
Releases: sparkle-project/Sparkle

2.6.1 - Important security fix

02 May 20:29

This update fixes a vulnerability that allows an attacker to replace an existing signed update with another payload, which bypasses Sparkle’s (Ed)DSA signing checks (#2550). Apps that serve updates over HTTPS (most if not all apps) are not immediately impacted because the server hosting the update (or a CA) needs to first be compromised for an attacker to exploit this issue. Updating Sparkle with this fix ASAP is still strongly recommended however because an important security layer can be bypassed.

All older versions of Sparkle are affected by this bug. Patches are also available for 1.27.1 (bbe887e) and 2.2.2 (bb1e4d0). I will soon evaluate whether it is feasible to publish older versions (1.27.2 and 2.2.3) with this fix to support older operating system versions.
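The fix shipped in 2.6.1 is described above only as "extract archives in a separate directory from the input archive". The following is an added example, not Sparkle's own code, that models that defensive pattern in Python: the archive is integrity-checked, extracted into a directory that is required to be separate from the one holding the archive, every member is required to land inside that directory, and the archive's digest is re-checked after extraction so that nothing the extraction wrote can have replaced the verified input. A SHA-256 digest stands in for Sparkle's EdDSA signature because the Python standard library has no Ed25519; the archive contents, the function names and the containment check on member paths are assumptions for illustration.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Added example, not Sparkle's code. A SHA-256 digest stands in for the
# EdDSA signature check; the archive below is constructed test data.


def sha256_file(path):
    """Digest of a file on disk, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_constructed_archive(archive_path, entries):
    """Write a tar.gz containing the given {name: bytes} entries (constructed data)."""
    with tarfile.open(archive_path, "w:gz") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))


def extract_verified_archive(archive_path, expected_digest, dest_dir):
    """Verify the archive, extract it into dest_dir, then re-verify the archive.

    dest_dir must not be the archive's own directory or a subdirectory of it,
    so that nothing written during extraction can touch the verified input.
    Returns the list of extracted member names.
    """
    archive_dir = os.path.dirname(os.path.realpath(archive_path))
    dest_real = os.path.realpath(dest_dir)
    if dest_real == archive_dir or dest_real.startswith(archive_dir + os.sep):
        raise ValueError("extraction directory must be separate from the archive's directory")

    # Check the input before extracting anything.
    if sha256_file(archive_path) != expected_digest:
        raise ValueError("archive failed integrity check before extraction")

    extracted = []
    with tarfile.open(archive_path, "r:gz") as tf:
        for member in tf.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            # Only regular files, and only ones that resolve inside dest_dir.
            if not member.isfile() or not target.startswith(dest_real + os.sep):
                raise ValueError(f"rejecting archive member {member.name!r}")
            tf.extract(member, dest_real)
            extracted.append(member.name)

    # The verified input must be byte-for-byte unchanged after extraction.
    if sha256_file(archive_path) != expected_digest:
        raise ValueError("archive changed during extraction")
    return extracted


def demo():
    """Extract a constructed update archive safely; refuse same-directory extraction."""
    with tempfile.TemporaryDirectory() as root:
        download_dir = os.path.join(root, "download")
        os.makedirs(download_dir)
        archive = os.path.join(download_dir, "update.tar.gz")
        build_constructed_archive(archive, {
            "App/Contents/Info.plist": b"<plist/>",
            "App/Contents/MacOS/App": b"#!/bin/sh\n",
        })
        digest = sha256_file(archive)

        extract_dir = os.path.join(root, "extract")
        os.makedirs(extract_dir)
        names = extract_verified_archive(archive, digest, extract_dir)

        # Extracting next to the archive itself is the pattern the fix removes.
        try:
            extract_verified_archive(archive, digest, download_dir)
            same_dir_refused = False
        except ValueError:
            same_dir_refused = True
        return sorted(names), same_dir_refused


if __name__ == "__main__":
    print(demo())
```

The order matters: verification happens on the archive as downloaded, the extraction target is a fresh directory the archive cannot reach, and the digest is confirmed again afterwards. If the post-extraction check fails, the installer should discard everything in the extraction directory rather than proceed with it.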

Please check the Discussions topic for this release for more details or follow up.

Update: generate_appcast may not work for certain archive types (#2554) in 2.6.1. I will resolve this soon. Use generate_appcast from 2.6.0 as a workaround.

Overall changes in 2.6.1:

  • Extract archives in a separate directory from the input archive, fixing a security vulnerability (#2550) (Zorg)
  • Fix the release notes WebKit view not updating background when transitioning from light to dark mode (#2542) (Zorg)
  • Add NN (Norwegian Nynorsk) locale (#2532) (Sjur N Moshagen, Zorg)
  • Create tar.xz files with built-in tar and remove bzip2 fallback for creating a release distribution (#2535) (Zorg)
  • Add fallback in case SULocalizedStringFromTableInBundle() fails (#2533) (Zorg)
  • Remove assert on download response being available fixing rare crash (#2547) (Zorg)
  • Clarify when the authorization prompt may show in SPUUserDriver documentation (#2531, #2534) (Zorg)
  • Fix typos in codebase (#2537) (Viktor Szépe)

1.27.2 - Important security fix

03 May 06:03

Changes:

  • Extract archives in a separate directory from the input archive, fixing a security vulnerability (#2552) (Zorg)
  • Fix incorrect xz log warning in make release (#2044) (trss)

This release contains a security fix backported from 2.6.1.

The minimum system requirement for this release is still macOS 10.9.

Note: this release is not available for CocoaPods yet (because I need to first fetch an old macOS/Xcode setup).

2.6.0 Further Sonoma Improvements

15 Mar 19:46

Changes:

  • Perform Gatekeeper scan to pre-warm app launch (#2505) (Zorg)
  • Disable sandboxing for the Downloader XPC service by default to fix downloader prompt warnings about “Downloader” differing from previously opened versions (#2511) (Zorg)
  • Store private seed as the secret for newly generated keys (#2472) (Zorg)
  • Improve signing error message to developers if they serve the wrong update file (#2471) (Zorg)
  • Prevent app modification warnings from external updaters (like sparkli-cli) by improving installation (#2516) (Zorg)
  • Update Korean localization (#2504) (CheolHyun Mun)
  • Use $PROJECT_DIR instead of $SRCROOT (#2489) (Zorg)
  • Set Package.swift minimum deployment to macOS 10.13 (#2481) (Eitot)
  • Fix false positive analyzer warning about resumableUpdate type (#2454) (Zorg)

This update is recommended for sandboxed apps that enable Sparkle's Downloader XPC Service because it fixes a bug where an app may show a "Downloader" differing from previously opened versions prompt warning. The sandboxing guide for the Downloader Service and Code Signing has been updated.

For users running macOS 14.4 or later, a Gatekeeper scan is performed on the new update before installing it, which may skip a "Verifying.." dialog when relaunching the app.

Discussion

2.6.0-beta.2

04 Mar 03:05
Pre-release
  • Perform Gatekeeper scan to pre-warm app launch (#2505) (Zorg)
  • Disable sandboxing for the Downloader XPC service by default to fix downloader prompt warnings (#2511) (Zorg)
  • Store private seed as the secret for newly generated keys (#2472) (Zorg)
  • Improve signing error message to developers if they serve the wrong update file (#2471) (Zorg)
  • Prevent app modification warnings from external updaters (like sparkli-cli) by improving installation (#2516) (Zorg)
  • Update Korean localization (#2504) (CheolHyun Mun)
  • Use $PROJECT_DIR instead of $SRCROOT (#2489) (Zorg)
  • Set Package.swift minimum deployment to macOS 10.13 (#2481) (Eitot)
  • Fix false positive analyzer warning about resumableUpdate type (#2454) (Zorg)

The Downloader XPC Service is no longer sandboxed by default. If you use this service, please check the updated sandboxing guide.

For users running macOS 14.4 (beta) or later, a Gatekeeper scan is performed on the new update before installing it.

Discussion

2.6.0-beta.1

24 Feb 04:05
Pre-release

Changes:

  • Perform Gatekeeper scan to pre-warm app launch (#2505) (Zorg)
  • Disable sandboxing for the Downloader XPC service by default to fix downloader prompt warnings (#2511) (Zorg)
  • Store private seed as the secret for newly generated keys (#2472) (Zorg)
  • Improve signing error message to developers (#2471) (Zorg)
  • Update Korean localization (#2504) (CheolHyun Mun)
  • Use $PROJECT_DIR instead of $SRCROOT (#2489) (Zorg)
  • Set Package.swift minimum deployment to macOS 10.13 (#2481) (Zorg)
  • Fix false positive analyzer warning about resumableUpdate type (#2454) (Zorg)

The Downloader XPC Service is no longer sandboxed by default. If you use this service, please check the updated sandboxing guide.

For users running macOS 14.4 (beta) or later, a Gatekeeper scan is performed on the new update before installing it.

2.5.2 Release Notes + Sonoma Improvements

21 Dec 17:27

Changes:

  • Don't clean up update directory when Autoupdate receives SIGTERM to fix a rare corruption issue where the installed bundle could be missing files (#2479) (Zorg)
  • Update Japanese localization (#2475) (1024jp)
  • Improve Turkish translations (#2464) (Emir SARI)
  • Update Spanish translation for 'You are currently running version %@.' and 'Version History' (#2463) (Billy Gray)

2.5.1 Release Notes + Sonoma Improvements

16 Oct 00:45

Changes:

  • Default to English for XML nodes when no xml:lang is present (#2440) (Zorg)
  • Filter for archive files in generate_appcast more intelligently (#2448) (Zorg)
  • Use correct entitlements and dsym files when using custom bundle id and XPC names in ConfigCommon (#2446) (floorish)

Please also see the changes in 2.5.0.

2.5.0 Release Notes + Sonoma Improvements

16 Sep 01:15

Changes:

  • Add ability to adapt release notes based on the currently installed version (#2373) (docs) (Nathan Manceaux-Panot)
  • Allow developers to use custom URL schemes in the release notes view (#2393) (docs) (Zorg)
  • Adopt cooperative app activation APIs in macOS 14 Sonoma (#2409) (Zorg)
  • Improve permission prompt layout (#2420) (Zorg)
  • Remove hyphenation in "You're up to date" message (#2425) (Zorg, Dom Neill)
  • Pre-warm installs before relaunch and resolve sporadic failures in CI (#2421) (Zorg)
  • Fix make release not building distribution successfully (#2430) (Zorg)
  • Fix Updater app not starting when running Sparkle as root (e.g. from CLI with sudo or a daemon) on macOS 14 Sonoma (#2432) (Zorg)
  • Fix KVO usage for updaterController.updater.* (#2404) (Zorg)
  • Replace CFUUID* with NSUUID (#2395) (Eitot)
  • Report an error when detecting duplicate updates in generate_appcast (#2407) (Zorg)
  • Improve error for rejecting xattr based code signing for delta updates (#2408) (Zorg)
  • Fail gracefully when auxiliary tool cannot be located (#2436) (Zorg)

This release includes enhancements to Sparkle's release notes view and compatibility improvements for macOS 14 Sonoma.

Discussion

2.5.0-beta.2

02 Sep 19:31
Pre-release

Changes since beta 1:

  • Improve permission prompt layout (#2420) (Zorg)
  • Remove hyphenation in "You're up to date" message (#2425) (Zorg, Dom Neill)
  • Pre-warm installs before relaunch and resolve sporadic failures in CI (#2421) (Zorg)
  • Fix make release not building distribution successfully (#2430) (Zorg)
  • Fix Updater app not starting when running Sparkle as root (e.g. from CLI with sudo or a daemon) on macOS 14 Sonoma (#2432) (Zorg)

Overall Changes:

  • Add ability to adapt release notes based on the currently installed version (#2373) (Nathan Manceaux-Panot)
  • Allow developers to use custom URL schemes in the release notes view (#2393) (Zorg)
  • Adopt cooperative app activation APIs in macOS 14 Sonoma (#2409) (Zorg)
  • Improve permission prompt layout (#2420) (Zorg)
  • Remove hyphenation in "You're up to date" message (#2425) (Zorg, Dom Neill)
  • Pre-warm installs before relaunch and resolve sporadic failures in CI (#2421) (Zorg)
  • Fix make release not building distribution successfully (#2430) (Zorg)
  • Fix Updater app not starting when running Sparkle as root (e.g. from CLI with sudo or a daemon) on macOS 14 Sonoma (#2432) (Zorg)
  • Fix KVO usage for updaterController.updater.* (#2404) (Zorg)
  • Replace CFUUID* with NSUUID (#2395) (Eitot)
  • Report an error when detecting duplicate updates in generate_appcast (#2407) (Zorg)
  • Improve error for rejecting xattr based code signing for delta updates (#2408) (Zorg)

Discussion

2.5.0-beta.1

31 Jul 04:00
Pre-release

Changes:

  • Add ability to adapt release notes based on the currently installed version (#2373) (Nathan Manceaux-Panot) (docs)
  • Allow developers to use custom URL schemes in the release notes view (#2393) (Zorg) (docs)
  • Adopt cooperative app activation APIs in macOS 14 Sonoma (#2409) (Zorg)
  • Replace CFUUID* with NSUUID (#2395) (Eitot)
  • Fix KVO usage for updaterController.updater.* (#2404) (Zorg)
  • Report an error when detecting duplicate updates in generate_appcast (#2407) (Zorg)
  • Improve error for rejecting xattr based code signing for delta updates (#2408) (Zorg)

This release includes enhancements to Sparkle's release notes view and compatibility improvements for macOS 14 Sonoma.

Discussion