The update asked for my password, why?

kryptonianson · November 6, 2013, 3:21pm

When I launched total terminal today it informed me of the update. Once it downloaded it, I got a dialog saying the installer was locked by a password. This was not the OS dialog for username and password, it was a total terminal dialog that ONLY asked for a password. Then as you would normally expect the app installer later asked me for the admin username and password.

Why was I asked by the app for a password? (Not the system prompt for admin, just the first one) Did I get dooped here? Did this happen to everyone? This makes me very very nervous. Please help.

darwin · November 6, 2013, 3:34pm

This was reported by some users. I was unable to reproduce it on my machines.

I don’t know why it is happening. I’m using Sparkle updater. I’m suspicious that this is something with DMG file. It can have some flag asking for password and for some users it gets confused and asks for password. Empty password will work.

Are you able to reproduce it? Can you use the same DMG file and install it again? Does it prompt again? If yes, can you send me md5 or sha1 of the DMG file? Maybe it got corrupted by some caching proxy or something? I’m puzzled.

kryptonianson · November 6, 2013, 4:38pm

I can not reproduce it. However, I did look up the string for the message it gave and saw some references to the sparkle update framework. I noticed someone on twitter had a similar prompt when using one of your products as well. The sparkle message is coming from their supasswordprompt.xib file. However it of course does not explain why. I find it very suspicious.

The string I looked up is “this update is locked with a password”. Hope that helps get a comforting answer.

darwin · November 6, 2013, 4:46pm

Thanks for uncovering possible source. I’m probably using edge version of Sparkle which might have some quirks. I will try to resolve soon, because this is really bad prompt.

Shadow6363 · November 7, 2013, 2:35am

Just wanted to echo that I too received this prompt.

darwin · November 7, 2013, 9:45pm

I just hacked Sparkle to not ask for the password. They have implemented some heuristics which will ask for password if normal DMG mounting fails for some reason. It looks like this heuristics is buggy.

Leyton4114 · November 16, 2013, 10:23pm

I got the password request, too. Just click on “unlock” to continue the installation

After there was no error or anything else.

The new version has been installed.

LEy’

chad78 · November 17, 2013, 1:30am

I also had the statement “This update is locked with a password” I just X-ed out of the window, and the update installed like normal.

darwin · November 17, 2013, 12:11pm

Guys, do you speak about 1.5.4 and 1.5.5 or older versions?

I believe I have fixed it in 1.5.4.

jessor · November 18, 2013, 1:04pm

Just got this dialogue when updating from 1.5.2 to 1.5.4.
Tried an empty password, got lucky

darwin · November 18, 2013, 2:11pm

FYI: this is the fix I did in Sparkle.

Sparkle tries to mount the DMG and if it fails for some reason it considers the DMG to be password-protected. This is my understanding of the issue.

The fix is effective since 1.5.4 for future updates to new versions. So it is expected that 1.5.2 is still asking for the password.

Ernie_A_Oporto · December 6, 2013, 5:45pm

It did for me too on 10.9. Using no password worked for me.

qrczak · December 6, 2013, 8:34pm

It did the same to me today on 10.9 and I use “no password” - it’s works

darwin · December 6, 2013, 8:41pm

Yes, people upgrading today from 1.5.2 (on stable channel) could still experience this bug. The code which fixes it will be effective when updating next time (to version 1.5.7 or higher).

Brandon_C · December 7, 2013, 1:22am

Password request for me today as well.

dr00_b · February 5, 2014, 2:32pm

I enabled FileVault disk encryption since the last TT update, could that be the reason for prompt?