I’ve blogged a few times about how to not only create, but also deploy & update “Safari Extensions”.
With the release of Safari 9 Apple have stopped all automated deployment methods, & I’m partly to blame.
Contents
What Happened?
Back on 15/10/2014 I posted how to update “Safari Extensions” by replacing them on disk, I updated that method for Safari 8 & posted it on 25/09/15 here.
Safari 9 was released shortly after that last post on 30/9/15. With which, came the expected “About the security content of Safari 9″ article.
Within that article, you’ll find the below:
Erm… Whoops! I didn’t submit anything about my workaround to Apple, so someone either passed it on to Apple or someone at Apple read the post.
There are two main changes affecting Safari Extensions that came in with Safari 9.0 & these are dealt with in the following two sections.
(The starting formatted text in each section are taken from the What’s New In Safari 9 developer documentation).
Hosted by Apple
Secure Extensions Distribution introduces improved security for Safari on OS X. All extensions in the Safari Extensions Gallery are now hosted and signed by Apple.
Fool’s Gold
This might not seem like a massive change, but when you try & manually install an extension that has not come from the Safari Extensions Gallery they are greeted with an alert like the below:
Now, it’s worth noting that that only seems to happen when you manually try & install an extension.
Trying to open the extension as the user via a script, such as the method detailed previously, opens Safari’s Extension preferences window but no prompt to install the extension.
I tried a few bash & AppleScript methods & all produced the same result when attempted programmatically.
If you look at the URL format of some of the extensions available in the Extensions Gallery, the format is like the below:
https://safari-extensions.apple.com/extensions/<identifier>/<Safari extension>
I tried fooling Safari into downloading an extension from this site with a similar URL, but all Safari did was download the file to ~/Downloads. So no luck there either.
I even tried ripping out some of the javascript functions & again in an attempt to install from a similar URL but not the Extensions Gallery, but to no avail. (I’m not very javascript literate, so this could be a failing of mine. Or the install function is limited to attempts from https://extensions.apple.com/).
None of this really came as a surprise, as Apple advise here that the only “permitted ways to install a Safari extension” are:
- By clicking an Install button in the Extensions Gallery.
- By opening the (
.safariextz
) file in Safari. (Safari will prompt the user to confirm the installation.)
Fool Me Once…
Incidentally, Rich Trouton recently blogged on Java 8 Update 65’s failings to install a toolbar. I think the changes detailed above have caused this.
So, every cloud.
Updating Extensions
Only Safari Extensions installed from the Safari Extensions Gallery can be updated automatically. Add the following two lines to each extension's dictionary entry within your Update Manifest to allow existing users to update automatically to the latest version. <key>Update From Gallery</key> <true/> You may still sign your Safari Extensions with your developer certificate for distribution outside of the Safari Extensions Gallery, but it will not be a candidate for automatic updating.
Fool’s Errand
As mentioned at the top of this post, extensions can no longer be updated on disk as a method to update them & the above text details the only method by which extensions can now be automatically updated.
I did say back in 2014 that we should really be following Apple’s methods for updating extensions. Well a year later & another method now obsolete.
I now consider attempts to update extensions outside of Apple’s permitted methods not only as a horse that has well & truly flogged, but now:
Not Suffering Fools Gladly
So what options are left? Well, as linked to previously, the only permitted methods are:
- By clicking an Install button in the Extensions Gallery.
- By opening the (
.safariextz
) file in Safari. (Safari will prompt the user to confirm the installation.)
The latter still gives us an issue when updating the extension, but depending on the extension itself, it’s update frequency & the tools at your disposal, that may work for you.
The first is in my opinion the better method, however if your extension contains sensitive information or links you may not wish for it to be publicly available.
Therefore, I’ve asked Apple if:
- An extension can be on the Extensions Gallery, but not shown.
- An extension can be on the Extensions Gallery, but have an non-public accessible updates URL. This would allow the extension to be downloaded publicly, but would not populate until the installed extension is ran within your organisations network.
Either will still require some manual distribution, but the extension itself could be downloaded via a single URL from Apple, & both would allow an installed extension to be automatically updated.
I’ll update here with more information when I receive it.
I have just managed to trick Safari 9.0.1 (11601.2.7.2) into installing the 1Password Safari extension from my test client’s own localhost web server. From my brief testing it seems to be part of the JavaScript that decides if Safari will install an extension or just trigger a download.
Oh, nice.
Guesses as much.
Can you DM me the JavaScript etc on slack. 🙂
Any updates with browser extensions here? Did @ITMICHAELPAGE ever share his fix?
I have not fully understood the update process from the Gallery. Do we need to submit every new version using https://developer.apple.com/safari/extensions/submission/ ? Or can I do this once and then have it auto-update from my server?
Hi Claes,
Once then auto-update from your server.
Thanks Ben!
Does that mean that Apple fetches updates I put on my server to the Gallery?
I don’t think so. I think the submitted extension is what ever version you upload, then all updates are from your server.
Interesting. Will trying to verify this behavior.
from what i see from our extension : https://safari-extensions.apple.com/?q=fontface%20ninja
the link provided by the gallery looks to be on apple server :
https://safari-extensions.apple.com/extensions/com.creaktif.fontfaceninja-6AFG6428MF/FontFaceNinja.safariextz
and the update is not showing in safari 🙁
Any info on the verifying of the behaviour? I am stuck also on this. I have old version without automatic updates key set to true. I submitted new version – but its still not published on the gallery even after a month…
Yep, this is really problematic. I am pretty sure that the only way to publish updates to the Gallery is by using the web form on their site. And it seems to take 3-4 weeks every time. And no feedback from Apple 🙁
I am currently trying to decide wether to run my own update server and build some kind of update function into the extension. I really need to push updates to users faster then 3-4 weeks, but I don’t trust that they will manually update.
Does anyone know the URL gallery-hosted update manifests are downloaded from when `Update From Gallery` is set to `true`?