Sparkle

2.6.1

A software update framework for macOS
sparkle-project/Sparkle

What's New

2.6.1 - Important security fix

2024-05-02T20:29:24Z

This update fixes a vulnerability that allows an attacker to replace an existing signed update with another payload, which bypasses Sparkle’s (Ed)DSA signing checks (#2550). Apps that serve updates over HTTPS (most if not all apps) are not immediately impacted because the server hosting the update (or a CA) needs to first be compromised for an attacker to exploit this issue. Updating Sparkle with this fix ASAP is still strongly recommended, however, because an important security layer can be bypassed.

All older versions of Sparkle are affected by this bug. Patches are also available for 1.27.1 (bbe887e) and 2.2.2 (bb1e4d0). I will soon evaluate if it’s feasible to publish older versions (1.27.2 and 2.2.3) with this fix for supporting older operating system versions.

Please check the Discussions topic for this release for more details or follow up.

Update: generate_appcast may not work for certain archive types (#2554) in 2.6.1. I will resolve this soon. Use generate_appcast in 2.6.0 as a workaround.

Overall changes in 2.6.1:

  • Extract archives in a separate directory from the input archive and fix a security vulnerability (#2550) (Zorg)
  • Fix the release notes WebKit view not updating background when transitioning from light to dark mode (#2542) (Zorg)
  • Add NN (Norwegian Nynorsk) locale (#2532) (Sjur N Moshagen, Zorg)
  • Create tar.xz files with built-in tar and remove bzip2 fallback for creating a release distribution (#2535) (Zorg)
  • Add fallback in case SULocalizedStringFromTableInBundle() fails (#2533) (Zorg)
  • Remove assert on download response being available fixing rare crash (#2547) (Zorg)
  • Clarify when authorization prompt may show in SPUUserDriver documentation (#2531, #2534) (Zorg)
  • Fix typos in codebase (#2537) (Viktor Szépe)

Sparkle 2

Secure and reliable software update framework for macOS.

Sparkle 2 adds support for application sandboxing, custom user interfaces, updating external bundles, and a more modern architecture which includes faster and more reliable installs.

Pre-releases, when available, can be found on Sparkle's Releases page or on your favorite package manager. More nightly builds can be downloaded by selecting a recent workflow run and downloading the corresponding Sparkle-distribution artifact.

The current status for future versions of Sparkle is tracked by its roadmap.

Please visit Sparkle's website for up-to-date documentation on using and migrating over to Sparkle 2. Refer to the Changelog for a more detailed list of changes. More internal design documents for the project can be found in the repository under Documentation.

Features

  • Seamless. There's no mention of Sparkle; your icons and app name are used.
  • Secure. Updates are verified using EdDSA signatures and Apple Code Signing. Supports Sandboxed applications in Sparkle 2.
  • Fast. Supports delta updates which only patch files that have changed and atomic-safe installs.
  • Easy to install. Sparkle requires no code in your app, and only needs static files on a web server.
  • Customizable. Sparkle 2 supports plugging in a custom UI for updates.
  • Flexible. Supports applications, package installers, preference panes, and other plug-ins. Sparkle 2 supports updating external bundles.
  • Handles permissions, quarantine, and automatically asks for authentication if needed.
  • Uses RSS-based appcasts for release information. Appcasts are a de-facto standard supported by 3rd party update-tracking programs and websites.
  • Stays hidden until second launch for better first impressions.
  • Truly self-updating — the user can choose to automatically download and install all updates in the background.
  • Ability to use channels for beta updates (in Sparkle 2), add phased rollouts to users, and mark updates as critical or major.
  • Progress and status notifications for the host app.

Requirements

  • Runtime: macOS 10.13 or later.
  • Build: Latest major Xcode (stable or beta, whichever is latest) and one major version less.
  • HTTPS server for serving updates (see App Transport Security)

Usage

See getting started guide. No code is necessary, but a bit of configuration is required.

Troubleshooting

  • Please check Console.app for logs under your application. Sparkle prints detailed information there about all problems it encounters. It often also suggests solutions to the problems, so please read Sparkle's log messages carefully.

  • Use the generate_appcast tool which creates appcast files, correct signatures, and delta updates automatically.

  • Make sure the URL specified in SUFeedURL is valid (typos/404s are a common error!), and that it uses modern TLS (test it).
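
A lint pass over an appcast that checks what the notes above rely on: every enclosure is served over HTTPS and carries an EdDSA signature. This is an added example, not part of Sparkle or of this page; the sample feed and function names are constructed, and it checks only that a signature is present and well-formed, not that it verifies against your public key.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"
ED_SIG = f"{{{SPARKLE_NS}}}edSignature"

# Constructed sample feed: one well-formed item, one with three problems.
# GOOD_SIG is 64 zero bytes, the right shape for Ed25519 but not a real signature.
GOOD_SIG = base64.b64encode(bytes(64)).decode()
SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
<channel>
  <item><title>2.0</title>
    <enclosure url="https://example.com/App-2.0.zip" length="1024"
               sparkle:edSignature="{GOOD_SIG}" type="application/octet-stream"/>
  </item>
  <item><title>1.9</title>
    <enclosure url="http://example.com/App-1.9.zip" length="0"
               type="application/octet-stream"/>
  </item>
</channel></rss>"""


def lint_enclosure(enc):
    """Return a list of problems for one <enclosure> element."""
    problems = []
    if urlparse(enc.get("url", "")).scheme != "https":
        problems.append("download URL is not HTTPS")
    sig = enc.get(ED_SIG)
    if sig is None:
        problems.append("missing sparkle:edSignature")
    else:
        try:
            raw = base64.b64decode(sig, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) != 64:  # Ed25519 signatures are exactly 64 bytes
            problems.append("sparkle:edSignature is not 64 bytes of base64")
    length = enc.get("length", "")
    if not length.isdigit() or int(length) == 0:
        problems.append("length is missing or zero")
    return problems


def lint_appcast(xml_text):
    """Map each enclosure URL (full and delta updates) to its problems."""
    root = ET.fromstring(xml_text)
    return {enc.get("url", "(no url)"): lint_enclosure(enc)
            for enc in root.iter("enclosure")}
```

Run it against the feed you publish at SUFeedURL after each generate_appcast run; an empty list for every URL means the feed has the expected shape.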

API symbols

Sparkle is built with -fvisibility=hidden -fvisibility-inlines-hidden which means no symbols are exported by default. If you are adding a symbol to the public API you must decorate the declaration with the SU_EXPORT macro (grep the source code for examples).

Building the distribution package

You do not usually need to build a Sparkle distribution unless you're making changes to Sparkle itself.

To build a Sparkle distribution, cd to the root of the Sparkle source tree and run make release. Sparkle-VERSION.tar.xz will be created and revealed in Finder after the build has completed.

Alternatively, build the Distribution scheme in the Xcode UI.

Code of Conduct

We pledge to have an open and welcoming environment. See our Code of Conduct.

Description

  • Swift Tools 5.3.0

Dependencies

  • None
Last updated: Wed May 15 2024 17:21:07 GMT-0900 (Hawaii-Aleutian Daylight Time)