archive::Readdir)
        .SetMethod("realpath", &Archive::Realpath)
        .SetMethod("copyFileOut", &Archive::CopyFileOut)
-        .SetMethod("getFd", &Archive::GetFD);
+        .SetMethod("getFdAndValidateIntegrityLater", &Archive::GetFD);
  }

  const char* GetTypeName() override { return "Archive"; }
@ -47,9 +46,6 @@ class Archive : public gin::Wrappable<Archive> {
  Archive(v8::Isolate* isolate, std::unique_ptr<asar::Archive> archive)
      : archive_(std::move(archive)) {}

-  // Returns the path of the file.
-  base::FilePath GetPath() { return archive_->path(); }
-
  // Reads the offset and size of file.
  v8::Local<v8::Value> GetFileInfo(v8::Isolate* isolate,
                                   const base::FilePath& path) {
@ -60,6 +56,20 @@ class Archive : public gin::Wrappable<Archive> {
    dict.Set("size", info.size);
    dict.Set("unpacked", info.unpacked);
    dict.Set("offset", info.offset);
+    if (info.integrity.has_value()) {
+      gin_helper::Dictionary integrity(isolate, v8::Object::New(isolate));
+      asar::HashAlgorithm algorithm = info.integrity.value().algorithm;
+      switch (algorithm) {
+        case asar::HashAlgorithm::SHA256:
+          integrity.Set("algorithm", "SHA256");
+          break;
+        case asar::HashAlgorithm::NONE:
+          CHECK(false);
+          break;
+      }
+      integrity.Set("hash", info.integrity.value().hash);
+      dict.Set("integrity", integrity);
+    }
    return dict.GetHandle();
  }

@ -108,7 +118,7 @@ class Archive : public gin::Wrappable<Archive> {
  int GetFD() const {
    if (!archive_)
      return -1;
-    return archive_->GetFD();
+    return archive_->GetUnsafeFD();
  }

 private:
--- a/shell/common/asar/archive.cc
+++ b/shell/common/asar/archive.cc
@ -18,6 +18,8 @@
 #include "base/task/post_task.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
+#include "electron/fuses.h"
+#include "shell/common/asar/asar_util.h"
 #include "shell/common/asar/scoped_temporary_file.h"

 #if defined(OS_WIN)
@ -95,6 +97,7 @@ bool GetNodeFromPath(std::string path,

 bool FillFileInfoWithNode(Archive::FileInfo* info,
                          uint32_t header_size,
+                          bool load_integrity,
                          const base::DictionaryValue* node) {
  int size;
  if (!node->GetInteger("size", &size))
@ -113,6 +116,42 @@ bool FillFileInfoWithNode(Archive::FileInfo* info,

  node->GetBoolean("executable", &info->executable);

+#if defined(OS_MAC)
+  if (load_integrity &&
+      electron::fuses::IsEmbeddedAsarIntegrityValidationEnabled()) {
+    const base::DictionaryValue* integrity;
+    if (node->GetDictionary("integrity", &integrity)) {
+      IntegrityPayload integrity_payload;
+      std::string algorithm;
+      const base::ListValue* blocks;
+      int block_size;
+      if (integrity->GetString("algorithm", &algorithm) &&
+          integrity->GetString("hash", &integrity_payload.hash) &&
+          integrity->GetInteger("blockSize", &block_size) &&
+          integrity->GetList("blocks", &blocks) && block_size > 0) {
+        integrity_payload.block_size = static_cast<uint32_t>(block_size);
+        for (size_t i = 0; i < blocks->GetSize(); i++) {
+          std::string block;
+          if (!blocks->GetString(i, &block)) {
+            LOG(FATAL)
+                << "Invalid block integrity value for file in ASAR archive";
+          }
+          integrity_payload.blocks.push_back(block);
+        }
+        if (algorithm == "SHA256") {
+          integrity_payload.algorithm = HashAlgorithm::SHA256;
+          info->integrity = std::move(integrity_payload);
+        }
+      }
+    }
+
+    if (!info->integrity.has_value()) {
+      LOG(FATAL) << "Failed to read integrity for file in ASAR archive";
+      return false;
+    }
+  }
+#endif
+
  return true;
 }

@ -191,6 +230,32 @@ bool Archive::Init() {
    return false;
  }

+#if defined(OS_MAC)
+  // Validate header signature if required and possible
+  if (electron::fuses::IsEmbeddedAsarIntegrityValidationEnabled() &&
+      RelativePath().has_value()) {
+    absl::optional<IntegrityPayload> integrity = HeaderIntegrity();
+    if (!integrity.has_value()) {
+      LOG(FATAL) << "Failed to get integrity for validatable asar archive: "
+                 << RelativePath().value();
+      return false;
+    }
+
+    // Currently we only support the sha256 algorithm, we can add support for
+    // more below ensure we read them in preference order from most secure to
+    // least
+    if (integrity.value().algorithm != HashAlgorithm::NONE) {
+      ValidateIntegrityOrDie(header.c_str(), header.length(),
+                             integrity.value());
+    } else {
+      LOG(FATAL) << "No eligible hash for validatable asar archive: "
+                 << RelativePath().value();
+    }
+
+    header_validated_ = true;
+  }
+#endif
+
  absl::optional<base::Value> value = base::JSONReader::Read(header);
  if (!value || !value->is_dict()) {
    LOG(ERROR) << "Failed to parse header";
@ -203,6 +268,16 @@ bool Archive::Init() {
  return true;
 }

+#if !defined(OS_MAC)
+absl::optional<IntegrityPayload> Archive::HeaderIntegrity() const {
+  return absl::optional<IntegrityPayload>();
+}
+
+absl::optional<base::FilePath> Archive::RelativePath() const {
+  return absl::optional<base::FilePath>();
+}
+#endif
+
 bool Archive::GetFileInfo(const base::FilePath& path, FileInfo* info) const {
  if (!header_)
    return false;
@ -215,7 +290,7 @@ bool Archive::GetFileInfo(const base::FilePath& path, FileInfo* info) const {
  if (node->GetString("link", &link))
    return GetFileInfo(base::FilePath::FromUTF8Unsafe(link), info);

-  return FillFileInfoWithNode(info, header_size_, node);
+  return FillFileInfoWithNode(info, header_size_, header_validated_, node);
 }

 bool Archive::Stat(const base::FilePath& path, Stats* stats) const {
@ -238,7 +313,7 @@ bool Archive::Stat(const base::FilePath& path, Stats* stats) const {
    return true;
  }

-  return FillFileInfoWithNode(stats, header_size_, node);
+  return FillFileInfoWithNode(stats, header_size_, header_validated_, node);
 }

 bool Archive::Readdir(const base::FilePath& path,
@ -304,7 +379,8 @@ bool Archive::CopyFileOut(const base::FilePath& path, base::FilePath* out) {

  auto temp_file = std::make_unique<ScopedTemporaryFile>();
  base::FilePath::StringType ext = path.Extension();
-  if (!temp_file->InitFromFile(&file_, ext, info.offset, info.size))
+  if (!temp_file->InitFromFile(&file_, ext, info.offset, info.size,
+                               info.integrity))
    return false;

 #if defined(OS_POSIX)
@ -319,7 +395,7 @@ bool Archive::CopyFileOut(const base::FilePath& path, base::FilePath* out) {
  return true;
 }

-int Archive::GetFD() const {
+int Archive::GetUnsafeFD() const {
  return fd_;
 }

--- a/shell/common/asar/archive.h
+++ b/shell/common/asar/archive.h
@ -6,12 +6,14 @@
 #define SHELL_COMMON_ASAR_ARCHIVE_H_

 #include <memory>
+#include <string>
 #include <unordered_map>
 #include <vector>

 #include "base/files/file.h"
 #include "base/files/file_path.h"
 #include "base/synchronization/lock.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"

 namespace base {
 class DictionaryValue;
@ -21,6 +23,19 @@ namespace asar {

 class ScopedTemporaryFile;

+enum HashAlgorithm {
+  SHA256,
+  NONE,
+};
+
+struct IntegrityPayload {
+  IntegrityPayload() : algorithm(HashAlgorithm::NONE), block_size(0) {}
+  HashAlgorithm algorithm;
+  std::string hash;
+  uint32_t block_size;
+  std::vector<std::string> blocks;
+};
+
 // This class represents an asar package, and provides methods to read
 // information from it. It is thread-safe after |Init| has been called.
 class Archive {
@ -31,6 +46,7 @@ class Archive {
    bool executable;
    uint32_t size;
    uint64_t offset;
+    absl::optional<IntegrityPayload> integrity;
  };

  struct Stats : public FileInfo {
@ -46,6 +62,9 @@ class Archive {
  // Read and parse the header.
  bool Init();

+  absl::optional<IntegrityPayload> HeaderIntegrity() const;
+  absl::optional<base::FilePath> RelativePath() const;
+
  // Get the info of a file.
  bool GetFileInfo(const base::FilePath& path, FileInfo* info) const;

@ -64,12 +83,16 @@ class Archive {
  bool CopyFileOut(const base::FilePath& path, base::FilePath* out);

  // Returns the file's fd.
-  int GetFD() const;
+  // Using this fd will not validate the integrity of any files
+  // you read out of the ASAR manually.  Callers are responsible
+  // for integrity validation after this fd is handed over.
+  int GetUnsafeFD() const;

  base::FilePath path() const { return path_; }

 private:
  bool initialized_;
+  bool header_validated_ = false;
  const base::FilePath path_;
  base::File file_;
  int fd_ = -1;
--- a/shell/common/asar/archive_mac.mm
+++ b/shell/common/asar/archive_mac.mm
@ -0,0 +1,65 @@
+// Copyright (c) 2021 Slack Technologies, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "shell/common/asar/archive.h"
+
+#include <CommonCrypto/CommonDigest.h>
+#include <CoreFoundation/CoreFoundation.h>
+#include <Foundation/Foundation.h>
+
+#include <iomanip>
+#include <string>
+
+#include "base/logging.h"
+#include "base/mac/bundle_locations.h"
+#include "base/mac/foundation_util.h"
+#include "base/mac/scoped_cftyperef.h"
+#include "base/strings/sys_string_conversions.h"
+#include "shell/common/asar/asar_util.h"
+
+namespace asar {
+
+absl::optional<base::FilePath> Archive::RelativePath() const {
+  base::FilePath bundle_path = base::mac::MainBundlePath().Append("Contents");
+
+  base::FilePath relative_path;
+  if (!bundle_path.AppendRelativePath(path_, &relative_path))
+    return absl::nullopt;
+
+  return relative_path;
+}
+
+absl::optional<IntegrityPayload> Archive::HeaderIntegrity() const {
+  absl::optional<base::FilePath> relative_path = RelativePath();
+  // Callers should have already asserted this
+  CHECK(relative_path.has_value());
+
+  NSDictionary* integrity = [[NSBundle mainBundle]
+      objectForInfoDictionaryKey:@"ElectronAsarIntegrity"];
+
+  // Integrity not provided
+  if (!integrity)
+    return absl::nullopt;
+
+  NSString* ns_relative_path =
+      base::mac::FilePathToNSString(relative_path.value());
+
+  NSDictionary* integrity_payload = [integrity objectForKey:ns_relative_path];
+
+  if (!integrity_payload)
+    return absl::nullopt;
+
+  NSString* algorithm = [integrity_payload objectForKey:@"algorithm"];
+  NSString* hash = [integrity_payload objectForKey:@"hash"];
+  if (algorithm && hash && [algorithm isEqualToString:@"SHA256"]) {
+    IntegrityPayload header_integrity;
+    header_integrity.algorithm = HashAlgorithm::SHA256;
+    header_integrity.hash = base::SysNSStringToUTF8(hash);
+    return header_integrity;
+  }
+
+  return absl::nullopt;
+}
+
+}  // namespace asar
--- a/shell/common/asar/asar_util.cc
+++ b/shell/common/asar/asar_util.cc
@ -11,11 +11,16 @@
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/lazy_instance.h"
+#include "base/logging.h"
 #include "base/no_destructor.h"
 #include "base/stl_util.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
 #include "base/synchronization/lock.h"
 #include "base/threading/thread_local.h"
 #include "base/threading/thread_restrictions.h"
+#include "crypto/secure_hash.h"
+#include "crypto/sha2.h"
 #include "shell/common/asar/archive.h"

 namespace asar {
@ -130,9 +135,38 @@ bool ReadFileToString(const base::FilePath& path, std::string* contents) {
    return false;

  contents->resize(info.size);
-  return static_cast<int>(info.size) ==
-         src.Read(info.offset, const_cast<char*>(contents->data()),
-                  contents->size());
+  if (static_cast<int>(info.size) !=
+      src.Read(info.offset, const_cast<char*>(contents->data()),
+               contents->size())) {
+    return false;
+  }
+
+  if (info.integrity.has_value()) {
+    ValidateIntegrityOrDie(contents->data(), contents->size(),
+                           info.integrity.value());
+  }
+
+  return true;
+}
+
+void ValidateIntegrityOrDie(const char* data,
+                            size_t size,
+                            const IntegrityPayload& integrity) {
+  if (integrity.algorithm == HashAlgorithm::SHA256) {
+    uint8_t hash[crypto::kSHA256Length];
+    auto hasher = crypto::SecureHash::Create(crypto::SecureHash::SHA256);
+    hasher->Update(data, size);
+    hasher->Finish(hash, sizeof(hash));
+    const std::string hex_hash =
+        base::ToLowerASCII(base::HexEncode(hash, sizeof(hash)));
+
+    if (integrity.hash != hex_hash) {
+      LOG(FATAL) << "Integrity check failed for asar archive ("
+                 << integrity.hash << " vs " << hex_hash << ")";
+    }
+  } else {
+    LOG(FATAL) << "Unsupported hashing algorithm in ValidateIntegrityOrDie";
+  }
 }

 }  // namespace asar
--- a/shell/common/asar/asar_util.h
+++ b/shell/common/asar/asar_util.h
@ -15,6 +15,7 @@ class FilePath;
 namespace asar {

 class Archive;
+struct IntegrityPayload;

 // Gets or creates and caches a new Archive from the path.
 std::shared_ptr<Archive> GetOrCreateAsarArchive(const base::FilePath& path);
@ -31,6 +32,10 @@ bool GetAsarArchivePath(const base::FilePath& full_path,
 // Same with base::ReadFileToString but supports asar Archive.
 bool ReadFileToString(const base::FilePath& path, std::string* contents);

+void ValidateIntegrityOrDie(const char* data,
+                            size_t size,
+                            const IntegrityPayload& integrity);
+
 }  // namespace asar

 #endif  // SHELL_COMMON_ASAR_ASAR_UTIL_H_
--- a/shell/common/asar/scoped_temporary_file.cc
+++ b/shell/common/asar/scoped_temporary_file.cc
@ -7,7 +7,9 @@
 #include <vector>

 #include "base/files/file_util.h"
+#include "base/logging.h"
 #include "base/threading/thread_restrictions.h"
+#include "shell/common/asar/asar_util.h"

 namespace asar {

@ -48,21 +50,28 @@ bool ScopedTemporaryFile::Init(const base::FilePath::StringType& ext) {
  return true;
 }

-bool ScopedTemporaryFile::InitFromFile(base::File* src,
-                                       const base::FilePath::StringType& ext,
-                                       uint64_t offset,
-                                       uint64_t size) {
+bool ScopedTemporaryFile::InitFromFile(
+    base::File* src,
+    const base::FilePath::StringType& ext,
+    uint64_t offset,
+    uint64_t size,
+    const absl::optional<IntegrityPayload>& integrity) {
  if (!src->IsValid())
    return false;

  if (!Init(ext))
    return false;

+  base::ThreadRestrictions::ScopedAllowIO allow_io;
  std::vector<char> buf(size);
  int len = src->Read(offset, buf.data(), buf.size());
  if (len != static_cast<int>(size))
    return false;

+  if (integrity.has_value()) {
+    ValidateIntegrityOrDie(buf.data(), buf.size(), integrity.value());
+  }
+
  base::File dest(path_, base::File::FLAG_OPEN | base::File::FLAG_WRITE);
  if (!dest.IsValid())
    return false;
--- a/shell/common/asar/scoped_temporary_file.h
+++ b/shell/common/asar/scoped_temporary_file.h
@ -6,6 +6,8 @@
 #define SHELL_COMMON_ASAR_SCOPED_TEMPORARY_FILE_H_

 #include "base/files/file_path.h"
+#include "shell/common/asar/archive.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"

 namespace base {
 class File;
@ -31,7 +33,8 @@ class ScopedTemporaryFile {
  bool InitFromFile(base::File* src,
                    const base::FilePath::StringType& ext,
                    uint64_t offset,
-                    uint64_t size);
+                    uint64_t size,
+                    const absl::optional<IntegrityPayload>& integrity);

  base::FilePath path() const { return path_; }

--- a/shell/common/node_bindings.cc
+++ b/shell/common/node_bindings.cc
@ -433,13 +433,29 @@ node::Environment* NodeBindings::CreateEnvironment(
      break;
  }

-  gin_helper::Dictionary global(context->GetIsolate(), context->Global());
+  v8::Isolate* isolate = context->GetIsolate();
+  gin_helper::Dictionary global(isolate, context->Global());
  // Do not set DOM globals for renderer process.
  // We must set this before the node bootstrapper which is run inside
  // CreateEnvironment
  if (browser_env_ != BrowserEnvironment::kBrowser)
    global.Set("_noBrowserGlobals", true);

+  if (browser_env_ == BrowserEnvironment::kBrowser) {
+    const std::vector<std::string> search_paths = {"app.asar", "app",
+                                                   "default_app.asar"};
+    const std::vector<std::string> app_asar_search_paths = {"app.asar"};
+    context->Global()->SetPrivate(
+        context,
+        v8::Private::ForApi(
+            isolate,
+            gin::ConvertToV8(isolate, "appSearchPaths").As<v8::String>()),
+        gin::ConvertToV8(isolate,
+                         electron::fuses::IsOnlyLoadAppFromAsarEnabled()
+                             ? app_asar_search_paths
+                             : search_paths));
+  }
+
  std::vector<std::string> exec_args;
  base::FilePath resources_path = GetResourcesPath();
  std::string init_script = "electron/js2c/" + process_type + "_init";
--- a/spec-main/node-spec.ts
+++ b/spec-main/node-spec.ts
@ -350,7 +350,7 @@ describe('node feature', () => {
  });

  it('Can find a module using a package.json main field', () => {
-    const result = childProcess.spawnSync(process.execPath, [path.resolve(fixtures, 'api', 'electron-main-module', 'app.asar')]);
+    const result = childProcess.spawnSync(process.execPath, [path.resolve(fixtures, 'api', 'electron-main-module', 'app.asar')], { stdio: 'inherit' });
    expect(result.status).to.equal(0);
  });

--- a/spec/asar-spec.js
+++ b/spec/asar-spec.js
@ -1564,7 +1564,7 @@ describe('asar package', function () {
        forked.on('message', function (stats) {
          try {
            expect(stats.isFile).to.be.true();
-            expect(stats.size).to.equal(778);
+            expect(stats.size).to.equal(3458);
            done();
          } catch (e) {
            done(e);
@ -1588,7 +1588,7 @@ describe('asar package', function () {
          try {
            const stats = JSON.parse(output);
            expect(stats.isFile).to.be.true();
-            expect(stats.size).to.equal(778);
+            expect(stats.size).to.equal(3458);
            done();
          } catch (e) {
            done(e);
--- a/spec/fixtures/test.asar/a.asar
+++ b/spec/fixtures/test.asar/a.asar
--- a/spec/fixtures/test.asar/echo.asar
+++ b/spec/fixtures/test.asar/echo.asar
--- a/spec/fixtures/test.asar/empty.asar
+++ b/spec/fixtures/test.asar/empty.asar
--- a/spec/fixtures/test.asar/logo.asar
+++ b/spec/fixtures/test.asar/logo.asar
--- a/spec/fixtures/test.asar/repack.js
+++ b/spec/fixtures/test.asar/repack.js
@ -0,0 +1,22 @@
+// Use this script to regenerate these fixture files
+// using a new version of the asar package
+
+const asar = require('asar');
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+const archives = [];
+for (const child of fs.readdirSync(__dirname)) {
+  if (child.endsWith('.asar')) {
+    archives.push(path.resolve(__dirname, child));
+  }
+}
+
+for (const archive of archives) {
+  const tmp = fs.mkdtempSync(path.resolve(os.tmpdir(), 'asar-spec-'));
+  asar.extractAll(archive, tmp);
+  asar.createPackageWithOptions(tmp, archive, {
+    unpack: fs.existsSync(archive + '.unpacked') ? '*' : undefined
+  });
+}
--- a/spec/fixtures/test.asar/script.asar
+++ b/spec/fixtures/test.asar/script.asar
--- a/spec/fixtures/test.asar/unpack.asar
+++ b/spec/fixtures/test.asar/unpack.asar
--- a/spec/fixtures/test.asar/video.asar
+++ b/spec/fixtures/test.asar/video.asar
--- a/spec/fixtures/test.asar/web.asar
+++ b/spec/fixtures/test.asar/web.asar
--- a/typings/internal-ambient.d.ts
+++ b/typings/internal-ambient.d.ts
@ -63,6 +63,10 @@ declare namespace NodeJS {
    size: number;
    unpacked: boolean;
    offset: number;
+    integrity?: {
+      algorithm: 'SHA256';
+      hash: string;
+    }
  };

  type AsarFileStat = {
@ -74,13 +78,12 @@ declare namespace NodeJS {
  }

  interface AsarArchive {
-    readonly path: string;
    getFileInfo(path: string): AsarFileInfo | false;
    stat(path: string): AsarFileStat | false;
    readdir(path: string): string[] | false;
    realpath(path: string): string | false;
    copyFileOut(path: string): string | false;
-    getFd(): number | -1;
+    getFdAndValidateIntegrityLater(): number | -1;
  }

  interface AsarBinding {
--- a/yarn.lock
+++ b/yarn.lock
@ -1079,10 +1079,10 @@ arrify@^1.0.0:
  resolved "https://registry.yarnpkg.com/arrify/-/arrify-1.0.1.tgz#898508da2226f380df904728456849c1501a4b0d"
  integrity sha1-iYUI2iIm84DfkEcoRWhJwVAaSw0=

-asar@^3.0.3:
-  version "3.0.3"
-  resolved "https://registry.yarnpkg.com/asar/-/asar-3.0.3.tgz#1fef03c2d6d2de0cbad138788e4f7ae03b129c7b"
-  integrity sha512-k7zd+KoR+n8pl71PvgElcoKHrVNiSXtw7odKbyNpmgKe7EGRF9Pnu3uLOukD37EvavKwVFxOUpqXTIZC5B5Pmw==
+asar@^3.1.0:
+  version "3.1.0"
+  resolved "https://registry.yarnpkg.com/asar/-/asar-3.1.0.tgz#70b0509449fe3daccc63beb4d3c7d2e24d3c6473"
+  integrity sha512-vyxPxP5arcAqN4F/ebHd/HhwnAiZtwhglvdmc7BR2f0ywbVNTOpSeyhLDbGXtE/y58hv1oC75TaNIXutnsOZsQ==
  dependencies:
    chromium-pickle-js "^0.2.0"
    commander "^5.0.0"