Can you update a sandboxed Mac app using Sparkle or something similar?

Question

For those distributing Mac apps outside the Mac App Store, how are you planning to support updating and sandboxing? I'm guessing most people's answers for the time being is that they're not, but I hope that eventually non-MAS apps could be sandboxed just like MAS apps.

To use Sparkle, your app would need network access, which could be granted, as well as the ability to overwrite itself in Applications. Currently you could do this with the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement, but that's not a good solution. It will likely go away, and even if it doesn't there's little point in sandboxing an app if you're going to give it full filesystem read-write access as well as network access.

Has anyone already gone down this path and found a good solution? I ask because I try to keep my MAS build and my non-MAS build as identical as possible, and I'm currently looking at having my MAS build sandboxed and my non-MAS build not.

One of the many sandbox-related headaches devs are having! – sbooth Jan 07 '12 at 15:02 — sbooth, Jan 07 '12 at 15:02

wbyoung · Answer 1 · 2012-03-20T15:12:18.260

5

In a conversation started by @chockenberry on twitter, @andy_matuschak responded favorably to creating an XPC service for Sparkle.

I have a pull request open on GitHub that actually creates the XPC service. Hopefully, this will get incorporated into Sparkle soon.

edited Mar 20 '12 at 15:12

answered Jan 10 '12 at 21:53

wbyoung

22,383
2
34
40

My previous answer included a recommendation to create a temporary exception, but that would not work under sandboxing. – wbyoung Mar 19 '12 at 17:46
How is the status of this now? Are you guys any closer in making Sparkle fully sandbox compatible? Were you able to get all the security concerns of Andy (in that discussion on GitHub) fixed? Thanks. – Dennis Ritchie Dec 17 '12 at 22:43
2

Still not pulled into Sparkle. We're shipping Mac App Store only now, so I won't be working on it. Feel free to continue from that pull request, though. – wbyoung Dec 18 '12 at 20:53
1

We're currently in the process of merging support for this into Sparkle; see https://github.com/sparkle-project/Sparkle/issues/363 – Jake Petroules Jul 05 '14 at 08:24

score 1 · Answer 2 · answered Jul 17 '13 at 12:01

1

We actually have two versions of our app: one for our own web site and one for the app store.

I recommend using Sam Deane's approach which you can find in his GitHub repository. It works well for us.

answered Jul 17 '13 at 12:01

uem

713
1
7
18

I've been given more credit than I deserve for that version - I mostly just pulled together some work done by others. – Sam Deane May 28 '15 at 18:51
fwiw, credit should go to Whitney Young and Erik Aderstedt I think. – Sam Deane May 28 '15 at 19:28

score 0 · Answer 3 · answered Oct 14 '16 at 16:27

0

Not yet.

As of 1.15 Sparkle does not support sandboxing, and the patch that is floating around has a vulnerability that allows complete bypass of sandbox security.

answered Oct 14 '16 at 16:27

Kornel

97,764
37
219
309

Can you update a sandboxed Mac app using Sparkle or something similar?

3 Answers3

Linked

Related