"Verifying..." Dialog Box when app is restarted for an update

[kaylagalway]

Summary

Hello! When a user restarts the app to install an update with Sparkle, we sometimes see the "Verifying..." dialog pop up box, which I believe is caused by gatekeeper. This adds latency to the update flow and I'm hoping to avoid it if possible.

I was wondering where we replace the app file in it's directory in the sparkle code and if it was in any way possible to hook into something to know when that file replacement happens? The reason I'd like to know, is there is a gatekeeper command we can run on the new file for the app to make it so that the "Verifying..." dialog does not pop up. I'll put more info below in the possible fix section.

Possible Fix

gktool help scan should be able to scan the specified path. If I can know when the new version of the file for my application has been replaced, this command can be run to avoid the slow down of that Verifying... pop up:

% gktool help scan
OVERVIEW: Performs a Gatekeeper scan of the specified path.

This is useful for pre-warming the cache so users do not see the 'Verifying...' dialog on first launch of an application.

USAGE: gktool scan <bundle-path>

ARGUMENTS:
  <bundle-path>           The application bundle to scan.

OPTIONS:
  -h, --help              Show help information.

Version

Sparkle 2

[zorgiepoo]

Thanks for filing this. I'm aware of this issue and tried adopting gktool (which is fairly new) before (#2421, #2433). After several experiments/tests, I ran into some unreliability issues with the OS rejecting swapping the bundle atomically and presenting security/privacy alerts after using gktool in certain conditions and filed bugs to Apple (FB13117812). If the OS bugs I encountered are improved/resolved in the future I will look forward to try adopting gktool again. Until then, I don't want to risk adopting the tool. Leaving this issue open for now because I ultimately do want to adopt performing a Gatekeeper scan (after extraction/validation) in the future.

[kaylagalway]

Ah okay, good to know! Thank you for the explanation.

[kaylagalway]

MacOS 14.4 Seed 1 came out and I believe they attempted to resolve FB13117812 as mentioned in the release notes !

Trusted Execution New Features

• /usr/bin/syspolicy_check is a new command line tool to help determine if the provided macOS application will pass the current running configurations’ system policy. This includes the same checks performed by the Apple notary service and other macOS Trusted Execution layers such as codesign, Gatekeeper, XProtect, and more. Please see the main page for additional details. (108737781)

• /usr/bin/gktool is a new command line tool to assess Gatekeeper Policy on applications. gktool can be called to pre-warm the system cache so users do not see the ‘Verifying…’ dialog on first launch of an application. (109793778)

[zorgiepoo]

Those are release notes from macOS 14.0 and aren't new. However, I did some quick testing and believe the issues I was seeing are resolved in the 14.4 Beta. So I'll look at getting a PR up and testing this again soon when I get the chance.

[zorgiepoo]

I merged changes in #2505 to do a gktool scan. There are a couple requirements:

• User must be running macOS 14.4 or later, which is still in beta currently (this path is skipped on earlier OS versions)
• Due to running into other OS issues, Sparkle's Autoupdate helper must be signed with the same team identifier as your new update, otherwise the gktool scan will be skipped. In many in-development scenarios, it is common for this to not be the case (Xcode does not recursively re-sign Sparkle's helpers with Code Sign on Copy). Hence you should test an app update on a build that is notarized, which will definitely be fully/properly signed and further test the update behavior works correctly in this case.

I have not tried what the experience is on a "big" app that would most benefit from this change. I can't test this because any such "big" app is not an app I own and isn't signed by me. Thus it would be helpful if you can test these changes. I may release a pre-release beta build soon. An official release won't be released before macOS 14.4 is released.

[zorgiepoo]

@kaylagalway macOS 14.4 has been released and Sparkle 2.6.0-beta.2 contains the latest changes for invoking gktool. Let me know if you have a chance to test this updating from a fully properly signed build (like a notarized one). Otherwise I will likely release the update sometime next week.