Releases: dineshkn-dev/tora
Releases · dineshkn-dev/tora
Tora v1.2.2
Tora v1.2.2
This patch release fixes a startup crash in the packaged macOS application.
Fixes
- Resolved a startup crash (dyld error) by adding
@executable_path/../Frameworksto theToraapplication binary's runtime search paths (rpaths). This allows the system to correctly locate the Sparkle framework in the app bundle.
Included artifacts
The release workflow publishes:
appcast.xmlTora-v1.2.2-macos.zipTora-v1.2.2-macos.zip.sha256Tora-v1.2.2-macos.dmgTora-v1.2.2-macos.dmg.sha256
Tora v1.2.1
Tora v1.2.1
This patch release fixes updater startup behavior introduced in v1.2.0.
Fixes
- Prevented Sparkle from starting when Tora is launched as an unbundled SwiftPM debug executable.
- Ensured local and ad-hoc packaged builds always use a numeric bundle version so Sparkle accepts the host app configuration.
Included artifacts
The release workflow publishes:
appcast.xmlTora-v1.2.1-macos.zipTora-v1.2.1-macos.zip.sha256Tora-v1.2.1-macos.dmgTora-v1.2.1-macos.dmg.sha256
Tora v1.2.0
Tora v1.2.0
This release adds app update support for packaged macOS builds.
Highlights
- Added a native
Check for Updates...menu item powered by Sparkle. - Enabled automatic update checks and automatic installation for future releases.
- Bundled and signed Sparkle with the packaged app so update verification happens inside the normal macOS app bundle.
- Added a signed Sparkle appcast to the release workflow.
Release pipeline
- Release builds now generate and publish
appcast.xmlfor Sparkle update discovery. - The appcast is signed with the configured Sparkle EdDSA private key, while the app bundle embeds the matching public key.
- Release notes are embedded into the Sparkle feed when a matching
.github/release-notes/<tag>.mdfile exists.
Upgrade note
Existing v1.1.0 builds do not contain Sparkle, so they cannot self-update to this version. Install v1.2.0 manually once; updates after this release can use the in-app updater.
Included artifacts
The release workflow publishes:
appcast.xmlTora-v1.2.0-macos.zipTora-v1.2.0-macos.zip.sha256Tora-v1.2.0-macos.dmgTora-v1.2.0-macos.dmg.sha256
Tora v1.1.0
Tora v1.1.0
This release focuses on hardening the macOS app around unsafe filesystem input, tightening release packaging, and improving the public GitHub Pages experience.
Highlights
- Added stricter symlink protection for download roots, torrent paths, and deletion targets so torrent-provided paths cannot escape the approved Tora download area through existing symbolic links.
- Hardened persistence loading by rejecting oversized metadata and settings files before decoding.
- Improved libtorrent integration checks and release packaging so release builds include binary verification for bundled app artifacts.
- Added sandbox entitlements for the packaged macOS app, including network access and Downloads folder access.
- Refreshed the GitHub Pages site with a product-first layout, real app screenshot, clearer security messaging, and mobile-safe navigation.
Security and safety
DownloadPathPolicynow rejects symlinked download directories and symlinked intermediate path components.TorrentPathValidatorrejects existing symlink path components before accepting torrent-provided file paths.DeletionPolicyrejects deletion roots that resolve through symlinks or outside the approved download root.- Added tests for symlink traversal, sibling-prefix rejection, deletion boundaries, and oversized persistence files.
Release pipeline
- Release packaging now verifies bundled Mach-O binaries and app entitlements before shipping artifacts.
- The release workflow builds libtorrent from source for the configured macOS deployment target before packaging.
- GitHub releases can now use versioned curated release notes when
.github/release-notes/<tag>.mdexists.
Included artifacts
The release workflow publishes:
Tora-v1.1.0-macos.zipTora-v1.1.0-macos.zip.sha256Tora-v1.1.0-macos.dmgTora-v1.1.0-macos.dmg.sha256
Tora v1.0.0
Full Changelog: https://github.com/dineshkn-dev/tora/commits/v1.0.0