
Harden policy on what operations clients are allowed to take#2763

Merged
zorgiepoo merged 3 commits into 2.x from service-hardening-fixes on Sep 8, 2025

Conversation

@zorgiepoo
Member

@zorgiepoo zorgiepoo commented Sep 7, 2025

  • For the Installer and Downloader XPC Services, if these executables are code signed with an Apple issued Team ID, then the connecting client must also be code signed with a matching Team ID.
  • For the Downloader XPC Service, the request URL must be http/https
  • For Autoupdate, if stage 1 of installation hasn't been completed yet and this executable is code signed with an Apple issued Team ID, then the connecting client must also be code signed with a matching Team ID. As before, multiple simultaneous connections are still disallowed.
  • For Autoupdate, if it's not signed with Apple issued certificate, when installing package updates the bundle being updated must be itself and owned by root on disk (as one expects from a PKG installation)
  • The authorization prompt message in the Installer Service is more computed inside the service so the client can't pass a completely arbitrary message
  • Add extra nullable checking of parameters coming from XPC endpoints
  • Add more thread-safe synchronization for Autoupdate installer
  • Add logs for more failure points

This change is backported to 2.7.2 over here fc4f8cb

The in depth security details of this change are discussed here.

Misc Checklist

  • My change requires a documentation update on Sparkle's website repository
  • My change requires changes to generate_appcast, generate_keys, or sign_update

Testing

I tested and verified my change by using one or multiple of these methods:

  • Sparkle Test App
  • Unit Tests
  • My own app
  • Other (please specify)

Tested:

  • Running sparkle test app in debug
  • Production app using sandboxing and no sandboxing,
  • Production app with using pkg update

macOS version tested:
15.5 (24F74)
10.14.6
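The first bullet of the description (the XPC service only accepts a client whose code signature carries the same Apple-issued Team ID as the service itself) and the Downloader bullet (request URLs limited to http/https) can be sketched with public Security.framework calls. The block below is an added example written for this page; it is not Sparkle's code and does not show how the PR implements these checks. It assumes a hypothetical `NSXPCListenerDelegate` named `ServiceListenerDelegate` and identifies the peer by `NSXPCConnection.processIdentifier`.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Team ID of the running executable, or nil when it is not signed with one
// (e.g. ad-hoc or unsigned). A nil result means the Team ID policy is not enforced.
static NSString *TeamIdentifierOfSelf(void) {
    SecCodeRef selfCode = NULL;
    if (SecCodeCopySelf(kSecCSDefaultFlags, &selfCode) != errSecSuccess) {
        return nil;
    }
    CFDictionaryRef info = NULL;
    // kSecCSSigningInformation is required for the certificate-derived fields to be filled in
    OSStatus status = SecCodeCopySigningInformation((SecStaticCodeRef)selfCode,
                                                    kSecCSSigningInformation, &info);
    CFRelease(selfCode);
    if (status != errSecSuccess) {
        return nil;
    }
    NSString *teamID = [(__bridge NSDictionary *)info
        objectForKey:(__bridge NSString *)kSecCodeInfoTeamIdentifier];
    CFRelease(info);
    return teamID;
}

// Validates the client process identified by pid against a code requirement that
// demands an Apple-rooted certificate chain whose leaf carries the given Team ID.
static BOOL ClientMatchesTeamIdentifier(pid_t clientPid, NSString *teamID) {
    // The Team ID is interpolated into a requirement string, so refuse anything
    // that is not plain alphanumeric before building it.
    NSCharacterSet *notAlnum = [[NSCharacterSet alphanumericCharacterSet] invertedSet];
    if (teamID.length == 0 || [teamID rangeOfCharacterFromSet:notAlnum].location != NSNotFound) {
        return NO;
    }
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributePid : @(clientPid) };
    SecCodeRef clientCode = NULL;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &clientCode) != errSecSuccess) {
        return NO;
    }
    NSString *reqText = [NSString stringWithFormat:
        @"anchor apple generic and certificate leaf[subject.OU] = \"%@\"", teamID];
    SecRequirementRef requirement = NULL;
    OSStatus status = SecRequirementCreateWithString((__bridge CFStringRef)reqText,
                                                     kSecCSDefaultFlags, &requirement);
    if (status == errSecSuccess) {
        // Checks both that the signature is valid and that it satisfies the requirement
        status = SecCodeCheckValidity(clientCode, kSecCSDefaultFlags, requirement);
        CFRelease(requirement);
    }
    CFRelease(clientCode);
    return status == errSecSuccess;
}

// Downloader-style policy: only http and https request URLs are accepted,
// so schemes such as file: cannot be routed through the service.
static BOOL IsAllowedDownloadURL(NSURL *url) {
    NSString *scheme = url.scheme.lowercaseString;
    return [scheme isEqualToString:@"http"] || [scheme isEqualToString:@"https"];
}

// Hypothetical listener delegate (assumption for this example) applying the policy
// at connection-acceptance time, before any method on the exported object can run.
@interface ServiceListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation ServiceListenerDelegate
- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    NSString *ownTeamID = TeamIdentifierOfSelf();
    pid_t clientPid = newConnection.processIdentifier;
    if (ownTeamID != nil && !ClientMatchesTeamIdentifier(clientPid, ownTeamID)) {
        // Log the failure point so a rejected connection is diagnosable
        NSLog(@"Rejecting XPC client pid %d: code signature does not carry Team ID %@",
              clientPid, ownTeamID);
        return NO;
    }
    // exportedInterface / exportedObject would be configured here before resuming
    [newConnection resume];
    return YES;
}
@end
```

Two caveats apply to this sketch. Looking up the peer by PID is subject to PID reuse between the time the connection arrives and the time the check runs, so a production service should prefer an audit-token-based identity where it has one. And the requirement string only pins the Team ID; a service that wants to exclude development-signed clients would additionally pin the Developer ID certificate chain in the same requirement.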

* For the Installer and Downloader XPC Services, if these executables are code signed with an Apple issued Team ID, then the connecting client must also be code signed with a matching Team ID.
* For the Installer and Downloader XPC Services, the connecting client must be sandboxed.
* For the Downloader XPC Service, the request URL must be http/https
* For Autoupdate, if stage 1 of installation hasn't been completed yet and this executable is code signed with an Apple issued Team ID, then the connecting client must also be code signed with a matching Team ID. As before, multiple simultaneous connections are still disallowed.
* For Autoupdate, if it's not signed with Apple issued certificate, when installing package updates the bundle being updated must be itself and owned by root on disk (as one expects from a PKG installation)
* The authorization prompt message in the Installer Service is more computed inside the service so the client can't pass a completely arbitrary message
* Add extra nullable checking of parameters coming from XPC endpoints
* Add more thread-safe synchronization for Autoupdate installer
* Add logs for more failure points
@zorgiepoo zorgiepoo added this to the 2.8 milestone Sep 7, 2025
@zorgiepoo zorgiepoo merged commit 4dac8e3 into 2.x Sep 8, 2025
2 checks passed
@zorgiepoo zorgiepoo deleted the service-hardening-fixes branch September 8, 2025 01:02
