Validate permission bits of Sparkle executable for delta updates #2151

Merged: 4 commits merged on Jun 11, 2022

@zorgiepoo zorgiepoo commented Jun 11, 2022

This upgrades our preflight test of validating that we can perform delta updates before downloading them. Checking the underlying file system type is not reliable and does not cover cases where a 'tainted' bundle moves across file systems.

We also prevent creating new binary delta updates that have an invalid permission mode for Sparkle's executable.

Fixes #2148

Misc Checklist

  • My change requires a documentation update on Sparkle's website repository
  • My change requires changes to generate_appcast, generate_keys, or sign_update

Only bug fixes to regressions or security fixes are being backported to the 1.x (master) branch now. If you believe your change is significant enough to backport, please also create a separate pull request against the master branch.

Testing

I tested and verified my change by using one or multiple of these methods:

  • Sparkle Test App
  • Unit Tests
  • My own app
  • Other (please specify)

Tested delta update works with test app (setting env test mode), sparkle-cli works in success and failure (bad permission mode) case of updating an app with delta update provided, added unit tests for creating delta updates, tested manually creating delta updates in success and failure cases. Tested update on actual (Ex)FAT volume on Ventura.

macOS version tested: 12.4 (21F79), 13.0 Beta (22A5266r)

This upgrades our preflight test to see if delta updates are eligible before downloading them. Testing the underlying file system name is not reliable and technically inferior.
@zorgiepoo zorgiepoo merged commit d794276 into 2.x Jun 11, 2022
@zorgiepoo zorgiepoo deleted the delta-permission-bits branch June 11, 2022 18:21
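
The preflight idea described in this pull request, as an added example that is not Sparkle's code: inspect the permission bits of the executable itself rather than the type of the volume it currently sits on, so a bundle whose modes were altered elsewhere is still caught after it moves. The function names, the result enum and the expected mode of 0755 are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumption: 0755 is the mode the updater's executable is expected to carry. */
#define EXPECTED_EXEC_MODE 0755

typedef enum { DELTA_OK, DELTA_STAT_FAILED, DELTA_NOT_REGULAR, DELTA_BAD_MODE } delta_preflight;

/* Hypothetical preflight: decide from the file's own metadata whether a
 * delta update should be attempted, independent of the file system name. */
delta_preflight preflight_delta(const char *exec_path, mode_t expected)
{
    struct stat st;
    if (lstat(exec_path, &st) != 0) return DELTA_STAT_FAILED;
    if (!S_ISREG(st.st_mode)) return DELTA_NOT_REGULAR;  /* symlink, directory, ... */
    /* Compare every permission bit, including setuid/setgid/sticky. */
    if ((st.st_mode & 07777) != expected) return DELTA_BAD_MODE;
    return DELTA_OK;
}

/* Constructed sample: create a temp file with `mode`, run the check, clean up. */
delta_preflight check_sample(mode_t mode)
{
    char path[] = "/tmp/delta_preflight_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return DELTA_STAT_FAILED;
    close(fd);
    delta_preflight r = DELTA_STAT_FAILED;
    if (chmod(path, mode) == 0) r = preflight_delta(path, EXPECTED_EXEC_MODE);
    unlink(path);
    return r;
}

int main(void)
{
    /* 0777 and 0644 model an executable whose original mode was not preserved. */
    mode_t samples[] = { 0755, 0777, 0644 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%04o -> %d\n", (unsigned)samples[i], (int)check_sample(samples[i]));
    return 0;
}
```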
Successfully merging this pull request may close these issues.

Re-evaluate not performing delta update based on file system logic