I have an application that is being deployed outside of the App Store using a PKG installer. Since our application has to be deployed outside the App Store (for enterprise configuration requirements), we also need to handle updates outside the App Store. I understand that the SMJobBless function is now deprecated, which seems to be how much open source software, namely Firefox, is implementing its privileged helpers.
However, since I am already deploying my software using a PKG installer, why should I use SMJobBless, or the new version, SMAppService, rather than adding additional functionality to my postinstall script that will set up a LaunchDaemon to handle my automatic updates?
The main issue that comes to mind for me is that if a user were to delete our application rather than running the uninstall script, the LaunchDaemon would still persist. Therefore, we will likely need to handle that scenario and either have the LaunchDaemon recognize that and remove itself, or exit and do nothing.
Additionally, I would be missing out on the security benefits that a service like SMJobBless provides by only allowing my AuthorizedClient to execute the privileged helper.
On the other hand, at least my LaunchDaemon would consistently work with older versions of macOS, and I wouldn't be locked in to either supporting both SMJobBless and SMAppService or supporting only systems running macOS 13+.
What have other people done to handle automatic updates when they can't deploy through the App Store? Is just creating a LaunchDaemon a common path? How do people typically handle removing the LaunchDaemon if their application is uninstalled?
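The self-removal scenario raised in the post above, as an added sketch that is not part of the original post or of any project's code: a check the updater daemon could run at startup, which removes its own launchd job when the app bundle is gone. The label `com.example.updater`, the paths, and the function name are hypothetical, and the app is assumed to live at a fixed install path.

```shell
#!/bin/sh
# Added example (hypothetical names): startup self-check for an updater
# LaunchDaemon installed by a PKG postinstall script.
# Assumption: the app is always installed at one fixed path.

# cleanup_if_app_missing APP_BUNDLE PLIST LABEL [HELPER]
# Returns 0 when the app is still installed (nothing is touched).
# Returns 1 after removing the daemon's files because the app is gone.
cleanup_if_app_missing() {
    app=$1
    plist=$2
    label=$3
    helper=${4:-}

    # Treat the bundle as present only if its Info.plist exists, so an
    # empty leftover directory does not keep the daemon alive.
    if [ -f "$app/Contents/Info.plist" ]; then
        return 0
    fi

    # Delete the job definition first: once the plist is gone, launchd
    # will not load the job again at the next boot even if a later step
    # is interrupted.
    rm -f -- "$plist"

    # Remove the root-owned helper binary so it is not left on disk.
    if [ -n "$helper" ]; then
        rm -f -- "$helper"
    fi

    # Unload the running job last. On macOS this stops the calling daemon,
    # so nothing after this line is guaranteed to run there.
    if command -v launchctl >/dev/null 2>&1; then
        launchctl bootout "system/$label" 2>/dev/null || true
    fi
    return 1
}

# In the daemon's entry point (values are placeholders):
#   cleanup_if_app_missing "/Applications/Example.app" \
#       "/Library/LaunchDaemons/com.example.updater.plist" \
#       "com.example.updater" \
#       "/Library/PrivilegedHelperTools/com.example.updater" || exit 0
```
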
In the developer documentation "Customizing the notarization workflow", it states that notarytool supports a --webhook flag. When the notarization is complete, the Apple notarization server will send the following webhook payload to the webserver that I configured.
{
  "payload": "{\"completed_time\":\"2024-02-13T17:24:37.911Z\",\"event\":\"processing-complete\",\"start_time\":\"2024-02-13T17:24:02.743Z\",\"submission_id\":\"<submission-id>\",\"team_id\":\"<team-id>\"}",
  "signature": "<signature>",
  "cert_chain": "<base64-certchain>"
}
My question is: how can I validate that this webhook is coming from Apple?
In that same developer documentation, it states the various IP addresses that the stapler requires access to, but those are not the same addresses that the notarytool webhook results are coming from.
Presumably I should be able to use the signature to validate that the request is coming from Apple; however, I have been unable to find any documentation about this webhook flag at all beyond the documentation stating that it exists.