Electron-packager: Hide Source Code of Application

Does the asar format meet your needs?

It does, but it can be extracted. I've tried bundling the asar with the exe using the same method above (with copy /B) but it doesn't work.

I honestly like electron far better than nw.js, but this is the deal-breaker. If you can't package applications, then what's the point?

There's not currently another way to merge all of the source files into one file using electron-packager. A library to do what you propose would be welcome to be integrated into electron-packager, the same as asar currently is.

I mean it's technically possible to do, but it would mean changing the source of electron itself.

You can already drag .asar archives into the .exe file. And also run the .asar files with electron.exe (in cmd)..

So maybe there is a way we could get it work that way?

It sounds like you might want to file an issue with either asar or electron to have this implemented in one of those places first.

I wonder how the closed source apps in https://github.com/sindresorhus/awesome-electron packaged their apps.

Well, if you look at Visual Studio Code, for example, they don't even pack up an asar - you can plainly see the contents of the resources/app folder. The JavaScript is minified, and there is a _lot_ of it, but technically someone who is _really persistent_ (and perhaps really bored and really needs other hobbies) could try to piece together what it's doing.

As the OP points out, even combining the data with the executable doesn't make the source completely inaccessible, it just further obscures it. Ultimately, you can arrive at some level of "security through obscurity", but that's as far as you're going to get. (This is arguably true of other languages as well to varying extents, e.g. using Java decompilers.)

If someone has a concrete requirement for something we need to support then feel free to open another issue, but I'm closing this as it's not clear theres anything we need to do here.

All this module does is package up an app in the formats Electron supports, so if someone has a new idea for a format that Electron can support that lets you obfuscate your source code, and we don't support that format, then open an issue.

@maxogden Is there any sort of source validation that takes place (like hashes)? Because as it stands, what stops someone from editing source and running the application?

That would be far more important to me then hiding the source.

@jacobvalenta theres nothing built in to electron to do that, so we don't support anything like that (since we only support what electron supports). you would have to implement that in your own module and run it on your code before using electron-packager

@maxogden Since this issue was closed, javascript obfuscators became very powerful, and useful enough for majority who want to protect their code. I found a package doing it, but would be very convenient to have option in this packager already.
https://github.com/timedotcc/asar-package-obfuscator

I'm not going to add built-in support for this, but if someone in the community wants to write a plugin for this, I would be happy to link to it in the README. Although the package you link to seems to be meant to be run after Electron Packager is run.

@maxogden Since this issue was closed, javascript obfuscators became very powerful, and useful enough for majority who want to protect their code. I found a package doing it, but would be very convenient to have option in this packager already.
https://github.com/timedotcc/asar-package-obfuscator

can you tell me how can i use this package?

@maxogden Since this issue was closed, javascript obfuscators became very powerful, and useful enough for majority who want to protect their code. I found a package doing it, but would be very convenient to have option in this packager already.
https://github.com/timedotcc/asar-package-obfuscator

can you tell me how can i use this package?

just run index.js using node index.js input.asar output.asar you can see implementation here https://github.com/nils-kt/asar-package-obfuscator/blob/master/index.js

The only feasible method would be to modify the source code of Electron, add some sort of encryption mechanism to decrypt an encrypted asar, and so forth.

The other option would be to bundle two executables, one a regular NodeJS application running a webserver (use pkg to create an executable out of it) and then create a "client" with electron.

There are still work arounds, but you could add obfuscation to make things more difficult for people who try to read your source code.