kornelski/sparklecheck.sh

## sparklecheck.sh
#!/bin/bash
set -o pipefail
IFS=$'\n'
REPORT=''

checkapp() {
    local APPPATH=$1
    local PLIST="$APPPATH/Contents/Info.plist"
    local SPARKLEPLIST="$APPPATH/Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
    local SPARKLEBIN="$APPPATH/Contents/Frameworks/Sparkle.framework/Sparkle"
    local VER=$(defaults read "$PLIST" CFBundleShortVersionString 2>/dev/null || defaults read "$PLIST" CFBundleVersion 2>/dev/null)
    local APP="$(basename -s .app "$APPPATH") $VER"
    FEED=$(defaults read "$PLIST" SUFeedURL 2>/dev/null)
    local RESULT=$?
    if [ -d "$APPPATH/Contents/_MASReceipt" -a ! -e "$SPARKLEBIN" ]; then
        echo "ok: $APP does not use Sparkle";
    elif [ "$RESULT" -ne 0 -a ! -e "$SPARKLEPLIST" ]; then
        echo "ok: $APP does not seem to use Sparkle";
    elif [[ $FEED == "https://"* ]]; then
        echo "ok: $APP uses HTTPS for updates - safe";
    elif fgrep 2>/dev/null -q "about:blank" "$SPARKLEBIN"; then
        echo "ok: $APP has a patched version Sparkle - safe"
    else
        SPARKLEVER=$(defaults read "$SPARKLEPLIST" CFBundleVersion 2>/dev/null)
        local RESULT=$?
        if [ $RESULT -eq 0 -a -n "$FEED" ]; then
            REPORT+="
!!: $APP uses insecure feed URL '$FEED' and an unpatched version of Sparkle ($SPARKLEVER) - it is UNSAFE"
        elif [ $RESULT -ne 0 ]; then
            REPORT+="
!!: $APP uses insecure feed URL '$FEED' and an unknown version of Sparkle - may be UNSAFE"
        else
            echo "!!: $APP uses unknown feed URL and an unknown version of Sparkle - unable to tell"
        fi

    fi
}

for i in $({ mdfind kind:application; find /Applications -maxdepth 2 -name '*.app'; } | sort -u ); do
    checkapp "$i"
done

if [ -n "$REPORT" ]; then
echo "
Unsafe applications found!
$REPORT

Please ask the apps' developers to update Sparkle to the secure version,
as described at: https://sparkle-project.org/documentation/security
"
fi
	#!/bin/bash
	set -o pipefail
	IFS=$'\n'
	REPORT=''

	checkapp() {
	local APPPATH=$1
	local PLIST="$APPPATH/Contents/Info.plist"
	local SPARKLEPLIST="$APPPATH/Contents/Frameworks/Sparkle.framework/Resources/Info.plist"
	local SPARKLEBIN="$APPPATH/Contents/Frameworks/Sparkle.framework/Sparkle"
	local VER=$(defaults read "$PLIST" CFBundleShortVersionString 2>/dev/null \|\| defaults read "$PLIST" CFBundleVersion 2>/dev/null)
	local APP="$(basename -s .app "$APPPATH") $VER"
	FEED=$(defaults read "$PLIST" SUFeedURL 2>/dev/null)
	local RESULT=$?
	if [ -d "$APPPATH/Contents/_MASReceipt" -a ! -e "$SPARKLEBIN" ]; then
	echo "ok: $APP does not use Sparkle";
	elif [ "$RESULT" -ne 0 -a ! -e "$SPARKLEPLIST" ]; then
	echo "ok: $APP does not seem to use Sparkle";
	elif [[ $FEED == "https://"* ]]; then
	echo "ok: $APP uses HTTPS for updates - safe";
	elif fgrep 2>/dev/null -q "about:blank" "$SPARKLEBIN"; then
	echo "ok: $APP has a patched version Sparkle - safe"
	else
	SPARKLEVER=$(defaults read "$SPARKLEPLIST" CFBundleVersion 2>/dev/null)
	local RESULT=$?
	if [ $RESULT -eq 0 -a -n "$FEED" ]; then
	REPORT+="
	!!: $APP uses insecure feed URL '$FEED' and an unpatched version of Sparkle ($SPARKLEVER) - it is UNSAFE"
	elif [ $RESULT -ne 0 ]; then
	REPORT+="
	!!: $APP uses insecure feed URL '$FEED' and an unknown version of Sparkle - may be UNSAFE"
	else
	echo "!!: $APP uses unknown feed URL and an unknown version of Sparkle - unable to tell"
	fi

	fi
	}

	for i in $({ mdfind kind:application; find /Applications -maxdepth 2 -name '*.app'; } \| sort -u ); do
	checkapp "$i"
	done

	if [ -n "$REPORT" ]; then
	echo "
	Unsafe applications found!
	$REPORT

	Please ask the apps' developers to update Sparkle to the secure version,
	as described at: https://sparkle-project.org/documentation/security
	"
	fi