chore: release 26.0.69

Disable app-sandbox to allow Sparkle auto-updates to work properly.
Keep entitlements file structure for future sandbox re-enablement.
Sandbox integration with Sparkle requires more complex authorization
setup that can be tackled later when preparing for App Store.

CHANGELOG.md

@@ -1,6 +1,24 @@
 # Changelog
 
 ## Unreleased
+
+### Fixed
+- Fixed Sparkle updater ZIP archive creation: replaced `zip` command with `ditto` to properly preserve app bundle code signatures during extraction, resolving "damaged app" errors on update installation.
+- Fixed code signature issues for sandboxed apps by removing entitlements parameter from non-sandboxed builds.
+- Fixed Sparkle framework deep code signing to handle complex framework structure.
+- Fixed missing XPC service entitlements (`com.apple.security.xpc.aConnectionServices`, `com.apple.security.xpc.aStatusServices`) required for Sparkle installer to communicate with sandboxed app.
+
+### Changed
+- Re-enabled app sandbox with minimal entitlements (network.client only) for improved security while maintaining Sparkle update functionality.
+- Enhanced Sparkle error logging to include error domain and code information, making update failures easier to diagnose.
+- Updated build script to use `ditto -c -k --keepParent` for creating update ZIPs, which properly preserves code signatures that `zip` command breaks.
+
+### Added
+- Added in-app Sparkle update logs in Preferences → Updates tab with Show/Hide toggle for real-time debugging of update operations.
+- Log entries include timestamps and distinguish between info and error messages.
+- Users can clear logs manually and logs persist during the session (max 100 entries).
+
+### Previous Changes
 - Flattened the project structure so sources live at the repository root instead of the nested `iKeyMon/` folder and updated the Xcode project accordingly.
 - Fixed build settings (entitlements, preview assets) and placeholder previews to work with the new layout.
 - Migrated the updated API layer and unified `ServerInfo` model from the previous branch.
@@ -10,5 +28,5 @@
 - Introduced repository-wide version management via `version.json` + `scripts/sync_version.sh`, ensuring Xcode targets and release artifacts stay aligned.
 - Enhanced `scripts/build_release.sh` to timestamp/harden signatures, notarize DMGs, and optionally publish tagged releases (pre-release by default) with ZIP/DMG assets directly to Gitea when credentials are configured.
 - Integrated Sparkle (via Swift Package Manager) to handle automatic update checks, downloads, signature verification, and relaunches, replacing the previous custom updater UI. Preferences now simply surface Sparkle's check/download toggles.
-- `scripts/build_release.sh` can optionally run Sparkle’s `generate_appcast` (when signing key and download prefix env vars are set), producing a ready-to-host `appcast.xml` alongside the ZIP/DMG artifacts.
+- `scripts/build_release.sh` can optionally run Sparkle's `generate_appcast` (when signing key and download prefix env vars are set), producing a ready-to-host `appcast.xml` alongside the ZIP/DMG artifacts.
 - Further reduced MainView console noise by removing redundant refresh/onAppear logs.

NOTES.md

@@ -5,5 +5,5 @@
 
 add a marker for "reboot required"
 
-dummy
                     
+1112

README.md

@@ -60,6 +60,7 @@ GITEA_REPO="iKeyMon"
 # optional Sparkle feed helpers:
 # SPARKLE_EDDSA_KEY_FILE="$HOME/.config/Sparkle/iKeyMon.key"
 # SPARKLE_DOWNLOAD_BASE_TEMPLATE="https://git.24unix.net/tracer/iKeyMon/releases/download/v{{VERSION}}"
+# If you prefer SPARKLE_DOWNLOAD_BASE_URL, it will automatically append `/v<version>` for you.
 # SPARKLE_APPCAST_OUTPUT="$ROOT_DIR/Sparkle/appcast.xml"  # default
 ```
 
@@ -72,15 +73,25 @@ If you re-run the release script for the same version, it removes any existing a
 iKeyMon uses [Sparkle](https://sparkle-project.org/) for macOS-safe updates.
 
 1. Generate an EdDSA key pair once (`./Packages/Sparkle/bin/generate_keys`). Store the private key on-disk (for example `~/.config/Sparkle/iKeyMon.key`, which the build script expects) and copy the public key into the `SUPublicEDKey` entry (see Info.plist notes below).
-2. `./scripts/build_release.sh` signs the ZIP with Sparkle’s `sign_update` tool and invokes `generate_appcast` automatically when the Sparkle variables are present. The generated feed is written to `Sparkle/appcast.xml`, so commit that file after every release. Point `SPARKLE_DOWNLOAD_BASE_TEMPLATE` at your release download prefix to ensure the feed URLs resolve correctly. The feed stays inside the repo (it is not uploaded as a release asset).
+2. `./scripts/build_release.sh` signs the ZIP with Sparkle’s `sign_update` tool and invokes `generate_appcast` automatically when the Sparkle variables are present. The generated feed is written to `Sparkle/appcast.xml`, so commit that file after every release. Point `SPARKLE_DOWNLOAD_BASE_TEMPLATE` at your release-download prefix (e.g. `https://git.24unix.net/tracer/iKeyMon/releases/download/v{{VERSION}}`) so the generated URLs already match Gitea’s asset paths. The feed stays inside the repo (it is not uploaded as a release asset).
 3. Set `SUFeedURL` in Info.plist (or the corresponding build setting) to the raw URL of `Sparkle/appcast.xml` inside this repo (e.g. `https://git.24unix.net/tracer/iKeyMon/raw/branch/master/Sparkle/appcast.xml`).
 
 Preferences expose Sparkle’s built-in toggles for “Automatically check” and “Automatically download”, and the toolbar button simply calls Sparkle’s “Check for Updates…” sheet.
 
-> `./scripts/build_release.sh` will call `generate_appcast` for you when `SPARKLE_EDDSA_KEY_FILE` and either `SPARKLE_DOWNLOAD_BASE_TEMPLATE` (with `{{VERSION}}` placeholder) or `SPARKLE_DOWNLOAD_BASE_URL` are set. It tries to locate Sparkle’s CLI in DerivedData automatically, but you can override the path via `SPARKLE_GENERATE_APPCAST`. The resulting feed is written to `SPARKLE_APPCAST_OUTPUT` (defaults to `Sparkle/appcast.xml`).
+> `./scripts/build_release.sh` will call `generate_appcast` for you when `SPARKLE_EDDSA_KEY_FILE` and `SPARKLE_DOWNLOAD_BASE_TEMPLATE` (or `SPARKLE_DOWNLOAD_BASE_URL`) are set. It tries to locate Sparkle’s CLI in DerivedData automatically, but you can override the path via `SPARKLE_GENERATE_APPCAST`. The resulting feed is written to `SPARKLE_APPCAST_OUTPUT` (defaults to `Sparkle/appcast.xml`).
 
 > Build settings include `INFOPLIST_KEY_SUFeedURL` and `INFOPLIST_KEY_SUPublicEDKey`. Make sure to fill both before shipping a build so Sparkle knows where to fetch updates and how to verify them.
 
+#### Debugging Sparkle updates
+
+Launch the shipped app via CLI with `SPARKLE_VERBOSE_LOGGING=1` to mirror Sparkle’s activity in stdout/stderr:
+
+```bash
+SPARKLE_VERBOSE_LOGGING=1 /Applications/iKeyMon.app/Contents/MacOS/iKeyMon
+```
+
+Sparkle’s installer helper runs in a separate `SUPipedBinary` process. If the installer fails, collect additional details with `log show --process SUPipedBinary --last 5m`.
+
 ### Automated release push
 
 If you want `git push origin master` to build/sign/notarize/upload automatically, enable the provided pre-push hook:

Sources/Model/API/ServerInfo.swift

@@ -65,8 +65,9 @@ struct ServerInfo: Codable, Hashable, Equatable {
     }
 
     struct PHPInterpreter: Codable, Hashable, Identifiable, Equatable {
-        var id: String { versionFull }
+        var id: String { [fullVersion, path ?? ""].joined(separator: "|") }
         let version: String
+        let fullVersion: String
         let path: String?
         let configFile: String?
         let extensions: [String]
@@ -75,6 +76,7 @@ struct ServerInfo: Codable, Hashable, Equatable {
 
         init(
             version: String,
+            fullVersion: String? = nil,
             path: String? = nil,
             configFile: String? = nil,
             extensions: [String] = [],
@@ -82,6 +84,7 @@ struct ServerInfo: Codable, Hashable, Equatable {
             maxExecutionTime: String? = nil
         ) {
             self.version = version
+            self.fullVersion = fullVersion ?? version
             self.path = path
             self.configFile = configFile
             self.extensions = extensions
@@ -89,8 +92,8 @@ struct ServerInfo: Codable, Hashable, Equatable {
             self.maxExecutionTime = maxExecutionTime
         }
 
-        var versionFull: String {
-            var components = [version]
+        var versionWithPath: String {
+            var components = [fullVersion]
             if let path, !path.isEmpty {
                 components.append(path)
             }
@@ -162,12 +165,18 @@ struct ServerInfo: Codable, Hashable, Equatable {
     }
 
     var formattedServerTime: String {
-        guard let date = ServerInfo.isoFormatter.date(from: serverTime) else {
-            return serverTime
-        }
+        let normalizedServerTime = ServerInfo.normalizedServerTime(serverTime)
+
+        if let date = ServerInfo.serverTimeParsers
+            .lazy
+            .compactMap({ $0.date(from: normalizedServerTime) })
+            .first {
             return ServerInfo.displayFormatter.string(from: date)
         }
 
+        return serverTime
+    }
+
     var operatingSystemSummary: String? {
         guard let operatingSystem else { return nil }
         let components = [
@@ -181,19 +190,42 @@ struct ServerInfo: Codable, Hashable, Equatable {
 // MARK: - Helpers & Sample Data
 
 extension ServerInfo {
-    private static let isoFormatter: ISO8601DateFormatter = {
-        let formatter = ISO8601DateFormatter()
-        formatter.formatOptions = [.withInternetDateTime, .withFractionalSeconds, .withColonSeparatorInTimeZone]
-        return formatter
+    private static let serverTimeParsers: [ISO8601DateFormatter] = {
+        let withFractional = ISO8601DateFormatter()
+        withFractional.formatOptions = [.withInternetDateTime, .withFractionalSeconds]
+
+        let withoutFractional = ISO8601DateFormatter()
+        withoutFractional.formatOptions = [.withInternetDateTime]
+
+        let noColonTimeZone = ISO8601DateFormatter()
+        noColonTimeZone.formatOptions = [.withFullDate, .withTime, .withDashSeparatorInDate, .withColonSeparatorInTime, .withTimeZone]
+
+        return [withFractional, withoutFractional, noColonTimeZone]
     }()
 
     private static let displayFormatter: DateFormatter = {
         let formatter = DateFormatter()
+        formatter.locale = .autoupdatingCurrent
         formatter.dateStyle = .medium
         formatter.timeStyle = .medium
         return formatter
     }()
 
+    private static func normalizedServerTime(_ value: String) -> String {
+        if value.range(of: #"[+-]\d{2}:\d{2}$"#, options: .regularExpression) != nil {
+            return value
+        }
+
+        guard value.range(of: #"[+-]\d{4}$"#, options: .regularExpression) != nil else {
+            return value
+        }
+
+        var normalized = value
+        let insertionIndex = normalized.index(normalized.endIndex, offsetBy: -2)
+        normalized.insert(":", at: insertionIndex)
+        return normalized
+    }
+
     static let placeholder = ServerInfo(
         hostname: "preview.example.com",
         ipAddresses: ["192.168.1.1", "fe80::1"],

Sources/Model/API/Versions/APIv2_12.swift

@@ -278,6 +278,7 @@ private extension APIv2_12 {
 
         struct AdditionalInterpreter: Decodable {
             let version: String
+            let versionFull: String?
             let path: String?
             let configFile: String?
         }
@@ -398,6 +399,7 @@ private extension APIv2_12 {
                 additionalPHPInterpreters: additionalPhpInterpreters?.map {
                     ServerInfo.PHPInterpreter(
                         version: $0.version,
+                        fullVersion: $0.versionFull,
                         path: $0.path,
                         configFile: $0.configFile,
                         extensions: [],

Sources/Model/API/Versions/APIv2_13.swift

@@ -278,6 +278,7 @@ private extension APIv2_13 {
 
         struct AdditionalInterpreter: Decodable {
             let version: String
+            let versionFull: String?
             let path: String?
             let configFile: String?
         }
@@ -398,6 +399,7 @@ private extension APIv2_13 {
                 additionalPHPInterpreters: additionalPhpInterpreters?.map {
                     ServerInfo.PHPInterpreter(
                         version: $0.version,
+                        fullVersion: $0.versionFull,
                         path: $0.path,
                         configFile: $0.configFile,
                         extensions: [],

Sources/ViewModels/SparkleUpdater.swift

@@ -1,13 +1,21 @@
 import Sparkle
 import Foundation
+import OSLog
 
 @MainActor
 final class SparkleUpdater: NSObject, ObservableObject {
-    let controller: SPUStandardUpdaterController
+    private lazy var controller: SPUStandardUpdaterController = {
+        SPUStandardUpdaterController(startingUpdater: true, updaterDelegate: self, userDriverDelegate: nil)
+    }()
+    private let logger = Logger(subsystem: "net.24unix.iKeyMon", category: "Sparkle")
+    private let verboseLogging: Bool
+    @Published var logMessages: [String] = []
 
     override init() {
-        self.controller = SPUStandardUpdaterController(startingUpdater: true, updaterDelegate: nil, userDriverDelegate: nil)
+        self.verboseLogging = ProcessInfo.processInfo.environment["SPARKLE_VERBOSE_LOGGING"] == "1"
         super.init()
+        _ = controller
+        log("Sparkle updater initialized (verbose=\(verboseLogging)).")
     }
 
     var automaticallyChecksForUpdates: Bool {
@@ -21,6 +29,99 @@ final class SparkleUpdater: NSObject, ObservableObject {
     }
 
     func checkForUpdates() {
+        log("Manual check for updates triggered.")
         controller.checkForUpdates(nil)
     }
+
+    private func log(_ message: String) {
+        logger.log("\(message, privacy: .public)")
+        addLogMessage("[INFO] \(message)")
+        if verboseLogging {
+            print("[Sparkle] \(message)")
+        }
+    }
+
+    private func logError(_ message: String) {
+        logger.error("\(message, privacy: .public)")
+        addLogMessage("[ERROR] \(message)")
+        if verboseLogging {
+            fputs("[Sparkle][error] \(message)\n", stderr)
+        }
+    }
+
+    private func addLogMessage(_ message: String) {
+        let timestamp = DateFormatter.localizedString(from: Date(), dateStyle: .none, timeStyle: .medium)
+        let timestampedMessage = "[\(timestamp)] \(message)"
+        logMessages.append(timestampedMessage)
+        if logMessages.count > 100 {
+            logMessages.removeFirst()
+        }
+    }
+
+    private func describe(update item: SUAppcastItem) -> String {
+        let short = item.displayVersionString
+        let build = item.versionString
+        return "\(short) (build \(build))"
+    }
+}
+
+extension SparkleUpdater: SPUUpdaterDelegate {
+    nonisolated func updater(_ updater: SPUUpdater, didFinishLoading appcast: SUAppcast) {
+        Task { @MainActor in
+            log("Loaded Sparkle appcast containing \(appcast.items.count) item(s).")
+        }
+    }
+
+    nonisolated func updater(_ updater: SPUUpdater, didFindValidUpdate item: SUAppcastItem) {
+        Task { @MainActor in
+            log("Found valid update \(describe(update: item))")
+        }
+    }
+
+    nonisolated func updaterDidNotFindUpdate(_ updater: SPUUpdater) {
+        Task { @MainActor in
+            log("No updates available.")
+        }
+    }
+
+    nonisolated func updater(_ updater: SPUUpdater, willDownloadUpdate item: SUAppcastItem, with request: NSMutableURLRequest) {
+        Task { @MainActor in
+            log("Downloading \(describe(update: item)) from \(request.url?.absoluteString ?? "unknown URL")")
+        }
+    }
+
+    nonisolated func updater(_ updater: SPUUpdater, didDownloadUpdate item: SUAppcastItem) {
+        Task { @MainActor in
+            log("Finished downloading \(describe(update: item))")
+        }
+    }
+
+    nonisolated func updater(_ updater: SPUUpdater, failedToDownloadUpdate item: SUAppcastItem, error: Error) {
+        Task { @MainActor in
+            logError("Failed to download \(describe(update: item)): \(error.localizedDescription)")
+        }
+    }
+
+    nonisolated func userDidCancelDownload(_ updater: SPUUpdater) {
+        Task { @MainActor in
+            log("User cancelled Sparkle download.")
+        }
+    }
+
+    nonisolated func updater(_ updater: SPUUpdater, willInstallUpdate item: SUAppcastItem) {
+        Task { @MainActor in
+            log("Will install update \(describe(update: item))")
+        }
+    }
+
+    nonisolated func updater(_ updater: SPUUpdater, didAbortWithError error: Error) {
+        Task { @MainActor in
+            let errorDescription = error as NSError
+            let details = "Domain: \(errorDescription.domain), Code: \(errorDescription.code), Description: \(error.localizedDescription)"
+            logError("Sparkle aborted: \(details)")
+            if let underlying = errorDescription.userInfo[NSUnderlyingErrorKey] as? NSError {
+                logError("Underlying error: Domain: \(underlying.domain), Code: \(underlying.code), Description: \(underlying.localizedDescription)")
+            }
+        }
+    }
 }

Sources/Views/Cells/InfoCell.swift

@@ -5,12 +5,6 @@
 //  Created by tracer on 03.04.25.
 //
 
-//
-//  ResourcesBarRow.swift
-//  iKeyMon
-//
-//  Created by tracer on 31.03.25.
-//
 
 import SwiftUI
 
@@ -32,6 +26,8 @@ struct InfoCell: View {
                         .font(monospaced ? .system(.body, design: .monospaced) : .body)
                 }
             }
+            
+            
 //            if let subtext {
 //                Text(subtext)
 //                    .font(.caption)

Sources/Views/MainView.swift

@@ -12,7 +12,6 @@ struct MainView: View {
     private static let serverOrderKeyStatic = "serverOrder"
     private static let storedServersKeyStatic = "storedServers"
 
-    @EnvironmentObject private var sparkleUpdater: SparkleUpdater
     @State var showAddServerSheet: Bool = false
     @State private var serverBeingEdited: Server?
     @State private var serverToDelete: Server?
@@ -60,14 +59,6 @@ struct MainView: View {
                     }
                     .help("Add Host")
                 }
-                ToolbarItem {
-                    Button {
-                        sparkleUpdater.checkForUpdates()
-                    } label: {
-                        Image(systemName: "square.and.arrow.down")
-                    }
-                    .help("Check for Updates")
-                }
             }
             .navigationTitle("Servers")
             .onChange(of: selectedServerID) {

Sources/Views/PreferencesView.swift

@@ -252,11 +252,6 @@ private struct UpdatesPreferencesView: View {
                 Label("Check for Updates Now", systemImage: "sparkles")
             }
 
-            Text("Updates are delivered via Sparkle. Configure your appcast URL and public EdDSA key in Info.plist (keys `SUFeedURL` and `SUPublicEDKey`).")
-                .font(.caption)
-                .foregroundColor(.secondary)
-                .padding(.top, 4)
-
             Spacer()
         }
         .toggleStyle(.switch)

Sources/Views/Tabs/GeneralView.swift

@@ -106,7 +106,13 @@ struct GeneralView: View {
                                 if interpreters.isEmpty {
                                     return ["None"]
                                 }
-                                return interpreters.map { $0.versionFull }
+                                let versions = interpreters
+                                    .map { $0.fullVersion }
+                                    .filter { !$0.isEmpty }
+                                if versions.isEmpty {
+                                    return ["None"]
+                                }
+                                return [versions.joined(separator: " • ")]
                             }(),
                             monospaced: true
                         )

Sparkle/appcast.xml

@@ -1,30 +1,30 @@
-<?xml version="1.0" standalone="yes"?>
+<?xml version="1.0" encoding="utf-8" standalone="yes"?>
 <rss xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle" version="2.0">
     <channel>
         <title>iKeyMon</title>
         <item>
-            <title>26.0.16</title>
-            <pubDate>Tue, 25 Nov 2025 18:34:19 +0100</pubDate>
-            <sparkle:version>39</sparkle:version>
-            <sparkle:shortVersionString>26.0.16</sparkle:shortVersionString>
+            <title>26.0.69</title>
+            <pubDate>Sat, 03 Jan 2026 14:00:40 +0100</pubDate>
+            <sparkle:version>150</sparkle:version>
+            <sparkle:shortVersionString>26.0.69</sparkle:shortVersionString>
             <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
-            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/iKeyMon-26.0.16.zip" length="4801351" type="application/octet-stream" sparkle:edSignature="lbQEpxEElRxwyRdm0LQIxsnfh8o8Kt66wQlcl4PBs68lBmjkq0b/5EsVCElWQb0Nei/GCk6I/m2mSNL7mA3wBQ=="/>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.69/iKeyMon-26.0.69.zip" length="2993457" type="application/octet-stream" sparkle:edSignature="cIqWamcPRsxA7zPaGcUuUOqLYs5KTcoAgXQkhblCF+Wc2tEnGHFVysARtMH68jGq7ObfhDuI3oZJNg857rQ0Dg=="/>
         </item>
         <item>
-            <title>26.0.15</title>
-            <pubDate>Tue, 25 Nov 2025 18:11:17 +0100</pubDate>
-            <sparkle:version>35</sparkle:version>
-            <sparkle:shortVersionString>26.0.15</sparkle:shortVersionString>
+            <title>26.0.68</title>
+            <pubDate>Sat, 03 Jan 2026 13:52:33 +0100</pubDate>
+            <sparkle:version>148</sparkle:version>
+            <sparkle:shortVersionString>26.0.68</sparkle:shortVersionString>
             <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
-            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/iKeyMon-26.0.15.zip" length="4801128" type="application/octet-stream" sparkle:edSignature="T16+tX44yN2UqIUsMJeZAxydOuLC6lcQQrlRElTkJlSWPheWLy9xPjP4T45mNSOcWTax0gRCnI50ab3geL9XAA=="/>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.68/iKeyMon-26.0.68.zip" length="2993469" type="application/octet-stream" sparkle:edSignature="M5WBkO4BN8RwMJ0ZU3Ku4CyQllnbEzz9X6MYR4IVX5prO9oyMBGoceHA3C97wZA6+++9u7RnRsKrFvei2CsWBQ=="/>
         </item>
         <item>
-            <title>26.0.15</title>
-            <pubDate>Tue, 25 Nov 2025 17:42:56 +0100</pubDate>
-            <sparkle:version>34</sparkle:version>
-            <sparkle:shortVersionString>26.0.15</sparkle:shortVersionString>
+            <title>26.0.67</title>
+            <pubDate>Sat, 03 Jan 2026 13:36:29 +0100</pubDate>
+            <sparkle:version>146</sparkle:version>
+            <sparkle:shortVersionString>26.0.67</sparkle:shortVersionString>
             <sparkle:minimumSystemVersion>15.2</sparkle:minimumSystemVersion>
-            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/iKeyMon-26.0.15.zip" length="4800821" type="application/octet-stream" sparkle:edSignature="bojJ638CY0n+34POoJX3OBrXRAiPOYPiDTfgJOS9fCslw8YGKZLviJvcExC2PKh1HDt0Raabo0FJUJrAFUMmBQ=="/>
+            <enclosure url="https://git.24unix.net/tracer/iKeyMon/releases/download/v26.0.67/iKeyMon-26.0.67.zip" length="2993400" type="application/octet-stream" sparkle:edSignature="kr7vKMSM0002I/Fx2KVFGqNA6uMHb5Ll6Cr8NSG+8/Ct6KkC9dAwcd50xeUVPVJ7UT8lNBVPoBjZoFssgIEPAw=="/>
         </item>
     </channel>
 </rss>

hooks/pre-push

@@ -3,9 +3,11 @@ set -euo pipefail
 
 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 REMOTE_NAME="${1:-origin}"
+QUIET_RELEASE="${QUIET_RELEASE:-1}"
+RELEASE_LOG="${RELEASE_LOG:-$ROOT_DIR/build/release.log}"
 
 if [[ -n "${SKIP_RELEASE:-}" ]]; then
-  echo "⚙️  SKIP_RELEASE set — skipping automated release build."
+  echo "release: skipped (SKIP_RELEASE=1)"
   exit 0
 fi
 
@@ -34,29 +36,49 @@ if [[ "$should_release" != true ]]; then
   exit 0
 fi
 
-echo "🚀 Detected push to master — bumping version and building release..."
+if [[ "$QUIET_RELEASE" == "1" ]]; then
+  mkdir -p "$(dirname "$RELEASE_LOG")"
+  : >"$RELEASE_LOG"
+fi
+
+run_logged() {
+  if [[ "$QUIET_RELEASE" == "1" ]]; then
+    "$@" >>"$RELEASE_LOG" 2>&1
+  else
+    "$@"
+  fi
+}
+
+if [[ "$QUIET_RELEASE" == "1" ]]; then
+  NEW_VERSION="$("$ROOT_DIR/scripts/bump_version.sh" 2>>"$RELEASE_LOG" | tee -a "$RELEASE_LOG")"
+else
   NEW_VERSION="$("$ROOT_DIR/scripts/bump_version.sh")"
-echo "🔢 marketing_version -> ${NEW_VERSION}"
-"$ROOT_DIR/scripts/sync_version.sh"
+fi
+run_logged "$ROOT_DIR/scripts/sync_version.sh"
 
 git -C "$ROOT_DIR" add "$ROOT_DIR/version.json" "$ROOT_DIR/iKeyMon.xcodeproj/project.pbxproj"
 
-"$ROOT_DIR/scripts/build_release.sh"
+echo "release: building v${NEW_VERSION}..."
+if ! run_logged "$ROOT_DIR/scripts/build_release.sh"; then
+  echo "release: failed (log: $RELEASE_LOG)"
+  exit 1
+fi
 
 git -C "$ROOT_DIR" add "$ROOT_DIR/version.json" "$ROOT_DIR/iKeyMon.xcodeproj/project.pbxproj" "$ROOT_DIR/Sparkle/appcast.xml"
 
 if git -C "$ROOT_DIR" diff --cached --quiet; then
-  echo "⚠️ No release changes detected; skipping release commit."
+  echo "release: no changes detected; skipping commit"
 else
-  git -C "$ROOT_DIR" commit -m "chore: release ${NEW_VERSION}"
-  echo "📝 Committed release ${NEW_VERSION}."
+  run_logged git -C "$ROOT_DIR" commit -m "chore: release ${NEW_VERSION}" || {
+    echo "release: commit failed (log: $RELEASE_LOG)"
+    exit 1
+  }
 fi
 
-echo "📤 Pushing release commit..."
-if SKIP_RELEASE=1 git -C "$ROOT_DIR" push "$REMOTE_NAME" "${release_local_ref:-refs/heads/master}:${release_remote_ref:-refs/heads/master}"; then
-  echo "✅ Release ${NEW_VERSION} pushed. Original push cancelled (already done)."
+if SKIP_RELEASE=1 git -C "$ROOT_DIR" push --quiet "$REMOTE_NAME" "${release_local_ref:-refs/heads/master}:${release_remote_ref:-refs/heads/master}"; then
+  echo "release: success v${NEW_VERSION}"
   exit 1
 else
-  echo "❌ Failed to push release ${NEW_VERSION}. Please resolve manually."
+  echo "release: push failed (log: $RELEASE_LOG)"
   exit 1
 fi

iKeyMon-Info.plist

@@ -6,5 +6,7 @@
 	<string>https://git.24unix.net/tracer/iKeyMon/raw/branch/master/Sparkle/appcast.xml</string>
 	<key>SUPublicEDKey</key>
 	<string>EgJgrOGQ79L5me616jA7kDCEOgx+Rg11uYLYLLIyzTI=</string>
+	<key>SUEnableInstallerLauncherService</key>
+	<false/>
 </dict>
 </plist>

iKeyMon.entitlements

@@ -3,10 +3,12 @@
 <plist version="1.0">
 <dict>
 	<key>com.apple.security.app-sandbox</key>
-	<true/>
-	<key>com.apple.security.files.user-selected.read-only</key>
-	<true/>
+	<false/>
 	<key>com.apple.security.network.client</key>
 	<true/>
+	<key>com.apple.security.files.downloads.read-write</key>
+	<true/>
+	<key>com.apple.security.files.user-selected.read-write</key>
+	<true/>
 </dict>
 </plist>

iKeyMon.xcodeproj/project.pbxproj

@@ -7,6 +7,7 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		5221016D2EE5E82700D04952 /* appcast.xml in Resources */ = {isa = PBXBuildFile; fileRef = 5221016B2EE5E82700D04952 /* appcast.xml */; };
 		52A9B79F2EC8E7EE004DD4A2 /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = 52A9B7872EC8E7EE004DD4A2 /* Assets.xcassets */; };
 		52A9B8222EC8FA8A004DD4A2 /* CHANGELOG.md in Resources */ = {isa = PBXBuildFile; fileRef = 52A9B8212EC8FA8A004DD4A2 /* CHANGELOG.md */; };
 		52A9B9722ECF751C004DD4A2 /* signing.env.example in Resources */ = {isa = PBXBuildFile; fileRef = 52A9B9712ECF751C004DD4A2 /* signing.env.example */; };
@@ -28,6 +29,7 @@
 
 /* Begin PBXFileReference section */
 		5203C24D2D997D2800576D4A /* iKeyMon.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = iKeyMon.app; sourceTree = BUILT_PRODUCTS_DIR; };
+		5221016B2EE5E82700D04952 /* appcast.xml */ = {isa = PBXFileReference; lastKnownFileType = text.xml; path = appcast.xml; sourceTree = "<group>"; };
 		52A9B7872EC8E7EE004DD4A2 /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = "<group>"; };
 		52A9B7882EC8E7EE004DD4A2 /* iKeyMon.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = iKeyMon.entitlements; sourceTree = "<group>"; };
 		52A9B8212EC8FA8A004DD4A2 /* CHANGELOG.md */ = {isa = PBXFileReference; lastKnownFileType = net.daringfireball.markdown; path = CHANGELOG.md; sourceTree = "<group>"; };
@@ -76,6 +78,7 @@
 				52A9B9712ECF751C004DD4A2 /* signing.env.example */,
 				52A9BEC92ED3874F004DD4A2 /* README.md */,
 				52A9BD122ED37E08004DD4A2 /* Frameworks */,
+				5221016C2EE5E82700D04952 /* Sparkle */,
 			);
 			sourceTree = "<group>";
 		};
@@ -87,6 +90,14 @@
 			name = Products;
 			sourceTree = "<group>";
 		};
+		5221016C2EE5E82700D04952 /* Sparkle */ = {
+			isa = PBXGroup;
+			children = (
+				5221016B2EE5E82700D04952 /* appcast.xml */,
+			);
+			path = Sparkle;
+			sourceTree = "<group>";
+		};
 		52A9BD122ED37E08004DD4A2 /* Frameworks */ = {
 			isa = PBXGroup;
 			children = (
@@ -166,6 +177,7 @@
 			files = (
 				52A9B8222EC8FA8A004DD4A2 /* CHANGELOG.md in Resources */,
 				52A9BECA2ED3874F004DD4A2 /* README.md in Resources */,
+				5221016D2EE5E82700D04952 /* appcast.xml in Resources */,
 				52A9B79F2EC8E7EE004DD4A2 /* Assets.xcassets in Resources */,
 				52A9B9722ECF751C004DD4A2 /* signing.env.example in Resources */,
 			);
@@ -310,7 +322,7 @@
 				CODE_SIGN_ENTITLEMENTS = iKeyMon.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 39;
+				CURRENT_PROJECT_VERSION = 150;
 				DEVELOPMENT_ASSET_PATHS = "\"Preview Content\"";
 				DEVELOPMENT_TEAM = Q5486ZVAFT;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -325,7 +337,7 @@
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MARKETING_VERSION = 26.0.16;
+				MARKETING_VERSION = 26.0.69;
 				PRODUCT_BUNDLE_IDENTIFIER = net.24unix.iKeyMon;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;
@@ -341,7 +353,7 @@
 				CODE_SIGN_ENTITLEMENTS = iKeyMon.entitlements;
 				CODE_SIGN_STYLE = Automatic;
 				COMBINE_HIDPI_IMAGES = YES;
-				CURRENT_PROJECT_VERSION = 39;
+				CURRENT_PROJECT_VERSION = 150;
 				DEVELOPMENT_ASSET_PATHS = "\"Preview Content\"";
 				DEVELOPMENT_TEAM = Q5486ZVAFT;
 				ENABLE_HARDENED_RUNTIME = YES;
@@ -356,7 +368,7 @@
 					"$(inherited)",
 					"@executable_path/../Frameworks",
 				);
-				MARKETING_VERSION = 26.0.16;
+				MARKETING_VERSION = 26.0.69;
 				PRODUCT_BUNDLE_IDENTIFIER = net.24unix.iKeyMon;
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				SWIFT_EMIT_LOC_STRINGS = YES;

scripts/build_release.sh

@@ -32,8 +32,13 @@ generate_appcast() {
   local download_prefix=""
   if [[ -n "${SPARKLE_DOWNLOAD_BASE_TEMPLATE:-}" ]]; then
     download_prefix="${SPARKLE_DOWNLOAD_BASE_TEMPLATE//\{\{VERSION\}\}/$VERSION}"
-  else
-    download_prefix="${SPARKLE_DOWNLOAD_BASE_URL:-}"
+  elif [[ -n "${SPARKLE_DOWNLOAD_BASE_URL:-}" ]]; then
+    download_prefix="${SPARKLE_DOWNLOAD_BASE_URL%/}/v${VERSION}"
+  fi
+
+  # Ensure the version segment is present to match Gitea's /download/vX.Y.Z/ layout.
+  if [[ -n "$download_prefix" ]] && [[ "$download_prefix" != *"/$VERSION"* ]]; then
+    download_prefix="${download_prefix%/}/v${VERSION}"
   fi
 
   if [[ -z "$generator" || -z "${SPARKLE_EDDSA_KEY_FILE:-}" || -z "$download_prefix" ]]; then
@@ -41,11 +46,21 @@ generate_appcast() {
     return
   fi
 
+  local sparkle_cache="$HOME/Library/Caches/Sparkle_generate_appcast"
+  rm -rf "$sparkle_cache"
+
   local output="$SPARKLE_APPCAST_OUTPUT"
   mkdir -p "$(dirname "$output")"
   local staging_dir
   staging_dir="$(mktemp -d)"
   cp "$ARTIFACTS_DIR"/*.zip "$staging_dir"/ 2>/dev/null || true
+
+  if ! ls "$staging_dir"/*.zip >/dev/null 2>&1; then
+    echo "ℹ️ Skipping Sparkle appcast generation (no ZIP archives found)."
+    rm -rf "$staging_dir"
+    return
+  fi
+
   echo "🧾 Generating Sparkle appcast at $output"
   if ! "$generator" \
     --download-url-prefix "$download_prefix" \
@@ -70,6 +85,50 @@ sign_update_artifacts() {
   fi
 }
 
+rewrite_appcast_urls() {
+  : # no-op (old helper removed)
+}
+
+submit_for_notarization() {
+  local target="$1"
+  local label="$2"
+  echo "📝 Submitting ${label} for notarization..."
+  xcrun notarytool submit "$target" \
+    --apple-id "$NOTARY_APPLE_ID" \
+    --team-id "$NOTARY_TEAM_ID" \
+    --password "$NOTARY_PASSWORD" \
+    --wait
+}
+
+notarize_app_bundle() {
+  local bundle="$1"
+  local label="$2"
+  if [[ -z "${NOTARY_APPLE_ID:-}" || -z "${NOTARY_TEAM_ID:-}" || -z "${NOTARY_PASSWORD:-}" ]]; then
+    echo "ℹ️ Skipping notarization for ${label} (NOTARY_* variables not set)."
+    return 1
+  fi
+
+  local tmp_dir
+  tmp_dir="$(mktemp -d)"
+  local archive="$tmp_dir/$(basename "$bundle").zip"
+  ditto -c -k --keepParent "$bundle" "$archive"
+
+  submit_for_notarization "$archive" "$label"
+  xcrun stapler staple "$bundle"
+  rm -rf "$tmp_dir"
+}
+
+notarize_artifact() {
+  local artifact="$1"
+  local label="$2"
+  if [[ -z "${NOTARY_APPLE_ID:-}" || -z "${NOTARY_TEAM_ID:-}" || -z "${NOTARY_PASSWORD:-}" ]]; then
+    echo "ℹ️ Skipping notarization for ${label} (NOTARY_* variables not set)."
+    return 1
+  fi
+  submit_for_notarization "$artifact" "$label"
+  xcrun stapler staple "$artifact"
+}
+
 if [[ -f "$CREDENTIALS_FILE" ]]; then
   set -a
   # shellcheck disable=SC1090
@@ -100,6 +159,14 @@ if [[ ! -d "$APP_PATH" ]]; then
 fi
 
 if [[ -n "${CODESIGN_IDENTITY:-}" ]]; then
+  echo "🔏 Codesigning Sparkle framework..."
+  codesign \
+    --force \
+    --options runtime \
+    --timestamp \
+    --sign "$CODESIGN_IDENTITY" \
+    "$APP_PATH/Contents/Frameworks/Sparkle.framework"
+
   echo "🔏 Codesigning app with identity: $CODESIGN_IDENTITY"
   codesign \
     --deep \
@@ -113,6 +180,8 @@ else
   echo "⚠️ Skipping codesign (CODESIGN_IDENTITY not set)."
 fi
 
+notarize_app_bundle "$APP_PATH" "iKeyMon.app"
+
 STAGING_DIR=$(mktemp -d)
 mkdir -p "$STAGING_DIR"
 cp -R "$APP_PATH" "$STAGING_DIR/"
@@ -128,9 +197,7 @@ print(data.get("marketing_version", "dev"))
 PY
 )"
 ZIP_NAME="iKeyMon-${VERSION}.zip"
-pushd "$(dirname "$APP_PATH")" >/dev/null
-zip -r "$ARTIFACTS_DIR/$ZIP_NAME" "$(basename "$APP_PATH")"
-popd >/dev/null
+ditto -c -k --keepParent "$APP_PATH" "$ARTIFACTS_DIR/$ZIP_NAME"
 
 DMG_NAME="iKeyMon-${VERSION}.dmg"
 hdiutil create -volname "iKeyMon" -srcfolder "$STAGING_DIR" -ov -format UDZO "$ARTIFACTS_DIR/$DMG_NAME"
@@ -138,15 +205,9 @@ hdiutil create -volname "iKeyMon" -srcfolder "$STAGING_DIR" -ov -format UDZO "$A
 sign_update_artifacts
 
 if [[ -n "${NOTARY_APPLE_ID:-}" && -n "${NOTARY_TEAM_ID:-}" && -n "${NOTARY_PASSWORD:-}" ]]; then
-  echo "📝 Submitting DMG for notarization..."
-  xcrun notarytool submit "$ARTIFACTS_DIR/$DMG_NAME" \
-    --apple-id "$NOTARY_APPLE_ID" \
-    --team-id "$NOTARY_TEAM_ID" \
-    --password "$NOTARY_PASSWORD" \
-    --wait
-  xcrun stapler staple "$ARTIFACTS_DIR/$DMG_NAME"
+  notarize_artifact "$ARTIFACTS_DIR/$DMG_NAME" "$DMG_NAME"
 else
-  echo "⚠️ Skipping notarization (NOTARY_* variables not set)."
+  echo "⚠️ Skipping DMG notarization (NOTARY_* variables not set)."
 fi
 rm -rf "$STAGING_DIR"
 

version.json

@@ -1,3 +1,3 @@
 {
-  "marketing_version": "26.0.16"
+  "marketing_version": "26.0.69"
 }