Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Verifying..." Dialog Box when app is restarted for an update #2491

Closed
kaylagalway opened this issue Jan 16, 2024 · 6 comments · Fixed by #2505
Closed

"Verifying..." Dialog Box when app is restarted for an update #2491

kaylagalway opened this issue Jan 16, 2024 · 6 comments · Fixed by #2505
Milestone
2.6

Comments

@kaylagalway
Copy link

kaylagalway commented Jan 16, 2024
edited
Loading

Summary

Hello! When a user restarts the app to install an update with Sparkle, we sometimes see the "Verifying..." dialog pop up box, which I believe is caused by gatekeeper. This adds latency to the update flow and I'm hoping to avoid it if possible.

I was wondering where we replace the app file in it's directory in the sparkle code and if it was in any way possible to hook into something to know when that file replacement happens? The reason I'd like to know, is there is a gatekeeper command we can run on the new file for the app to make it so that the "Verifying..." dialog does not pop up. I'll put more info below in the possible fix section.

Possible Fix

gktool help scan should be able to scan the specified path. If I can know when the new version of the file for my application has been replaced, this command can be run to avoid the slow down of that Verifying... pop up:

% gktool help scan
OVERVIEW: Performs a Gatekeeper scan of the specified path.

This is useful for pre-warming the cache so users do not see the 'Verifying...' dialog on first launch of an application.

USAGE: gktool scan <bundle-path>

ARGUMENTS:
  <bundle-path>           The application bundle to scan.

OPTIONS:
  -h, --help              Show help information.

Version

Sparkle 2
@zorgiepoo
Copy link
Member

zorgiepoo commented Jan 17, 2024
edited
Loading

Thanks for filing this. I'm aware of this issue and tried adopting gktool (which is fairly new) before (#2421, #2433). After several experiments/tests, I ran into some unreliability issues with the OS rejecting swapping the bundle atomically and presenting security/privacy alerts after using gktool in certain conditions and filed bugs to Apple (FB13117812). If the OS bugs I encountered are improved/resolved in the future I will look forward to try adopting gktool again. Until then, I don't want to risk adopting the tool. Leaving this issue open for now because I ultimately do want to adopt performing a Gatekeeper scan (after extraction/validation) in the future.

@kaylagalway
Copy link
Author

Ah okay, good to know! Thank you for the explanation.

@kaylagalway
Copy link
Author

kaylagalway commented Jan 30, 2024
edited
Loading

MacOS 14.4 Seed 1 came out and I believe they attempted to resolve FB13117812 as mentioned in the release notes !

Trusted Execution
New Features

  • /usr/bin/syspolicy_check is a new command line tool to help determine if the provided macOS application will pass the current running configurations’ system policy. This includes the same checks performed by the Apple notary service and other macOS Trusted Execution layers such as codesign, Gatekeeper, XProtect, and more. Please see the main page for additional details. (108737781)

  • /usr/bin/gktool is a new command line tool to assess Gatekeeper Policy on applications. gktool can be called to pre-warm the system cache so users do not see the ‘Verifying…’ dialog on first launch of an application. (109793778)

@zorgiepoo
Copy link
Member

zorgiepoo commented Jan 31, 2024
edited
Loading

Those are release notes from macOS 14.0 and aren't new. However, I did some quick testing and believe the issues I was seeing are resolved in the 14.4 Beta. So I'll look at getting a PR up and testing this again soon when I get the chance.

@zorgiepoo zorgiepoo mentioned this issue Feb 18, 2024
Merged
6 tasks
@zorgiepoo zorgiepoo added this to the 2.6 milestone Feb 18, 2024
@zorgiepoo
Copy link
Member

zorgiepoo commented Feb 18, 2024
edited
Loading

I merged changes in #2505 to do a gktool scan. There are a couple requirements:

  • User must be running macOS 14.4 or later, which is still in beta currently (this path is skipped on earlier OS versions)
  • Due to running into other OS issues, Sparkle's Autoupdate helper must be signed with the same team identifier as your new update, otherwise the gktool scan will be skipped. In many in-development scenarios, it is common for this to not be the case (Xcode does not recursively re-sign Sparkle's helpers with Code Sign on Copy). Hence you should test an app update on a build that is notarized, which will definitely be fully/properly signed and further test the update behavior works correctly in this case.

I have not tried what the experience is on a "big" app that would most benefit from this change. I can't test this because any such "big" app is not an app I own and isn't signed by me. Thus it would be helpful if you can test these changes. I may release a pre-release beta build soon. An official release won't be released before macOS 14.4 is released.

@zorgiepoo
Copy link
Member

zorgiepoo commented Mar 8, 2024
edited
Loading

@kaylagalway macOS 14.4 has been released and Sparkle 2.6.0-beta.2 contains the latest changes for invoking gktool. Let me know if you have a chance to test this updating from a fully properly signed build (like a notarized one). Otherwise I will likely release the update sometime next week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.6
Development

Successfully merging a pull request may close this issue.

Perform Gatekeeper scan to pre-warm app launch sparkle-project/Sparkle
2 participants
@zorgiepoo @kaylagalway