Perform Gatekeeper scan to pre-warm app launch (#2505)

This avoids users being a "Verifying..." Dialog when the installed update is (re-)launched. This scan is only done for macOS 14.4+ onwards (gktool was introduced in macOS 14.0 but had issues). Also this scan is only done if Autoupdate's team identifier matches the new update's team identifier. Otherwise the OS may think Autoupdate is modifying a bundle which it shouldn't be permitted to (this is a bug).
sparkle-project · Feb 18, 2024 · 66c1989 · 66c1989
1 parent 24f0f39
commit 66c1989
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 3 deletions.
diff --git a/Autoupdate/SUCodeSigningVerifier.h b/Autoupdate/SUCodeSigningVerifier.h
@@ -24,6 +24,9 @@ SPU_OBJC_DIRECT_MEMBERS
 + (BOOL)codeSignatureIsValidAtBundleURL:(NSURL *)bundleURL error:(NSError *__autoreleasing *)error;
 
 + (BOOL)bundleAtURLIsCodeSigned:(NSURL *)bundleURL;
+
++ (BOOL)teamIdentifierAtURL:(NSURL *)url1 matchesTeamIdentifierAtURL:(NSURL *)url2;
+
 @end
 
 #endif
diff --git a/Autoupdate/SUCodeSigningVerifier.m b/Autoupdate/SUCodeSigningVerifier.m
@@ -258,4 +258,43 @@ + (BOOL)bundleAtURLIsCodeSigned:(NSURL *)bundleURL
     return (result == 0);
 }
 
+static NSString * _Nullable teamIdentifierAtURL(NSURL *url)
+{
+    SecStaticCodeRef staticCode = NULL;
+    OSStatus staticCodeResult = SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &staticCode);
+    if (staticCodeResult != noErr) {
+        SULog(SULogLevelError, @"Failed to get static code for retrieving team identifier: %d", staticCodeResult);
+        return nil;
+    }
+
+    CFDictionaryRef cfSigningInformation = NULL;
+    OSStatus copySigningInfoCode = SecCodeCopySigningInformation(staticCode, kSecCSSigningInformation,
+        &cfSigningInformation);
+
+    NSDictionary *signingInformation = CFBridgingRelease(cfSigningInformation);
+
+    if (copySigningInfoCode != noErr) {
+        SULog(SULogLevelError, @"Failed to get signing information for retrieving team identifier: %d", copySigningInfoCode);
+        return nil;
+    }
+
+    // Note this will return nil for ad-hoc or unsigned binaries
+    return signingInformation[(NSString *)kSecCodeInfoTeamIdentifier];
+}
+
++ (BOOL)teamIdentifierAtURL:(NSURL *)url1 matchesTeamIdentifierAtURL:(NSURL *)url2
+{
+    NSString *teamIdentifierForURL1 = teamIdentifierAtURL(url1);
+    if (teamIdentifierForURL1 == nil) {
+        return NO;
+    }
+
+    NSString *teamIdentifierForURL2 = teamIdentifierAtURL(url2);
+    if (teamIdentifierForURL2 == nil) {
+        return NO;
+    }
+
+    return [teamIdentifierForURL1 isEqualToString:teamIdentifierForURL2];
+}
+
 @end
diff --git a/Autoupdate/SUPlainInstaller.m b/Autoupdate/SUPlainInstaller.m
@@ -14,6 +14,7 @@
 #import "SUErrors.h"
 #import "SUVersionComparisonProtocol.h"
 #import "SUStandardVersionComparator.h"
+#import "SUCodeSigningVerifier.h"
 
 
 #include "AppKitPrevention.h"
@@ -41,7 +42,7 @@ - (instancetype)initWithHost:(SUHost *)host bundlePath:(NSString *)bundlePath in
     return self;
 }
 
-- (void)_performInitialInstallationWithFileManager:(SUFileManager *)fileManager oldBundleURL:(NSURL *)oldBundleURL newBundleURL:(NSURL *)newBundleURL progressBlock:(nullable void(^)(double))progress SPU_OBJC_DIRECT
+- (void)_performInitialInstallationWithFileManager:(SUFileManager *)fileManager oldBundleURL:(NSURL *)oldBundleURL newBundleURL:(NSURL *)newBundleURL skipGatekeeperScan:(BOOL)skipGatekeeperScan progressBlock:(nullable void(^)(double))progress SPU_OBJC_DIRECT
 {
     // Release our new app from quarantine
     NSError *quarantineError = nil;
@@ -88,6 +89,47 @@ - (void)_performInitialInstallationWithFileManager:(SUFileManager *)fileManager
     if (progress) {
         progress(8/11.0);
     }
+
+    if (!skipGatekeeperScan) {
+        // Perform a Gatekeeper scan to pre-warm the app launch
+        // This avoids users seeing a "Verifying..." dialog when the installed update is launched
+        // Note the tool we use to perform the Gatekeeper scan (gktool) is technically available on macOS 14.0,
+        // however there are some potential bugs/issues with performing a Gatekeeper scan on versions before 14.4:
+        // https://github.com/sparkle-project/Sparkle/issues/2491
+        if (@available(macOS 14.4, *)) {
+            // Only perform Gatekeeper scan if we're updating an app bundle
+            NSString *newBundlePath = newBundleURL.path;
+            if ([newBundlePath.pathExtension caseInsensitiveCompare:@"app"] == NSOrderedSame) {
+                // We only invoke gktool if Autoupdate is signed with the same team identifier as the new update bundle
+                // Otherwise we may unfortunately run into some Privacy & Security prompt bugs in the OS (note this is *not* a security check)
+                // This does overall imply that for an app to test the gktool path, this path may often skipped for most common development workflows that don't
+                // re-sign Sparkle's Autoupdate helper
+                NSURL *mainExecutableURL = NSBundle.mainBundle.executableURL;
+                if (mainExecutableURL != nil && [SUCodeSigningVerifier teamIdentifierAtURL:mainExecutableURL matchesTeamIdentifierAtURL:newBundleURL]) {
+                    NSURL *gktoolURL = [NSURL fileURLWithPath:@"/usr/bin/gktool" isDirectory:NO];
+                    if ([gktoolURL checkResourceIsReachableAndReturnError:NULL]) {
+                        NSTask *gatekeeperScanTask = [[NSTask alloc] init];
+                        gatekeeperScanTask.executableURL = gktoolURL;
+                        gatekeeperScanTask.arguments = @[@"scan", newBundlePath];
+
+                        NSError *taskError;
+                        if (![gatekeeperScanTask launchAndReturnError:&taskError]) {
+                            // Not a fatal error
+                            SULog(SULogLevelError, @"Failed to perform GateKeeper scan on '%@' with error %@", newBundlePath, taskError);
+                        } else {
+                            [gatekeeperScanTask waitUntilExit];
+
+                            if (gatekeeperScanTask.terminationStatus != 0) {
+                                SULog(SULogLevelError, @"gktool failed and returned exit status %d", gatekeeperScanTask.terminationStatus);
+                            }
+                        }
+                    }
+                } else {
+                    SULog(SULogLevelDefault, @"Skipping invocation of gktool because Autoupdate is not signed with same identity as the new update %@", newBundleURL.lastPathComponent);
+                }
+            }
+        }
+    }
 }
 
 
@@ -189,7 +231,9 @@ - (BOOL)startInstallationToURL:(NSURL *)installationURL fromUpdateAtURL:(NSURL *
     }
 
     if (!_newAndOldBundlesOnSameVolume) {
-        [self _performInitialInstallationWithFileManager:fileManager oldBundleURL:oldURL newBundleURL:newFinalURL progressBlock:progress];
+        // If we're updating a bundle on another volume, the install process can be pretty slow.
+        // In this case let's get out of the way and skip the Gatekeeper scan
+        [self _performInitialInstallationWithFileManager:fileManager oldBundleURL:oldURL newBundleURL:newFinalURL skipGatekeeperScan:YES progressBlock:progress];
     }
 
     if (progress) {
@@ -312,7 +356,7 @@ - (BOOL)performInitialInstallation:(NSError * __autoreleasing *)error
 
     // We can do a lot of the installation work ahead of time if the new app update does not need to be copied to another volume
     if (_newAndOldBundlesOnSameVolume) {
-        [self _performInitialInstallationWithFileManager:fileManager oldBundleURL:_host.bundle.bundleURL newBundleURL:bundle.bundleURL progressBlock:NULL];
+        [self _performInitialInstallationWithFileManager:fileManager oldBundleURL:_host.bundle.bundleURL newBundleURL:bundle.bundleURL skipGatekeeperScan:NO progressBlock:NULL];
     }
 
     return YES;