DfontSplitter 0.4.2 for Mac — Critical Security Update

Today I release DfontSplitter 0.4.2 for Mac. This is a critical security update that fixes an issue relating to the Sparkle software update framework when the update pages are served over HTTP. As of 0.4.2, the update pages are now, naturally, served over HTTPS. (It was more than five years ago when the last release was made!)

The vulnerability means that in a scenario where an attacker could launch a man-in-the-middle attack during a Sparkle-enabled app’s update detection process, arbitrary JavaScript could execute in the WebView hosting the release notes. Due to the context that the WebView runs in, the app could then be convinced to run local files, expose local files to a remote server and even execute arbitrary code. More details and a full breakdown are at the post on Vulnerable Security.

This update fixes the Sparkle-related security issue by updating Sparkle and requiring HTTPS for all future DfontSplitter app update communications. Due to new build requirements in Xcode 7.2, the application now requires at least OS X Snow Leopard (10.6) and a 64-bit Intel processor.

The automatic updates feature within DfontSplitter should detect the update, but you can also download and install it manually.

Thanks to Kevin Chen for pointing out the existence of the issue with Sparkle and that it affected DfontSplitter. I had somehow missed the original reporting of the vulnerability, so I particularly appreciate Kevin bringing this to my timely attention.

The astute among you may note that in the Info.plist for this update, I explicitly disable the OS X 10.11 SDK’s check for HTTPS forward secrecy in the HTTPS communications to the update server. Once I figure out a cipher suite configuration that I am happy with, and understand, in Pound (my reverse proxy acting as the TLS terminus), I will update the app again to require forward secrecy.
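The two settings discussed in this post (the transport of the Sparkle feed URL and the App Transport Security forward secrecy exception) can be checked in any app's Info.plist. The following is an added example, not code from DfontSplitter or Sparkle; the sample plist, its placeholder domain and the function name audit_update_transport are constructed for illustration.

```python
import plistlib

# Constructed sample Info.plist (not DfontSplitter's real file; the feed URL
# and domain are placeholders). It combines an HTTP feed, as before the fix,
# with the forward secrecy exception mentioned in the post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>SUFeedURL</key><string>http://updates.example.invalid/appcast.xml</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>updates.example.invalid</key><dict>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

def audit_update_transport(plist_bytes):
    """Return (severity, message) findings for Sparkle feed and ATS settings."""
    info = plistlib.loads(plist_bytes)
    findings = []
    feed = info.get("SUFeedURL", "")
    if not feed:
        findings.append(("info", "no SUFeedURL in Info.plist (feed may be set in code)"))
    elif not feed.lower().startswith("https://"):
        findings.append(("high", f"SUFeedURL is not HTTPS: {feed}"))
    ats = info.get("NSAppTransportSecurity", {})
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads permits plain HTTP everywhere"))
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("high", f"{domain}: insecure HTTP loads allowed"))
        # ATS requires forward secrecy by default; only an explicit false relaxes it.
        if exc.get("NSExceptionRequiresForwardSecrecy", True) is False:
            findings.append(("medium", f"{domain}: forward secrecy not required"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_update_transport(SAMPLE_PLIST):
        print(f"[{severity}] {message}")
```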

Amalia is Now Open Source

I am very pleased to announce that Amalia, the content management system I helped to develop for Van Patten Media, has now been released as an open source project!

Amalia is designed to be a content management system ‘for the rest of us’ and to make it easy to manage a small website. Amalia is a database-less CMS, so it doesn’t need the complexity, maintenance, and expense of a MySQL server, making it possible to run on even many of the most limited of web hosting packages.

There are, admittedly, some missing pieces in Amalia — and it certainly isn’t perfect. I am excited, however, about the possibilities of Amalia and its future potential as an open source project. We would certainly love your feedback, ideas, Core code, plugins, and any other contributions you might want to make.

Please head on over to the project’s GitHub page for the code and to get involved. You can also check out the install guide (PDF) and an install video on YouTube.

DfontSplitter for Windows 0.3.1

“What? I thought you updated this yesterday?”

Well, I did. 😛

Hot on the heels of yesterday’s auto-update-capable release is DfontSplitter for Windows 0.3.1. This version includes a single fix, introducing a new method of avoiding the dreaded ‘corrupt font file’ error. For some unknown reason, sometimes Windows simply will refuse to work with the original fondu output file, but if DfontSplitter simply makes a duplicate of the file, it will happily see it as a TrueType font! It is very odd behaviour, and this fix only works in some cases, but it should reduce the incidence of ‘corrupt font files’ being output from DfontSplitter for Windows. This means users will less frequently have to go through a secondary hoop to get Windows to play nicely with DfontSplitter’s outputs.

Here are the official release notes:

New Features and Bugfixes

  • Uses a new method to decrease the incidence of ‘invalid font file’ errors on Windows. More fonts should now convert correctly without requiring further intervention.

Known Issues

  • Some fonts still require further conversion after DfontSplitter has created the TrueType font file. FontForge is one option for this.

As always, you can always get the latest and greatest version of DfontSplitter by downloading it from the DfontSplitter project page.

DfontSplitter for Windows 0.3

I have just released a new version of DfontSplitter for Windows, version 0.3. The main change here is a brand new automatic update notification system. Like the Mac version, which uses the excellent Sparkle Framework, users of DfontSplitter for Windows can now keep the application up-to-date without having to manually check the website. This makes my development of the software easier, as I can release smaller feature releases more frequently, rather than large releases that must have a longer lifespan.

Unfortunately, because the automatic update feature is new, previous users of DfontSplitter 0.2 are not going to be notified automatically about this new release. 🙁

If you know any other users of DfontSplitter for Windows, please let them know this update is available so they might have the opportunity to keep up-to-date with this new feature too.

Here are the official release notes for this version:

New Features and Bugfixes

  • New automatic update facility, similar to that of DfontSplitter for Mac. Users can now be notified of new releases in the future, which may include new features.

Known Issues

As always, you can always get the latest and greatest version of DfontSplitter by downloading it from the DfontSplitter project page.

DfontSplitter 0.4.1 for Mac

I have just released a new version of DfontSplitter for Mac. It is a bugfix-only release, containing a single fix for an issue that affected some non-English versions of Mac OS X.

New Features and Bugfixes

  • Fixed a bug where DfontSplitter would report valid files as not being in the correct format on some non-English versions of Mac OS X. File type detection is now done through uniform type identifiers, avoiding this issue.

Known Issues

  • Converting TTC files on Mac OS X Leopard (10.5) does sometimes run into problems, where the TTC splitting script can’t open the TTC file. The reason for this is currently unclear.
  • Moving TTF files that have been extracted from a .dfont over to Windows — please see this workaround.
  • Some Font Suitcase files may not contain TTF data that can be extracted.

Users of DfontSplitter for Mac should update their copy of the application by launching it, and choosing DfontSplitter > Check for Updates from the menu bar. Alternatively, you can always download a fresh copy from the DfontSplitter project page.

DfontSplitter 0.4 for Mac

I have released a new update to DfontSplitter for Mac. Here are the release notes for this version:

New Features and Bugfixes

  • The Font Suitcase format is now supported. TrueType font data inside a FFIL Font Suitcase can now be extracted with DfontSplitter.

Known Issues

  • Converting TTC files on Mac OS X Leopard (10.5) does sometimes run into problems, where the TTC splitting script can’t open the TTC file. The reason for this is currently unclear.
  • Moving TTF files that have been extracted from a .dfont over to Windows — please see this workaround.
  • Some Font Suitcase files may not contain TTF data that can be extracted.

As always, go across to the DfontSplitter project page to download the new release.

If you’re already using DfontSplitter for Mac, simply go to DfontSplitter > Check for Updates within the application to upgrade to the new release.

DfontSplitter for Windows

Yeah, so, I just released some Windows software.

My program for converting and splitting Mac OS X .dfont files into TTF files, DfontSplitter, has been a pretty popular route into my website for some time now.

While the original program is written for OS X, it became apparent from my website statistics that many people who needed to convert .dfont to .ttf were Windows users.

So, today, I have released DfontSplitter for Windows, version 0.1. This program is, again, simply a wrapper script for fondu, which does the real work. It has a completely unique GUI, custom built for the Windows platform.

There is also a brand new project page for DfontSplitter, with links to both the Mac and Windows versions of the software and the documentation too.

Hopefully this can serve the need of Windows users who need to convert those filetypes, and don’t want expensive or spyware-ridden software. Enjoy!

A quick footnote – this is a bit of a licensing quagmire. There are lots of different licenses that apply to different bits of DfontSplitter for Windows, including GPL 3.0, GPL 2.0, BSD and Creative Commons. That’s all explained on the project page, and in further depth in readme and licence files in the downloads.

Oh and it’s also slightly ugly, in terms of how it interacts with fondu. But it works. 🙂

WPGet 0.8 Released

I’ve just pushed out a new version of WPGet, to fix an issue with its category support that has been there for quite some time.

For those not in the know, WPGet is a script that is designed to allow you to include a short summary of your recent blog posts on your website. Specifically, it works with WordPress and is great for integrating a WordPress blog into a site that isn’t completely powered by the WP platform.

The new version of WPGet brings the following to the table:

  • The ability to retrieve posts only from specific categories that you choose is now fixed*, and works with WordPress 2.3.x, 2.5 and higher.
  • The ability to retrieve posts that match certain tags. This is an all-new feature.
  • Support for WordPress versions prior to 2.3 is dropped. It might still work (except Categories and Tags), but I can’t help you if it doesn’t.

If you’re not using the Category and/or Tag features, there’s probably not a compelling reason to upgrade, but if you do want to include a summary of blog posts from a certain category (or categories) or that match certain tags, WPGet can now do that for you.

* WordPress 2.3’s new database structure for categories and tags is what broke WPGet in the first place. I’ve been slow in releasing a fix, I know.

How do I get it?

The easy way: Run the installer and it will walk you through the process. There’s more help here as well if you need it.

The not-so-easy way: Download the code yourself, and run the installer on your own server (or just set it up manually).

The WPGet section of the documentation wiki is alive again and should be featuring some more documentation pretty soon.

If you have any feedback or comments, please do leave a comment on this post, or you can get in contact another way. I would love to hear from anyone successfully using WPGet!