From dda314753cb203e6ba42d6cc54b2ff8132699fdd Mon Sep 17 00:00:00 2001 From: Zorg Date: Sat, 13 Sep 2025 18:35:32 -0700 Subject: [PATCH] Update notes on security and package updates --- documentation/package-updates/index.md | 14 +++----------- documentation/security-and-reliability/index.md | 3 +++ documentation/upgrading/index.md | 2 ++ 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/documentation/package-updates/index.md b/documentation/package-updates/index.md index 86ca8d2..cb8c7bf 100644 --- a/documentation/package-updates/index.md +++ b/documentation/package-updates/index.md @@ -5,7 +5,7 @@ title: Package Updates --- ## Package Updates -Package installation allows Sparkle to update your application by downloading and installing a package, `pkg`, or multi-package, `mpkg` usually without user interaction except for asking for an administrator password. +Package installation allows Sparkle to update your application by downloading and installing a package, `pkg`, or multi-package, `mpkg` without user interaction except for asking for an administrator password. Note package installation should only be used for apps with very custom installation needs that cannot be satisfied by distributing a regular app bundle. For Sparkle, the downsides of using package updates are: 
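Review bot: the sentence added at the end of this hunk ("Note package installation should only be used for apps with very custom installation needs ...") does not follow the note style the rest of this page uses; the hunk further down writes notes as `**Note**: For Sparkle 2, you must also add ...`, so this one should read `**Note**: Package installation should only be used ...` (or at least "Note that package installation ..."). The same line also drops the comma after the second code span: "a package, `pkg`, or multi-package, `mpkg`, without user interaction except for asking for an administrator password". Removing "usually" turns that into an absolute promise of no interaction beyond the password prompt; that is fine if intended, but the next hunk in this same file adds a case (development builds on 2.7.3) where installation may not work at all, so consider a cross-reference or a softer wording here.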
@@ -17,6 +17,8 @@ Note package installation should only be used for apps with very custom installa Applications that [install daemons](https://developer.apple.com/documentation/servicemanagement/smappservice) or [install system extensions](https://developer.apple.com/documentation/systemextensions/installing-system-extensions-and-drivers) do not need to distribute package installers. +As of Sparkle 2.7.3, installing package updates may not work in development builds of apps where Sparkle's helper tools are not usually re-signed. If this is the case, please [test Sparkle](/documentation#6-test-sparkle-out) either from a notarized version of your app, or from a version that was installed by your package installer. + ### Bare Package Installation Sparkle supports serving and signing flat `*.pkg` or `*.mpkg` packages directly without having to zip or archive them. This method requires users from old versions of your application to be using [Sparkle 1.26 or later](/documentation/upgrading/). If you have users running older versions of Sparkle, you can expedite migration by [switching to a new appcast](/documentation/publishing/#upgrading-to-newer-features), or use [Archived Package Installation](#archived-package-installation) until the majority of your users update. 
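Review bot: the new 2.7.3 paragraph says package updates "may not work in development builds" but gives neither the reason nor the symptom, so a developer who hits it cannot tell it apart from a broken package. The hunk already hints at the cause (whether Sparkle's helper tools are re-signed) and the security table in this same patch ties 2.7.3 to hardening package installation through the Installer XPC Service; state plainly what check a development build fails and what the developer will see (an error in the updater, a silent no-op, or an authorization prompt that goes nowhere). Minor: "where Sparkle's helper tools are not usually re-signed" reads better as "where Sparkle's helper tools usually are not re-signed", and `/documentation#6-test-sparkle-out` is a fragment link into the numbered main page, so it breaks as soon as that section is renumbered; prefer a stable anchor if the site has one.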
@@ -28,13 +30,3 @@ This method is the recommended way of serving package based updates because it a A package installation occurs when Sparkle finds a `*.pkg` or `*.mpkg` file in the root of the download archive (e.g, from within a `.zip`). **Note**: For Sparkle 2, you must also add `sparkle:installationType="package"` to your appcast item's `enclosure` for updating archived packages. - -### Interactive Archived UI Installation - -**Warning**: This type of installation is deprecated and may be removed one day. Please don't use it for future updates to your application. - -An interactive installation occurs when Sparkle finds a `*.sparkle_interactive.pkg` or `*.sparkle_interactive.mpkg` file in the root of the download archive. - -The package will be installed using macOS's built-in GUI installer. The installation will require user to manually click through the steps, so we don't recommend this type of installation. You must also archive your package update (e.g, in a `.zip`) to get this behavior. - -**Note**: For Sparkle 2, you must also add `sparkle:installationType="interactive-package"` to your appcast item's `enclosure` for updating interactive packages. diff --git a/documentation/security-and-reliability/index.md b/documentation/security-and-reliability/index.md index 6f602f0..89bc88d 100644 --- a/documentation/security-and-reliability/index.md +++ b/documentation/security-and-reliability/index.md 
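Review bot: this hunk deletes the entire "Interactive Archived UI Installation" section, which was the only place documenting `sparkle:installationType="interactive-package"` and the `*.sparkle_interactive.pkg` / `*.sparkle_interactive.mpkg` naming, yet nothing in the patch says the behaviour itself was removed; the deleted text only said it "may be removed one day" and the commit message says "Update notes". If interactive installation still works in 2.7.3, keep a one-line deprecation note (the installation type, that it is deprecated, and that archived or bare package installation is the replacement) so someone who finds `interactive-package` in an existing appcast can still look it up; if it was actually removed, say so here and on the upgrading page together with the version that removed it.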
@@ -7,8 +7,11 @@ title: Update Improvements These are a list of *major* security and reliability improvements in Sparkle, or reasons why developers should consider upgrading Sparkle. Note this list is missing many other minor improvements that the [latest production release](//github.com/{{ site.github_username }}/Sparkle/releases) of Sparkle may have. +If you have any security concerns, please report them through the [Security tab on GitHub](https://github.com/sparkle-project/Sparkle/security). + | Version | Changes | | --------------- | -------------------------------------------------------------------------------------------------------------------------------------- | +| 2.7.3 | Fixes a security issue that allows attacker to gain access to TCC protected files using the Downloader XPC Service (#2763). Fixes an issue that allows an attacker to execute an arbitrary package installation through the Installer XPC Service with a shown authorization prompt, or through a race condition (#2763). Specific details about these local exploits can be found in [this discussion](https://github.com/sparkle-project/Sparkle/discussions/2764). | 2.6.4 | Fixes a security issue that allows an attacker to replace an existing signed update with another payload, which bypasses Sparkle's (Ed)DSA signing checks ([#2550](https://github.com/sparkle-project/Sparkle/pull/2550)); updating is strongly recommended and a fix is also backported to 1.27.3. Fixes an issue for sandboxed apps that enable the Downloader XPC Service from conflicting with each other and presenting a system dialog that "Downloader" differs from previously opened versions affecting macOS 14 and later ([#2511](https://github.com/sparkle-project/Sparkle/pull/2511)). Performs a Gatekeeper scan for signed app updates on macOS 14.4 and later so users don't see a system "Verifying..." dialog when an app update is relaunched ([#2505](https://github.com/sparkle-project/Sparkle/pull/2505)). 
| | 2.5.2 | Fixes a rare corruption issue resulting in missing files in the installed bundle, which Gatekeeper may reject ([#2479](https://github.com/sparkle-project/Sparkle/pull/2479)). Adopts macOS 14 Sonoma's cooperative app activation APIs instead of using `-[NSApplication activateIgnoringOtherApps:]` which was deprecated in macOS 14 (mainly impacts background/dockless running apps) ([#2409](https://github.com/sparkle-project/Sparkle/pull/2409)). Fixes updates not installing when executed from a Sparkle CLI utility as root (sudo) user on macOS 14 Sonoma (impacts few out-of-app updaters) ([#2432](https://github.com/sparkle-project/Sparkle/pull/2432)). | | 2.4.2 | Fixes `NSKeyedUnarchiver` decoding warning of appcast item that contains delta updates ([#2383](https://github.com/sparkle-project/Sparkle/pull/2383)). Hardens verification of passing the update's download to Sparkle's Autoupdate helper ([#2392](https://github.com/sparkle-project/Sparkle/pull/2392)). | diff --git a/documentation/upgrading/index.md b/documentation/upgrading/index.md index 6169965..6c7f26a 100644 --- a/documentation/upgrading/index.md +++ b/documentation/upgrading/index.md 
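Review bot: in the new 2.7.3 row, `#2763` is plain text in both places while every other row links its PR as `([#2550](https://github.com/sparkle-project/Sparkle/pull/2550))`; link it the same way so the row matches the table. The row also appears to lack the closing `|` the other rows end with (its text runs straight into `| 2.6.4 |`), which some renderers tolerate and others do not. Grammar: "allows attacker to gain access" should be "allows an attacker to gain access", and "through the Installer XPC Service with a shown authorization prompt, or through a race condition" is clearer as "through the Installer XPC Service, either via a shown authorization prompt or via a race condition". Content: the 2.6.4 row states that updating is strongly recommended and which older line received a backport (1.27.3); this row should likewise say whether 1.x is affected and whether a backport exists, since readers use this table to decide what to upgrade. Minor: the new "Security tab on GitHub" link hardcodes `sparkle-project` while the sentence just above it uses `{{ site.github_username }}`; use the template for consistency.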
@@ -12,6 +12,8 @@ Sparkle 2.7 introduces a new format for delta updates, which preserves the creat [Custom version comparators](/documentation/api-reference/Protocols/SPUUpdaterDelegate.html#/c:objc(pl)SPUUpdaterDelegate(im)versionComparatorForUpdater:) have been deprecated. Please use an increasing (numerical `x`, `x.y`, or `x.y.z`) `CFBundleVersion` / `sparkle:version` instead and disjoint them from more human presentable `CFBundleShortVersionString` / `sparkle:shortVersionString` if needed. +As of 2.7.3, package updates may need to be tested with a production build of your app, rather than a development one. Please see [package updates](/documentation/package-updates) for more information. + ## Upgrading to Sparkle 2.6 Sparkle 2.6 no longer sandboxes the Downloader XPC Service by default. If you enabled this XPC Service, please see the updated [sandboxing guide](/documentation/sandboxing) for more information.
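Review bot: the added line says package updates "may need to be tested with a production build of your app", whereas the package-updates page in this same patch says to test from a notarized version or from a version installed by your package installer. "Production build" is ambiguous (a Release-configuration build is not necessarily notarized or re-signed), so use the same wording in both places. It would also help to say what the "may" depends on (the package-updates hunk ties it to whether Sparkle's helper tools are re-signed) so readers can tell whether it applies to them. Placement: the paragraph sits under the Sparkle 2.7 delta-format and version-comparator notes but is specific to 2.7.3; lead with "Sparkle 2.7.3:" or give it its own short heading in the page's style so it is not read as a 2.7.0 change.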