sparkle-project · zorgiepoo · Jun 20, 2024 · Jun 20, 2024
diff --git a/Autoupdate/AppInstaller.m b/Autoupdate/AppInstaller.m
@@ -193,9 +193,9 @@ - (void)extractAndInstallUpdate SPU_OBJC_DIRECT
 
         _updateValidator = [[SUUpdateValidator alloc] initWithDownloadPath:archivePath signatures:_signatures host:_host verifierInformation:_verifierInformation];
 
-        // Delta & package updates will require validation before extraction
+        // Delta, package updates, and .aar/.yaa archives will require validation before extraction
         // Normal application updates are a bit more lenient allowing developers to change one of apple dev ID or EdDSA keys
-        BOOL needsPrevalidation = [[unarchiver class] mustValidateBeforeExtraction] || ![_installationType isEqualToString:SPUInstallationTypeApplication];
+        BOOL needsPrevalidation = [[unarchiver class] mustValidateBeforeExtractionWithArchivePath:archivePath] || ![_installationType isEqualToString:SPUInstallationTypeApplication];
 
         if (needsPrevalidation) {
             success = [_updateValidator validateDownloadPathWithError:&unarchiverError];

diff --git a/Autoupdate/SUBinaryDeltaUnarchiver.m b/Autoupdate/SUBinaryDeltaUnarchiver.m
@@ -28,7 +28,7 @@ + (BOOL)canUnarchivePath:(NSString *)path
     return [[path pathExtension] isEqualToString:@"delta"];
 }
 
-+ (BOOL)mustValidateBeforeExtraction
++ (BOOL)mustValidateBeforeExtractionWithArchivePath:(NSString *)archivePath
 {
     return YES;
 }

diff --git a/Autoupdate/SUDiskImageUnarchiver.m b/Autoupdate/SUDiskImageUnarchiver.m
@@ -34,7 +34,7 @@ + (BOOL)canUnarchivePath:(NSString *)path
     return [[path pathExtension] isEqualToString:@"dmg"];
 }
 
-+ (BOOL)mustValidateBeforeExtraction
++ (BOOL)mustValidateBeforeExtractionWithArchivePath:(NSString *)archivePath
 {
     return NO;
 }

diff --git a/Autoupdate/SUFlatPackageUnarchiver.m b/Autoupdate/SUFlatPackageUnarchiver.m
@@ -28,7 +28,7 @@ + (BOOL)canUnarchivePath:(NSString *)path
     return [path.pathExtension isEqualToString:@"pkg"] || [path.pathExtension isEqualToString:@"mpkg"];
 }
 
-+ (BOOL)mustValidateBeforeExtraction
++ (BOOL)mustValidateBeforeExtractionWithArchivePath:(NSString *)archivePath
 {
     return YES;
 }

diff --git a/Autoupdate/SUPipedUnarchiver.m b/Autoupdate/SUPipedUnarchiver.m
@@ -75,9 +75,9 @@ + (BOOL)canUnarchivePath:(NSString *)path
     return _commandAndArgumentsConformingToTypeOfPath(path) != nil;
 }
 
-+ (BOOL)mustValidateBeforeExtraction
++ (BOOL)mustValidateBeforeExtractionWithArchivePath:(NSString *)archivePath
 {
-    return NO;
+    return ([archivePath hasSuffix:@".aar"] || [archivePath hasSuffix:@".yaa"]);
 }
 
 - (instancetype)initWithArchivePath:(NSString *)archivePath extractionDirectory:(NSString *)extractionDirectory

diff --git a/Autoupdate/SUUnarchiverProtocol.h b/Autoupdate/SUUnarchiverProtocol.h
@@ -12,7 +12,7 @@ NS_ASSUME_NONNULL_BEGIN
 
 @protocol SUUnarchiverProtocol <NSObject>
 
-+ (BOOL)mustValidateBeforeExtraction;
++ (BOOL)mustValidateBeforeExtractionWithArchivePath:(NSString *)archivePath;
 
 - (void)unarchiveWithCompletionBlock:(void (^)(NSError * _Nullable))completionBlock progressBlock:(void (^ _Nullable)(double))progressBlock;
 

diff --git a/Sparkle/SUUpdateValidator.m b/Sparkle/SUUpdateValidator.m
@@ -121,7 +121,7 @@ - (BOOL)validateWithUpdateDirectory:(NSString *)updateDirectory error:(NSError *
     {
         // Because we already validated the EdDSA signature, this is just a consistency check to see
         // if the developer signed their application properly with their Apple ID
-        // Currently, this case only gets hit for binary delta updates
+        // Currently, this case gets hit for binary delta updates and .aar/.yaa archives
 
         NSError *innerError = nil;
         if ([SUCodeSigningVerifier bundleAtURLIsCodeSigned:installSourceURL] && ![SUCodeSigningVerifier codeSignatureIsValidAtBundleURL:installSourceURL error:&innerError]) {