Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[sqwarqDev]

OK, I've started adding version numbers to this script now to avoid confusion. 
:~!

Latest 'update' is v1.3 (fixed: the 'choose folder' option now works correctly):

I don't think this is the last version...there's at least one outstanding 
problem one person's having that I'm waiting to here more about (I can't 
reproduce it myself, but will post an update if / when needed).


#script version 1.3
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set defaultAppsFolder to "/Applications"

#comment out the three lines above and uncomment the three lines below if you 
want to choose the folder yourself

#set pathToAppFolder to choose folder
#set defaultAppsFolder to POSIX path of pathToAppFolder
#set defaultAppsFolder to text 1 thru -2 of defaultAppsFolder


set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
set theAppList to do shell script "find " & defaultAppsFolder & " -name 
Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
set theApp to text of item i of theAppList
set this_item to item i of theAppList
set f to pathToAppFolder & this_item & ":" & infoFilePath as string
tell application "System Events"
if exists property list file f then
set thePlist to contents of property list file f
set theValue to value of thePlist

if exists SUFeedURL of theValue then

set thisSUFeedURL to SUFeedURL of theValue as text
if thisSUFeedURL contains "http:" then
set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as 
text
set end of my sparkleAppsList to theResultString & "

"
end if

end if
end if
end tell
end repeat
display dialog "The following apps do not use secure https connections for the 
Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle 
Framework Vulnerability Check"

#EOF


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[sqwarqDev]

On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote:

You can do that in the terminal, I found this terminal command online:

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk
-F'.' '{print $1}'


Here’s an AppleScript that will output the insecure http apps from your 
Applications folder. Note two caveats:

i. it won’t catch apps not in your /Applications folder

ii. it won’t catch apps that don’t use the SUFeedURL in the info.plist (some 
hide it in the binary, DriveDx being one I know of). 

I’ve also posted this script and a summary of what’s been said here on my blog 
at:


http://applehelpwriter.com/2016/02/10/how-to-check-for-sparkle-vulnerability/


Here’s the script. Paste it into the Script Editor, compile and run. If there’s 
any compile problems, it’s just to formatting from your Email editor, so copy 
and paste as plain text.



set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
set theAppList to do shell script "find /Applications -name Sparkle.framework | awk 
-F'/' '{print $3}' | awk -F'.' '{print $1}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
set theApp to text of item i of theAppList
set this_item to item i of theAppList
set f to pathToAppFolder & this_item & ".app:" & infoFilePath as string
tell application "System Events"
set thePlist to contents of property list file f
set theValue to value of thePlist
set thisSUFeedURL to SUFeedURL of theValue as text
if thisSUFeedURL contains "http:" then
set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as 
text
set end of my sparkleAppsList to theResultString & "

"
end if
end tell
end repeat
display dialog "The following apps do not use secure https connections for the 
sparkle updater:

" & sparkleAppsList as string

#EOF




Best


Phil
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[sqwarqDev]

On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote:


You can do that in the terminal, I found this terminal command online:



find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk
-F'.' '{print $1}'


Sorry, some posting problems. Here’s the latest version of the script, with 
error checking. Also see the comments if you want to choose a subfolder or 
other folders aside from /Applications:



set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
#comment out the two lines above and uncomment the line below if you want to 
choose the folder yourself

#set pathToAppFolder to choose folder

set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
set theAppList to do shell script "find /Applications -name Sparkle.framework | awk 
-F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
set theApp to text of item i of theAppList
set this_item to item i of theAppList
set f to pathToAppFolder & this_item & ":" & infoFilePath as string
tell application "System Events"
if exists property list file f then
set thePlist to contents of property list file f
set theValue to value of thePlist

if exists SUFeedURL of theValue then

set thisSUFeedURL to SUFeedURL of theValue as text
if thisSUFeedURL contains "http:" then
set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as 
text
set end of my sparkleAppsList to theResultString & "

"
end if

end if
end if
end tell
end repeat
display dialog "The following apps do not use secure https connections for the 
Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle 
Framework Vulnerability Check"

#EOF

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Contextual menu for NSTableCellView in NSOutlineView

[Konidaris Christos]

I cannot get contextual menus to work inside the cells of my view-based 
NSOutlineView. 

In my cell view I have one standard NSImageView and one NSTextFieldCell. I set 
the menu for the outline view in IB. When I (right) click on a cell outside the 
two views the contextual menu appears. When I click on one of the two fields it 
does not. I can see from the logs that the menu delegate's menuNeedsUpdate: is 
not called in this case.  I tried setting the same menu as the menu for these 
views in IB with the same result.  I get the same behavior when I implement  
-menuForEvent:(NSEvent *)event for my NSOutlineView subclass instead of setting 
the menu in IB.

I also tried implementing -menuForEvent:(NSEvent *)event for my NSTableCellView 
subclass with no better luck. This all in Xcode 7.2.1, deployment target set to 
10.9, no ARC.

Does anybody know what I am missing for the contextual menu to work for my cell 
views?

Thanks in advance,

- Christos Konidaris


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[sqwarqDev]

I've removed some duplications in the code, but functionally identical to the 
last version.

Again, I'll point out that this is only going to show you apps in 
/Applications, and it's not going to find those that hide the appcast url in 
the binary (DriveDx, for one, but there are others). Bear in mind that it's a 
script that shows Sparkle apps that are definitely insecure, and doesn't imply 
that all the other apps that use Sparkle on your mac are secure.


#script version 1.41
set x to (path to startup disk) as text
set defaultAppsFolder to "/Applications"
set plistContents to ""
set pathToAppFolder to x & "Applications:"
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
set theAppList to do shell script "find " & defaultAppsFolder & " -name 
Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
set theApp to text of item i of theAppList
set this_item to item i of theAppList
set f to pathToAppFolder & this_item & ":" & infoFilePath as string
tell application "System Events"
if exists property list file f then
set thePlist to contents of property list file f
set theValue to value of thePlist
try
if exists SUFeedURL of theValue then

set thisSUFeedURL to SUFeedURL of theValue as text
if thisSUFeedURL contains "http:" then
set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as 
text
set end of my sparkleAppsList to theResultString & "

"
end if

end if
end try
end if
end tell
end repeat
display dialog "The following apps do not use secure https connections for the 
Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle 
Framework Vulnerability Check"

#EOF
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[sqwarqDev]

On 10 Feb 2016, at 22:55, Peter Teeson  wrote:
find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; 
-exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v 
CFBundleShortVersionString


That produces a list of apps that are on earlier versions of Sparkle than 1.13. 
That’s not the same as a list of apps that are vulnerable to the exploit. Apps 
running 1.11 are safe if both the https urls and release notes urls are https 
secured (or so we established earlier in the thread, so I say that 
notwithstanding further info to the contrary). 

Here’s the latest version of the applescript that reveals any Sparkle app not 
using https. I had to abandon the attempt to implement choosing other folders. 
Too many problems trying to get it to work. 



#script version 1.4
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set defaultAppsFolder to "/Applications"


set plistContents to ""
set x to (path to startup disk) as text
set pathToAppFolder to x & "Applications:" as alias
set infoFilePath to "Contents:info.plist"
set theApp to ""
set sparkleAppsList to {}
set theAppList to do shell script "find " & defaultAppsFolder & " -name 
Sparkle.framework | awk -F'/' '{print $3}'"
set theAppList to paragraphs of theAppList
repeat with i from 1 to number of items in theAppList
set theApp to text of item i of theAppList
set this_item to item i of theAppList
set f to pathToAppFolder & this_item & ":" & infoFilePath as string
tell application "System Events"
if exists property list file f then
set thePlist to contents of property list file f
set theValue to value of thePlist
try
if exists SUFeedURL of theValue then

set thisSUFeedURL to SUFeedURL of theValue as text
if thisSUFeedURL contains "http:" then
set theResultString to "Application : " & my theApp & " : " & thisSUFeedURL as 
text
set end of my sparkleAppsList to theResultString & "

"
end if

end if
end try
end if
end tell
end repeat
display dialog "The following apps do not use secure https connections for the 
Sparkle updater:

" & sparkleAppsList as string buttons "OK" default button "OK" with title "Sparkle 
Framework Vulnerability Check"

#EOF

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Peter Teeson]

This worked for me:

find /Applications -path '*Autoupdate.app/Contents/Info.plist' -exec echo {} \; 
-exec grep -A1 CFBundleShortVersionString '{}' \; | grep -v 
CFBundleShortVersionString

and I got it from this link:

>

It found 6 apps in Applications….

respect…

Peter
> On Feb 10, 2016, at 10:43 AM, sqwarqDev  wrote:
> 
> OK, I've started adding version numbers to this script now to avoid 
> confusion. :~!
> 
> Latest 'update' is v1.3 (fixed: the 'choose folder' option now works 
> correctly):
> 
> I don't think this is the last version...there's at least one outstanding 
> problem one person's having that I'm waiting to here more about (I can't 
> reproduce it myself, but will post an update if / when needed).

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Jens Alfke]

> On Feb 10, 2016, at 12:17 PM, brodhage  wrote:
> 
> Why? Because any application accessing web content via the WebView framework 
> (Sparkle, Safari and many other apps) might allow to "launch special / 
> default behaviour" (for example "file://" or "ftp://; or Safari which starts 
> iTunes if you click a link to any app store resources) 

No, not if those apps are well-written. Denying navigation from a remote URL to 
a to file: URLs is a well-known part of the browser security model. I haven’t 
looked at the Sparkle source, but I suspect that the reason the WebView didn’t 
block that request completely was because Sparkle loaded the HTML into the view 
in a way that made it appear to be a local resource, not remote.

No offense, but browser security is a very big, very complex topic that a *lot* 
of effort goes into. It does not sound as though you’re an expert at it. (I’m 
certainly not, though I seem to know more about it than you.) As with most big 
complex topics, it's unlikely that someone who’s not an expert at it is going 
to come up with an insight on how to make it better.

> 1.) If a domain is accessed, then do not allow access to ANY other domain.

Um, no. This would completely break almost every real-world website, and not 
because of analytics/ads. It is extremely common to host page resources like 
images or scripts on different subdomains of a site, and also to use CDNs to 
optimize access time of static resources.

As an experiment you could build yourself a little browser with a WebView, 
implement such a policy in your delegate callbacks, and try browsing with it to 
see how broken the web would be.

> 2.) If a web content (or included resources) tries to access "unusual" 
> resources (like "file://" or "ftp://; or "http://192.0 ..." or 
> whatever) then ask the user for confirmation.

* Yes, browsers already block requests for file: URLs, if the request comes 
from a page not loaded from a file: URL.
* There’s nothing insecure with a page navigating to an ftp: URL, or other URL 
schemes that have apps registered to handle them, like itms:. It’s very common, 
especially on iOS.
* The security considerations for obviously-LAN domains like 192.168.*.* are 
probably pretty complex, and I won’t answer as I’m not an expert.

—Jens
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[brodhage]

May be I am wrong (or it is off-topic) - but is this (just) a Sparkle problem?

I have read "Vulnerable Security - There's a lot of vulnerable OS X 
applications out there" (https://vulnsec.com/2016/osx-apps-vulnerabilities/) - 
and if I got the idea then browsing the web is insecure.

Why? Because any application accessing web content via the WebView framework 
(Sparkle, Safari and many other apps) might allow to "launch special / default 
behaviour" (for example "file://" or "ftp://; or Safari which starts iTunes if 
you click a link to any app store resources) and access to "unknows domains" 
("other domains" or even worse included OS routines). Correct?

In my opinion, the solution (for the Sparkle problem and browsing the internet) 
would be to change the WebView framework itself:
1.) If a domain is accessed, then do not allow access to ANY other domain.
2.) If a web content (or included resources) tries to access "unusual" 
resources (like "file://" or "ftp://; or "http://192.0...; or whatever) then 
ask the user for confirmation.

This might not only fix the Sparkle problem, but would give us much more 
security. HTTP or HTTPS.
And it might stop all these (external) traffic analytics and ads we all do not 
want to join or see.
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Contextual menu for NSTableCellView in NSOutlineView

[Ken Thomases]

Any connection you make from a table cell view to something outside of the 
table column is suspect.  It probably doesn't work.

The views "inside" of a table column are actually in a sub-NIB.  There's a NIB 
archived to a data blob that's embedded in the NIB holding the outline view.  
That NIB is unarchived and loaded by the table/outline view in its 
-makeViewWithIdentifier:owner: method.  The owner is whatever you pass to that 
method.  (If you let the table/outline view create views without its delegate 
being involved, it will pass its own delegate as the owner.)

When that sub-NIB is loaded, it contains just its own objects.  None of the 
other objects from the outer NIB.  The menu is presumably in the outer NIB, not 
the sub-NIB.  So, the cell views won't be able to establish their connection to 
the menu.

One exception is the File's Owner placeholder.  A connection to that works, but 
may give a different result than you expect.  The File's Owner for the sub-NIB 
is the owner passed to -makeViewWithIdentifier:owner:.  It's not the owner of 
the outer NIB.

You will need to connect the menu programmatically, most likely in your 
delegate's -outlineView:viewForTableColumn:item: method.

Regards,
Ken

> On Feb 10, 2016, at 3:54 PM, Konidaris Christos  wrote:
> 
> Yes I did set it, to the outlineView’s delegate object.
> 
> 
>> On 10 Feb 2016, at 23:32, Lee Ann Rucker  wrote:
>> 
>> Did you set the menu's delegate? It doesn't know about the outlineView's 
>> delegate.
>> 
>>> On Feb 10, 2016, at 9:10 AM, Konidaris Christos  wrote:
>>> 
>>> I cannot get contextual menus to work inside the cells of my view-based 
>>> NSOutlineView. 
>>> 
>>> In my cell view I have one standard NSImageView and one NSTextFieldCell. I 
>>> set the menu for the outline view in IB. When I (right) click on a cell 
>>> outside the two views the contextual menu appears. When I click on one of 
>>> the two fields it does not. I can see from the logs that the menu 
>>> delegate's menuNeedsUpdate: is not called in this case.  I tried setting 
>>> the same menu as the menu for these views in IB with the same result.  I 
>>> get the same behavior when I implement  -menuForEvent:(NSEvent *)event for 
>>> my NSOutlineView subclass instead of setting the menu in IB.
>>> 
>>> I also tried implementing -menuForEvent:(NSEvent *)event for my 
>>> NSTableCellView subclass with no better luck. This all in Xcode 7.2.1, 
>>> deployment target set to 10.9, no ARC.
>>> 
>>> Does anybody know what I am missing for the contextual menu to work for my 
>>> cell views?
>>> 
>>> Thanks in advance,
>>> 
>>> - Christos Konidaris
>>> 
>> 
> 
> 
> ___
> 
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
> 
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
> 
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/ken%40codeweavers.com
> 
> This email sent to k...@codeweavers.com


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Contextual menu for NSTableCellView in NSOutlineView

[Konidaris Christos]

Thanks for the insight Ken. I’ll try setting the menu manually tomorrow (it’s 
half past midnight here) and let you know. But shouldn’t the 
-menuForEvent:(NSEvent *)event for my NSTableCellView subclass work instead ?

- Christos


> On 11 Feb 2016, at 00:18, Ken Thomases  wrote:
> 
> Any connection you make from a table cell view to something outside of the 
> table column is suspect.  It probably doesn't work.
> 
> The views "inside" of a table column are actually in a sub-NIB.  There's a 
> NIB archived to a data blob that's embedded in the NIB holding the outline 
> view.  That NIB is unarchived and loaded by the table/outline view in its 
> -makeViewWithIdentifier:owner: method.  The owner is whatever you pass to 
> that method.  (If you let the table/outline view create views without its 
> delegate being involved, it will pass its own delegate as the owner.)
> 
> When that sub-NIB is loaded, it contains just its own objects.  None of the 
> other objects from the outer NIB.  The menu is presumably in the outer NIB, 
> not the sub-NIB.  So, the cell views won't be able to establish their 
> connection to the menu.
> 
> One exception is the File's Owner placeholder.  A connection to that works, 
> but may give a different result than you expect.  The File's Owner for the 
> sub-NIB is the owner passed to -makeViewWithIdentifier:owner:.  It's not the 
> owner of the outer NIB.
> 
> You will need to connect the menu programmatically, most likely in your 
> delegate's -outlineView:viewForTableColumn:item: method.
> 
> Regards,
> Ken
> 
>> On Feb 10, 2016, at 3:54 PM, Konidaris Christos  wrote:
>> 
>> Yes I did set it, to the outlineView’s delegate object.
>> 
>> 
>>> On 10 Feb 2016, at 23:32, Lee Ann Rucker  wrote:
>>> 
>>> Did you set the menu's delegate? It doesn't know about the outlineView's 
>>> delegate.
>>> 
 On Feb 10, 2016, at 9:10 AM, Konidaris Christos  wrote:
 
 I cannot get contextual menus to work inside the cells of my view-based 
 NSOutlineView. 
 
 In my cell view I have one standard NSImageView and one NSTextFieldCell. I 
 set the menu for the outline view in IB. When I (right) click on a cell 
 outside the two views the contextual menu appears. When I click on one of 
 the two fields it does not. I can see from the logs that the menu 
 delegate's menuNeedsUpdate: is not called in this case.  I tried setting 
 the same menu as the menu for these views in IB with the same result.  I 
 get the same behavior when I implement  -menuForEvent:(NSEvent *)event for 
 my NSOutlineView subclass instead of setting the menu in IB.
 
 I also tried implementing -menuForEvent:(NSEvent *)event for my 
 NSTableCellView subclass with no better luck. This all in Xcode 7.2.1, 
 deployment target set to 10.9, no ARC.
 
 Does anybody know what I am missing for the contextual menu to work for my 
 cell views?
 
 Thanks in advance,
 
 - Christos Konidaris
 
>>> 
>> 
>> 
>> ___
>> 
>> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
>> 
>> Please do not post admin requests or moderator comments to the list.
>> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>> 
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/cocoa-dev/ken%40codeweavers.com
>> 
>> This email sent to k...@codeweavers.com
> 


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Contextual menu for NSTableCellView in NSOutlineView

[Lee Ann Rucker]

Did you set the menu's delegate? It doesn't know about the outlineView's 
delegate.

> On Feb 10, 2016, at 9:10 AM, Konidaris Christos  wrote:
> 
> I cannot get contextual menus to work inside the cells of my view-based 
> NSOutlineView. 
> 
> In my cell view I have one standard NSImageView and one NSTextFieldCell. I 
> set the menu for the outline view in IB. When I (right) click on a cell 
> outside the two views the contextual menu appears. When I click on one of the 
> two fields it does not. I can see from the logs that the menu delegate's 
> menuNeedsUpdate: is not called in this case.  I tried setting the same menu 
> as the menu for these views in IB with the same result.  I get the same 
> behavior when I implement  -menuForEvent:(NSEvent *)event for my 
> NSOutlineView subclass instead of setting the menu in IB.
> 
> I also tried implementing -menuForEvent:(NSEvent *)event for my 
> NSTableCellView subclass with no better luck. This all in Xcode 7.2.1, 
> deployment target set to 10.9, no ARC.
> 
> Does anybody know what I am missing for the contextual menu to work for my 
> cell views?
> 
> Thanks in advance,
> 
> - Christos Konidaris
> 


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Contextual menu for NSTableCellView in NSOutlineView

[Konidaris Christos]

Yes I did set it, to the outlineView’s delegate object.


> On 10 Feb 2016, at 23:32, Lee Ann Rucker  wrote:
> 
> Did you set the menu's delegate? It doesn't know about the outlineView's 
> delegate.
> 
>> On Feb 10, 2016, at 9:10 AM, Konidaris Christos  wrote:
>> 
>> I cannot get contextual menus to work inside the cells of my view-based 
>> NSOutlineView. 
>> 
>> In my cell view I have one standard NSImageView and one NSTextFieldCell. I 
>> set the menu for the outline view in IB. When I (right) click on a cell 
>> outside the two views the contextual menu appears. When I click on one of 
>> the two fields it does not. I can see from the logs that the menu delegate's 
>> menuNeedsUpdate: is not called in this case.  I tried setting the same menu 
>> as the menu for these views in IB with the same result.  I get the same 
>> behavior when I implement  -menuForEvent:(NSEvent *)event for my 
>> NSOutlineView subclass instead of setting the menu in IB.
>> 
>> I also tried implementing -menuForEvent:(NSEvent *)event for my 
>> NSTableCellView subclass with no better luck. This all in Xcode 7.2.1, 
>> deployment target set to 10.9, no ARC.
>> 
>> Does anybody know what I am missing for the contextual menu to work for my 
>> cell views?
>> 
>> Thanks in advance,
>> 
>> - Christos Konidaris
>> 
> 


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Contextual menu for NSTableCellView in NSOutlineView

[Ken Thomases]

On Feb 10, 2016, at 4:26 PM, Konidaris Christos  wrote:
> 
> Thanks for the insight Ken. I’ll try setting the menu manually tomorrow (it’s 
> half past midnight here) and let you know. But shouldn’t the 
> -menuForEvent:(NSEvent *)event for my NSTableCellView subclass work instead ?

Well, the -rightMouseDown: ought to go up the responder chain.  Do you 
implement that on any of your view classes?  Also, does a Control-click behave 
differently than a right-click?

Regards,
Ken


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Jean-Daniel Dupas]

> Le 10 févr. 2016 à 05:48, Trygve Inda  a écrit :
> 
>> If your hosting provider still charges an arm and a leg for SSL, switch.
> 
> I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr
> for such a certificate. That seems really expensive. What are others paying
> for this? I have been very happy with Pair as we run a complex server setup
> with multiple cron jobs, custom C programs etc.
> 

I pay 0$ and can have as many domains as I want on my certificactes. I’m using 
let'sencrypt  for all my servers. It requires some setup but it’s free and 
works very well.

https://letsencrypt.org 

> I also see no way to add an SSL certificate to a CNAME'd site at Amazon S3:
> 
> download.xericdesign.com CNAME
> s3.amazonaws.com/download.xericdesign.com/
> 
> Trygve
> 
> 
> 
> ___
> 
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
> 
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
> 
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/mailing%40xenonium.com
> 
> This email sent to mail...@xenonium.com

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Gary L. Wade]

I just checked to see what happens when visiting your web site at 
https://xenonium.com and found on the current latest release of iOS and OS X 
under Safari I get a "Cannot Verify Server Identity" alert, so maybe you set it 
up wrong, support for that authority is forthcoming, or you get what you pay 
for. Some users will say, "Whoa!" and run away fast.
--
Gary L. Wade (Sent from my iPhone)
http://www.garywade.com/

> On Feb 10, 2016, at 2:58 PM, Jean-Daniel Dupas  wrote:
> 
> 
>>> Le 10 févr. 2016 à 05:48, Trygve Inda  a écrit :
>>> 
>>> If your hosting provider still charges an arm and a leg for SSL, switch.
>> 
>> I need SSL for multiple subdomains. My host (Pair Networks) charges $449/yr
>> for such a certificate. That seems really expensive. What are others paying
>> for this? I have been very happy with Pair as we run a complex server setup
>> with multiple cron jobs, custom C programs etc.
> 
> I pay 0$ and can have as many domains as I want on my certificactes. I’m 
> using let'sencrypt  for all my servers. It requires some setup but it’s free 
> and works very well.
> 
> https://letsencrypt.org 
> 
>> I also see no way to add an SSL certificate to a CNAME'd site at Amazon S3:
>> 
>> download.xericdesign.com CNAME
>> s3.amazonaws.com/download.xericdesign.com/
>> 
>> Trygve
>> 

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Responsiveness issue in WKWebView

[Rick Mann]

We have a very complex Javascript/WebGL app. I've recently had to embed that in 
an iOS app. For that I use WKWebView, and for the most part, it works very 
well, particularly in iOS 9.x.

Unfortunately, on iOS 8.4, changing the device orientation, which causes the 
web view to be resized, results in some of the contained elements not resizing 
properly. You can see that the overall content resizes correctly, and some 
elements move to maintain their margin with the view, but some elements don't.

This problem is not reproducible in Safari on the same device, only in 
WKWebView. It doesn't happen in iOS 9.x.

Of course, the javascript engineers don't want anything to do with figuring 
this out.

Any ideas?

-- 
Rick Mann
rm...@latencyzero.com



___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[sqwarqDev]

On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
tell them how they can find out which apps use
Sparkle??


On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
tell them how they can find out which apps use
Sparkle??


I was thinking of writing a script for this, checking for SUFeedURL for every 
.app bundle, but

i. is there already an easy way to check which apps use Sparkle?

ii. I don’t see an easy way for users to tell what version of Sparkle is 
installed in an app. 
Does anyone know where the Sparkle version number is hidden in the bundle?

ii. given what Roland and Ken both say downthread, vis:

If the release notes are via a separate URL and that URL is HTTP rather than 
HTTPS, then the attacker can spoof it

it looks like just checking the SUFeedURL for http or https won’t be enough to 
determine if the app is safe for any app running older versions than Sparkle 
1.13. Of course, we should all update to the latest version, but I have one app 
that has to be 10.6 compatible and that can’t use anything but an  ***old*** 
version of Sparkle. The app cast and release notes are both https so I’m 
assuming this is secure (at least regarding this particular issue…). 



Best


Phil
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[diederik]

You can do that in the terminal, I found this terminal command online:

find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk
-F'.' '{print $1}'

This returns:
Cornerstone
Sequel Pro

on my Mac Book Pro...

Important note: I did not come up with this myself and was a bit nervous
running it in the terminal.

Any Linux guru's on this list that can say whether the above command is OK
to run in all circumstances?




>
> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
> tell them how they can find out which apps use
> Sparkle??
>
>
> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
> tell them how they can find out which apps use
> Sparkle??
>
>
> I was thinking of writing a script for this, checking for SUFeedURL for
> every .app bundle, but
>
> i. is there already an easy way to check which apps use Sparkle?
>
> ii. I don’t see an easy way for users to tell what version of Sparkle is
> installed in an app. 
> Does anyone know where the Sparkle version number is hidden in the bundle?
>
> ii. given what Roland and Ken both say downthread, vis:
>
> If the release notes are via a separate URL and that URL is HTTP rather
> than HTTPS, then the attacker can spoof it
>
> it looks like just checking the SUFeedURL for http or https won’t be
> enough to determine if the app is safe for any app running older versions
> than Sparkle 1.13. Of course, we should all update to the latest version,
> but I have one app that has to be 10.6 compatible and that can’t use
> anything but an  ***old*** version of Sparkle. The app cast and release
> notes are both https so I’m assuming this is secure (at least regarding
> this particular issue…). 
>
>
>
> Best
>
>
> Phil
> ___
>
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
>
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/diederik%40tenhorses.com
>
> This email sent to diede...@tenhorses.com

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[dangerwillrobinsondanger]

An app could also have plugins or embedded frameworks that have distinct 
Sparkle updaters. 

Sent from my iPhone

> On Feb 10, 2016, at 9:39 PM, diede...@tenhorses.com wrote:
> 
> You can do that in the terminal, I found this terminal command online:
> 
> find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk
> -F'.' '{print $1}'
> 
> This returns:
> Cornerstone
> Sequel Pro
> 
> on my Mac Book Pro...
> 
> Important note: I did not come up with this myself and was a bit nervous
> running it in the terminal.
> 
> Any Linux guru's on this list that can say whether the above command is OK
> to run in all circumstances?
> 
> 
> 
> 
>> 
>> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>> 
>> 
>> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>> 
>> 
>> I was thinking of writing a script for this, checking for SUFeedURL for
>> every .app bundle, but
>> 
>> i. is there already an easy way to check which apps use Sparkle?
>> 
>> ii. I don’t see an easy way for users to tell what version of Sparkle is
>> installed in an app. 
>> Does anyone know where the Sparkle version number is hidden in the bundle?
>> 
>> ii. given what Roland and Ken both say downthread, vis:
>> 
>> If the release notes are via a separate URL and that URL is HTTP rather
>> than HTTPS, then the attacker can spoof it
>> 
>> it looks like just checking the SUFeedURL for http or https won’t be
>> enough to determine if the app is safe for any app running older versions
>> than Sparkle 1.13. Of course, we should all update to the latest version,
>> but I have one app that has to be 10.6 compatible and that can’t use
>> anything but an  ***old*** version of Sparkle. The app cast and release
>> notes are both https so I’m assuming this is secure (at least regarding
>> this particular issue…). 
>> 
>> 
>> 
>> Best
>> 
>> 
>> Phil
>> ___
>> 
>> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
>> 
>> Please do not post admin requests or moderator comments to the list.
>> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>> 
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/cocoa-dev/diederik%40tenhorses.com
>> 
>> This email sent to diede...@tenhorses.com
> 
> ___
> 
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
> 
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
> 
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/dangerwillrobinsondanger%40gmail.com
> 
> This email sent to dangerwillrobinsondan...@gmail.com

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Sandor Szatmari]

It looks safe...

> On Feb 10, 2016, at 07:39, diede...@tenhorses.com wrote:
> 
> You can do that in the terminal, I found this terminal command online:
> 
> find /Applications -name Sparkle.framework | awk -F'/' '{print $3}' | awk
> -F'.' '{print $1}'

This finds all files named Sparkle.framework in your applications folder and 
pipes the path as a string to awk, which tokenizes the string first on '/' and 
prints the 3rd token which is piped to awk again which this time tokenizes on 
'.' (This is stripping of '.app') and prints the first token, the application 
name.

Sandor
> 
> This returns:
> Cornerstone
> Sequel Pro
> 
> on my Mac Book Pro...
> 
> Important note: I did not come up with this myself and was a bit nervous
> running it in the terminal.
> 
> Any Linux guru's on this list that can say whether the above command is OK
> to run in all circumstances?
> 
> 
> 
> 
>> 
>> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>> 
>> 
>> On 10 Feb 2016, at 13:59, diede...@tenhorses.com wrote:
>> tell them how they can find out which apps use
>> Sparkle??
>> 
>> 
>> I was thinking of writing a script for this, checking for SUFeedURL for
>> every .app bundle, but
>> 
>> i. is there already an easy way to check which apps use Sparkle?
>> 
>> ii. I don’t see an easy way for users to tell what version of Sparkle is
>> installed in an app. 
>> Does anyone know where the Sparkle version number is hidden in the bundle?
>> 
>> ii. given what Roland and Ken both say downthread, vis:
>> 
>> If the release notes are via a separate URL and that URL is HTTP rather
>> than HTTPS, then the attacker can spoof it
>> 
>> it looks like just checking the SUFeedURL for http or https won’t be
>> enough to determine if the app is safe for any app running older versions
>> than Sparkle 1.13. Of course, we should all update to the latest version,
>> but I have one app that has to be 10.6 compatible and that can’t use
>> anything but an  ***old*** version of Sparkle. The app cast and release
>> notes are both https so I’m assuming this is secure (at least regarding
>> this particular issue…). 
>> 
>> 
>> 
>> Best
>> 
>> 
>> Phil
>> ___
>> 
>> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
>> 
>> Please do not post admin requests or moderator comments to the list.
>> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
>> 
>> Help/Unsubscribe/Update your Subscription:
>> https://lists.apple.com/mailman/options/cocoa-dev/diederik%40tenhorses.com
>> 
>> This email sent to diede...@tenhorses.com
> 
> ___
> 
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
> 
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
> 
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/admin.szatmari.net%40gmail.com
> 
> This email sent to admin.szatmari@gmail.com

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: Contextual menu for NSTableCellView in NSOutlineView

[Matt Reagan]

> Also, does a Control-click behave differently than a right-click?

Control-clicks will behave differently than a right-click in NSView (though I'm 
not sure if that's Konidaris' problem). A control click on a child NSView won't 
show the parent's -menuForEvent as a right mouse down does. I wrote a little 
about this when I first hit that same issue: 
http://sound-of-silence.com/?article=20150923 
 

-Matt

> On Feb 10, 2016, at 2:42 PM, Ken Thomases  wrote:
> 
> On Feb 10, 2016, at 4:26 PM, Konidaris Christos  wrote:
>> 
>> Thanks for the insight Ken. I’ll try setting the menu manually tomorrow 
>> (it’s half past midnight here) and let you know. But shouldn’t the 
>> -menuForEvent:(NSEvent *)event for my NSTableCellView subclass work instead ?
> 
> Well, the -rightMouseDown: ought to go up the responder chain.  Do you 
> implement that on any of your view classes?  Also, does a Control-click 
> behave differently than a right-click?
> 
> Regards,
> Ken
> 
> 
> ___
> 
> Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
> 
> Please do not post admin requests or moderator comments to the list.
> Contact the moderators at cocoa-dev-admins(at)lists.apple.com
> 
> Help/Unsubscribe/Update your Subscription:
> https://lists.apple.com/mailman/options/cocoa-dev/mreagan2652%40gmail.com
> 
> This email sent to mreagan2...@gmail.com

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Revisiting that "(redraw)" NSView property behavior

[Jens Alfke]

A few weeks ago Graham was asking how to make instances of his NSView subclass 
redraw themselves automatically when their custom properties were changed. 
During the discussion he said something like “wouldn’t it be great if you could 
declare a property as “(redraw)” and then it would automatically redraw the 
view when it changed.” Which got shot down (rightly IMHO) for hardcoding 
AppKit/UIKit-specific behavior into the language.

But now there’s a new Swift language proposal to add a general-purpose 
extensible “behaviors” mechanism to properties. It would let Graham do pretty 
much exactly what he described — someone would just have to write a snippet of 
Swift code to implement the “redraw” behavior, which could be done either in 
the app or in the UI framework itself.

Take a look, it’s a pretty cool proposal. Joe Groff gives examples of how it 
can be used to implement existing Swift (and Obj-C) property behaviors like 
atomic, lazy, and copying.


https://github.com/apple/swift-evolution/blob/master/proposals/0030-property-behavior-decls.md

(Discussion should happen on the swift-evolution mailing list, not here, unless 
it’s something specific to a “redraw” behavior. 
https://lists.swift.org/mailman/listinfo/swift-evolution 
 )

—Jens
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Ben Kennedy]

If you actually took a look at the details, you'd see that the cert is for 
"ssl13.ovh.net" rather than "xenonium.com".  If you visit https://ssl13.ovh.net 
in Safari you will see no such problem.

Jean-Daniel did not expressly state that he's trying to serve anything at 
https://xenonium.com.

-b

> On 10 Feb 2016, at 4:35 pm, Gary L. Wade  wrote:
> 
> I just checked to see what happens when visiting your web site at 
> https://xenonium.com and found on the current latest release of iOS and OS X 
> under Safari I get a "Cannot Verify Server Identity" alert, so maybe you set 
> it up wrong, support for that authority is forthcoming, or you get what you 
> pay for. Some users will say, "Whoa!" and run away fast.


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Jens Alfke]

> On Feb 10, 2016, at 4:35 PM, Gary L. Wade  
> wrote:
> 
> I just checked to see what happens when visiting your web site at 
> https://xenonium.com  and found on the current latest 
> release of iOS and OS X under Safari I get a "Cannot Verify Server Identity" 
> alert, so maybe you set it up wrong, support for that authority is 
> forthcoming, or you get what you pay for. Some users will say, "Whoa!" and 
> run away fast.

It’s a hostname mismatch — the cert is valid, but it's issued to ssl13.ovh.net, 
not xenonium.com.

I’m guessing that Jean-Daniel’s website is hosted on a shared server at 
ovh.net, but the server isn’t configured to return the matching SSL cert for 
the hostname in the client request, so it’s using its default “ssl13.ovh.net” 
one instead. So yeah, it’s set up wrong.

—Jens
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Gary L. Wade]

You've made my point. None of my friends would even bother with looking at the 
certificate for his site (assuming that's his site from his email address) and 
move on. At worst, they'd call me and I'd say don't go there since I don't want 
them to screenshot that and text it to me to figure it out.
--
Gary L. Wade (Sent from my iPhone)
http://www.garywade.com/

> On Feb 10, 2016, at 4:50 PM, Ben Kennedy  wrote:
> 
> If you actually took a look at the details, you'd see that the cert is for 
> "ssl13.ovh.net" rather than "xenonium.com".  If you visit 
> https://ssl13.ovh.net in Safari you will see no such problem.
> 
> Jean-Daniel did not expressly state that he's trying to serve anything at 
> https://xenonium.com.
> 
> -b
> 
>> On 10 Feb 2016, at 4:35 pm, Gary L. Wade  
>> wrote:
>> 
>> I just checked to see what happens when visiting your web site at 
>> https://xenonium.com and found on the current latest release of iOS and OS X 
>> under Safari I get a "Cannot Verify Server Identity" alert, so maybe you set 
>> it up wrong, support for that authority is forthcoming, or you get what you 
>> pay for. Some users will say, "Whoa!" and run away fast.
> 

___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com

Re: PSA: Does your app use Sparkle? Update it, or use an HTTPS server

[Ben Kennedy]

> On 10 Feb 2016, at 5:00 pm, Gary L. Wade  wrote:
> 
> You've made my point. None of my friends would even bother with looking at 
> the certificate for his site (assuming that's his site from his email 
> address) and move on. At worst, they'd call me and I'd say don't go there 
> since I don't want them to screenshot that and text it to me to figure it out.

No, you are misunderstanding me.  My point is that it may not be valid to 
assume the web server at 213.186.33.24 (to which xenonium.com resolves) will 
answer to HTTPS with a cert for "xenonium.com".

For example, https://213.186.33.24 presents the same "hostname mismatch" alert, 
because the cert is not named for "213.186.33.24".

Conduct the same exercise for any A record returned for www.apple.com, and 
you'll also get this result.  Completely expected.

Now, if Jean-Daniel has stated definitively that https://xenonium.com is 
expected to serve up a matching certificate, you have an argument I would agree 
with.  But for all we know (unless I've missed it), he's serving his material 
at https://ssl13.ovh.net.

b


___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com