Users of Codebook for macOS who download today’s update, version 4.4, will see that the app is being distributed in a new format! We are now using a code-signed and Apple-notarized Disk Image (.dmg) file to package Codebook for macOS.
Unlike the Installer Package (.pkg) format we were using before, which is sort of like a mini-application that installs the app for you, the .dmg file is more of a container, like a .zip file, but with the advantage that we can sign and notarize it. These two properties allow us to do some other cool stuff I’ll get to in a second.
In any event, this time when you open the file you downloaded, a window will appear instructing you to drag Codebook into your Applications folder:
That’s all you need to do! macOS may ask you if you wish to replace the Codebook that’s already there: definitely click the Replace button. Then go ahead and launch Codebook as before.
Now, you may wish to discard the downloaded .dmg file. Disk images are mounted as Volumes in macOS, so first we need to eject it. Simply type ⌘ E while focused on the disk image window that opened, or select the Volume icon in Finder (it’s titled “Install Codebook”) and select Eject from the File menu:
Now I know what you may be thinking: the previous installer used to take care of installation for me. Will I have to do this every time?
No! Part of the reason for this transition was so we could update the Software Update library we use in Codebook for macOS (Sparkle) to provide Download, Install, and Relaunch capabilities in all future updates. So you’ll only need to do this once! In the future when Codebook checks for updates, you’ll see you no longer have to even download the new version yourself: instead there will be an Install Update button. Future updates will look like this:
Switching to the Disk Image format helps a great deal with being able to provide this functionality to you, and will make it easier to get everybody updated to the latest version when an important new release comes out. We believe this updated delivery method is more secure overall and less prone to error. Firstly, downloading future updates, putting them in the right place (the Applications folder), and discarding the disk image when done is all taken care of for you.
Secondly, in addition to signing and notarizing the .dmg format distribution, which allows macOS to verify the update is really from us, we are now also using a separate EdDSA (Ed25519) key pair to create an additional signature on the final build product that Codebook can verify with a public key. This allows the Check For Updates mechanism to do an additional check to be sure that what gets downloaded has the same signature as what is advertised to it on the website, and that it came from us.
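The check described above, sketched in Go as an added example; it is not Codebook's or Sparkle's code. The function names, the all-zero demo seed, and the stand-in archive bytes are assumptions constructed for illustration, and the signature and public key are assumed to be carried as base64 text.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
)

// VerifyUpdate checks downloaded archive bytes against the signature the
// website advertises, using the public key pinned inside the installed app.
// Both the key (32 raw bytes) and the signature (64 raw bytes) arrive as base64.
func VerifyUpdate(pinnedPubB64, advertisedSigB64 string, archive []byte) error {
	pub, err := base64.StdEncoding.DecodeString(pinnedPubB64)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key is malformed")
	}
	sig, err := base64.StdEncoding.DecodeString(advertisedSigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("advertised signature is malformed")
	}
	// Fails if the bytes changed after signing or if a different key signed them.
	if !ed25519.Verify(ed25519.PublicKey(pub), archive, sig) {
		return errors.New("archive does not verify against the pinned key")
	}
	return nil
}

// constructedRelease plays the publisher's side with constructed data: a key
// pair from a fixed seed, a fake archive, and the signature to advertise.
func constructedRelease() (pubB64, sigB64 string, archive []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // demo seed only
	archive = []byte("constructed stand-in for the bytes of an update .dmg")
	sig := ed25519.Sign(priv, archive)
	pubB64 = base64.StdEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))
	sigB64 = base64.StdEncoding.EncodeToString(sig)
	return pubB64, sigB64, archive
}

func main() {
	pub, sig, archive := constructedRelease()
	fmt.Println("genuine archive: ", VerifyUpdate(pub, sig, archive))
	archive[0] ^= 1 // one flipped bit, as from corruption or tampering in transit
	fmt.Println("modified archive:", VerifyUpdate(pub, sig, archive))
}
```

Because the public key ships inside the already-installed app, a download that was altered in transit or on the server fails this check even when the advertised signature is replaced along with it.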
If you have any trouble installing today’s update, or concerns or questions, please let us know!