feat: add support for validating asar archives on macOS (#30667)

* feat: add support for validating asar archives on macOS * chore: fix lint * chore: update as per feedback * feat: switch implementation to asar integrity hash checks * feat: make ranged requests work with the asar file validator DataSourceFilter * chore: fix lint * chore: fix missing log include on non-darwin * fix: do not pull block size out of missing optional * fix: match ValidateOrDie symbol on non-darwin * chore: fix up asar specs by repacking archives * fix: maintain integrity chain, do not load file integrity if header integrity was not loaded * debug test * Update node-spec.ts * fix: initialize header_validated_ * chore: update PR per feedback * chore: update per feedback * build: use final asar module * Update fuses.json5
2021-09-09 14:49:01 -07:00 · 2021-09-09 14:49:01 -07:00 · 57d088517c
commit 57d088517c
parent fcad531f2e
35 changed files with 705 additions and 43 deletions
--- a/BUILD.gn
+++ b/BUILD.gn
@ -1024,6 +1024,12 @@ if (is_mac) {
    outputs = [ "{{bundle_resources_dir}}/{{source_file_part}}" ]
  }
  asar_hashed_info_plist("electron_app_plist") {
    keys = [ "DEFAULT_APP_ASAR_HEADER_SHA" ]
    hash_targets = [ ":default_app_asar_header_hash" ]
    plist_file = "shell/browser/resources/mac/Info.plist"
  }
  mac_app_bundle("electron_app") {
    output_name = electron_product_name
    sources = filenames.app_sources
@ -1031,6 +1037,7 @@ if (is_mac) {
    include_dirs = [ "." ]
    deps = [
      ":electron_app_framework_bundle_data",
      ":electron_app_plist",
      ":electron_app_resources",
      ":electron_fuses",
      "//base",
@ -1039,7 +1046,7 @@ if (is_mac) {
    if (is_mas_build) {
      deps += [ ":electron_login_helper_app" ]
    }
-    info_plist = "shell/browser/resources/mac/Info.plist"
+    info_plist_target = ":electron_app_plist"
    extra_substitutions = [
      "ELECTRON_BUNDLE_ID=$electron_mac_bundle_id",
      "ELECTRON_VERSION=$electron_version",
--- a/build/asar.gni
+++ b/build/asar.gni
@ -57,4 +57,42 @@ template("asar") {
             rebase_path(outputs[0]),
           ]
  }
  node_action(target_name + "_header_hash") {
    invoker_out = invoker.outputs
    deps = [ ":" + invoker.target_name ]
    sources = invoker.outputs
    script = "//electron/script/gn-asar-hash.js"
    outputs = [ "$target_gen_dir/asar_hashes/$target_name.hash" ]
    args = [
      rebase_path(invoker_out[0]),
      rebase_path(outputs[0]),
    ]
  }
 }
 template("asar_hashed_info_plist") {
  node_action(target_name) {
    assert(defined(invoker.plist_file),
           "Need plist_file to add hashed assets to")
    assert(defined(invoker.keys), "Need keys to replace with asset hash")
    assert(defined(invoker.hash_targets), "Need hash_targets to read hash from")
    deps = invoker.hash_targets
    script = "//electron/script/gn-plist-but-with-hashes.js"
    inputs = [ invoker.plist_file ]
    outputs = [ "$target_gen_dir/hashed_plists/$target_name.plist" ]
    hash_files = []
    foreach(hash_target, invoker.hash_targets) {
      hash_files += get_target_outputs(hash_target)
    }
    args = [
             rebase_path(invoker.plist_file),
             rebase_path(outputs[0]),
           ] + invoker.keys + rebase_path(hash_files)
  }
 }
--- a/build/fuses/fuses.json5
+++ b/build/fuses/fuses.json5
@ -5,5 +5,7 @@
  "run_as_node": "1",
  "cookie_encryption": "0",
  "node_options": "1",
-  "node_cli_inspect": "1"
+  "node_cli_inspect": "1",
  "embedded_asar_integrity_validation": "0",
  "only_load_app_from_asar": "0"
 }
--- a/filenames.gni
+++ b/filenames.gni
@ -191,6 +191,7 @@ filenames = {
    "shell/browser/ui/tray_icon_cocoa.mm",
    "shell/common/api/electron_api_clipboard_mac.mm",
    "shell/common/api/electron_api_native_image_mac.mm",
    "shell/common/asar/archive_mac.mm",
    "shell/common/application_info_mac.mm",
    "shell/common/language_util_mac.mm",
    "shell/common/mac/main_application_bundle.h",
@ -403,6 +404,8 @@ filenames = {
    "shell/browser/native_window.cc",
    "shell/browser/native_window.h",
    "shell/browser/native_window_observer.h",
    "shell/browser/net/asar/asar_file_validator.cc",
    "shell/browser/net/asar/asar_file_validator.h",
    "shell/browser/net/asar/asar_url_loader.cc",
    "shell/browser/net/asar/asar_url_loader.h",
    "shell/browser/net/asar/asar_url_loader_factory.cc",
--- a/lib/asar/fs-wrapper.ts
+++ b/lib/asar/fs-wrapper.ts
@ -1,6 +1,7 @@
 import { Buffer } from 'buffer';
 import * as path from 'path';
 import * as util from 'util';
 import type * as Crypto from 'crypto';
 const asar = process._linkedBinding('electron_common_asar');
@ -194,6 +195,20 @@ const overrideAPI = function (module: Record<string, any>, name: string, pathArg
  }
 };
 let crypto: typeof Crypto;
 function validateBufferIntegrity (buffer: Buffer, integrity: NodeJS.AsarFileInfo['integrity']) {
  if (!integrity) return;
  // Delay load crypto to improve app boot performance
  // when integrity protection is not enabled
  crypto = crypto || require('crypto');
  const actual = crypto.createHash(integrity.algorithm).update(buffer).digest('hex');
  if (actual !== integrity.hash) {
    console.error(`ASAR Integrity Violation: got a hash mismatch (${actual} vs ${integrity.hash})`);
    process.exit(1);
  }
 }
 const makePromiseFunction = function (orig: Function, pathArgumentIndex: number) {
  return function (this: any, ...args: any[]) {
    const pathArgument = args[pathArgumentIndex];
@ -531,7 +546,7 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
      }
      const buffer = Buffer.alloc(info.size);
-      const fd = archive.getFd();
+      const fd = archive.getFdAndValidateIntegrityLater();
      if (!(fd >= 0)) {
        const error = createError(AsarError.NOT_FOUND, { asarPath, filePath });
        nextTick(callback, [error]);
@ -540,6 +555,7 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
      logASARAccess(asarPath, filePath, info.offset);
      fs.read(fd, buffer, 0, info.size, info.offset, (error: Error) => {
        validateBufferIntegrity(buffer, info.integrity);
        callback(error, encoding ? buffer.toString(encoding) : buffer);
      });
    }
@ -595,11 +611,12 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
    const { encoding } = options;
    const buffer = Buffer.alloc(info.size);
-    const fd = archive.getFd();
+    const fd = archive.getFdAndValidateIntegrityLater();
    if (!(fd >= 0)) throw createError(AsarError.NOT_FOUND, { asarPath, filePath });
    logASARAccess(asarPath, filePath, info.offset);
    fs.readSync(fd, buffer, 0, info.size, info.offset);
    validateBufferIntegrity(buffer, info.integrity);
    return (encoding) ? buffer.toString(encoding) : buffer;
  };
@ -713,11 +730,12 @@ export const wrapFsWithAsar = (fs: Record<string, any>) => {
    }
    const buffer = Buffer.alloc(info.size);
-    const fd = archive.getFd();
+    const fd = archive.getFdAndValidateIntegrityLater();
    if (!(fd >= 0)) return [];
    logASARAccess(asarPath, filePath, info.offset);
    fs.readSync(fd, buffer, 0, info.size, info.offset);
    validateBufferIntegrity(buffer, info.integrity);
    const str = buffer.toString('utf8');
    return [str, str.length > 0];
  };
--- a/lib/browser/init.ts
+++ b/lib/browser/init.ts
@ -81,9 +81,10 @@ require('@electron/internal/browser/guest-view-manager');
 require('@electron/internal/browser/guest-window-proxy');
 // Now we try to load app's package.json.
 const v8Util = process._linkedBinding('electron_common_v8_util');
 let packagePath = null;
 let packageJson = null;
-const searchPaths = ['app', 'app.asar', 'default_app.asar'];
+const searchPaths: string[] = v8Util.getHiddenValue(global, 'appSearchPaths');
 if (process.resourcesPath) {
  for (packagePath of searchPaths) {
--- a/package.json
+++ b/package.json
@ -30,7 +30,7 @@
    "@types/webpack-env": "^1.15.2",
    "@typescript-eslint/eslint-plugin": "^4.4.1",
    "@typescript-eslint/parser": "^4.4.1",
-    "asar": "^3.0.3",
+    "asar": "^3.1.0",
    "aws-sdk": "^2.727.1",
    "check-for-leaks": "^1.2.1",
    "colors": "^1.4.0",
--- a/script/gn-asar-hash.js
+++ b/script/gn-asar-hash.js
@ -0,0 +1,9 @@
 const asar = require('asar');
 const crypto = require('crypto');
 const fs = require('fs');
 const archive = process.argv[2];
 const hashFile = process.argv[3];
 const { headerString } = asar.getRawHeader(archive);
 fs.writeFileSync(hashFile, crypto.createHash('SHA256').update(headerString).digest('hex'));
--- a/script/gn-plist-but-with-hashes.js
+++ b/script/gn-plist-but-with-hashes.js
@ -0,0 +1,16 @@
 const fs = require('fs');
 const [,, plistPath, outputPath, ...keySet] = process.argv;
 const keyPairs = {};
 for (let i = 0; i * 2 < keySet.length; i++) {
  keyPairs[keySet[i]] = fs.readFileSync(keySet[(keySet.length / 2) + i], 'utf8');
 }
 let plistContents = fs.readFileSync(plistPath, 'utf8');
 for (const key of Object.keys(keyPairs)) {
  plistContents = plistContents.replace(`$\{${key}}`, keyPairs[key]);
 }
 fs.writeFileSync(outputPath, plistContents);
--- a/shell/browser/net/asar/asar_file_validator.cc
+++ b/shell/browser/net/asar/asar_file_validator.cc
@ -0,0 +1,150 @@
 // Copyright (c) 2021 Slack Technologies, Inc.
 // Use of this source code is governed by the MIT license that can be
 // found in the LICENSE file.
 #include "shell/browser/net/asar/asar_file_validator.h"
 #include <algorithm>
 #include <string>
 #include <utility>
 #include <vector>
 #include "base/logging.h"
 #include "base/notreached.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "crypto/sha2.h"
 namespace asar {
 AsarFileValidator::AsarFileValidator(IntegrityPayload integrity,
                                     base::File file)
    : file_(std::move(file)), integrity_(std::move(integrity)) {
  current_block_ = 0;
  max_block_ = integrity_.blocks.size() - 1;
 }
 void AsarFileValidator::OnRead(base::span<char> buffer,
                               mojo::FileDataSource::ReadResult* result) {
  DCHECK(!done_reading_);
  uint64_t buffer_size = result->bytes_read;
  // Compute how many bytes we should hash, and add them to the current hash.
  uint32_t block_size = integrity_.block_size;
  uint64_t bytes_added = 0;
  while (bytes_added < buffer_size) {
    if (current_block_ > max_block_) {
      LOG(FATAL)
          << "Unexpected number of blocks while validating ASAR file stream";
      return;
    }
    // Create a hash if we don't have one yet
    if (!current_hash_) {
      current_hash_byte_count_ = 0;
      switch (integrity_.algorithm) {
        case HashAlgorithm::SHA256:
          current_hash_ =
              crypto::SecureHash::Create(crypto::SecureHash::SHA256);
          break;
        case HashAlgorithm::NONE:
          CHECK(false);
          break;
      }
    }
    // Compute how many bytes we should hash, and add them to the current hash.
    // We need to either add just enough bytes to fill up a block (block_size -
    // current_bytes) or use every remaining byte (buffer_size - bytes_added)
    int bytes_to_hash = std::min(block_size - current_hash_byte_count_,
                                 buffer_size - bytes_added);
    DCHECK_GT(bytes_to_hash, 0);
    current_hash_->Update(buffer.data() + bytes_added, bytes_to_hash);
    bytes_added += bytes_to_hash;
    current_hash_byte_count_ += bytes_to_hash;
    total_hash_byte_count_ += bytes_to_hash;
    if (current_hash_byte_count_ == block_size && !FinishBlock()) {
      LOG(FATAL) << "Failed to validate block while streaming ASAR file: "
                 << current_block_;
      return;
    }
  }
 }
 bool AsarFileValidator::FinishBlock() {
  if (current_hash_byte_count_ == 0) {
    if (!done_reading_ || current_block_ > max_block_) {
      return true;
    }
  }
  if (!current_hash_) {
    // This happens when we fail to read the resource. Compute empty content's
    // hash in this case.
    current_hash_ = crypto::SecureHash::Create(crypto::SecureHash::SHA256);
  }
  uint8_t actual[crypto::kSHA256Length];
  // If the file reader is done we need to make sure we've either read up to the
  // end of the file (the check below) or up to the end of a block_size byte
  // boundary. If the below check fails we compute the next block boundary, how
  // many bytes are needed to get there and then we manually read those bytes
  // from our own file handle ensuring the data producer is unaware but we can
  // validate the hash still.
  if (done_reading_ &&
      total_hash_byte_count_ - extra_read_ != read_max_ - read_start_) {
    uint64_t bytes_needed = std::min(
        integrity_.block_size - current_hash_byte_count_,
        read_max_ - read_start_ - total_hash_byte_count_ + extra_read_);
    uint64_t offset = read_start_ + total_hash_byte_count_ - extra_read_;
    std::vector<uint8_t> abandoned_buffer(bytes_needed);
    if (!file_.ReadAndCheck(offset, abandoned_buffer)) {
      LOG(FATAL) << "Failed to read required portion of streamed ASAR archive";
      return false;
    }
    current_hash_->Update(&abandoned_buffer.front(), bytes_needed);
  }
  current_hash_->Finish(actual, sizeof(actual));
  current_hash_.reset();
  current_hash_byte_count_ = 0;
  const std::string expected_hash = integrity_.blocks[current_block_];
  const std::string actual_hex_hash =
      base::ToLowerASCII(base::HexEncode(actual, sizeof(actual)));
  if (expected_hash != actual_hex_hash) {
    return false;
  }
  current_block_++;
  return true;
 }
 void AsarFileValidator::OnDone() {
  DCHECK(!done_reading_);
  done_reading_ = true;
  if (!FinishBlock()) {
    LOG(FATAL) << "Failed to validate block while ending ASAR file stream: "
               << current_block_;
  }
 }
 void AsarFileValidator::SetRange(uint64_t read_start,
                                 uint64_t extra_read,
                                 uint64_t read_max) {
  read_start_ = read_start;
  extra_read_ = extra_read;
  read_max_ = read_max;
 }
 void AsarFileValidator::SetCurrentBlock(int current_block) {
  current_block_ = current_block;
 }
 }  // namespace asar
--- a/shell/browser/net/asar/asar_file_validator.h
+++ b/shell/browser/net/asar/asar_file_validator.h
@ -0,0 +1,60 @@
 // Copyright (c) 2021 Slack Technologies, Inc.
 // Use of this source code is governed by the MIT license that can be
 // found in the LICENSE file.
 #ifndef SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_
 #define SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_
 #include <algorithm>
 #include <memory>
 #include "crypto/secure_hash.h"
 #include "mojo/public/cpp/system/file_data_source.h"
 #include "mojo/public/cpp/system/filtered_data_source.h"
 #include "shell/common/asar/archive.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 namespace asar {
 class AsarFileValidator : public mojo::FilteredDataSource::Filter {
 public:
  AsarFileValidator(IntegrityPayload integrity, base::File file);
  void OnRead(base::span<char> buffer,
              mojo::FileDataSource::ReadResult* result);
  void OnDone();
  void SetRange(uint64_t read_start, uint64_t extra_read, uint64_t read_max);
  void SetCurrentBlock(int current_block);
 protected:
  bool FinishBlock();
 private:
  base::File file_;
  IntegrityPayload integrity_;
  // The offset in the file_ that the underlying file reader is starting at
  uint64_t read_start_ = 0;
  // The number of bytes this DataSourceFilter will have seen that aren't used
  // by the DataProducer.  These extra bytes are exclusively for hash validation
  // but we need to know how many we've used so we know when we're done.
  uint64_t extra_read_ = 0;
  // The maximum offset in the file_ that we should read to, used to determine
  // which bytes we're missing or if we need to read up to a block boundary in
  // OnDone
  uint64_t read_max_ = 0;
  bool done_reading_ = false;
  int current_block_;
  int max_block_;
  uint64_t current_hash_byte_count_ = 0;
  uint64_t total_hash_byte_count_ = 0;
  std::unique_ptr<crypto::SecureHash> current_hash_;
  DISALLOW_COPY_AND_ASSIGN(AsarFileValidator);
 };
 }  // namespace asar
 #endif  // SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_
--- a/shell/browser/net/asar/asar_url_loader.cc
+++ b/shell/browser/net/asar/asar_url_loader.cc
@ -4,6 +4,7 @@
 #include "shell/browser/net/asar/asar_url_loader.h"
 #include <algorithm>
 #include <memory>
 #include <string>
 #include <utility>
@ -13,6 +14,7 @@
 #include "base/task/post_task.h"
 #include "base/task/thread_pool.h"
 #include "content/public/browser/file_url_loader.h"
 #include "electron/fuses.h"
 #include "mojo/public/cpp/bindings/receiver.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "mojo/public/cpp/system/data_pipe_producer.h"
@ -23,6 +25,7 @@
 #include "net/http/http_byte_range.h"
 #include "net/http/http_util.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
 #include "shell/browser/net/asar/asar_file_validator.h"
 #include "shell/common/asar/archive.h"
 #include "shell/common/asar/asar_util.h"
@ -127,6 +130,7 @@ class AsarURLLoader : public network::mojom::URLLoader {
      OnClientComplete(net::ERR_FILE_NOT_FOUND);
      return;
    }
    bool is_verifying_file = info.integrity.has_value();
    // For unpacked path, read like normal file.
    base::FilePath real_path;
@ -149,12 +153,24 @@ class AsarURLLoader : public network::mojom::URLLoader {
    base::File file(info.unpacked ? real_path : archive->path(),
                    base::File::FLAG_OPEN | base::File::FLAG_READ);
    auto file_data_source =
-        std::make_unique<mojo::FileDataSource>(std::move(file));
+        std::make_unique<mojo::FileDataSource>(file.Duplicate());
-    mojo::DataPipeProducer::DataSource* data_source = file_data_source.get();
+    std::unique_ptr<mojo::DataPipeProducer::DataSource> readable_data_source;
    mojo::FileDataSource* file_data_source_raw = file_data_source.get();
    AsarFileValidator* file_validator_raw = nullptr;
    if (info.integrity.has_value()) {
      auto asar_validator = std::make_unique<AsarFileValidator>(
          std::move(info.integrity.value()), std::move(file));
      file_validator_raw = asar_validator.get();
      readable_data_source.reset(new mojo::FilteredDataSource(
          std::move(file_data_source), std::move(asar_validator)));
    } else {
      readable_data_source = std::move(file_data_source);
    }
-    std::vector<char> initial_read_buffer(net::kMaxBytesToSniff);
+    std::vector<char> initial_read_buffer(
-    auto read_result =
+        std::min(static_cast<uint32_t>(net::kMaxBytesToSniff), info.size));
-        data_source->Read(info.offset, base::span<char>(initial_read_buffer));
+    auto read_result = readable_data_source.get()->Read(
        info.offset, base::span<char>(initial_read_buffer));
    if (read_result.result != MOJO_RESULT_OK) {
      OnClientComplete(ConvertMojoResultToNetError(read_result.result));
      return;
@ -183,6 +199,7 @@ class AsarURLLoader : public network::mojom::URLLoader {
    }
    uint64_t first_byte_to_send = 0;
    uint64_t total_bytes_dropped_from_head = initial_read_buffer.size();
    uint64_t total_bytes_to_send = info.size;
    if (byte_range.IsValid()) {
@ -214,6 +231,26 @@ class AsarURLLoader : public network::mojom::URLLoader {
      // Discount the bytes we just sent from the total range.
      first_byte_to_send = read_result.bytes_read;
      total_bytes_to_send -= write_size;
    } else if (is_verifying_file &&
               first_byte_to_send >=
                   static_cast<uint64_t>(info.integrity.value().block_size)) {
      // If validation is active and the range of bytes the request wants starts
      // beyond the first block we need to read the next 4MB-1KB to validate
      // that block. Then we can skip ahead to the target block in the SetRange
      // call below If we hit this case it is assumed that none of the data read
      // will be needed by the producer
      uint64_t bytes_to_drop =
          info.integrity.value().block_size - net::kMaxBytesToSniff;
      total_bytes_dropped_from_head += bytes_to_drop;
      std::vector<char> abandoned_buffer(bytes_to_drop);
      auto abandon_read_result =
          readable_data_source.get()->Read(info.offset + net::kMaxBytesToSniff,
                                           base::span<char>(abandoned_buffer));
      if (abandon_read_result.result != MOJO_RESULT_OK) {
        OnClientComplete(
            ConvertMojoResultToNetError(abandon_read_result.result));
        return;
      }
    }
    if (!net::GetMimeTypeFromFile(path, &head->mime_type)) {
@ -234,23 +271,68 @@ class AsarURLLoader : public network::mojom::URLLoader {
    if (total_bytes_to_send == 0) {
      // There's definitely no more data, so we're already done.
      // We provide the range data to the file validator so that
      // it can validate the tiny amount of data we did send
      if (file_validator_raw)
        file_validator_raw->SetRange(info.offset + first_byte_to_send,
                                     total_bytes_dropped_from_head,
                                     info.offset + info.size);
      OnFileWritten(MOJO_RESULT_OK);
      return;
    }
    if (is_verifying_file) {
      uint32_t block_size = info.integrity.value().block_size;
      int start_block = first_byte_to_send / block_size;
      // If we're starting from the first block, we might not be starting from
      // where we sniffed. We might be a few KB into a file so we need to read
      // the data in the middle so it gets hashed.
      //
      // If we're starting from a later block we might be starting half-way
      // through the block regardless of what was sniffed.  We need to read the
      // data from the start of our initial block up to the start of our actual
      // read point so it gets hashed.
      uint64_t bytes_to_drop =
          start_block == 0 ? first_byte_to_send - net::kMaxBytesToSniff
                           : first_byte_to_send - (start_block * block_size);
      if (file_validator_raw)
        file_validator_raw->SetCurrentBlock(start_block);
      if (bytes_to_drop > 0) {
        uint64_t dropped_bytes_offset =
            info.offset + (start_block * block_size);
        if (start_block == 0)
          dropped_bytes_offset += net::kMaxBytesToSniff;
        total_bytes_dropped_from_head += bytes_to_drop;
        std::vector<char> abandoned_buffer(bytes_to_drop);
        auto abandon_read_result = readable_data_source.get()->Read(
            dropped_bytes_offset, base::span<char>(abandoned_buffer));
        if (abandon_read_result.result != MOJO_RESULT_OK) {
          OnClientComplete(
              ConvertMojoResultToNetError(abandon_read_result.result));
          return;
        }
      }
    }
    // In case of a range request, seek to the appropriate position before
    // sending the remaining bytes asynchronously. Under normal conditions
    // (i.e., no range request) this Seek is effectively a no-op.
    //
    // Note that in Electron we also need to add file offset.
-    file_data_source->SetRange(
+    file_data_source_raw->SetRange(
        first_byte_to_send + info.offset,
        first_byte_to_send + info.offset + total_bytes_to_send);
    if (file_validator_raw)
      file_validator_raw->SetRange(info.offset + first_byte_to_send,
                                   total_bytes_dropped_from_head,
                                   info.offset + info.size);
    data_producer_ =
        std::make_unique<mojo::DataPipeProducer>(std::move(producer_handle));
    data_producer_->Write(
-        std::move(file_data_source),
+        std::move(readable_data_source),
        base::BindOnce(&AsarURLLoader::OnFileWritten, base::Unretained(this)));
  }
--- a/shell/browser/resources/mac/Info.plist
+++ b/shell/browser/resources/mac/Info.plist
@ -49,5 +49,15 @@
    <string>This app needs access to Bluetooth</string>
    <key>NSBluetoothPeripheralUsageDescription</key>
    <string>This app needs access to Bluetooth</string>
    <key>ElectronAsarIntegrity</key>
    <dict>
      <key>Resources/default_app.asar</key>
      <dict>
        <key>algorithm</key>
        <string>SHA256</string>
        <key>hash</key>
        <string>${DEFAULT_APP_ASAR_HEADER_SHA}</string>
      </dict>
    </dict>
  </dict>
 </plist>
--- a/shell/common/api/electron_api_asar.cc
+++ b/shell/common/api/electron_api_asar.cc
@ -32,13 +32,12 @@ class Archive : public gin::Wrappable<Archive> {
  gin::ObjectTemplateBuilder GetObjectTemplateBuilder(
      v8::Isolate* isolate) override {
    return gin::ObjectTemplateBuilder(isolate)
        .SetProperty("path", &Archive::GetPath)
        .SetMethod("getFileInfo", &Archive::GetFileInfo)
        .SetMethod("stat", &Archive::Stat)
        .SetMethod("readdir", &Archive::Readdir)
        .SetMethod("realpath", &Archive::Realpath)
        .SetMethod("copyFileOut", &Archive::CopyFileOut)
-        .SetMethod("getFd", &Archive::GetFD);
+        .SetMethod("getFdAndValidateIntegrityLater", &Archive::GetFD);
  }
  const char* GetTypeName() override { return "Archive"; }
@ -47,9 +46,6 @@ class Archive : public gin::Wrappable<Archive> {
  Archive(v8::Isolate* isolate, std::unique_ptr<asar::Archive> archive)
      : archive_(std::move(archive)) {}
  // Returns the path of the file.
  base::FilePath GetPath() { return archive_->path(); }
  // Reads the offset and size of file.
  v8::Local<v8::Value> GetFileInfo(v8::Isolate* isolate,
                                   const base::FilePath& path) {
@ -60,6 +56,20 @@ class Archive : public gin::Wrappable<Archive> {
    dict.Set("size", info.size);
    dict.Set("unpacked", info.unpacked);
    dict.Set("offset", info.offset);
    if (info.integrity.has_value()) {
      gin_helper::Dictionary integrity(isolate, v8::Object::New(isolate));
      asar::HashAlgorithm algorithm = info.integrity.value().algorithm;
      switch (algorithm) {
        case asar::HashAlgorithm::SHA256:
          integrity.Set("algorithm", "SHA256");
          break;
        case asar::HashAlgorithm::NONE:
          CHECK(false);
          break;
      }
      integrity.Set("hash", info.integrity.value().hash);
      dict.Set("integrity", integrity);
    }
    return dict.GetHandle();
  }
@ -108,7 +118,7 @@ class Archive : public gin::Wrappable<Archive> {
  int GetFD() const {
    if (!archive_)
      return -1;
-    return archive_->GetFD();
+    return archive_->GetUnsafeFD();
  }
 private:
--- a/shell/common/asar/archive.cc
+++ b/shell/common/asar/archive.cc
@ -18,6 +18,8 @@
 #include "base/task/post_task.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
 #include "electron/fuses.h"
 #include "shell/common/asar/asar_util.h"
 #include "shell/common/asar/scoped_temporary_file.h"
 #if defined(OS_WIN)
@ -95,6 +97,7 @@ bool GetNodeFromPath(std::string path,
 bool FillFileInfoWithNode(Archive::FileInfo* info,
                          uint32_t header_size,
                          bool load_integrity,
                          const base::DictionaryValue* node) {
  int size;
  if (!node->GetInteger("size", &size))
@ -113,6 +116,42 @@ bool FillFileInfoWithNode(Archive::FileInfo* info,
  node->GetBoolean("executable", &info->executable);
 #if defined(OS_MAC)
  if (load_integrity &&
      electron::fuses::IsEmbeddedAsarIntegrityValidationEnabled()) {
    const base::DictionaryValue* integrity;
    if (node->GetDictionary("integrity", &integrity)) {
      IntegrityPayload integrity_payload;
      std::string algorithm;
      const base::ListValue* blocks;
      int block_size;
      if (integrity->GetString("algorithm", &algorithm) &&
          integrity->GetString("hash", &integrity_payload.hash) &&
          integrity->GetInteger("blockSize", &block_size) &&
          integrity->GetList("blocks", &blocks) && block_size > 0) {
        integrity_payload.block_size = static_cast<uint32_t>(block_size);
        for (size_t i = 0; i < blocks->GetSize(); i++) {
          std::string block;
          if (!blocks->GetString(i, &block)) {
            LOG(FATAL)
                << "Invalid block integrity value for file in ASAR archive";
          }
          integrity_payload.blocks.push_back(block);
        }
        if (algorithm == "SHA256") {
          integrity_payload.algorithm = HashAlgorithm::SHA256;
          info->integrity = std::move(integrity_payload);
        }
      }
    }
    if (!info->integrity.has_value()) {
      LOG(FATAL) << "Failed to read integrity for file in ASAR archive";
      return false;
    }
  }
 #endif
  return true;
 }
@ -191,6 +230,32 @@ bool Archive::Init() {
    return false;
  }
 #if defined(OS_MAC)
  // Validate header signature if required and possible
  if (electron::fuses::IsEmbeddedAsarIntegrityValidationEnabled() &&
      RelativePath().has_value()) {
    absl::optional<IntegrityPayload> integrity = HeaderIntegrity();
    if (!integrity.has_value()) {
      LOG(FATAL) << "Failed to get integrity for validatable asar archive: "
                 << RelativePath().value();
      return false;
    }
    // Currently we only support the sha256 algorithm, we can add support for
    // more below ensure we read them in preference order from most secure to
    // least
    if (integrity.value().algorithm != HashAlgorithm::NONE) {
      ValidateIntegrityOrDie(header.c_str(), header.length(),
                             integrity.value());
    } else {
      LOG(FATAL) << "No eligible hash for validatable asar archive: "
                 << RelativePath().value();
    }
    header_validated_ = true;
  }
 #endif
  absl::optional<base::Value> value = base::JSONReader::Read(header);
  if (!value || !value->is_dict()) {
    LOG(ERROR) << "Failed to parse header";
@ -203,6 +268,16 @@ bool Archive::Init() {
  return true;
 }
 #if !defined(OS_MAC)
 absl::optional<IntegrityPayload> Archive::HeaderIntegrity() const {
  return absl::optional<IntegrityPayload>();
 }
 absl::optional<base::FilePath> Archive::RelativePath() const {
  return absl::optional<base::FilePath>();
 }
 #endif
 bool Archive::GetFileInfo(const base::FilePath& path, FileInfo* info) const {
  if (!header_)
    return false;
@ -215,7 +290,7 @@ bool Archive::GetFileInfo(const base::FilePath& path, FileInfo* info) const {
  if (node->GetString("link", &link))
    return GetFileInfo(base::FilePath::FromUTF8Unsafe(link), info);
-  return FillFileInfoWithNode(info, header_size_, node);
+  return FillFileInfoWithNode(info, header_size_, header_validated_, node);
 }
 bool Archive::Stat(const base::FilePath& path, Stats* stats) const {
@ -238,7 +313,7 @@ bool Archive::Stat(const base::FilePath& path, Stats* stats) const {
    return true;
  }
-  return FillFileInfoWithNode(stats, header_size_, node);
+  return FillFileInfoWithNode(stats, header_size_, header_validated_, node);
 }
 bool Archive::Readdir(const base::FilePath& path,
@ -304,7 +379,8 @@ bool Archive::CopyFileOut(const base::FilePath& path, base::FilePath* out) {
  auto temp_file = std::make_unique<ScopedTemporaryFile>();
  base::FilePath::StringType ext = path.Extension();
-  if (!temp_file->InitFromFile(&file_, ext, info.offset, info.size))
+  if (!temp_file->InitFromFile(&file_, ext, info.offset, info.size,
                               info.integrity))
    return false;
 #if defined(OS_POSIX)
@ -319,7 +395,7 @@ bool Archive::CopyFileOut(const base::FilePath& path, base::FilePath* out) {
  return true;
 }
-int Archive::GetFD() const {
+int Archive::GetUnsafeFD() const {
  return fd_;
 }
--- a/shell/common/asar/archive.h
+++ b/shell/common/asar/archive.h
@ -6,12 +6,14 @@
 #define SHELL_COMMON_ASAR_ARCHIVE_H_
 #include <memory>
 #include <string>
 #include <unordered_map>
 #include <vector>
 #include "base/files/file.h"
 #include "base/files/file_path.h"
 #include "base/synchronization/lock.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 namespace base {
 class DictionaryValue;
@ -21,6 +23,19 @@ namespace asar {
 class ScopedTemporaryFile;
 enum HashAlgorithm {
  SHA256,
  NONE,
 };
 struct IntegrityPayload {
  IntegrityPayload() : algorithm(HashAlgorithm::NONE), block_size(0) {}
  HashAlgorithm algorithm;
  std::string hash;
  uint32_t block_size;
  std::vector<std::string> blocks;
 };
 // This class represents an asar package, and provides methods to read
 // information from it. It is thread-safe after |Init| has been called.
 class Archive {
@ -31,6 +46,7 @@ class Archive {
    bool executable;
    uint32_t size;
    uint64_t offset;
    absl::optional<IntegrityPayload> integrity;
  };
  struct Stats : public FileInfo {
@ -46,6 +62,9 @@ class Archive {
  // Read and parse the header.
  bool Init();
  absl::optional<IntegrityPayload> HeaderIntegrity() const;
  absl::optional<base::FilePath> RelativePath() const;
  // Get the info of a file.
  bool GetFileInfo(const base::FilePath& path, FileInfo* info) const;
@ -64,12 +83,16 @@ class Archive {
  bool CopyFileOut(const base::FilePath& path, base::FilePath* out);
  // Returns the file's fd.
-  int GetFD() const;
+  // Using this fd will not validate the integrity of any files
  // you read out of the ASAR manually.  Callers are responsible
  // for integrity validation after this fd is handed over.
  int GetUnsafeFD() const;
  base::FilePath path() const { return path_; }
 private:
  bool initialized_;
  bool header_validated_ = false;
  const base::FilePath path_;
  base::File file_;
  int fd_ = -1;
--- a/shell/common/asar/archive_mac.mm
+++ b/shell/common/asar/archive_mac.mm
@ -0,0 +1,65 @@
 // Copyright (c) 2021 Slack Technologies, Inc.
 // Use of this source code is governed by the MIT license that can be
 // found in the LICENSE file.
 #include "shell/common/asar/archive.h"
 #include <CommonCrypto/CommonDigest.h>
 #include <CoreFoundation/CoreFoundation.h>
 #include <Foundation/Foundation.h>
 #include <iomanip>
 #include <string>
 #include "base/logging.h"
 #include "base/mac/bundle_locations.h"
 #include "base/mac/foundation_util.h"
 #include "base/mac/scoped_cftyperef.h"
 #include "base/strings/sys_string_conversions.h"
 #include "shell/common/asar/asar_util.h"
 namespace asar {
 absl::optional<base::FilePath> Archive::RelativePath() const {
  base::FilePath bundle_path = base::mac::MainBundlePath().Append("Contents");
  base::FilePath relative_path;
  if (!bundle_path.AppendRelativePath(path_, &relative_path))
    return absl::nullopt;
  return relative_path;
 }
 absl::optional<IntegrityPayload> Archive::HeaderIntegrity() const {
  absl::optional<base::FilePath> relative_path = RelativePath();
  // Callers should have already asserted this
  CHECK(relative_path.has_value());
  NSDictionary* integrity = [[NSBundle mainBundle]
      objectForInfoDictionaryKey:@"ElectronAsarIntegrity"];
  // Integrity not provided
  if (!integrity)
    return absl::nullopt;
  NSString* ns_relative_path =
      base::mac::FilePathToNSString(relative_path.value());
  NSDictionary* integrity_payload = [integrity objectForKey:ns_relative_path];
  if (!integrity_payload)
    return absl::nullopt;
  NSString* algorithm = [integrity_payload objectForKey:@"algorithm"];
  NSString* hash = [integrity_payload objectForKey:@"hash"];
  if (algorithm && hash && [algorithm isEqualToString:@"SHA256"]) {
    IntegrityPayload header_integrity;
    header_integrity.algorithm = HashAlgorithm::SHA256;
    header_integrity.hash = base::SysNSStringToUTF8(hash);
    return header_integrity;
  }
  return absl::nullopt;
 }
 }  // namespace asar
--- a/shell/common/asar/asar_util.cc
+++ b/shell/common/asar/asar_util.cc
@ -11,11 +11,16 @@
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/no_destructor.h"
 #include "base/stl_util.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/synchronization/lock.h"
 #include "base/threading/thread_local.h"
 #include "base/threading/thread_restrictions.h"
 #include "crypto/secure_hash.h"
 #include "crypto/sha2.h"
 #include "shell/common/asar/archive.h"
 namespace asar {
@ -130,9 +135,38 @@ bool ReadFileToString(const base::FilePath& path, std::string* contents) {
    return false;
  contents->resize(info.size);
-  return static_cast<int>(info.size) ==
+  if (static_cast<int>(info.size) !=
-         src.Read(info.offset, const_cast<char*>(contents->data()),
+      src.Read(info.offset, const_cast<char*>(contents->data()),
-                  contents->size());
+               contents->size())) {
    return false;
  }
  if (info.integrity.has_value()) {
    ValidateIntegrityOrDie(contents->data(), contents->size(),
                           info.integrity.value());
  }
  return true;
 }
 void ValidateIntegrityOrDie(const char* data,
                            size_t size,
                            const IntegrityPayload& integrity) {
  if (integrity.algorithm == HashAlgorithm::SHA256) {
    uint8_t hash[crypto::kSHA256Length];
    auto hasher = crypto::SecureHash::Create(crypto::SecureHash::SHA256);
    hasher->Update(data, size);
    hasher->Finish(hash, sizeof(hash));
    const std::string hex_hash =
        base::ToLowerASCII(base::HexEncode(hash, sizeof(hash)));
    if (integrity.hash != hex_hash) {
      LOG(FATAL) << "Integrity check failed for asar archive ("
                 << integrity.hash << " vs " << hex_hash << ")";
    }
  } else {
    LOG(FATAL) << "Unsupported hashing algorithm in ValidateIntegrityOrDie";
  }
 }
 }  // namespace asar
--- a/shell/common/asar/asar_util.h
+++ b/shell/common/asar/asar_util.h
@ -15,6 +15,7 @@ class FilePath;
 namespace asar {
 class Archive;
 struct IntegrityPayload;
 // Gets or creates and caches a new Archive from the path.
 std::shared_ptr<Archive> GetOrCreateAsarArchive(const base::FilePath& path);
@ -31,6 +32,10 @@ bool GetAsarArchivePath(const base::FilePath& full_path,
 // Same with base::ReadFileToString but supports asar Archive.
 bool ReadFileToString(const base::FilePath& path, std::string* contents);
 void ValidateIntegrityOrDie(const char* data,
                            size_t size,
                            const IntegrityPayload& integrity);
 }  // namespace asar
 #endif  // SHELL_COMMON_ASAR_ASAR_UTIL_H_
--- a/shell/common/asar/scoped_temporary_file.cc
+++ b/shell/common/asar/scoped_temporary_file.cc
@ -7,7 +7,9 @@
 #include <vector>
 #include "base/files/file_util.h"
 #include "base/logging.h"
 #include "base/threading/thread_restrictions.h"
 #include "shell/common/asar/asar_util.h"
 namespace asar {
@ -48,21 +50,28 @@ bool ScopedTemporaryFile::Init(const base::FilePath::StringType& ext) {
  return true;
 }
-bool ScopedTemporaryFile::InitFromFile(base::File* src,
+bool ScopedTemporaryFile::InitFromFile(
-                                       const base::FilePath::StringType& ext,
+    base::File* src,
-                                       uint64_t offset,
+    const base::FilePath::StringType& ext,
-                                       uint64_t size) {
+    uint64_t offset,
    uint64_t size,
    const absl::optional<IntegrityPayload>& integrity) {
  if (!src->IsValid())
    return false;
  if (!Init(ext))
    return false;
  base::ThreadRestrictions::ScopedAllowIO allow_io;
  std::vector<char> buf(size);
  int len = src->Read(offset, buf.data(), buf.size());
  if (len != static_cast<int>(size))
    return false;
  if (integrity.has_value()) {
    ValidateIntegrityOrDie(buf.data(), buf.size(), integrity.value());
  }
  base::File dest(path_, base::File::FLAG_OPEN | base::File::FLAG_WRITE);
  if (!dest.IsValid())
    return false;
--- a/shell/common/asar/scoped_temporary_file.h
+++ b/shell/common/asar/scoped_temporary_file.h
@ -6,6 +6,8 @@
 #define SHELL_COMMON_ASAR_SCOPED_TEMPORARY_FILE_H_
 #include "base/files/file_path.h"
 #include "shell/common/asar/archive.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 namespace base {
 class File;
@ -31,7 +33,8 @@ class ScopedTemporaryFile {
  bool InitFromFile(base::File* src,
                    const base::FilePath::StringType& ext,
                    uint64_t offset,
-                    uint64_t size);
+                    uint64_t size,
                    const absl::optional<IntegrityPayload>& integrity);
  base::FilePath path() const { return path_; }
--- a/shell/common/node_bindings.cc
+++ b/shell/common/node_bindings.cc
@ -433,13 +433,29 @@ node::Environment* NodeBindings::CreateEnvironment(
      break;
  }
-  gin_helper::Dictionary global(context->GetIsolate(), context->Global());
+  v8::Isolate* isolate = context->GetIsolate();
  gin_helper::Dictionary global(isolate, context->Global());
  // Do not set DOM globals for renderer process.
  // We must set this before the node bootstrapper which is run inside
  // CreateEnvironment
  if (browser_env_ != BrowserEnvironment::kBrowser)
    global.Set("_noBrowserGlobals", true);
  if (browser_env_ == BrowserEnvironment::kBrowser) {
    const std::vector<std::string> search_paths = {"app.asar", "app",
                                                   "default_app.asar"};
    const std::vector<std::string> app_asar_search_paths = {"app.asar"};
    context->Global()->SetPrivate(
        context,
        v8::Private::ForApi(
            isolate,
            gin::ConvertToV8(isolate, "appSearchPaths").As<v8::String>()),
        gin::ConvertToV8(isolate,
                         electron::fuses::IsOnlyLoadAppFromAsarEnabled()
                             ? app_asar_search_paths
                             : search_paths));
  }
  std::vector<std::string> exec_args;
  base::FilePath resources_path = GetResourcesPath();
  std::string init_script = "electron/js2c/" + process_type + "_init";
--- a/spec-main/node-spec.ts
+++ b/spec-main/node-spec.ts
@ -350,7 +350,7 @@ describe('node feature', () => {
  });
  it('Can find a module using a package.json main field', () => {
-    const result = childProcess.spawnSync(process.execPath, [path.resolve(fixtures, 'api', 'electron-main-module', 'app.asar')]);
+    const result = childProcess.spawnSync(process.execPath, [path.resolve(fixtures, 'api', 'electron-main-module', 'app.asar')], { stdio: 'inherit' });
    expect(result.status).to.equal(0);
  });
--- a/spec/asar-spec.js
+++ b/spec/asar-spec.js
@ -1564,7 +1564,7 @@ describe('asar package', function () {
        forked.on('message', function (stats) {
          try {
            expect(stats.isFile).to.be.true();
-            expect(stats.size).to.equal(778);
+            expect(stats.size).to.equal(3458);
            done();
          } catch (e) {
            done(e);
@ -1588,7 +1588,7 @@ describe('asar package', function () {
          try {
            const stats = JSON.parse(output);
            expect(stats.isFile).to.be.true();
-            expect(stats.size).to.equal(778);
+            expect(stats.size).to.equal(3458);
            done();
          } catch (e) {
            done(e);
--- a/spec/fixtures/test.asar/a.asar
+++ b/spec/fixtures/test.asar/a.asar
--- a/spec/fixtures/test.asar/echo.asar
+++ b/spec/fixtures/test.asar/echo.asar
--- a/spec/fixtures/test.asar/empty.asar
+++ b/spec/fixtures/test.asar/empty.asar
--- a/spec/fixtures/test.asar/logo.asar
+++ b/spec/fixtures/test.asar/logo.asar
--- a/spec/fixtures/test.asar/repack.js
+++ b/spec/fixtures/test.asar/repack.js
@ -0,0 +1,22 @@
 // Use this script to regenerate these fixture files
 // using a new version of the asar package
 const asar = require('asar');
 const fs = require('fs');
 const os = require('os');
 const path = require('path');
 const archives = [];
 for (const child of fs.readdirSync(__dirname)) {
  if (child.endsWith('.asar')) {
    archives.push(path.resolve(__dirname, child));
  }
 }
 for (const archive of archives) {
  const tmp = fs.mkdtempSync(path.resolve(os.tmpdir(), 'asar-spec-'));
  asar.extractAll(archive, tmp);
  asar.createPackageWithOptions(tmp, archive, {
    unpack: fs.existsSync(archive + '.unpacked') ? '*' : undefined
  });
 }
--- a/spec/fixtures/test.asar/script.asar
+++ b/spec/fixtures/test.asar/script.asar
--- a/spec/fixtures/test.asar/unpack.asar
+++ b/spec/fixtures/test.asar/unpack.asar
--- a/spec/fixtures/test.asar/video.asar
+++ b/spec/fixtures/test.asar/video.asar
--- a/spec/fixtures/test.asar/web.asar
+++ b/spec/fixtures/test.asar/web.asar
--- a/typings/internal-ambient.d.ts
+++ b/typings/internal-ambient.d.ts
@ -63,6 +63,10 @@ declare namespace NodeJS {
    size: number;
    unpacked: boolean;
    offset: number;
    integrity?: {
      algorithm: 'SHA256';
      hash: string;
    }
  };
  type AsarFileStat = {
@ -74,13 +78,12 @@ declare namespace NodeJS {
  }
  interface AsarArchive {
    readonly path: string;
    getFileInfo(path: string): AsarFileInfo | false;
    stat(path: string): AsarFileStat | false;
    readdir(path: string): string[] | false;
    realpath(path: string): string | false;
    copyFileOut(path: string): string | false;
-    getFd(): number | -1;
+    getFdAndValidateIntegrityLater(): number | -1;
  }
  interface AsarBinding {
--- a/yarn.lock
+++ b/yarn.lock
@ -1079,10 +1079,10 @@ arrify@^1.0.0:
  resolved "https://registry.yarnpkg.com/arrify/-/arrify-1.0.1.tgz#898508da2226f380df904728456849c1501a4b0d"
  integrity sha1-iYUI2iIm84DfkEcoRWhJwVAaSw0=
-asar@^3.0.3:
+asar@^3.1.0:
-  version "3.0.3"
+  version "3.1.0"
-  resolved "https://registry.yarnpkg.com/asar/-/asar-3.0.3.tgz#1fef03c2d6d2de0cbad138788e4f7ae03b129c7b"
+  resolved "https://registry.yarnpkg.com/asar/-/asar-3.1.0.tgz#70b0509449fe3daccc63beb4d3c7d2e24d3c6473"
-  integrity sha512-k7zd+KoR+n8pl71PvgElcoKHrVNiSXtw7odKbyNpmgKe7EGRF9Pnu3uLOukD37EvavKwVFxOUpqXTIZC5B5Pmw==
+  integrity sha512-vyxPxP5arcAqN4F/ebHd/HhwnAiZtwhglvdmc7BR2f0ywbVNTOpSeyhLDbGXtE/y58hv1oC75TaNIXutnsOZsQ==
  dependencies:
    chromium-pickle-js "^0.2.0"
    commander "^5.0.0"