Mostly yes — auto-updating is usually safer than running old, unpatched software. But “safe” depends entirely on where the update comes from and how it is verified. The short version: trust auto-updates from the App Store and from properly signed, notarized sources, and be more careful with direct downloads and unverified vendor updaters.
Why auto-updating is usually a good idea
Most updates fix security bugs, and once a fix ships, the bug it closes is effectively public. Every day an update is delayed is another day a known vulnerability stays exploitable, which is a larger risk than the update itself. For the App Store, automatic updates are a safe default: Apple reviews and signs every build, and macOS verifies that signature before anything is installed.
The risks that make people nervous
The legitimate worries are not about updating in general; they are about a specific bad update slipping through:
- Downgrade attacks. An attacker serves an older version with a known vulnerability and calls it an update.
- Tampered downloads. A download is modified in transit, or the metadata is delivered over cleartext HTTP and redirected somewhere else.
- Lookalike replacements. Something that is not really the same app — a different developer or bundle identity — replaces the app you trusted.
- Broken releases. Not malicious, just buggy: a new version that crashes or breaks compatibility, with no easy way back.
What makes an update trustworthy
A safe auto-update is one where these checks pass before anything is replaced:
- HTTPS metadata. Update feeds and download URLs use HTTPS, and any redirect target is checked against the same rule rather than followed blindly, so a feed cannot quietly hand the client off to a cleartext mirror.
- Signature verification. Sparkle updates are verified against the EdDSA public key embedded in the installed app (Sparkle's SUPublicEDKey), so only whoever holds the matching private key can produce an archive that is accepted; direct releases are Developer ID signed and Apple-notarized.
- Matching identity. The replacement has the same bundle identifier and signing team as the installed app, so a different developer's build cannot take its place even if that build is itself validly signed.
- Forward version only. The new build's version is strictly greater than the installed one, so a served downgrade is rejected even when it carries a correct signature.
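The four gates above as one verification routine. This is an added example written for this page, not macCurrent's or Sparkle's own code; it uses Go's standard-library Ed25519 for the signature check, and the struct and field names, the throwaway key pair and the archive bytes are all constructed for the example. It also assumes the caller has already read the downloaded bundle's identifier and signing team from its code signature and that DownloadURL is the URL reached after redirects, since both of those steps are outside what this routine does.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// InstalledApp is what the updater knows about the app on disk; EdDSAPubKey stands in for the Sparkle public key shipped in Info.plist.
type InstalledApp struct {
	BundleID    string
	TeamID      string
	Version     string
	EdDSAPubKey ed25519.PublicKey
}

// AppcastItem is the subset of a feed entry the gates inspect (field names are this example's, not Sparkle's schema).
// DownloadURL is the URL finally reached after redirects; BundleID and TeamID are assumed to come from the downloaded bundle's code signature.
type AppcastItem struct {
	FeedURL     string
	DownloadURL string
	Version     string
	EdSignature string // base64 Ed25519 signature over the archive bytes
	BundleID    string
	TeamID      string
}

var (
	ErrCleartext = errors.New("feed or download URL is not https")
	ErrDowngrade = errors.New("served version is not newer than the installed one")
	ErrIdentity  = errors.New("bundle identifier or signing team does not match")
	ErrSignature = errors.New("EdDSA signature does not verify against the installed key")
)

// compareVersions orders dotted numeric versions; missing or non-numeric components count as 0.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// checkUpdate applies the four gates in order; the app may be replaced only when it returns nil.
func checkUpdate(app InstalledApp, item AppcastItem, archive []byte) error {
	// 1. Feed and download over HTTPS, checked on the final URL, not only the one the feed named.
	for _, raw := range []string{item.FeedURL, item.DownloadURL} {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "https" {
			return ErrCleartext
		}
	}
	// 2. Forward version only: a correctly signed but older build is still a downgrade.
	if compareVersions(item.Version, app.Version) <= 0 {
		return ErrDowngrade
	}
	// 3. Same bundle identifier and signing team as the installed app.
	if item.BundleID != app.BundleID || item.TeamID != app.TeamID {
		return ErrIdentity
	}
	// 4. Ed25519 signature over the archive bytes, checked with the key the installed app shipped.
	sig, err := base64.StdEncoding.DecodeString(item.EdSignature)
	if err != nil || len(sig) != ed25519.SignatureSize || !ed25519.Verify(app.EdDSAPubKey, archive, sig) {
		return ErrSignature
	}
	return nil
}

// signArchive is the release side's job; it exists here only so the example can build a genuinely signed item.
func signArchive(priv ed25519.PrivateKey, archive []byte) string {
	return base64.StdEncoding.EncodeToString(ed25519.Sign(priv, archive))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed throwaway key pair
	archive := []byte("constructed archive bytes, not a real zip")
	app := InstalledApp{BundleID: "com.example.app", TeamID: "ABCDE12345", Version: "1.4.0", EdDSAPubKey: pub}
	item := AppcastItem{FeedURL: "https://example.com/appcast.xml", DownloadURL: "https://cdn.example.com/app-1.5.0.zip",
		Version: "1.5.0", EdSignature: signArchive(priv, archive), BundleID: "com.example.app", TeamID: "ABCDE12345"}
	fmt.Println("genuine update:", checkUpdate(app, item, archive))
	item.Version = "1.3.9"
	fmt.Println("signed but older:", checkUpdate(app, item, archive))
}
```

The gates are independent, so the order is a matter of cost, not correctness: the cheap URL and version checks run before the signature is decoded, and a downgrade is refused even though its signature would verify. The one thing this routine cannot do on its own is establish the replacement's identity; that has to come from the downloaded bundle's code signature, which is why the example takes those two fields as inputs.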
When to review instead of auto-install
Let low-risk, well-verified updates install automatically. Slow down and review when an update is a direct download with no signature, when the installed app's signing team cannot be verified, when an installer package comes from an unknown source, or when a release is large or changes how the app handles your data. In those cases, handing off to the vendor's own updater or installing manually is often the safer call.
How macCurrent handles this
macCurrent rejects cleartext update metadata, verifies Sparkle archives against the installed app's EdDSA public key, refuses served downgrades, and only performs an automatic replacement when the bundle identifier and signing team match. Updates that cannot be verified that way are opened for review instead of installed silently. The full detail is in the security model.
It is a free beta for Apple Silicon Macs on macOS 15 or later — download it here.