Sparkle

Could we disable the signing/https checks when update host is localhost?

Asked by Cranky

Because this is a huge PITA during development. Self signing my web server isn't really working out and all I want to do is get the update flow (which is really complicated for my app) working.

I'm going to start using a hacked version, but seriously, for development, I think this ought to be in there. In fact, I think it ought to be a configurable policy overall.

Question information

Language:
English Edit question
Status:
Solved
For:
Sparkle Edit question
Assignee:
No assignee Edit question
Solved by:
Cranky
Solved:
Last query:
Last reply:
Revision history for this message
Andy Matuschak (andymatuschak) said : 		#1

Good call. https://bugs.edge.launchpad.net/bugs/300053

Revision history for this message
Cranky (tblanchard) said : 		#2

Cool, I look forward to that in the new version. FWIW, my hacked version is

- (void)downloadDidFinish:(NSURLDownload *)d
{
 // New in Sparkle 1.5: we're now checking signatures on all non-secure downloads, where "secure" is defined as both the appcast and the download being transmitted over SSL.
 NSURL *downloadURL = [[d request] URL];
    if(![[downloadURL host] isEqualToString: @"localhost"] && ![[downloadURL host] isEqualToString: @"127.0.0.1"])
    {
        if (![[downloadURL scheme] isEqualToString:@"https"] || ![[appcastURL scheme] isEqualToString:@"https"] || [host publicDSAKey])
        {
            if (![SUDSAVerifier validatePath:downloadPath withEncodedDSASignature:[updateItem DSASignature] withPublicDSAKey:[host publicDSAKey]])
            {
                [self abortUpdateWithError:[NSError errorWithDomain:SUSparkleErrorDomain code:SUSignatureError userInfo:[NSDictionary dictionaryWithObject:@"The update is improperly signed." forKey:NSLocalizedDescriptionKey]]];
                return;
            }
        }
    }

 [self extractUpdate];
}