Thanks for taking time to look into the issue and for reading up on the Sparkle Updater vulnerability. It is very much appreciated.
Last night Apple updated the developer beta, which resolved the following issue: “Known issue with this build:
Applications that dynamically update their executable after installation may encounter an invalid code signature resulting a crash on launch”
I have not tested it thoroughly, but I have not had issues today. Although, I have not been listening to music much and I did update to the latest DPS last night as well. If there is a way I can help in this matter, let me know. There were some changes to CA inside Xcode (7.2.1) and with the third beta. Then again…it could be my system. 🙂
You are correct about Sparkle. Potentially, any application that does not use HTTPS for updates is vulnerable. They did patch this in 1.13.1, but if HTTPS is used then it is a non-issue regardless of the version used. Older versions would not throw an error in case of an invalid SSL certificate by default, as far as I am aware. Thanks for taking time to investigate this and confirm that the DPS is secure. 🙂 There are a lot of applications using Sparkle and most of them are developed by a single developer, so security is not really a priority. I personally have 4 applications which both use an outdated framework and are updated via HTTP. Happy to hear you have secured your users before rolling out the public release.
I updated to the newest beta last night and the update process went without a hitch. I did not have to reboot the system and was able to continue to use the system as usual. That is great news. I really do like the tweaks and fixes you have incorporated in the last two releases.
I did not do a clean reinstall, so I cannot confirm if the freezing issue with the login window still exists.
- The DPS application folder is now opened in the Finder after installation.
Is it possible to do the following:
If DPS is already running and is (being) updated, do not open the application folder. If the application is closed or disabled, open it. I realize why this is implemented and it is great. Especially if you download and run the installer manually. It is the preferred behavior. But if updated via the internal updater, I would just want it to install and relaunch. This is just an idea. The updater downloads the full installer rather than delta updates, so this might not be possible.
One thing I do have to report, and it is not related to just the current build, is that sometimes I answer my calls on my Mac (via FaceTime) and the volume gets low during/after ending a call. Re-sync does boost the volume and restores it. It does not happen all the time though. As if “volume boost” gets disabled. Increasing or decreasing the volume does not change things, only re-sync.
@wzrd8kd, I also have that happening. I do not know why, but it does not seem to affect the application when switching between the outputs.
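
The condition described in the post above (an update feed served over plain HTTP, combined with a Sparkle framework older than 1.13.1) can be checked across installed applications. The script below is an added example, not part of the original post and not code from Sparkle or DPS. It assumes the feed URL is declared under the `SUFeedURL` key of the app's `Info.plist` and that the framework version is in the embedded `Sparkle.framework` plist; apps that set the feed URL in code are not detected.

```python
import plistlib
import re
from pathlib import Path

PATCHED = (1, 13, 1)  # Sparkle release the post names as carrying the fix
# Assumed bundle layout: feed URL in the app's Info.plist under SUFeedURL,
# framework version in the embedded Sparkle.framework's Info.plist.
FRAMEWORK_PLIST = "Contents/Frameworks/Sparkle.framework/Resources/Info.plist"

def read_plist(path):
    """Return the plist as a dict, or {} when it is missing or unreadable."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
        return data if isinstance(data, dict) else {}
    except Exception:  # missing file, malformed XML, truncated binary plist
        return {}

def version_tuple(text):
    """'1.13.1' -> (1, 13, 1); non-numeric suffixes such as '1.5b6' are cut."""
    nums = []
    for piece in str(text).split(".")[:3]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def audit_app(app):
    """Classify one .app bundle; None means no SUFeedURL is declared."""
    app = Path(app)
    feed = read_plist(app / "Contents" / "Info.plist").get("SUFeedURL")
    if not feed:
        return None  # not Sparkle, or the feed URL is set in code
    version = read_plist(app / FRAMEWORK_PLIST).get("CFBundleShortVersionString")
    if str(feed).strip().lower().startswith("https://"):
        status = "https-feed"
    elif version and version_tuple(version) >= PATCHED:
        status = "http-feed, Sparkle >= 1.13.1"
    else:  # HTTP feed with an older or undeterminable framework version
        status = "http-feed, Sparkle < 1.13.1 or unknown"
    return {"app": app.name, "feed": str(feed), "sparkle": version, "status": status}

def scan(root="/Applications"):
    """Audit every top-level .app under root, HTTP feeds listed first."""
    found = [r for r in map(audit_app, sorted(Path(root).glob("*.app"))) if r]
    return sorted(found, key=lambda r: r["status"].startswith("https"))

if __name__ == "__main__":
    for row in scan():
        print(f'{row["status"]:40} {row["app"]:30} {row["feed"]}')
```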