fix: compute integrity over transformed bytes when a transform is applied#450
Merged
Conversation
…lied When a transform is registered, the transformed content is written to a temporary file and stored in the archive, but the integrity hash was still computed from the original (pre-transform) source stream. This meant the header integrity did not match the bytes actually stored in the archive. Compute the integrity over the transformed temp file so the recorded hash and block hashes match the stored bytes. The packthis-transformed expected fixture has been regenerated; the only change is file0.txt's integrity hash, which now reflects the stored (transformed) bytes instead of the original ones. Fixes #277
MarshallOfSound
approved these changes
Jun 27, 2026
VerteDinde
approved these changes
Jun 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Requested by Samuel Attard · Slack thread
Fixes #277.
Before
When a
transformis registered, the transformed content is written to a temporary file and that temp file's bytes are what actually get stored in the archive. The file'ssizeis also taken from the transformed temp file. However, the integrity hash was still computed from the original, pre-transform source stream (getFileIntegrity(streamGenerator())).As a result, the header's integrity hash (and block hashes) did not match the bytes that were actually stored in the archive. Any consumer that validates the stored content against the recorded integrity would see a mismatch whenever a transform changed the bytes.
After
The integrity is computed over the transformed temp file, so the recorded
hashandblocksmatch the bytes that are actually stored in the archive.How
In
src/filesystem.ts,insertFileAsyncnow hashes the transformed output instead of re-reading the untransformed source:This mirrors what
disk.tsalready does when writing the archive body, which reads fromtransformed.pathfor transformed files.A regression test was added (
test/asar-spec.ts, under thetransformdescribe block) that packs a file with a byte-changing transform and asserts that the header integrity matches the SHA256 of the actual stored (transformed) bytes returned byextractFile. This test fails without the fix and passes with it.The
test/expected/packthis-transformed.asarfixture was regenerated; the only change isfile0.txt's integrity hash, which now reflects the stored (transformed) bytes instead of the original ones — the rest of the header is byte-identical.Testing
yarn testwas not exercised in this environment because the Electron binary download is blocked here; it runs the same test files unchanged.Generated by Claude Code