Tunnelblick developer

Um, so an application using Sparkle is an Issue? Why? I understand that some applications that use Sparkle use it insecurely, but not all do. [Tunnelblick](https://tunnelblick.net), for example, uses https:...

Thanks, @pornel -- so would a PR be considered because you just don't have time to work on stuff that isn't your main focus? Or would you not want one...

@zorgiepoo - Thanks. An optional Info.plist key/value pair (boolean SUAppcastMustBeSigned, defaulting to false) is fine with me. If true and if the appcast's signature wasn't correct, the appcast fetch would...

@pornel - Thanks. If you can't get a validly-signed appcast, then, as you say, it could be a network problem or it could be an attack. But if you _do_...

pornel wrote: > Not even that. If there's no expiration date in the signature, an attacker could have saved an old version of your signed appcast and perform a replay...

This has come up repeatedly. See #427 and #905. Since #905, Sparkle has added an appcast-generating script.

Thanks, @selvanair and @cron2. I have developed a fix for this Tunnelblick problem. @mika and anyone who would like to test it may email [email protected] for a link to download...

I'm sorry to be debugging a Tunnelblick problem in an OpenVPN Issue, but it's very helpful to have the comments from the OpenVPN developers! @cron2 wrote > my guess is...

@selvanair - Thanks for all your help! > How is this test done -- Is the server made unreachable by firewall or server is shutdown or something else? After connecting,...

Thanks to all: @mika and his user, @selvanair, @cron2 -- I couldn't have fixed it without you! I don't need log files, but thanks for offering. As far as I'm...