Is there a way to authenticate the endpoint serving the appcast.xml and the app.dmg files?

[dgrcode]

Hi,

I'm very new to both Swift/Mac development and Sparkle, so my question here might be completely missing something obvious.

As I'm implementing Sparkle in the app I'm working on, I've noticed the appcast.xml file is publicly served, so anyone could get it knowing the url.

Then, on the appcast contents there's the option of having a link to the .dmg itself, or an external download link, where the user has to click through and download the new version. While it's already an improvement being notified when there's an update, I think the best UX is when the user can click on the "Install Update" button and automatically get the new version.

However, having an url pointing to the .dmg file in the appcast.xml means that anyone with access to the appcast.xml can go to the link and get the app. An the appcast.xml is publicly available, so it's kind of leaving the .dmg up for grabs, no?

Is there a way to authenticate the request to download the .dmg so it's only downloadable by Sparkle?

I know people could analyze a genuine request from sparkle and then "hack" a request replica and get the .dmg. But that already involves some work trying to hack the authentication. As I understand the current situation is that anyone stumbling upon my appcast.xml file would have a publicly downloadable version of my app.

Is there a standard way of avoiding leaving the .dmg out in the open? Should I at least obfuscate the urls so people can't easily find my appcast.xml file?

Thanks!

[zorgiepoo]

See #2301

[zorgiepoo]

With that said, there are delegate methods to programmatically specify the feed URL (instead of Info.plist) or provide a password to decrypt the dmg (this is hardly used as far as I know). But these are not a true sense of "security" I recommend.

[dgrcode]

Thanks for the fast response!

Asking around someone mentioned using delta updates only. That sounds like a simpler way to prevent people from having easy access to the full .dmg. What are your thoughts about only using delta updates and not adding an url to the full version in the appcast.xml file?

[zorgiepoo]

Asking around someone mentioned using delta updates only. That sounds like a simpler way to prevent people from having easy access to the full .dmg. What are your thoughts about only using delta updates and not adding a url to the full version in the appcast.xml file?

It's not supported to omit the full archive. The full version is still needed as a fallback. There are small corner cases where the delta update won't be picked or fails to apply, and it's not always practical to generate a delta against every old version.