"Verifying..." Dialog Box when app is restarted for an update about sparkle HOT 6 CLOSED

Thanks for filing this. I'm aware of this issue and tried adopting gktool (which is fairly new) before (#2421, #2433). After several experiments/tests, I ran into some unreliability issues with the OS rejecting swapping the bundle atomically and presenting security/privacy alerts after using gktool in certain conditions and filed bugs to Apple (FB13117812). If the OS bugs I encountered are improved/resolved in the future I will look forward to try adopting gktool again. Until then, I don't want to risk adopting the tool. Leaving this issue open for now because I ultimately do want to adopt performing a Gatekeeper scan (after extraction/validation) in the future.

from sparkle.

Ah okay, good to know! Thank you for the explanation.

from sparkle.

MacOS 14.4 Seed 1 came out and I believe they attempted to resolve FB13117812 as mentioned in the release notes !

Trusted Execution
New Features

• /usr/bin/syspolicy_check is a new command line tool to help determine if the provided macOS application will pass the current running configurations’ system policy. This includes the same checks performed by the Apple notary service and other macOS Trusted Execution layers such as codesign, Gatekeeper, XProtect, and more. Please see the main page for additional details. (108737781)

• /usr/bin/gktool is a new command line tool to assess Gatekeeper Policy on applications. gktool can be called to pre-warm the system cache so users do not see the ‘Verifying…’ dialog on first launch of an application. (109793778)

from sparkle.

Those are release notes from macOS 14.0 and aren't new. However, I did some quick testing and believe the issues I was seeing are resolved in the 14.4 Beta. So I'll look at getting a PR up and testing this again soon when I get the chance.

from sparkle.

I merged changes in #2505 to do a gktool scan. There are a couple requirements:

• User must be running macOS 14.4 or later, which is still in beta currently (this path is skipped on earlier OS versions)
• Due to running into other OS issues, Sparkle's Autoupdate helper must be signed with the same team identifier as your new update, otherwise the gktool scan will be skipped. In many in-development scenarios, it is common for this to not be the case (Xcode does not recursively re-sign Sparkle's helpers with Code Sign on Copy). Hence you should test an app update on a build that is notarized, which will definitely be fully/properly signed and further test the update behavior works correctly in this case.

I have not tried what the experience is on a "big" app that would most benefit from this change. I can't test this because any such "big" app is not an app I own and isn't signed by me. Thus it would be helpful if you can test these changes. I may release a pre-release beta build soon. An official release won't be released before macOS 14.4 is released.

from sparkle.

@kaylagalway macOS 14.4 has been released and Sparkle 2.6.0-beta.2 contains the latest changes for invoking gktool. Let me know if you have a chance to test this updating from a fully properly signed build (like a notarized one). Otherwise I will likely release the update sometime next week.

from sparkle.