Swiftpack.co - Package - sparkle-project/Sparkle

404: Not Found

Github

link
Stars: 5067

Dependencies

Used By

Total: 0

Releases

Bug fixes - 2020-05-13 10:29:18

This build is for Intel Macs only. Sparkle supports Apple Silicon (ARM) if you compile it yourself using the latest Xcode beta.

  • Fixed error about "about:blank" release notes (Louis Pontoise)
  • Use the SHA-256 hash of the archive as the cache path (Nate Weaver)
  • Don't return an optional from the FileHandle method (Nate Weaver)
  • Added URL+Hashing (Nate Weaver)
  • Update SUUpdateAlert.xib (DanielFirlej)
  • Added help command line option (Dominik H)
  • Added function that parses all command line options (Dominik H)
  • Command line option to provide a download url prefix is now parsed and set on each archive item (Dominik H)

- 2020-02-11 18:22:13

This build is for Intel Macs only. Sparkle supports Apple Silicon (ARM) if you compile it yourself using the latest Xcode beta.

  • Support generating appcast with localizations (#1499) (Alik Vovkotrub)
  • Support versions with git commit SHA (#1504) (Alec Larson)
  • Hide "Skip..." and "Remind..." buttons when they're not relevant (#1480) (Kenneth Johnsen)
  • Preserve Finder tags while updating apps (#1512) (CoreCode)
  • Read-only update alert dialog formatting improvements (#1515) (Quinn Taylor)
  • Check if SUBundleName is set before normalizing (Jake Fenton)
  • NSInteger cast warning on Xcode 11 (Marga Keuvelaar)
  • Correct appcast file extension (Tom Vos)
  • Update Sparkle.strings (Emir Sarı)
  • Fix spelling (#1508) (Frank Chiarulli Jr)
  • Fix missing Danish translations in Sparkle.strings (Kenneth Johnsen)
  • Update Sparkle.strings (#1531) (BR Lingo)
  • Remove .h files from Build Rules for bsdiff and ed25519 (#1538) (pteeson)

Many small improvements - 2019-09-22 12:07:35

  • Add delegate methods to suppress update alerts (George Nachman)
  • Improved error when running from translocated location (Michael Buckley)
  • Add phased rollout feature (#1381) (Fabian Jäger)
  • Ignore non-standard permissions in delta updates instead of failing the build (Kornel Lesiński)
  • Notify user when installed version is newer than the latest in the appcast (CoreCode)
  • Reset timers after computer sleep (CoreCode)
  • Block-based alternatives to NSInvocation-based delegate methods (Fabian Jäger)
  • add delegate userDidSkipThisVersion (BobZombie, Leo Natan)
  • Pass item to updaterShouldShowUpdateAlertForScheduledUpdate delegate method (George Nachman)
  • Support providing private key as argument (Yakuhzi)
  • Separate the ed25519 sources into a new static library (Tony Arnold)
  • Disambiguate signing error messages (Nate Weaver)
  • Use XMLNode.Options.nodePrettyPrint in generate_appcast instead of trying to add whitespace manually (fumoboy007)
  • Annotate SUHost for nullability (Michael Buckley)
  • Use SUAVAILABLE macro (Christiaan Hofman)
  • Fix warnings when using modules (nivekkagicom)
  • Correction of Czech localization inconsistency (#1403) (vojtakonarik)
  • BR locale fix (BR Lingo)
  • Update Japanese localization (fujisoft)
  • French Sparkle.strings (Jean-Baptiste)

Hardened runtime - 2019-06-29 13:52:48

Small bugfixes - 2019-02-11 14:17:40

  • Catch exceptions from subcommands (Julian Mayer)
  • generate_appcast can sign any bundles instead of just apps (Nate Weaver)
  • Check that effectiveAppearance is being observed before calling removeObserver (Pierluigi)
  • Losslessly reduced the size of PNG (Barijaona Ramaholimihaso)

EdDSA Delta Dark Mode - 2018-12-18 22:02:53

  • Allow EdDSA for delta updates, too (Kornel)
  • Warning fixes (Brian Bergstrand)
  • Improvements to release notes view context menu and dark mode (Bi11)

1.21.1 is the same as 1.21.0 - 2018-12-10 12:54:13

EdDSA upgrade is here - 2018-11-25 16:07:15

The DSA algorithm that has been used by Sparkle so far is considered outdated. We're migrating to a newer, more secure EdDSA (ed25519) signatures. We still support DSA signatures for existing applications, but all new apps should use EdDSA from now on.

We now use macOS Keychain to automatically store private EdDSA keys, which is more convenient and more secure.

  • Added support EdDSA (ed25519) signatures (Kornel)
    • Both old DSA and new EdDSA are still supported (and old apps can use both), but new applications should use EdDSA only, and we recommend migrating away from DSA signatures.
  • generate_keys is now a Swift tool that stores EdDSA private keys in the Keychain
    • Existing apps can continue using their old DSA keys, but we've dropped support for generation of old DSA keys
    • The public EdDSA key is not a file any more. It's a string to copy&paste into Info.plist
  • sign_update is now a Swift tool that signs using EdDSA from private keys in the Keychain
    • The old DSA-based signing script has been moved to bin/old_dsa_scripts
    • The old DSA-based signing script has been fixed to work on pre-10.13 systems (Thomas Tempelmann)
  • generate_appcast has been updated to support EdDSA signatures
    • It can sign both DSA (if dsa_priv.pem file is specified) and EdDSA from Keychain
    • The tool now uses Caches directory and doesn't generate unnecessary delta files
  • Fixed verification of delta updates on filesystems that change permissions of symlinks
  • Fixed NSURLSession leak (Michael Ehrmann)

Known issues

  • generate_keys, sign_update, and generate_appcast prompt for Keychain access permission every time.

New EdDSA (ed25519) signatures take 2 - 2018-10-31 01:01:57

Generate EdDSA (ed25519) signatures - 2018-09-16 20:30:01

Stability fixes - 2018-07-17 15:39:59

  • generate_appcast option to read private key directly from the keychain (Tamás Lustyik)
  • Add delegate callbacks for finished download and extraction related events (Csaba Horony)
  • Don't check for updates if Do Not Disturb is on (Kornel)
  • Expose CodesigningVerifier, add codesign info API (sunuslee)
  • Threading fixes:
    • Fix potential hang with dispatch_sync to main thread (Brian Bergstrand)
    • Fix closeCheckingWindow called from background thread (Alexey Martemyanov)
  • Improve 'read-only' error message (#1192) (Adrian Thomas)
  • New Spanish localisation (Ken Arroyo Ohori)
  • Updated Finnish language resources (Jason Pollack)
  • Hungarian localization (Csaba Horony)
  • Log more information about authentication requests (Kornel)
  • Explicitly specify types to silence "Messaging unqualified id" warning that's new in Xcode 10. Removed __has_feature(objc_generics) check and use generisc to help silence the warnings. (Kent Sutherland)
  • Fix binary delta creation on network drives (sagecook)
  • Fix compilation issues on Xcode 10 with new build system (Leo Natan)

- 2018-06-19 21:37:40

  • generate_appcast option to read private key directly from the keychain (Tamás Lustyik)
  • Add delegate callbacks for fininshed download and extraction related events (Csaba Horony)
  • Don't check for updates if Do Not Disturb is on (Kornel)
  • Expose CodesigningVerifier, add codesign info API (sunuslee)
  • Improve 'read-only' error message (#1192) (Adrian Thomas)
  • Threading fixes:
    • Fix potential hang with dispatch_sync to main thread (Brian Bergstrand)
    • Fix closeCheckingWindow called from background thread (Alexey Martemyanov)
  • Updated Finnish language resources (Jason Pollack)
  • Hungarian localization (Csaba Horony)
  • Log more information about authentication requests (Kornel)
  • Explicitly specify types to silence "Messaging unqualified id" warning that's new in Xcode 10. Removed __has_feature(objc_generics) check and use generisc to help silence the warnings. (Kent Sutherland)

Just some debug info - 2018-04-29 12:39:37

  • Logs why it asks for authorization

New downloader - 2018-04-14 16:04:36

  • Refactoring of downloader code to avoid deprecated methods (Deadpikle)
  • Changes to which methods run on the main thread. Note: some delegate methods may be called on non-main thread now. (Kornel)
  • Update Japanese localization (1024jp)
  • Update Sparkle.strings (Stefan Paychère, Adrian Thomas)
  • Fix Sparkle clients polling too frequently (Jonathan Bullard)
  • Handle SecTransformExecute errors (Kornel)
  • Silence Touch Bar availability warnings on Xcode 9 by using API_AVAILABLE. Disable gnu-zero-variadic-macro-arguments to prevent warnings from use of API_AVAILABLE. (Kent Sutherland)
  • 10.11 SDK compatibility (David Fuhrmann)

- 2018-03-18 14:21:28

- 2018-03-18 14:22:37

1.18.1 - 2017-08-14 12:28:39

  • Add optional updaterDidRelaunchApplication: method on SUUpdaterDelegate (App Tyrant)
  • Implemented sparkle:os attribute as documented (Memphiz)
  • Additional termination detection in case kpoll fails. (fujisoft)
  • Included bin files in CocoaPods installation (Keith Smiley)
  • Updated Dutch localization (Eitot)
  • Updated German localization (Eitot)
  • Updated Japanese translation (1024jp)
  • Updated Portuguese translation (Victor)
  • Updated to Xcode 9/Swift 4

- 2017-07-16 20:01:33

  • Name of the host app is used in authorization prompt (the SPARKLE_RELAUNCH_TOOL_NAME setting is now obsolete)
  • More detailed progress bar for package installers (Kornel Lesiński)
  • Disabled the keyboard shortcut for the install button for scheduled updates to avoid accidental installs. (George Nachman)
  • generate_appcast tool adds release notes if there's an .html file with the same base name as the archive (Brett Walker)
  • Added sparkle:shortVersionString to the enclosure, #1032 (Brett Walker)
  • Fixed Japanese localization (1024jp)
  • Fixed escaping of system profile URLs
  • Added more logging in various failure cases (Kornel Lesiński)
  • Better error message for quarantined apps that can't be updated
  • Feed attribute sparkle:os now works as documented (Memphiz)

- 2017-06-02 11:20:30

- 2017-05-18 20:57:14

- 2017-03-08 00:59:14

  • Added Touch Bar support (Bi11)
  • Skip buttons are disabled if the update is marked as critical (Kornel Lesiński)
  • Keyboard shortcut for the install button is disabled for scheduled updates to avoid accidental installs (George Nachman)
  • Background updates ask OS for lower-priority networking (Kornel Lesiński)
  • Upgraded SULog to use logging APIs that Apple provides built-in (Zorg)
  • Refactorings to sync with upcoming 2.0
    • Added kqueue-based termination listener (Zorg)
    • Added AppKit prevention guards to modules that shouldn't import it (Zorg)
    • Added Obj-C generics where applicable (Zorg)
    • Made SUBundleIcon & SUApplicationInfo take SUHost, not NSBundle (Zorg)
    • Improved -[SUHost objectForInfoDictionaryKey:] (Zorg)
    • Detect and fail if any two-way dependencies exist in the project (Zorg)
  • generate_appcast:
    • fixed handling of multiple directories in an archive
    • percent encode the filename used in the delta url (Brett Walker)
  • Update Sparkle.strings (BR Lingo)
  • Improved handling of non-ASCII names in delta archives (Kornel Lesiński)
  • Don't touch Info.plist unless git version changes (Václav Slavík)

OS X 10.7 or later required

If you're not generating appcasts automatically, remember to add <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to <item>s in your appcast. Sparkle will crash on Snow Leopard.

HTTPS required

Apple has deprecated insecure HTTP in macOS 10.11. Please use HTTPS for updates.

- 2017-02-09 00:06:10

1.16 Automatic Appcast Generator - 2017-01-24 13:57:04

  • Guided package installs are now the default for updating packages (Zorg)
    • pkg installers won't show any UI. If you require the old behavior of showing a full installer window, rename the *.pkg file to *.sparkle_interactive.pkg
  • Previous version of the app is now deleted instead of staying in the trash (Zorg)
  • Added generate_appcast helper tool (Kornel Lesiński)
  • Made manual check resume pending automatic updates instead of starting a new update (Kornel Lesiński)
  • Started using length value from RSS if HTTP doesn't give one (Zorg)
  • Hidden automatic updates checkbox for information only updates (Bi11)
  • Fixed UI update scheduler not prompting for install & relaunch (Zorg)
  • Added progressbar for DMG and binary delta extraction (Kornel Lesiński)
  • Fixed showing of download status if we attempt a 2nd download (Zorg)
  • Refactorings to sync with upcoming 2.0
    • Decoupled and simplified installation code using protocols (Zorg)
    • Added nullability annotations (Zorg)
    • Allowed delegate methods that return an object to return nil (Zorg)
    • Decreased responsibility of SUHost and moved code into other components (Zorg)
    • Removed Sparkle.pch and many file #includes (Zorg)

The new generate_appcast tool automatically creates and updates appcast.xml files with DSA signatures and binary delta updates from a directory of archives.

./bin/generate_appcast path/to/your/private/dsa_key.pem update_downloads_folder/

The first argument for the tool is a DSA private key that must be corresponding to a DSA public key embedded in your app.

The second argument is a folder that should contain archived versions of your app bundle, e.g. example-app-1.2.zip, example-app-1.3.zip, etc.

The tool will read all information from the archives, e.g. read app versions and appcast URL from Info.plist of the archived apps.

It will generate (or update existing) appcast and create delta update files in the same directory. You can upload/rsync the entire directory to your server.

Note that the tool currently works only with regular .app bundles (i.e. not .pkg updates) and requires apps to use DSA signatures and have SUFeedURL in the Info.plist.

OS X 10.7 or later required

If you're not generating appcasts automatically, remember to add <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to <item>s in your appcast. Sparkle will crash on Snow Leopard.

HTTPS required

OS X 10.11 has deprecated insecure HTTP. Please use HTTPS for updates.

- 2017-01-13 01:18:30

- 2016-12-04 12:20:29

Same as 1.15.0, except a build bugfix:

  • A new icon! Thanks to 1024jp
  • Show alert when an update is sent over insecure HTTP with no DSA key (Zorg)
    • If you can't use HTTPS, you must at least sign updates with a DSA key.
  • Improved binary delta implementation (Zorg)
  • Added improved -validateMenuItem: as a method in SUUpdater.h for public use (Zorg)
  • Removed reachability preflight check (Zorg)
  • Clear update caches directory before downloading new update (Zorg)
  • Check the bundle's parent directory for writability too (Zorg)
  • Don't follow symbolic links for file operations (Zorg)
  • Don't bring up an authorized dialog during cleanup (Zorg)
  • Made Sparkle look for the highest compatible version regardless of timestamps (Zorg)
  • Fixed compatibility with 10.7
    • Fixed crash on 10.7 - subscript operator not available (kleuter)
    • Fixed warnings caused by -Wpartial-availability (Zorg)
  • Fixed german l10n. (Sebastian Volland)
  • Error code for download errors (Kornel Lesiński)
  • Update last update check date when the update driver finishes (Zorg)
  • Scale app icon up if needed in Software Update window (Nicholas Riley)
  • Don't register for termination notifications more than once (Zorg)
  • Don't terminate the app if we're already terminating (Zorg)
  • Removed SUEnableAutomaticChecksKeyOld and SUCheckAtStartup constants (Eitot)
  • Updated Sparkle framework headers to use modules if modules are available (B. Kevin Hardman)
  • Fixed warnings, fixed uses of SULocalizedString (Jerry Krinock)

OS X 10.7 or later required

Make sure you add <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to <item>s in your appcast. Sparkle will crash on Snow Leopard.

HTTPS required

OS X 10.11 has deprecated insecure HTTP. Please use HTTPS for updates.

- 2016-12-01 20:21:37

  • A new icon! Thanks to 1024jp
  • Show alert when an update is sent over insecure HTTP with no DSA key (Zorg)
    • If you can't use HTTPS, you must at least sign updates with a DSA key.
  • Improved binary delta implementation (Zorg)
  • Added improved -validateMenuItem: as a method in SUUpdater.h for public use (Zorg)
  • Removed reachability preflight check (Zorg)
  • Clear update caches directory before downloading new update (Zorg)
  • Check the bundle's parent directory for writability too (Zorg)
  • Don't follow symbolic links for file operations (Zorg)
  • Don't bring up an authorized dialog during cleanup (Zorg)
  • Made Sparkle look for the highest compatible version regardless of timestamps (Zorg)
  • Fixed compatibility with 10.7
    • Fixed crash on 10.7 - subscript operator not available (kleuter)
    • Fixed warnings caused by -Wpartial-availability (Zorg)
  • Fixed german l10n. (Sebastian Volland)
  • Error code for download errors (Kornel Lesiński)
  • Update last update check date when the update driver finishes (Zorg)
  • Scale app icon up if needed in Software Update window (Nicholas Riley)
  • Don't register for termination notifications more than once (Zorg)
  • Don't terminate the app if we're already terminating (Zorg)
  • Removed SUEnableAutomaticChecksKeyOld and SUCheckAtStartup constants (Eitot)
  • Updated Sparkle framework headers to use modules if modules are available (B. Kevin Hardman)
  • Fixed warnings, fixed uses of SULocalizedString (Jerry Krinock)

OS X 10.7 or later required

Make sure you add <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to <item>s in your appcast. Sparkle will crash on Snow Leopard.

HTTPS required

OS X 10.11 has deprecated insecure HTTP. Please use HTTPS for updates.

- 2016-03-11 09:14:26

Sparkle used to try to fix invalid URLs, but now it's stricter. When upgrading, make sure your URLs in the appcast don't contain un-encoded non-ASCII characters.

JavaScript is disabled in release notes' HTML, unless you add SUEnableJavaScript to app's Info.plist.

  • Disable javascript by default and make it opt-in (Zorg)
  • URL-encoding of appcast URLs is preserved (Kornel Lesiński)
  • Delegate is asked for fallback updates if delta update fails (Kornel Lesiński)
  • Fixed crash on 10.7 - subscript operator not available (kleuter)
  • Fixed check of feed URL before delegate had a chance to set it (Kornel Lesiński)
  • Re-added support for password-protected dmg images (Andrew K. Boyd)
  • Added warning about ATS blocking (Kornel Lesiński)
  • Translation fixes for pt-BR. (vitu)
  • Add some Japanese lozalized strings (1024jp)
  • Made test app available in all languages (LIU Dongyuan / 柳东原)
  • Czech localizations update (Frantisek Erben)
  • Removed a test resource from the framework bundle (Karl Moskowski)
  • Test if the updated app is the frontmost one (Zorg)
  • UI Tests for the Test Application (Zorg)

OS X 10.7 or later required

Make sure you add <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to <item>s in your appcast. Sparkle will crash on Snow Leopard.

HTTPS or ATS exception required

OS X 10.11 deprecated HTTP and blocks updates unless you use HTTPS or disable App Transport Security.

Important security fix - 2016-01-29 15:21:07

HTTP MITM vulnerability

All Sparkle versions older than 1.13.1 which fetch appcast or release notes over insecure HTTP connection are vulnerable to a man-in-the-middle attack that can lead to disclosure of local files or remote code execution.

Applications using Sparkle with HTTPS appcast feed URLs and HTTPS release notes links (if any) are safe. We strongly recommend everyone to switch to HTTPS (it's fast and certificates are free).

The vulnerability is fixed in version 1.13.1. Patches for older versions are available: a6e9c8aff644f0cf5314c9f10e039c34cd350561 70f6929ac766b404e8e0d28d5cbda7872dc2ee3f

Thanks to Radoslaw Karpowicz for reporting the vulnerabilty.

OS X 10.7 or later required

Make sure you add <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to <item>s in your appcast. Sparkle will crash on Snow Leopard.

If you require 10.6 support, then switching to HTTPS is the only option.

HTTPS or ATS exception required

OS X 10.11 deprecated HTTP and blocks updates unless you use HTTPS or disable App Transport Security.


The binary has been built when the vulnerability wasn't public yet, and the commit hash in the binary is unintentionally different than the tag created later on github. However, we've verified that the binary contains the fixes. Sorry for the confusion.

More reliable migration from old Sparkle versions - 2015-12-18 17:25:33

⚠️ Do NOT use this or any older version of Sparkle ⚠️

No changes since 1.12 apart from change of framework's bundle ID from org.andymatuschak.Sparkle to org.sparkle-project.Sparkle.

This helps updating apps containing older versions of Sparkle (1.10 or older) which looked up resources by bundle ID and could get confused if another copy of Sparkle was present. Sparkle 1.11 and later is immune to this problem.

OS X 10.7 or later required

Make sure you add <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to <item>s in your appcast. Sparkle will crash on Snow Leopard.

HTTPS or ATS exception required

OS X 10.11 deprecated HTTP and blocks updates unless you use HTTPS or disable App Transport Security.

Atomic installs - 2015-12-15 09:53:34

⚠️ Do NOT use this or any older version of Sparkle ⚠️

This version significantly improves handling of interrupted installations, incorrect permissions, and quarantined files.

Sparkle is compatible with all OS X versions since 10.7 Lion, including 10.11 El Capitan (if you comply with App Transport Security).

  • Rewritten file operations for updating an app (Zorg)
    • Ensuring atomic move operations, robust error handling.
    • Faster.
    • Using modern APIs where possible (no FSPathMakeRef, FSGetCatalogInfo, FSFindFolder, etc.)
    • Strong documentation, easier to read code.
  • Automatic updates won't be installed if the system is about to shut off (Zorg)
  • Deprecated serving over HTTP without DSA (Zorg)
    • Note that Apple has deprecated insecure HTTP in OS X 10.11
  • Improved Autoupdate application (Zorg)
    • Do all the installation work after the runloop is set up
    • TerminationListener only does termination listening now
    • Handle cases where host path is not installation path and host path is not desired executable path
    • Don't show Autoupdate dock icon if we shouldn't show UI
    • Update modification & access time for new update
  • Added installUpdatesIfAvailable (Ian Langworth)
  • Removed extensions from shell scripts (Jake Petroules)
  • Rewritten test app so it works again, and from a local web server (Zorg)
  • Replaced use of Python with built-in web server (Kevin Wojniak)
  • Set LD_RUNPATH_SEARCH_PATHS in Podspec (Jake Petroules)
  • Don't install automatic updates if the system might shut off (Zorg)
  • Don't show Autoupdate dock icon if we shouldn't show UI (Zorg)
  • Updated layout constraints when removing release notes (Zorg)
  • Improved BinaryDelta error handling & logging (Zorg)
  • Refactored quarantine removal (Zorg)
  • Fixed German localization (1024jp)
  • Updated zh_CN translation (LIU Dongyuan / 柳东原)
  • Updated Mac models list until July 2015 (Gabriel Ulici)
  • Updated Polish translation (Kornel Lesiński)
  • Updated Xcode project languages for which we have translations (Jake Petroules)
  • Updated XIB files (Kornel Lesiński)
  • Use NSByteCountFormatter if available (Jake Petroules)
  • Declared protocols on SUUpdateAlert for the 10.11 SDK (Daniel Jalkut)
  • Silenced warning about casting away const-ness and -Wassign-enum (Daniel Jalkut)
  • Added script to generate a report comparing the Sparkle.strings files (Kevin Wojniak)
  • Check for empty strings (as well as nil) in SUHost's -name method (Karl Moskowski)
  • Don't follow symlinks for checking file existence (Zorg)
  • Unit tests in Swift (Zorg, Jake Petroules)
  • Fixed framework imports (Felix Schulze)
  • Fixed issues with copying files from different mounted drives (Zorg)
  • Disallowed automatic updates when user can't write to the bundle (Zorg)
  • Set the task working directories instead of changing the process working directory (Kevin Wojniak)

OS X 10.7 or later required

Make sure you add <sparkle:minimumSystemVersion>10.7</sparkle:minimumSystemVersion> tag to <item>s in your appcast. Sparkle will crash on Snow Leopard.

HTTPS or ATS exception required

OS X 10.11 deprecated HTTP and blocks updates unless you use HTTPS or disable App Transport Security.