Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Using codesign and update from helper app #285

ybizeul opened this Issue · 7 comments

3 participants


I'm trying to run the update check from my helper app. I'm getting the path to my app bundle and get its SUUpdater.

But I constantly get an insecure update warning, the test in Sparkle code makes sure that the current bundle is the main bundle to use developer certificate. What is the reson for that ? Can I use developer certificate (and not DSA keys) if I'm checking for update from a helper background app ?


Hey ybizeul, I'm having the same issue while trying to use sparkle from within a preference pane. Mainbundle refers to system preferences which is not the bundle I am trying to update. In some circumstances I am even trying to update a preference pane from a helper app that is distributed within. Did you ever find a workaround to this?

I'm not quite sure I understand the reason behind checking that the bundle calling the update is the mainBundle. I guess I feel like sparkle should compare the signature of the bundle it is initialised with to the bundle that it has downloaded regardless of what process that check is running within.


We support apple code signing only for simple app in zip updates.

Everything else - plugins, pref panes, installers MUST use DSA signatures.

We can't verify Apple's code signature identity unless it's used to sign main (and the only) app bundle running.


Fair enough. I guess i'm just unsure why that is the limitation. Does OS X not allow you to compare the signatures of two arbitrary bundles or can you only compare another bundle with the current? Seems like this may be more a limitation of the current implementation than anything else. Would you be willing to accept a pull request if this functionality can be implemented or do you have a reason why this shouldn't be done?


It's probably just a limitation of the implementation:

so PRs are welcome. It is a security-sensitive code though, so it needs to be possible without any risky hacks.


Good to hear DSA worked for you.

@pornel pornel closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.