You’ve read the Mule, you’ve read Ars, and folks like Mactracker have gone out and moved their feed to HTTPS like good citizens. But what about those old, abandoned apps we still want to keep using? Well, this is why it’s called risk management and not fire-proofing. Just like physical therapy, you still need to keep these tools in use, but that doesn’t mean you have to sit around waiting for a MitM attack, or hack the app bundle and re-sign all the apps you use.
Extinguish is the name of my profile generation script that allows you to drag an app into the terminal window and have it pop out a mobileconfig that disables the automated checks/updates, and overrides the SUFeedURL to https://127.0.0.1. You can get it here: https://github.com/arubdesu/Extinguish
It doesn’t cover every permutation of how Sparkle may have been configured by the app developer, and if a fix does come out you’d need to find out about it some other way, but hopefully this helps folks mitigate the exposure an app’s updater could cause if it isn’t effectively disabled in this manner. Check out the README for more details.
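As an added example (not Extinguish's own code, which may differ), here is one way to build such a mobileconfig in Python: it reads the app's bundle identifier and forces the Sparkle preferences through a managed-preferences payload. The `com.example` identifier prefix, the `OldApp.app` sample bundle and the helper names are assumptions made for illustration.

```python
import plistlib
import tempfile
import uuid
from pathlib import Path

# SUFeedURL and its loopback value come from the post; the two booleans are
# Sparkle's preference keys for automatic checks and automatic installs.
SPARKLE_OVERRIDES = {
    "SUEnableAutomaticChecks": False,
    "SUAutomaticallyUpdate": False,
    "SUFeedURL": "https://127.0.0.1",
}

def bundle_id_for(app_path):
    """Read CFBundleIdentifier from an .app bundle's Contents/Info.plist."""
    with open(Path(app_path) / "Contents" / "Info.plist", "rb") as fh:
        return plistlib.load(fh)["CFBundleIdentifier"]

def build_profile(bundle_id, org="com.example"):  # org prefix: placeholder
    """Return mobileconfig bytes that force SPARKLE_OVERRIDES for one app."""
    forced = [{"mcx_preference_settings": dict(SPARKLE_OVERRIDES)}]
    prefs_payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadIdentifier": f"{org}.sparkle-off.{bundle_id}.prefs",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadContent": {bundle_id: {"Forced": forced}},  # keyed by preference domain
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org}.sparkle-off.{bundle_id}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadDisplayName": f"Disable Sparkle updates: {bundle_id}",
        "PayloadContent": [prefs_payload],
    }
    return plistlib.dumps(profile)

def make_sample_app(parent, bundle_id="com.example.OldApp"):
    """Build a constructed, minimal .app directory so the example runs offline."""
    contents = Path(parent) / "OldApp.app" / "Contents"
    contents.mkdir(parents=True)
    (contents / "Info.plist").write_bytes(plistlib.dumps({"CFBundleIdentifier": bundle_id}))
    return contents.parent

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(build_profile(bundle_id_for(make_sample_app(tmp))).decode())
```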