Changes:

• Fix potential crash due to race condition within clearDownloadedUpdate (#2863) (Julian Pscheid)
• Fix generate_appcast failing if feed URL doesn't have lastPathComponent (#2862) (Julian Pscheid)
• Don't let progress status text title string line wrap (#2856) (Zorg)
• Add minimal framework support for building arm64e (#2858, #2860) (Zorg)
• Add SKIP_INSTALL=YES to for XPCServices targets (#2864) (Jeremy Huddleston Sequoia)

Please also check 2.9.0 for previous changes.

Changes:

• Add basic markdown support for release notes (requires macOS 12+) including customizing its presentation (#2810, #2817) (Zorg)
• Add support for signing and verifying appcast feeds (#2822, #2828) (Zorg)
• Add sparkle:hardwareRequirements for enforcing an Apple silicon (arm64) requirement (#2797) (Zorg)
• Add sparkle:minimumUpdateVersion for specifying a minimum version an app needs to be on before upgrading (#2811) (Zorg)
• Add API annotations for Swift concurrency (#2827) (Zorg)
• Validate Obj-C class when reading objects from user defaults / Info plists (#2782) (Zorg)
• Download temporary files in-memory using NSURLSessionDataTask (#2825) (Zorg)
• Allow impatient update check interval to be configured for updates that are downloaded automatically (#2799) (Zorg)
• Probe agent & status service as soon as we launch it to reduce timeout issues (#2852) (Zorg)
• Add allowsAutomaticUpdates property to determine if automatic downloading/installing of updates option should be enabled (#2809) (Zorg)
• Add Vietnamese translation (#2816, #2839) (TranPhuong319)
• Add missing nn language to Installer progress Info.plist (#2818) (Zorg)
• Improve German localization (#2847) (Marco Hillger)
• Find non-canonical Sparkle.framework locations in generate_appcast when creating delta updates to determine compatibility (#2833) (Zorg)
• Make Debug builds of Sparkle use same time interval settings as Release (#2805) (Zorg)
• Remove sparkle-cli from the binary distribution (#2826) (Zorg)
• Make generate_appcast deltas order stable and thread-safe (#2848) (Nathan Manceaux-Panot)
• Fix Xcode 26.4 beta compiler warnings (#2850) (Zorg)

This release adds appcast enhancements such as markdown support and signed feeds.

CocoaPods distribution is now deprecated. Please consider migrating away.

Discussion

Changes since 2.9.0 beta 1:

• Preserve XML whitespace better when signing appcast feed (#2840) (Zorg)
• Expose --disable-signing-warning flag in signing tools (#2841) (Zorg)
• Update Vietnamese translation (#2839) (TranPhuong319)
• Update API documentation for updates checked in background (#2842) (Zorg)
• Fix signature verifier class collisions in unit tests (#2843) (Zorg)

Overall changes to 2.9.0:

• Add basic markdown support for release notes (requires macOS 12+) including customizing its presentation (#2810, #2817) (Zorg)
• Add support for signing and verifying appcast feeds (#2822, #2828) (Zorg)
• Add sparkle:hardwareRequirements for enforcing an Apple silicon (arm64) requirement (#2797) (Zorg)
• Add sparkle:minimumUpdateVersion for specifying a minimum version an app needs to be on before upgrading (#2811) (Zorg)
• Add API annotations for Swift concurrency (#2827) (Zorg)
• Validate Obj-C class when reading objects from user defaults / Info plists (#2782) (Zorg)
• Download temporary files in-memory using NSURLSessionDataTask (#2825) (Zorg)
• Allow impatient update check interval to be configured for updates that are downloaded automatically (#2799) (Zorg)
• Add allowsAutomaticUpdates property to determine if automatic downloading/installing of updates option should be enabled (#2809) (Zorg)
• Add Vietnamese translation (#2816, #2839) (TranPhuong319)
• Add missing nn language to Installer progress Info.plist (#2818) (Zorg)
• Find non-canonical Sparkle.framework locations in generate_appcast when creating delta updates to determine compatibility (#2833) (Zorg)
• Make Debug builds of Sparkle use same time interval settings as Release (#2805) (Zorg)
• Remove sparkle-cli from the binary distribution (#2826) (Zorg)

This release adds appcast enhancements such as markdown support and signed feeds.

CocoaPods distribution is now deprecated. Please consider migrating away.

Discussion

Changes:

• Add basic markdown support for release notes (requires macOS 12+) including customizing its presentation (#2810, #2817) (Zorg)
• Add support for signing and verifying appcast feeds (#2822, #2828) (Zorg)
• Add sparkle:hardwareRequirements for enforcing an Apple silicon (arm64) requirement (#2797) (Zorg)
• Add sparkle:minimumUpdateVersion for specifying a minimum version an app needs to be on before upgrading (#2811) (Zorg)
• Add API annotations for Swift concurrency (#2827) (Zorg)
• Validate Obj-C class when reading objects from user defaults / Info plists (#2782) (Zorg)
• Download temporary files in-memory using NSURLSessionDataTask (#2825) (Zorg)
• Allow impatient update check interval to be configured for updates that are downloaded automatically (#2799) (Zorg)
• Add allowsAutomaticUpdates property to determine if automatic downloading/installing of updates option should be enabled (#2809) (Zorg)
• Add Vietnamese translation (#2816) (TranPhuong319)
• Add missing nn language to Installer progress Info.plist (#2818) (Zorg)
• Find non-canonical Sparkle.framework locations in generate_appcast when creating delta updates to determine compatibility (#2833) (Zorg)
• Make Debug builds of Sparkle use same time interval settings as Release (#2805) (Zorg)
• Remove sparkle-cli from the binary distribution (#2826) (Zorg)

This release adds appcast enhancements such as markdown support and signed feeds.

CocoaPods distribution is now deprecated. Please consider migrating away.

Discussion for Sparkle 2.9 (beta)

On a fun extra note, we have also reached Sparkle's 20 year anniversary.

Changes:

• Enforce RunAtLoad to reduce potential timeout issue when launching updater task (#2795) (Zorg)
• Add missing executable bit permission warnings on connection failure (#2792) (Zorg)
• Add missing localizations to zh-CN & zh-TW (#2789, #2791) (Francis Feng)
• Add documentation note for delegates being weakly referenced (#2802) (Zorg)
• Include app name in startUpdater: failure in SPUStandardUpdaterController (#2780) (Zorg)

Please also check 2.8.0 for previous changes.

Changes:

• UI modernization and macOS Tahoe support
  • Modernize update alert and release notes UI (#2737) (Zorg, Noah Nuebling, Cykelero, Daniel Jalkut, Peter Nowell)
  • Update retrieving app icon to work better in Tahoe (#2742) (Zorg)
  • Improve retrieval of main app icon for authorization dialog (#2743) (Zorg)
• Delta updates
  • Improve bsdiff performance by preventing excessive iterations when processing similar data blocks (#2693) (Will Fairclough)
  • Fix an issue while searching a cloneable file for delta updates (#2748, #2753) (Vincent Bénony, Zorg)
  • Add support for relative URLs for delta updates (#2741) (jj)
• Localization
  • Set STRINGS_FILE_OUTPUT_ENCODING build setting to "binary" (#2712) (Nicolas Kick)
  • Move all localizations to main Sparkle.strings (#2760) (Zorg)
• Synchronize updater settings with user defaults to fix out-of-sync UI state (#2728) (Zorg)
• Document and better enforce main thread only requirement for using Sparkle methods (#2746, #2754, #2768)) (Sebastien Marchand, Zorg)
• Make -[SPUUserDriver showUpdateInFocus] optional (#2717) (Zorg)
• Add private module map for framework (#2722) (Zorg)
• Workaround a corner case in which the bundle path of a running application contains Contents/MacOS/Executable (#2726, #2747) (Jeremy Huddleston Sequoia, Zorg)
• Disable false dependency scan analysis warnings when building Sparkle from source (#2762) (Daniel Jalkut)
• Refactor the logic for avoiding re-sending the system profile more frequently than once a week (#2720) (Daniel Jalkut)
• Remove deprecated interactive package installer type (#2767) (Zorg)

Sparkle 2.8 introduces a refreshed UI update to the software update window and includes compatibility improvements for macOS 26 Tahoe. Thanks to all of those that contributed to the design of the update window (#2737).

Discussion

Changes:

• UI modernization and macOS Tahoe support
  • Modernize update alert and release notes UI (#2737) (Zorg, Noah Nuebling, Cykelero, Daniel Jalkut, Peter Nowell)
  • Update retrieving app icon to work better in Tahoe (#2742) (Zorg)
  • Improve retrieval of main app icon for authorization dialog (#2743) (Zorg)
• Delta updates
  • Improve bsdiff performance by preventing excessive iterations when processing similar data blocks (#2693) (Will Fairclough)
  • Fix an issue while searching a cloneable file for delta updates (#2748, #2753) (Vincent Bénony, Zorg)
  • Add support for relative URLs for delta updates (#2741) (jj)
• Localization
  • Set STRINGS_FILE_OUTPUT_ENCODING build setting to "binary" (#2712) (Nicolas Kick)
  • Move all localizations to main Sparkle.strings (#2760) (Zorg)
• Synchronize updater settings with user defaults to fix out-of-sync UI state (#2728) (Zorg)
• Document and better enforce main thread only requirement for using Sparkle methods (#2746, #2754) (Sebastien Marchand, Zorg)
• Make -[SPUUserDriver showUpdateInFocus] optional (#2717) (Zorg)
• Add private module map for framework (#2722) (Zorg)
• Workaround a corner case in which the bundle path of a running application contains Contents/MacOS/Executable (#2726, #2747) (Jeremy Huddleston Sequoia, Zorg)
• Disable false dependency scan analysis warnings when building Sparkle from source (#2762) (Daniel Jalkut)
• Refactor the logic for avoiding re-sending the system profile more frequently than once a week (#2720) (Daniel Jalkut)

2.8.0 beta 3 specifically includes a crash fix from 2.7.3 and important security fixes from 2.7.2.

Sparkle 2.8 includes a more modernized UI for the standard update alert and Tahoe compatibility support fixes. Feel free to head over to the discussions.

Changes for 2.7.3:

• Double quote team identifiers in requirement strings to fix crash if Team ID starts with number (#2766) (Zorg)

This fixes a potential crash that may occur for specific Team IDs, introduced in 2.7.2 which includes security fixes.

A release for 2.8.0 betas (aimed at revamped Tahoe support) with this fix will also been published soon.

--

Changes for 2.7.2:

This release contains security fixes for local exploits reported/reviewed by @Karmaz95 . More details can be found in this discussion.

For apps that install package updates, you may not be able to test Sparkle in a development environment easily where Sparkle's tools are often not specially signed. If this is the case, please try testing Sparkle either from a notarized version of your app, or from a version of your app that was installed by your package installer.

Warning (EDIT): Don't use this build. Use 2.8.0-beta.3 or later which includes a potential crash fix introduced here.

Changes:

• UI modernization and macOS Tahoe support
  • Modernize update alert and release notes UI (#2737) (Zorg, Noah Nuebling, Cykelero, Daniel Jalkut, Peter Nowell)
  • Update retrieving app icon to work better in Tahoe (#2742) (Zorg)
  • Improve retrieval of main app icon for authorization dialog (#2743) (Zorg)
• Delta updates
  • Improve bsdiff performance by preventing excessive iterations when processing similar data blocks (#2693) (Will Fairclough)
  • Fix an issue while searching a cloneable file for delta updates (#2748, #2753) (Vincent Bénony, Zorg)
  • Add support for relative URLs for delta updates (#2741) (jj)
• Localization
  • Set STRINGS_FILE_OUTPUT_ENCODING build setting to "binary" (#2712) (Nicolas Kick)
  • Move all localizations to main Sparkle.strings (#2760) (Zorg)
• Synchronize updater settings with user defaults to fix out-of-sync UI state (#2728) (Zorg)
• Document and better enforce main thread only requirement for using Sparkle methods (#2746, #2754) (Sebastien Marchand, Zorg)
• Make -[SPUUserDriver showUpdateInFocus] optional (#2717) (Zorg)
• Add private module map for framework (#2722) (Zorg)
• Workaround a corner case in which the bundle path of a running application contains Contents/MacOS/Executable (#2726, #2747) (Jeremy Huddleston Sequoia, Zorg)
• Disable false dependency scan analysis warnings when building Sparkle from source (#2762) (Daniel Jalkut)
• Refactor the logic for avoiding re-sending the system profile more frequently than once a week (#2720) (Daniel Jalkut)

2.8 beta 2 specifically includes important security fixes from 2.7.2.

Sparkle 2.8 includes a more modernized UI for the standard update alert and Tahoe compatibility support fixes. Feel free to head over to the discussions.

Warning (EDIT): Don't use this build. Use 2.7.3 or later which includes a potential crash fix introduced here.

Changes:

• Harden policy on what operations clients are allowed to take (#2763) (Zorg)

This release contains security fixes for local exploits reported/reviewed by @Karmaz95 . More details can be found in this discussion.

For apps that install package updates, you may not be able to test Sparkle in a development environment easily where Sparkle's tools are often not specially signed. If this is the case, please try testing Sparkle either from a notarized version of your app, or from a version of your app that was installed by your package installer.

A release for 2.8.0 betas (aimed at revamped Tahoe support) with these fixes has also been published.