Use Github Releases for hosting and fetching update files. Enables our fork of Atom to update in-app.
DeeDeeG opened this issue · 5 comments
For Windows, see: https://github.com/Squirrel/Squirrel.Windows/blob/develop/docs/using/github.md
There are no separate docs files I could see for macOS, but here is the repo: https://github.com/Squirrel/Squirrel.Mac
We should look into some higher-level abstractions already available to do this kind of thing:
- https://www.electronjs.org/docs/tutorial/updates#using-updateelectronjsorg
- Requires that we code sign our app, so this is sadly not an option for the time being.
- https://www.electronjs.org/docs/tutorial/updates#deploying-an-update-server
-
Depending on your needs, you can choose from one of these:
- Hazel – Update server for private or open-source apps which can be deployed for free on
NowVercel. It pulls from GitHub Releases and leverages the power of GitHub's CDN.
- Hazel – Update server for private or open-source apps which can be deployed for free on
-
Actually, I think the requirement to have signed apps is just so we don't get "this app is unauthorized" warnings, and so we don't have our updater stopped with a warning by the OS. (See this documentation.)
We won't get far attempting auto-updating without code signing. (I assume update.electronjs.org probably lets you use it without code signing, but then the users would have a very hard time actually installing the updates.)
Maybe we should disable auto-updating (which is basically broken on this fork until we code sign), and instead show users the GitHub Releases page URL.
For example: we could use the GitHub API, check for updates, and just display a URL to download the new version in "About Atom". And perhaps display a bubble notification instead of running the auto-update mechanism.
We will get this kind of error in the first installation, and it will happen again during updating. So I don't think codesign is a determining factor here.
I think seeing this kind of errors at all is an issue, right? Many users aren't technical enough to understand what the error means or why it's happening. And their antivirus quarantines the update file.
I think seeing this kind of errors at all is an issue, right? Many users aren't technical enough to understand what the error means or why it's happening. And their antivirus quarantines the update file.
This will also be a significant issue for programmers working on work machines as most help desk teams will require only verified software be used, with proper signings for the purposes of auditing