From 1224d0f586500337a65787a571dcf36f89b22f2b Mon Sep 17 00:00:00 2001
From: Yee Cheng Chin <ychin.git@gmail.com>
Date: Mon, 6 Apr 2026 17:01:21 -0700
Subject: [PATCH] Force Sparkle updater to always verify update and to use
 signed appcast

Sparkle 2.9 introduced the ability to verify appcast feeds using a
signature. Turn that on to prevent MITM attacks.

This requires the appcast on the server side to be re-generated with
signature at the end. This was done in
macvim-dev/macvim-dev.github.io#5.
---
 src/MacVim/Info.plist | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/MacVim/Info.plist b/src/MacVim/Info.plist
index 99d16e3aef..50a6cd916d 100644
--- a/src/MacVim/Info.plist
+++ b/src/MacVim/Info.plist
@@ -1311,6 +1311,10 @@
 	</array>
 	<key>MMWhatsNewURL</key>
 	<string>https://macvim.org/release-notes/whatsnew.html</string>
+	<key>SUVerifyUpdateBeforeExtraction</key>
+	<string>YES</string>
+	<key>SURequireSignedFeed</key>
+	<string>YES</string>
 	<key>SUEnableJavaScript</key>
 	<string>YES</string>
 	<key>SUFeedURL</key>