Switch AutoPkg recipes to HTTPS
Jan 1, 2021
2 minute read

AutoPkg recipes automate and codify the often tedious tasks involved in packaging and distributing Mac software. Central to AutoPkg’s greatness are the many built-in security measures that verify you’re getting the software you intend — including code signature verification, embedded trust information in overrides, and the autopkg audit command.

AutoPkg recipe authors should also follow another important security practice: use HTTPS URLs instead of HTTP whenever possible. Whether a recipe downloads the software itself or metadata about it (a version file, a Sparkle appcast, a download page to search), an HTTPS URL lets the client verify which server it is talking to and prevents an on-path (person-in-the-middle) attacker from reading or altering the response, which helps keep your organization's software pipeline secure.

In particular, the arguments and input variables consumed by the URLDownloader, URLTextSearcher, and SparkleUpdateInfoProvider processors should use HTTPS wherever the vendor offers it, and recipe authors should periodically re-check any remaining HTTP URLs, because software developers (or their CDNs) often begin offering HTTPS downloads after a recipe was written.

The security benefits aren't just theoretical: a few years ago, security researchers demonstrated an attack against Mac apps whose Sparkle update feeds were fetched over plain HTTP, which let an on-path attacker tamper with the update process. Ben Toms wrote a good article detailing the Mac admin community's response to the vulnerability.

HTTPS Spotter

Checking whether an HTTPS version of every URL exists can be tedious if you manage more than a handful of AutoPkg recipes, so I've written a Python tool called HTTPS Spotter that will automate the process for you. The source code is on GitHub and embedded below.

Requirements

To use the script, you'll need Git and AutoPkg installed (the script runs under the Python interpreter that AutoPkg bundles).

Steps

  1. Clone the script to your Mac (substitute your own source directory if it isn't ~/Developer).

     git clone https://gist.github.com/66d1c8772baf5f731bb8ddf263f33401.git ~/Developer/https_spotter
    
  2. Run the script with --help to see usage information.

     /usr/local/autopkg/python ~/Developer/https_spotter/https_spotter.py --help
    
  3. Now run the script again, pointing it to your repository of AutoPkg recipes:

     /usr/local/autopkg/python ~/Developer/https_spotter/https_spotter.py ~/Developer/your-autopkg-recipes
    

    You’ll see output that might look like this:

     ../homebysix-recipes/NeoFinder/NeoFinder.download.recipe
      Replace: http://www.cdfinder.de/en/downloads.html
         With: https://www.cdfinder.de/en/downloads.html
     ../homebysix-recipes/FontFinagler/FontFinagler.download.recipe
      Replace: http://www.markdouma.com/fontfinagler/version.xml
         With: https://www.markdouma.com/fontfinagler/version.xml
    
     2 suggested changes. To apply, run again with --auto.
    
  4. Run the script again with the --auto flag to apply the changes automatically, or make the changes by hand in your preferred text editor.

  5. Test the modified recipes before committing and pushing the changes to your public repo on GitHub.

    Tip: here's a one-liner that runs recipes modified within the last day (-mtime -1) in "check only" mode:

    find * -iname "*.recipe" -mtime -1 -exec autopkg run -vvcq "{}" '+'
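To show what the check above actually looks for, here is an added example scanner (not HTTPS Spotter's own code, and not part of the original post). It parses a recipe plist, finds every http:// URL in Input variables and processor arguments, traces Input variables back to the URLDownloader, URLTextSearcher or SparkleUpdateInfoProvider step that consumes them, asks a probe whether the same URL answers over HTTPS, and rewrites only the URLs that do. The sample recipe, its example.com hosts, the probe_https helper and the fake_https_ok stand-in are all constructed for the example; the real probe also refuses to count an HTTPS URL that redirects back to HTTP.

```python
"""Find plain-HTTP URLs in an AutoPkg recipe plist and suggest HTTPS replacements.

Added example; not HTTPS Spotter's code. Assumes .recipe files are XML plists.
"""
import plistlib
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Processors named in the article whose arguments carry URLs.
URL_PROCESSORS = {"URLDownloader", "URLTextSearcher", "SparkleUpdateInfoProvider"}
HTTP_URL = re.compile(r"""http://[^\s"'<>]+""")
VAR_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")

# Constructed sample recipe (example.com hosts, not a real vendor). The DOCTYPE's
# http://www.apple.com URL is DTD markup, not a plist value, so it is never flagged.
SAMPLE_RECIPE = rb"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Identifier</key>
    <string>com.example.download.ExampleApp</string>
    <key>Input</key>
    <dict>
        <key>NAME</key>
        <string>ExampleApp</string>
        <key>VERSION_URL</key>
        <string>http://www.example.com/version.txt</string>
    </dict>
    <key>Process</key>
    <array>
        <dict>
            <key>Processor</key>
            <string>URLTextSearcher</string>
            <key>Arguments</key>
            <dict>
                <key>url</key>
                <string>%VERSION_URL%</string>
                <key>re_pattern</key>
                <string>[0-9]+\.[0-9]+</string>
            </dict>
        </dict>
        <dict>
            <key>Processor</key>
            <string>URLDownloader</string>
            <key>Arguments</key>
            <dict>
                <key>url</key>
                <string>http://downloads.example.com/ExampleApp-latest.dmg</string>
                <key>filename</key>
                <string>%NAME%.dmg</string>
            </dict>
        </dict>
    </array>
</dict>
</plist>
"""


def find_http_urls(obj, path=()):
    """Walk parsed plist values and yield (key path, url) for each http:// URL."""
    if isinstance(obj, str):
        for m in HTTP_URL.finditer(obj):
            yield "/".join(path), m.group(0)
    elif isinstance(obj, dict):
        for key, value in obj.items():
            yield from find_http_urls(value, path + (key,))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from find_http_urls(value, path + (str(i),))


def vars_used_by_url_processors(recipe: dict) -> Dict[str, str]:
    """Map each %VAR% referenced in a URL processor's arguments to that processor."""
    used: Dict[str, str] = {}
    for step in recipe.get("Process", []):
        proc = step.get("Processor", "")
        if proc in URL_PROCESSORS:
            for value in step.get("Arguments", {}).values():
                if isinstance(value, str):
                    for m in VAR_REF.finditer(value):
                        used[m.group(1)] = proc
    return used


def consumer_of(recipe: dict, path: str, used: Dict[str, str]) -> Optional[str]:
    """Name the processor that will fetch the URL stored at this key path, if known."""
    parts = path.split("/")
    if parts[0] == "Input" and len(parts) > 1:
        return used.get(parts[1])
    if parts[0] == "Process" and len(parts) > 1:
        return recipe["Process"][int(parts[1])].get("Processor")
    return None


def to_https(url: str) -> str:
    """Swap only the scheme; host, path and query stay as they are."""
    return urlsplit(url)._replace(scheme="https").geturl()


def probe_https(url: str, timeout: float = 10.0) -> bool:
    """Network probe: True only if the HTTPS URL answers and is still HTTPS after redirects."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "https-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status < 400 and resp.geturl().startswith("https://")
    except (urllib.error.URLError, OSError, ValueError):
        return False


def scan_recipe(recipe_bytes: bytes, https_ok: Callable[[str], bool] = probe_https) -> List[dict]:
    """Return one finding per http:// URL, noting its consumer and whether HTTPS works."""
    recipe = plistlib.loads(recipe_bytes)
    used = vars_used_by_url_processors(recipe)
    findings = []
    for path, url in find_http_urls(recipe):
        candidate = to_https(url)
        findings.append({"path": path, "replace": url, "with": candidate,
                         "consumer": consumer_of(recipe, path, used),
                         "https_available": https_ok(candidate)})
    return findings


def apply_changes(recipe_bytes: bytes, findings: List[dict]) -> bytes:
    """Rewrite only URLs that answered over HTTPS, as a text edit that keeps the plist formatting."""
    text = recipe_bytes.decode("utf-8")
    for f in findings:
        if f["https_available"]:
            text = text.replace(f["replace"], f["with"])
    return text.encode("utf-8")


def fake_https_ok(url: str) -> bool:
    """Offline stand-in for probe_https: pretend only www.example.com serves HTTPS."""
    return urlsplit(url).hostname == "www.example.com"


if __name__ == "__main__":
    for f in scan_recipe(SAMPLE_RECIPE, fake_https_ok):
        state = "HTTPS available" if f["https_available"] else "no HTTPS yet"
        print(f"{f['path']} ({f['consumer']}): {f['replace']} -> {f['with']} [{state}]")
```

Run as-is it uses the offline stand-in; pass the default probe_https (or drop the second argument) to check real recipes. Two caveats when you do: some servers reject HEAD requests outright, so a 405 should be retried with GET before concluding HTTPS is unavailable, and a URL that answers over HTTPS may still serve different content than its HTTP twin, which is why the recipes still need a test run before you commit.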

Source code

The script is below. Suggestions or improvements are welcome!