Can you update a sandboxed Mac app using Sparkle or something similar?

23
votes

For those distributing Mac apps outside the Mac App Store, how are you planning to support updating and sandboxing? I'm guessing most people's answers for the time being is that they're not, but I hope that eventually non-MAS apps could be sandboxed just like MAS apps.

To use Sparkle, your app would need network access, which could be granted, as well as the ability to overwrite itself in Applications. Currently you could do this with the com.apple.security.temporary-exception.files.absolute-path.read-write entitlement, but that's not a good solution. It will likely go away, and even if it doesn't there's little point in sandboxing an app if you're going to give it full filesystem read-write access as well as network access.

Has anyone already gone down this path and found a good solution? I ask because I try to keep my MAS build and my non-MAS build as identical as possible, and I'm currently looking at having my MAS build sandboxed and my non-MAS build not.

3
macoscocoasandboxsparkle
One of the many sandbox-related headaches devs are having!sbooth

3 Answers

5
votes

In a conversation started by @chockenberry on twitter, @andy_matuschak responded favorably to creating an XPC service for Sparkle.

I have a pull request open on GitHub that actually creates the XPC service. Hopefully, this will get incorporated into Sparkle soon.

1
votes

We actually have two versions of our app: one for our own web site and one for the app store.

I recommend using Sam Deane's approach which you can find in his GitHub repository. It works well for us.

0
votes

Not yet.

As of 1.15 Sparkle does not support sandboxing, and the patch that is floating around has a vulnerability that allows complete bypass of sandbox security.