From ac2a52b077b4a88f255e6957f6ed7711f5690254 Mon Sep 17 00:00:00 2001 From: Zorg Date: Sat, 17 Feb 2024 14:42:24 -0800 Subject: [PATCH 1/3] Perform Gatekeeper scan to pre-warm app launch This avoids users being a "Verifying..." Dialog when the installed update is (re-)launched. This scan is only done for macOS 14.4+ onwards (gktool was introduced in macOS 14.0 but had issues). Also this scan is only done if Autoupdate's team identifier matches the new update's team identifier. Otherwise the OS may think Autoupdate is modifying a bundle which it shouldn't be permitted to (this is a bug). --- Autoupdate/SUCodeSigningVerifier.h | 3 ++ Autoupdate/SUCodeSigningVerifier.m | 39 +++++++++++++++++++++++ Autoupdate/SUPlainInstaller.m | 51 ++++++++++++++++++++++++++++-- 3 files changed, 90 insertions(+), 3 deletions(-) diff --git a/Autoupdate/SUCodeSigningVerifier.h b/Autoupdate/SUCodeSigningVerifier.h index b9181143e8..82cfc2ac6e 100644 --- a/Autoupdate/SUCodeSigningVerifier.h +++ b/Autoupdate/SUCodeSigningVerifier.h @@ -24,6 +24,9 @@ SPU_OBJC_DIRECT_MEMBERS + (BOOL)codeSignatureIsValidAtBundleURL:(NSURL *)bundleURL error:(NSError *__autoreleasing *)error; + (BOOL)bundleAtURLIsCodeSigned:(NSURL *)bundleURL; + ++ (BOOL)teamIdentifierAtURL:(NSURL *)url1 matchesTeamIdentifierAtURL:(NSURL *)url2; + @end #endif diff --git a/Autoupdate/SUCodeSigningVerifier.m b/Autoupdate/SUCodeSigningVerifier.m index 5846426e1f..5986104bf9 100644 --- a/Autoupdate/SUCodeSigningVerifier.m +++ b/Autoupdate/SUCodeSigningVerifier.m @@ -258,4 +258,43 @@ + (BOOL)bundleAtURLIsCodeSigned:(NSURL *)bundleURL return (result == 0); } +static NSString * _Nullable teamIdentifierAtURL(NSURL *url) +{ + SecStaticCodeRef staticCode = NULL; + OSStatus staticCodeResult = SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &staticCode); + if (staticCodeResult != noErr) { + SULog(SULogLevelError, @"Failed to get static code for retrieving team identifier: %d", staticCodeResult); + return nil; + } + + CFDictionaryRef cfSigningInformation = NULL; + OSStatus copySigningInfoCode = SecCodeCopySigningInformation(staticCode, kSecCSSigningInformation, + &cfSigningInformation); + + NSDictionary *signingInformation = CFBridgingRelease(cfSigningInformation); + + if (copySigningInfoCode != noErr) { + SULog(SULogLevelError, @"Failed to get signing information for retrieving team identifier: %d", copySigningInfoCode); + return nil; + } + + // Note this will return nil for ad-hoc or unsigned binaries + return signingInformation[@"teamid"]; +} + ++ (BOOL)teamIdentifierAtURL:(NSURL *)url1 matchesTeamIdentifierAtURL:(NSURL *)url2 +{ + NSString *teamIdentifierForURL1 = teamIdentifierAtURL(url1); + if (teamIdentifierForURL1 == nil) { + return NO; + } + + NSString *teamIdentifierForURL2 = teamIdentifierAtURL(url2); + if (teamIdentifierForURL2 == nil) { + return NO; + } + + return [teamIdentifierForURL1 isEqualToString:teamIdentifierForURL2]; +} + @end diff --git a/Autoupdate/SUPlainInstaller.m b/Autoupdate/SUPlainInstaller.m index a7244d7ba5..d9fdcdb97a 100644 --- a/Autoupdate/SUPlainInstaller.m +++ b/Autoupdate/SUPlainInstaller.m @@ -14,6 +14,7 @@ #import "SUErrors.h" #import "SUVersionComparisonProtocol.h" #import "SUStandardVersionComparator.h" +#import "SUCodeSigningVerifier.h" #include "AppKitPrevention.h" @@ -41,7 +42,7 @@ - (instancetype)initWithHost:(SUHost *)host bundlePath:(NSString *)bundlePath in return self; } -- (void)_performInitialInstallationWithFileManager:(SUFileManager *)fileManager oldBundleURL:(NSURL *)oldBundleURL newBundleURL:(NSURL *)newBundleURL progressBlock:(nullable void(^)(double))progress SPU_OBJC_DIRECT +- (void)_performInitialInstallationWithFileManager:(SUFileManager *)fileManager oldBundleURL:(NSURL *)oldBundleURL newBundleURL:(NSURL *)newBundleURL skipGatekeeperScan:(BOOL)skipGatekeeperScan progressBlock:(nullable void(^)(double))progress SPU_OBJC_DIRECT { // Release our new app from quarantine NSError *quarantineError = nil; @@ -88,6 +89,48 @@ - (void)_performInitialInstallationWithFileManager:(SUFileManager *)fileManager if (progress) { progress(8/11.0); } + + if (!skipGatekeeperScan) + { + // Perform a Gatekeeper scan to pre-warm the app launch + // This avoids users seeing a "Verifying..." dialog when the installed update is launched + // Note the tool we use to perform the Gatekeeper scan (gktool) is technically available on macOS 14.0, + // however there are some potential bugs/issues with performing a Gatekeeper scan on versions before 14.4: + // https://github.com/sparkle-project/Sparkle/issues/2491 + if (@available(macOS 14.4, *)) { + // Only perform Gatekeeper scan if we're updating an app bundle + NSString *newBundlePath = newBundleURL.path; + if ([newBundlePath.pathExtension caseInsensitiveCompare:@"app"] == NSOrderedSame) { + // We only invoke gktool if Autoupdate is signed with the same team identifier as the new update bundle + // Otherwise we may unfortunately run into some Privacy & Security prompt bugs in the OS (note this is *not* a security check) + // This does overall imply that for an app to test the gktool path, this path may often skipped for most common development workflows that don't + // re-sign Sparkle's Autoupdate helper + NSURL *mainExecutableURL = NSBundle.mainBundle.executableURL; + if (mainExecutableURL != nil && [SUCodeSigningVerifier teamIdentifierAtURL:mainExecutableURL matchesTeamIdentifierAtURL:newBundleURL]) { + NSURL *gktoolURL = [NSURL fileURLWithPath:@"/usr/bin/gktool" isDirectory:NO]; + if ([gktoolURL checkResourceIsReachableAndReturnError:NULL]) { + NSTask *gatekeeperScanTask = [[NSTask alloc] init]; + gatekeeperScanTask.executableURL = gktoolURL; + gatekeeperScanTask.arguments = @[@"scan", newBundlePath]; + + NSError *taskError; + if (![gatekeeperScanTask launchAndReturnError:&taskError]) { + // Not a fatal error + SULog(SULogLevelError, @"Failed to perform GateKeeper scan on '%@' with error %@", newBundlePath, taskError); + } else { + [gatekeeperScanTask waitUntilExit]; + + if (gatekeeperScanTask.terminationStatus != 0) { + SULog(SULogLevelError, @"gktool failed and returned exit status %d", gatekeeperScanTask.terminationStatus); + } + } + } + } else { + SULog(SULogLevelDefault, @"Skipping invocation of gktool because Autoupdate is not signed with same identity as the new update %@", newBundleURL.lastPathComponent); + } + } + } + } } @@ -189,7 +232,9 @@ - (BOOL)startInstallationToURL:(NSURL *)installationURL fromUpdateAtURL:(NSURL * } if (!_newAndOldBundlesOnSameVolume) { - [self _performInitialInstallationWithFileManager:fileManager oldBundleURL:oldURL newBundleURL:newFinalURL progressBlock:progress]; + // If we're updating a bundle on another volume, the install process can be pretty slow. + // In this case let's get out of the way and skip the Gatekeeper scan + [self _performInitialInstallationWithFileManager:fileManager oldBundleURL:oldURL newBundleURL:newFinalURL skipGatekeeperScan:YES progressBlock:progress]; } if (progress) { @@ -312,7 +357,7 @@ - (BOOL)performInitialInstallation:(NSError * __autoreleasing *)error // We can do a lot of the installation work ahead of time if the new app update does not need to be copied to another volume if (_newAndOldBundlesOnSameVolume) { - [self _performInitialInstallationWithFileManager:fileManager oldBundleURL:_host.bundle.bundleURL newBundleURL:bundle.bundleURL progressBlock:NULL]; + [self _performInitialInstallationWithFileManager:fileManager oldBundleURL:_host.bundle.bundleURL newBundleURL:bundle.bundleURL skipGatekeeperScan:NO progressBlock:NULL]; } return YES; From d2dd11111cdfda3d48d4c7951d6b8d7e75a68029 Mon Sep 17 00:00:00 2001 From: Zorg Date: Sun, 18 Feb 2024 07:42:50 -0800 Subject: [PATCH 2/3] Use constant for teamid --- Autoupdate/SUCodeSigningVerifier.m | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Autoupdate/SUCodeSigningVerifier.m b/Autoupdate/SUCodeSigningVerifier.m index 5986104bf9..61b41a3f58 100644 --- a/Autoupdate/SUCodeSigningVerifier.m +++ b/Autoupdate/SUCodeSigningVerifier.m @@ -279,7 +279,7 @@ + (BOOL)bundleAtURLIsCodeSigned:(NSURL *)bundleURL } // Note this will return nil for ad-hoc or unsigned binaries - return signingInformation[@"teamid"]; + return signingInformation[(NSString *)kSecCodeInfoTeamIdentifier]; } + (BOOL)teamIdentifierAtURL:(NSURL *)url1 matchesTeamIdentifierAtURL:(NSURL *)url2 From 859db115df4694b1b6a15a9668e2dad27c4f8197 Mon Sep 17 00:00:00 2001 From: Zorg Date: Sun, 18 Feb 2024 07:49:31 -0800 Subject: [PATCH 3/3] Fix brace style --- Autoupdate/SUPlainInstaller.m | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Autoupdate/SUPlainInstaller.m b/Autoupdate/SUPlainInstaller.m index d9fdcdb97a..7dbfbd34b2 100644 --- a/Autoupdate/SUPlainInstaller.m +++ b/Autoupdate/SUPlainInstaller.m @@ -90,8 +90,7 @@ - (void)_performInitialInstallationWithFileManager:(SUFileManager *)fileManager progress(8/11.0); } - if (!skipGatekeeperScan) - { + if (!skipGatekeeperScan) { // Perform a Gatekeeper scan to pre-warm the app launch // This avoids users seeing a "Verifying..." dialog when the installed update is launched // Note the tool we use to perform the Gatekeeper scan (gktool) is technically available on macOS 14.0,