Security and Reliability Changes

This is a list of major security and reliability improvements in Sparkle, or reasons why developers should consider upgrading Sparkle. Note that this list omits many other minor improvements that the latest production release of Sparkle may have.

Version Changes
2.6.3 Fixes a security issue that allows an attacker to replace an existing signed update with another payload, which bypasses Sparkle’s (Ed)DSA signing checks (#2550); updating is strongly recommended and a fix is also backported to 1.27.3. Fixes an issue where sandboxed apps that enable the Downloader XPC Service conflict with each other, causing a system dialog saying that “Downloader” differs from previously opened versions; this affects macOS 14 and later (#2511). Performs a Gatekeeper scan for signed app updates on macOS 14.4 and later so users don’t see a system “Verifying…” dialog when an app update is relaunched (#2505).
2.5.2 Fixes a rare corruption issue resulting in missing files in the installed bundle, which Gatekeeper may reject (#2479). Adopts macOS 14 Sonoma’s cooperative app activation APIs instead of using -[NSApplication activateIgnoringOtherApps:] which was deprecated in macOS 14 (mainly impacts background/dockless running apps) (#2409). Fixes updates not installing when executed from a Sparkle CLI utility as root (sudo) user on macOS 14 Sonoma (impacts few out-of-app updaters) (#2432).
2.4.2 Fixes NSKeyedUnarchiver decoding warning of appcast item that contains delta updates (#2383). Hardens verification of passing the update’s download to Sparkle’s Autoupdate helper (#2392).
2.2.2 Deprecates the -s flag to generate_appcast and sign_update for passing the private EdDSA key as a command line argument, which is insecure (#2170). Please use the Keychain, or pass the key as standard input in CI environments when using --ed-key-file - instead. Run these tools with -h for further information.
2.1.0 Updates delta updates to use a custom efficient container format instead of xar, which Apple deprecated and is no longer under active development. xar was not well documented and was difficult to use correctly (#1899). Clients using delta updates should strongly consider upgrading. Also updates file copying operations for installation to use NSFileManager instead of FSCopyObjectSync(), which was deprecated in macOS 10.8 (#2059).
2.0.0 Adds support for App Sandboxing. Also improves handling authorization by submitting an isolated privileged installer process to launchd instead of using AuthorizationExecuteWithPrivileges() to insecurely and less reliably execute privileged operations.
1.27.3 Improves the transition process for migrating from DSA to EdDSA. DSA signing is deprecated and should no longer be used except for transitioning to EdDSA. DSA relies on Security framework APIs that have been deprecated and marked as no longer being supported. Also fixes generation of new binary delta update files on modern macOS versions (#1906) and hardens security of patching delta files (#1988).
1.25.0 Updates the release notes view to use WebKit2 instead of WebKit1 which is no longer supported and deprecated in macOS 10.14.
1.21.2 Adds support for signing updates using the more secure EdDSA algorithm instead of DSA. New applications should not use DSA (#1037).
1.19.0 Updates the downloader to use NSURLSession instead of NSURLDownload which logged unsupported usage warnings to the Console and is deprecated in macOS 10.11.
1.15.1 Improves handling authorization usage by including a standalone fileop tool instead of shelling out to specific commands (cp, chown, etc) (#818). Previously, Sparkle could not reliably detect when a privileged operation using AuthorizationExecuteWithPrivileges() finished executing. This is later superseded by further authorization improvements made in 2.0.0. Also requires delta patches to pass signing validation before they are extracted (#881).
1.14.0 Disables JavaScript by default in the release notes web view (#755).
1.13.1 Fixes a man-in-the-middle attack that can lead to disclosure of local files or remote code execution when fetching an appcast or release notes over an insecure HTTP connection. Do not use any version of Sparkle without this fix.
1.12.0 Rewrites file operations for updating an app to be atomic (#575) which prevents potential corrupt app installations (#441).
1.11.0 Improves app update validation to doubly verify both Apple code signing and Sparkle signing on the update archive. Reduces trust from the appcast and allows rotation between Sparkle and Apple signing keys (provided they are valid) (#534).