
electronFuses corrupted by windows codeSign [unpacked only]

Open mayfield opened this issue 3 weeks ago • 1 comments

Hi,

I'm enabling asarIntegrity with my app but it does not work for my Windows build when used in conjunction with code signing. macOS works fine.

electron-builder: 26.3.4
electron: 38.2.1
Platform: Windows 11
Signed with: hardware Sectigo based USB device

My relevant eb options are:

    "electronFuses": {
      "enableEmbeddedAsarIntegrityValidation": true,
      "onlyLoadAppFromAsar": true,
      "enableNodeCliInspectArguments": false,
      "enableNodeOptionsEnvironmentVariable": false
    },
    "asar": {
      "smartUnpack": false
    },
    "asarUnpack": [
      "**/*.node"
    ]

With code signing disabled I get the expected integrity checking...

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift (main)
$ cd dist/win-unpacked/

$ npx @electron/fuses read --app Sauce\ for\ Zwift™.exe
npm verbose cli C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
npm info using npm@10.9.4
npm info using node@v22.21.0
npm verbose title npm exec @electron/fuses read --app Sauce for Zwift™.exe
npm verbose argv "exec" "--" "@electron/fuses" "read" "--app" "Sauce for Zwift™.exe"
npm verbose logfile logs-max:10 dir:C:\Users\tooke\AppData\Local\npm-cache\_logs\2025-12-07T01_41_23_132Z-
npm verbose logfile C:\Users\tooke\AppData\Local\npm-cache\_logs\2025-12-07T01_41_23_132Z-debug-0.log
npm verbose shrinkwrap failed to load node_modules/.package-lock.json out of date, updated: node_modules/bufferutil
Analyzing app: Sauce for Zwift™.exe
Fuse Version: v1
  RunAsNode is Enabled
  EnableCookieEncryption is Disabled
  EnableNodeOptionsEnvironmentVariable is Disabled
  EnableNodeCliInspectArguments is Disabled
  EnableEmbeddedAsarIntegrityValidation is Enabled
  OnlyLoadAppFromAsar is Enabled
  LoadBrowserProcessSpecificV8Snapshot is Disabled
  GrantFileProtocolExtraPrivileges is Enabled
npm verbose cwd C:\Users\tooke\project\sauce4zwift\dist\win-unpacked
npm verbose os Windows_NT 10.0.26100
npm verbose node v22.21.0
npm verbose npm  v10.9.4
npm verbose exit 0
npm info ok

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked (main)
$ ls
 LICENSE.electron.txt              chrome_200_percent.pak   libEGL.dll      resources.pak             vk_swiftshader_icd.json
 LICENSES.chromium.html            d3dcompiler_47.dll       libGLESv2.dll   snapshot_blob.bin         vulkan-1.dll
'Sauce for Zwift□'$'\204''□.exe'   ffmpeg.dll               locales         v8_context_snapshot.bin
 chrome_100_percent.pak            icudtl.dat               resources       vk_swiftshader.dll

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked (main)
$ cd resources

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked/resources (main)
$ mv app.asar app.asar.correct

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked/resources (main)
$ cp ~/badactor.asar ./app.asar

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked/resources (main)
$ ls -al
total 35456
drwxr-xr-x 1 mayfield 197121        0 Dec  6 18:35 .
drwxr-xr-x 1 mayfield 197121        0 Dec  6 18:32 ..
-rw-r--r-- 1 mayfield 197121 18146555 Dec  6 18:35 app.asar
-rw-r--r-- 1 mayfield 197121 18146677 Dec  6 18:32 app.asar.correct
drwxr-xr-x 1 mayfield 197121        0 Dec  6 18:32 app.asar.unpacked

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked/resources (main)
$ cd ..

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked (main)
$ ./Sauce\ for\ Zwift™.exe

[8460:1206/183550.018:FATAL:electron\shell\common\asar\asar_util.cc:143] Integrity check failed for asar archive (afe80035b0cb9001fff40c028dd148b50f2ef2361f4dad071a25c0a278a5119c vs 323343be3ddf6ed42bbe2f81db4d35a4ef0bd0f90816280cd398df406c3a747d)
[8460:1206/183550.018:ERROR:third_party\crashpad\crashpad\client\crashpad_client_win.cc:869] not connected

When I reintroduce my code signing I see that electron/fuses is still run, with the correct flags, but the code signing process is undoing the fuses, thus rendering the executable unsafe...

Relevant eb options:

    "win": {
      "signtoolOptions": {
        "certificateSubjectName": "MY SUBJECT NAME"
      }
    },

This is used with a SafeNet (Thales) USB hardware signer.

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift (main)
$ make unpacked
> electron-builder --dir

  • electron-builder  version=26.3.4 os=10.0.26100
  • loaded configuration  file=package.json ("build" field)
  • writing effective config  file=dist\builder-effective-config.yaml
  • packageManager not detected by file, falling back to environment detection  resolvedPackageManager=npm detected=C:\Users\tooke\project\sauce4zwift
  • executing @electron/rebuild  electronVersion=38.2.1 arch=x64 buildFromSource=true workspaceRoot=C:\Users\tooke\project\sauce4zwift projectDir=./ appDir=./
  • installing native dependencies  arch=x64
  • preparing       moduleName=better-sqlite3 arch=x64
  • finished        moduleName=better-sqlite3 arch=x64
  • preparing       moduleName=bufferutil arch=x64
  • finished        moduleName=bufferutil arch=x64
  • preparing       moduleName=keytar arch=x64
  • finished        moduleName=keytar arch=x64
  • preparing       moduleName=xxhash-addon arch=x64
  • finished        moduleName=xxhash-addon arch=x64
  • completed installing native dependencies
  • packaging       platform=win32 arch=x64 electron=38.2.1 appOutDir=dist\win-unpacked
  • updating asar integrity executable resource  executablePath=dist\win-unpacked\Sauce for Zwift™.exe
  • executing @electron/fuses  electronPath=dist\win-unpacked\Sauce for Zwift™.exe
  • identified pwsh.exe
npm verbose cwd C:\Users\tooke\project\sauce4zwift
npm verbose os Windows_NT 10.0.26100
npm verbose node v22.21.0
npm verbose npm  v10.9.4
npm verbose exit 0
npm info ok

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift (main)
$ npx @electron/fuses read --app dist/win-unpacked/Sauce*.exe
npm verbose cli C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
npm info using npm@10.9.4
npm info using node@v22.21.0
npm verbose title npm exec @electron/fuses read --app dist/win-unpacked/Sauce for Zwift™.exe
npm verbose argv "exec" "--" "@electron/fuses" "read" "--app" "dist/win-unpacked/Sauce for Zwift™.exe"
npm verbose logfile logs-max:10 dir:C:\Users\tooke\AppData\Local\npm-cache\_logs\2025-12-07T02_01_52_663Z-
npm verbose logfile C:\Users\tooke\AppData\Local\npm-cache\_logs\2025-12-07T02_01_52_663Z-debug-0.log
npm verbose shrinkwrap failed to load node_modules/.package-lock.json out of date, updated: node_modules
Analyzing app: Sauce for Zwift™.exe
Fuse Version: v1
  RunAsNode is Enabled
  EnableCookieEncryption is Disabled
  EnableNodeOptionsEnvironmentVariable is Enabled
  EnableNodeCliInspectArguments is Enabled
  EnableEmbeddedAsarIntegrityValidation is Disabled
  OnlyLoadAppFromAsar is Disabled
  LoadBrowserProcessSpecificV8Snapshot is Disabled
  GrantFileProtocolExtraPrivileges is Enabled
npm verbose cwd C:\Users\tooke\project\sauce4zwift
npm verbose os Windows_NT 10.0.26100
npm verbose node v22.21.0
npm verbose npm  v10.9.4
npm verbose exit 0
npm info ok

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift (main)
$ cd dist/win-unpacked/resources

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked/resources (main)
$ cp ~/badactor.asar ./

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked/resources (main)
$ cd ../

mayfield@justin-win11vm MINGW64 ~/project/sauce4zwift/dist/win-unpacked (main)
$ ./Sauce*.exe

19:02:39.856 [INFO] (logging.js:201): Sauce log file: C:\Users\tooke\Documents\Sauce\logs\sauce.log

The last line being valid code execution from my app with the badactor.asar.

mayfield, Dec 07 '25 02:12

So I just did a packed build and, checking the installed exec, it looks like it's working properly. So only unpacked builds are affected.

$ npx @electron/fuses read --app ../../AppData/Local/Programs/sauce4zwift/Sauce\ for\ Zwift™.exe
npm verbose cli C:\Program Files\nodejs\node.exe C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js
npm info using npm@10.9.4
npm info using node@v22.21.0
npm verbose title npm exec @electron/fuses read --app ../../AppData/Local/Programs/sauce4zwift/Sauce for Zwift™.exe
npm verbose argv "exec" "--" "@electron/fuses" "read" "--app" "../../AppData/Local/Programs/sauce4zwift/Sauce for Zwift™.exe"
npm verbose logfile logs-max:0 dir:C:\Users\tooke\AppData\Local\npm-cache\_logs\2025-12-07T04_14_32_161Z-
npm verbose logfile no logfile created
npm verbose shrinkwrap failed to load node_modules/.package-lock.json out of date, updated: node_modules
Analyzing app: Sauce for Zwift™.exe
Fuse Version: v1
  RunAsNode is Enabled
  EnableCookieEncryption is Disabled
  EnableNodeOptionsEnvironmentVariable is Disabled
  EnableNodeCliInspectArguments is Disabled
  EnableEmbeddedAsarIntegrityValidation is Enabled
  OnlyLoadAppFromAsar is Enabled
  LoadBrowserProcessSpecificV8Snapshot is Disabled
  GrantFileProtocolExtraPrivileges is Enabled
npm verbose cwd C:\Users\tooke\project\sauce4zwift
npm verbose os Windows_NT 10.0.26100
npm verbose node v22.21.0
npm verbose npm  v10.9.4
npm verbose exit 0
npm info ok

mayfield, Dec 07 '25 04:12
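
A check that could run after the signing step to catch the regression reported above, as an added example that is not part of the original issue or of electron-builder: it parses the text printed by `npx @electron/fuses read` and compares it with the `electronFuses` config. The function names and the sample strings are constructed for illustration.

```javascript
// Expected states, mirroring the "electronFuses" block quoted in the issue.
const expectedFuses = {
  enableEmbeddedAsarIntegrityValidation: true,
  onlyLoadAppFromAsar: true,
  enableNodeCliInspectArguments: false,
  enableNodeOptionsEnvironmentVariable: false,
};

// Collect "<FuseName> is <State>" lines; npm log lines and headers are skipped.
function parseFuseReadOutput(text) {
  const states = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z0-9]+) is ([A-Za-z]+)\s*$/.exec(line);
    if (m) states.set(m[1], m[2]);
  }
  return states;
}

// Config keys are lower camelCase; the CLI prints the same names capitalised.
const toCliName = (key) => key[0].toUpperCase() + key.slice(1);

// One message per configured fuse that is absent or in the wrong state.
// Empty or unparsable output reports every fuse, so the check fails closed.
function findFuseDrift(expected, readOutput) {
  const actual = parseFuseReadOutput(readOutput);
  const drift = [];
  for (const [key, enabled] of Object.entries(expected)) {
    const name = toCliName(key);
    const want = enabled ? 'Enabled' : 'Disabled';
    const got = actual.get(name) ?? 'not reported';
    if (got !== want) drift.push(`${name}: expected ${want}, got ${got}`);
  }
  return drift;
}

// Sample inputs constructed from the reads quoted in the issue (trimmed).
const header = 'Analyzing app: app.exe\nFuse Version: v1\n  RunAsNode is Enabled\n';
const unsignedRead = header +
  '  EnableNodeOptionsEnvironmentVariable is Disabled\n' +
  '  EnableNodeCliInspectArguments is Disabled\n' +
  '  EnableEmbeddedAsarIntegrityValidation is Enabled\n' +
  '  OnlyLoadAppFromAsar is Enabled\n';
const signedRead = header +
  '  EnableNodeOptionsEnvironmentVariable is Enabled\n' +
  '  EnableNodeCliInspectArguments is Enabled\n' +
  '  EnableEmbeddedAsarIntegrityValidation is Disabled\n' +
  '  OnlyLoadAppFromAsar is Disabled\n';

console.log(findFuseDrift(expectedFuses, signedRead));
```

A build script would feed it the captured output of the read command for the signed executable and exit non-zero when the returned list is non-empty.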