Deploying & Updating Safari Extensions For Safari 9+

Standard
Extension

I’ve blogged a few times about how to not only create, but also deploy & update “Safari Extensions”.

With the release of Safari 9 Apple have stopped all automated deployment methods, & I’m partly to blame.

What Happened?

Back on 15/10/2014 I posted how to update “Safari Extensions” by replacing them on disk, I updated that method for Safari 8 & posted it on 25/09/15 here.

Safari 9 was released shortly after that last post on 30/9/15. With which, came the expected “About the security content of Safari 9″ article.

Within that article, you’ll find the below:

Screenshot 2015-11-14 19.15.24

Erm… Whoops! I didn’t submit anything about my workaround to Apple, so someone either passed it on to Apple or someone at Apple read the post.

There are two main changes affecting Safari Extensions that came in with Safari 9.0 & these are dealt with in the following two sections.

(The starting formatted text in each section are taken from the What’s New In Safari 9 developer documentation).

Hosted by Apple

Secure Extensions Distribution introduces improved security for Safari on OS X. All extensions in the Safari Extensions Gallery are now hosted and signed by Apple.

Fool’s Gold

This might not seem like a massive change, but when you try & manually install an extension that has not come from the Safari Extensions Gallery they are greeted with an alert like the below:

Screen Shot 2015-11-13 at 15.34.28

Now, it’s worth noting that that only seems to happen when you manually try & install an extension.

Trying to open the extension as the user via a script, such as the method detailed previously, opens Safari’s Extension preferences window but no prompt to install the extension.

I tried a few bash & AppleScript methods & all produced the same result when attempted programmatically.

Screenshot 2015-11-14 14.41.24

If you look at the URL format of some of the extensions available in the Extensions Gallery, the format is like the below:

https://safari-extensions.apple.com/extensions/<identifier>/<Safari extension>

I tried fooling Safari into downloading an extension from this site with a similar URL, but all Safari did was download the file to ~/Downloads. So no luck there either.

I even tried ripping out some of the javascript functions & again in an attempt to install from a similar URL but not the Extensions Gallery, but to no avail. (I’m not  very javascript literate, so this could be a failing of mine. Or the install function is limited to attempts from https://extensions.apple.com/).

None of this really came as a surprise, as Apple advise here that the only “permitted ways to install a Safari extension” are:

  • By clicking an Install button in the Extensions Gallery.
  • By opening the (.safariextz) file in Safari. (Safari will prompt the user to confirm the installation.)

Fool Me Once…

Incidentally, Rich Trouton recently blogged on Java 8 Update 65’s failings to install a toolbar. I think the changes detailed above have caused this.

So, every cloud.

Updating Extensions

Only Safari Extensions installed from the Safari Extensions Gallery can be updated automatically. Add the following two lines to each extension's dictionary entry within your Update Manifest to allow existing users to update automatically to the latest version.

<key>Update From Gallery</key>
<true/>

You may still sign your Safari Extensions with your developer certificate for distribution outside of the Safari Extensions Gallery, but it will not be a candidate for automatic updating.

Fool’s Errand

As mentioned at the top of this post, extensions can no longer be updated on disk as a method to update them & the above text details the only method by which extensions can now be automatically updated.

I did say back in 2014 that we should really be following Apple’s methods for updating extensions. Well a year later & another method now obsolete.

I now consider attempts to update extensions outside of Apple’s permitted methods not only as a horse that has well & truly flogged, but now:

3b2

Not Suffering Fools Gladly

So what options are left? Well, as linked to previously, the only permitted methods are:

  • By clicking an Install button in the Extensions Gallery.
  • By opening the (.safariextz) file in Safari. (Safari will prompt the user to confirm the installation.)

The latter still gives us an issue when updating the extension, but depending on the extension itself, it’s update frequency & the tools at your disposal, that may work for you.

The first is in my opinion the better method, however if your extension contains sensitive information or links you may not wish for it to be publicly available.

Therefore, I’ve asked Apple if:

  • An extension can be on the Extensions Gallery, but not shown.
  • An extension can be on the Extensions Gallery, but have an non-public accessible updates URL. This would allow the extension to be downloaded publicly, but would not populate until the installed extension is ran within your organisations network.

Either will still require some manual distribution, but the extension itself could be downloaded via a single URL from Apple, & both would allow an installed extension to be automatically updated.

I’ll update here with more information when I receive it.

12 thoughts on “Deploying & Updating Safari Extensions For Safari 9+

  1. I have just managed to trick Safari 9.0.1 (11601.2.7.2) into installing the 1Password Safari extension from my test client’s own localhost web server. From my brief testing it seems to be part of the JavaScript that decides if Safari will install an extension or just trigger a download.

  2. Stephan Schuster

    Does anyone know the URL gallery-hosted update manifests are downloaded from when `Update From Gallery` is set to `true`?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.