
Update to the latest asar format (`integrity`, `executable`, etc. in header)

Open sleeyax opened this issue 2 years ago • 1 comments

The asar spec has been updated over time, while asarmor hasn't been updated with it yet. For example, we currently don't include things like integrity checks in the header. While this isn't breaking any applications that depend on asarmor, it makes bypassing patches trivial.

See https://github.com/electron/asar#format for the implementation.

sleeyax avatar May 20 '22 13:05 sleeyax

Hey! Any progress on that? How can we help? Also, how exactly do you bypass it so trivially, please? Maybe exposing the ways you bypass it will help us find ways to enforce it, you know, share the secrets and we will help secure them?

burgil avatar Jun 01 '22 23:06 burgil

> Any progress on that? How can we help?

No one is assigned to this issue, so no one is working on this yet.

> How can we help?

Asarmor needs to be updated to match the latest asar spec (see link in the issue) so that it writes the latest expected fields to the output asar header when patches are applied. Basic understanding of how asarmor works is required, so start by checking out the source code and unit tests. You can safely ignore the encryption module; that should be unaffected by these kinds of changes.

> Also, how exactly do you bypass it so trivially, please?

Well, someone could just fork asar and modify the code that iterates over the header and skip all sections that don't have an integrity field or any other field that is defined in the latest spec.

> Maybe exposing the ways you bypass it will help us find ways to enforce it, you know, share the secrets and we will help secure them?

I don't think exposing bypasses in detail in public is a good idea because some developers depend on asarmor to secure their (often proprietary) software. If you're serious about this and want to help improve asarmor, we can chat about this in private though.

sleeyax avatar Jun 02 '22 02:06 sleeyax
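
A conformance check a contributor could run over the header asarmor writes after patching, shown as an added example (not asarmor or electron/asar code): it walks the parsed header JSON and reports file entries whose `integrity` object is absent or malformed. The field names follow the format section linked in the issue; the function names, sample header and placeholder hashes are constructed for illustration, and treating every non-link entry as requiring `integrity` is an assumption.

```javascript
// Added example: audits a parsed asar header (the JSON object) for integrity fields.
const HEX64 = /^[0-9a-f]{64}$/; // SHA-256 digest as lowercase hex

// Returns a problem string, or null when the integrity object is well-formed.
function integrityProblem(node) {
  const i = node.integrity;
  if (i === undefined) return 'missing integrity';
  if (i === null || typeof i !== 'object') return 'integrity is not an object';
  if (i.algorithm !== 'SHA256') return 'unexpected algorithm';
  if (typeof i.hash !== 'string' || !HEX64.test(i.hash)) return 'malformed hash';
  if (!Number.isInteger(i.blockSize) || i.blockSize <= 0) return 'invalid blockSize';
  if (!Array.isArray(i.blocks) || i.blocks.length === 0 ||
      !i.blocks.every((b) => typeof b === 'string' && HEX64.test(b))) {
    return 'malformed blocks';
  }
  return null;
}

// Walks the nested "files" maps and collects { path, problem } for each bad entry.
function auditHeader(header, prefix = '', findings = []) {
  for (const [name, node] of Object.entries(header.files || {})) {
    const path = prefix + name;
    if (node && typeof node === 'object' && node.files) {
      auditHeader(node, path + '/', findings); // directory: recurse
    } else if (node && typeof node.link === 'string') {
      continue; // symlink entry: no content of its own to hash
    } else {
      // Assumption: every remaining entry is a file that must carry integrity.
      const problem = integrityProblem(node || {});
      if (problem) findings.push({ path, problem });
    }
  }
  return findings;
}

// Constructed sample header; the hash values are placeholders, not real digests.
const H = 'a'.repeat(64);
const sampleHeader = { files: {
  'index.js': { size: 12, offset: '0',
    integrity: { algorithm: 'SHA256', hash: H, blockSize: 4194304, blocks: [H] } },
  'lib': { files: {
    'old.js': { size: 7, offset: '12' },
    'bad.js': { size: 3, offset: '19',
      integrity: { algorithm: 'SHA256', hash: 'xyz', blockSize: 4194304, blocks: [H] } },
    'alias': { link: 'lib/old.js' } } } } };

console.log(auditHeader(sampleHeader));
```

An empty result from `auditHeader` on the patched output is the condition a unit test for this issue would assert; the check is structural only and does not recompute digests over file contents.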