Handle encryption keys only internally (closes #61)

The key is unique per asarmor installation and should be the exact same from both the JS and C/C++ side. To prevent user error we should not expose the `key` property to the user in the library API or CLI. Instead, we always use the randomly generated key. If a user wishes to rotate the key, they can do so by manually reinstalling `asarmor` or by deleting the `key.txt` file and regenerating it using a script.
sleeyax · Apr 19, 2024 · 1ba3d45 · 1ba3d45
1 parent 2c26000
commit 1ba3d45
Show file tree

Hide file tree

Showing 5 changed files with 12 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@ Usage:
 const asarmor = require('asarmor');
 
 (async () => {
-  // Encrypt the contents of the asar archive.
+  // Encrypt the JavaScript file contents stored withing the asar file.
   await asarmor.encrypt({
     src: './app.asar', // target asar file to encrypt
     dst: './encrypted.asar', // output asar file
@@ -99,14 +99,12 @@ Steps:
 exports.default = async ({ appOutDir, packager }) => {
   try {
 +   const asarPath = join(packager.getResourcesDir(appOutDir), 'app.asar');   
-+   console.log(`asarmor is encrypting all JS files stored in ${asarPath}`);
++   console.log(`asarmor is encrypting all JavaScript files stored in ${asarPath}`);
 +   await encrypt({
 +     // path to the input asar file
 +     src: asarPath,
 +     // path to the output asar file
 +     dst: asarPath,
-+     // path to the encryption key file; asarmor should generate a new one every time it's installed as a dependency.
-+     key: join(__dirname, '..', 'node_modules', 'asarmor', 'src', 'encryption', 'key.txt'),
 +   });
 -   const asarPath = join(packager.getResourcesDir(appOutDir), 'app.asar');
     console.log(`asarmor applying patches to ${asarPath}`);

diff --git a/bin/asarmor.ts b/bin/asarmor.ts
@@ -29,8 +29,8 @@ const program = new Command()
     (value) => parseNumber(value, false)
   )
   .option(
-    '-e, --encryption [key.txt file path or raw string]',
-    'encrypt the archive'
+    '-e, --encryption',
+    'encrypt the JavaScript files stored in the archive'
   )
   .addHelpText(
     'after',
@@ -55,7 +55,6 @@ async function main() {
     await encrypt({
       src: options.archive,
       dst: options.output,
-      key: options.encryption === true ? undefined : options.encryption,
     });
   }
 

diff --git a/example/electron/afterPack.js b/example/electron/afterPack.js
@@ -14,7 +14,6 @@ exports.default = async ({ appOutDir, packager }) => {
     await encrypt({
       src: asarPath,
       dst: asarPath,
-      key: join(root, 'build', 'src', 'encryption', 'key.txt'),
     });
 
     // then patch the header

diff --git a/example/node/build.js b/example/node/build.js
@@ -7,7 +7,7 @@ const {original, protected} = require('./constants');
   await asar.createPackageFromFiles('.', original, ['src/index.js', 'src/sum.js', 'package.json']);
   console.log('built archive:', original);
 
-  await asarmor.encrypt({src: original, dst: protected, key: '0x1e,0x79,0x7a,0x06,0x52,0xbe,0x5c,0x69,0xa1,0x8d,0x51,0x11,0x5e,0x4f,0xd4,0xfe,0x5d,0x66,0x03,0x8d,0x40,0x86,0xf2,0x53,0x2f,0x32,0xf0,0x84,0xef,0x27,0x3e,0xa1'});
+  await asarmor.encrypt({src: original, dst: protected});
   console.log('encrypted archive:', protected);
 
   // apply asarmor patches

diff --git a/src/encryption/encryption.ts b/src/encryption/encryption.ts
@@ -19,27 +19,18 @@ export type EncryptionOptions = {
    * @example `encrypted.asar`.
    */
   dst: string;
-
-  /**
-   *  File path to a hex-encoded encryption key or the encryption key in plaintext.
-   */
-  key?: string;
 };
 
-// TODO: encrypt files from existing asar archive.
-// See: https://github.com/sleeyax/asarmor/issues/42
-
 /**
  * Encrypts and packages all files into an asar archive.
  */
-export async function encrypt({
-  key: keyOrFile = join(__dirname, 'key.txt'),
-  src,
-  dst,
-}: EncryptionOptions) {
-  const key = (await pathExists(keyOrFile))
-    ? Buffer.from(fromHex(await readFile(keyOrFile)))
-    : Buffer.from(keyOrFile.includes(',') ? fromHex(keyOrFile) : keyOrFile);
+export async function encrypt({ src, dst }: EncryptionOptions) {
+  const keyFile = join(__dirname, 'key.txt');
+  if (!pathExists(keyFile)) {
+    throw new Error(`Key file '${keyFile}' not found.`);
+  }
+
+  const key = Buffer.from(fromHex(await readFile(keyFile)));
   const extractedPath = `${src}.extracted`;
 
   extractAll(src, extractedPath);