1

I'm in the works of purchasing authenticode certs from Digicert for an open source Electron project. However I'm concerned with how Electron is built if my certificates will remain safe. From what I can see electron-builder, code signing is only done to the executable files like Electron.exe. What about the ASAR archive? Technicially couldn't someone maliciously swap out the asar archive, rename the executable, and then redistribute the newly formed application with my certificates attached?

How would one go about preventing something like that?

Dustin
  • 6,207
  • 19
  • 61
  • 93
  • Electron/ASAR does not protect your source. See https://github.com/electron/electron/issues/3041 – BadZen Dec 07 '16 at 01:43
  • 1
    @BadZen I'm not looking to protect my source, but rather the certificates used to sign electron executables. https://github.com/electron/windows-installer#sign-your-installer-or-else-bad-things-will-happen – Dustin Dec 07 '16 at 01:48
  • You don't need to protect certificates; they're public. All they do is say that the owner of the private key can attest to having signed the binary. PK signatures do nothing to prevent someone from handing your .exe to someone else (with different data or with your data). If you want, you can checksum the archive and have the binary check the checksum. But then you'll need to release a new binary with every data update. – BadZen Dec 07 '16 at 01:52

0 Answers0