Version 1.4.1 of AutoPkgr is now available, and it has a larger-than-your-average-point-release number of improvements and changes. Take a look:

Added

• AutoPkgr now allows you to customize the template used to generate notifications when new actions have occurred. Check it out at the bottom of the Notifications tab. (#184)

Fixed

• Fixed a long-standing issue that caused an incorrect prompt for the AutoPkgr keychain password! (#469)
• Addressed several issues that may have prevented notifications from working reliably in version 1.4. (#508, #515)
• Fixed a crash caused by the SMTP server setting being blank. (#502)
• AutoPkgr launches a bit faster now. (#500)
• AutoPkgr now reports InstallFromDMG processor results in addition to Installer processor results.
• Fixed an issue that would cause the email notification subject to be blank.

Changed

• Adjusted default formatting of email and Slack notifications. (#507)
• Added logging for SMTP operations.
• Prevented password field from wrapping to a "new line." (#481)
• Increased width of active recipe list picker.
• Updated versions of MMMarkdown and MailCore2 used in AutoPkgr.

Security

• A note on keychain security in AutoPkgr 1.4.1:

  The fix for issue #469 requires AutoPkgr to be less aggressive when locking the AutoPkgr keychain (a separate keychain stored in ~/Library/Keychains that stores your SMTP credentials for email notifications). It's possible for somebody with access to your AutoPkgr Mac to obtain your SMTP password using the security command while the AutoPkgr keychain is unlocked.

  Here's why AutoPkgr exceeds our security requirements, even with less aggressive keychain locking:

  • AutoPkgr's locking behavior is still more restrictive than your login keychain's behavior.
  • Physical access or VNC to your AutoPkgr Mac is necessary to use the security command to obtain the SMTP password.
  • AutoPkgr goes to great lengths to keep the actual AutoPkgr keychain password both unknown and unnecessary to know, which prevents password exposure via the Keychain Access app.

  Taking common sense security steps should mitigate any risks introduced by this change. Here are three to consider:

  • Use an SMTP account dedicated to AutoPkgr for email notifications.
  • Run AutoPkgr on a dedicated Mac or VM, rather than using one shared by other services.
  • Unless necessary, don't leave the Mac logged in. AutoPkgr works great at the login window (which is why it has its own keychain in the first place), and a Mac at the login window is magnitudes safer than one with an active user session.

As always, please submit any issues you find on GitHub, or find us on Slack or Google Groups if you have questions. Have a great week!