Curio 13.2 Release Notes

๐Ÿ‘‰ Look for features added in the latest build below.

Release Date

October 7, 2019

Requirements

Curio 13 runs on macOS High Sierra (10.13), Mojave (10.14), or Catalina (10.15).

Editions

Features only available in certain editions will be listed with colored tags like , , . For example, next to a feature means that the feature is available only in the Professional edition of Curio.

Features

Catalina Support

Several changes were made to better support macOS Catalina (10.15).

Catalina Security Enhancements

Curio now works with Catalina's Enhanced Gatekeeper to prevent malware and infected apps. This actually took a few steps:

  1. To support Enhanced Gatekeeper, Zengobi is required to submit each build of Curio set for distribution to Apple for notarizing which screens Curio for malware then staples a secure identifier to the Curio app package.
  2. To support notarizing, Curio is now compiled with Apple's new hardened runtime entitlements which helps protect Curio's code integrity, prevents certain classes of exploits, like code injection, and defines more precisely what resources Curio may request, such as access to Contacts or the camera.
  3. To support hardened runtime, we needed a recent update to the Sparkle framework which handles Curio's app updates and now supports hardened runtime compilation.
Is this sandboxing?

All of this may sound similar to sandboxing but it's a bit different:

Notarizing
Protects the integrity of the app and helps prevent malware.
Sandboxing
Imposes file and resource limits on the app itself to limit its ability to access where it shouldn't.

So, an app could be notarized... or sandboxed... or both! In our case we're simply notarizing Curio.

There's actually one level beyond notarizing + sandboxing: passing a Mac App Store Review. This review process may reject an app for certain functionality including valid sandboxing entitlements to further protect the user from potential security issues.

It's important to emphasize that Curio downloaded from our website is notarized but not sandboxed. A version of Curio downloaded from the Mac App Store would be notarized and sandoxed.

Catalina Fixes

  • Fixed splitter bar collapsing issues to accommodate changes Apple made to Catalina's interface framework.
  • Fixed a Contacts authentication issue which caused an odd hang on launch in Catalina.

Security Improvements

A number of improvements have been made to make Curio more secure:

  • Mail
    If your default email client is Apple's Mail app, Curio will now use the macOS sharing service framework to send emails from within Curio, instead of using AppleScript. That way the user isn't shown a macOS alert asking for permission the first time they try to mail from within Curio. However, Curio will continue to use AppleScript to support 3rd party email clients since many (like Outlook) don't currently support the sharing service very well. So those users will need to give Curio permission when they see the macOS scripting authorization alert.
  • Sleuth
    Switched to Greatest Quotations for quotes since it supports https (the old Quotations Page didn't). Updated all remaining Sleuth sites which previously used http to https. Removed the old Animations Sleuth site item as it didn't support https.
  • https โ†’ https
    Changed all remaining internal http calls to https calls. In addition, if an URL is entered without a protocol scheme (e.g. www.zengobi.com instead of https://www.zengobi.com) Curio now defaults to a https scheme to connect although you can use change this to http if you wish.
  • Favicons
    Custom site favicons for web link figures are now only retrieved for https URLs for better security.

Miscellaneous Tweaks

  • App Authentications
    Curio will now wait until the user enables syncing before asking for Calendar and Reminders access. Similarly Curio will wait until the user double-clicks a Contact that had been dragged into an idea space before asking for Contacts access.
  • Preferences Paths
    The various paths stored in Curio's Preferences window (project documents folder, project backups folder, external repository folders) are now stored as secure bookmarks instead of simple text paths. This way a future sandboxed Curio can access the same stored path locations.
  • Spotlight
    Curio's Spotlight plugin now has better support for external asset libraries, where project contents are actually stored within a .curioLibrary folder that sits alongside the actual .curio project file package. Our Spotlight plugin can now index and return individual idea space .curioAsset files found those external asset libraries. If a file is returned as a Spotlight result and then launched, Curio will automatically open the appropriate containing project file and jump to that specific idea space.
  • Importing
    You can now disable the import dialog when you drag in an OPML, Markdown, TaskPaper, MindManager, iThoughts, MindNode, iMindMap, CSV file so it doesn't ask if you'd like to convert it into a native Curio collection type (like list or mind map). Instead it will simply drop in as a normal asset file.
  • Exporting
    You can now customize the tags export delimiter so instead of tag1, tag2, tag3 it's something else like a semicolon.
  • Sparkle
    Now using the Sparkle 1.22.0 final release for more robust and secure app updates.
  • Sleuth
    Unsplash has been added to the Sleuth shelf.
  • Cloud Saving
    • Added the iCloud Drive folder to Curio's internal list of cloud-synced folders (which already includes Dropbox, Google Drive, etc) so the user is given a safety tip on first save: wait for sync up to complete before disconnecting, wait for sync down to complete before opening project. Projects there will also automatically gain a .curioLockfile as necessary which prevent simultaneous read-write access to a project.
    • The Preferences dialog now shows iCloud-hosted folders for projects and backups with more friendly path names, instead of ~/Library/Mobile Documents/com~apple~CloudDocs for pre-Catalina, or ~/Library/CloudStorage/iCloud Drive for Catalina. Similarly a little cloud icon โ˜๏ธ is shown at the start of those paths for iCloud, Dropbox, Google Drive, etc, folders so it's obvious this is a cloud-hosted folder.

Fixes

  • Fixed mind map node dropping so the drop indicator is more reliable.
  • Fixed asset figure title issue so it has better support for AppleColorEmoji! ๐Ÿ˜
  • Fixed dark mode to more reliably switch popovers between dark and light mode colorings.
  • Fixed the advanced project settings where if you set lock file to yes or no then you can now set it to automatic again.
  • Fixed bug where deleting all the children of a parent node (like in a stack, list, or mind map) didn't also remove the parent's resources that it inherited from those now-removed children.
  • Fixed redraw issue when undoing the deletion of a stack item that had adornments.
  • Fixed a Mojave oddity, where the idea space ruler overlapped the idea space content instead of scooting the content down, as Cocoa's previously done for apps automatically.
  • Fixed โ‡งโŒ˜ dragging of a selected asset figure to the Mojave Finder so it now works correctly using Apple's new-ish, confusing, and sparsely documented promise file API.
  • Fixed issue with empty references submenus.
  • Fixed issue where checking a figure's checkbox didn't set the figure's done date value correctly.
  • Fixed issue with the restored idea space scroll position if opening project with a different screen setup.
  • Fixed issue to ensure Organizer previews are up-to-date.
  • Minor tweak to work with Curiota 3.2's new support for iCloud-synced extended attributes. Specifically, the SourceURL attribute for links dragged into Curiota.
  • Minor tweaks so automatic project backups are more robust.
  • When editing at very small scale factors (like via Fit to Width), if you encounter a strange issue with a hard-to-see blinking text cursor then try disabling this internal graphics tweak.

Mac App Store Curio

We also built a sandboxed version of Curio for sale at the Mac App Store.

Limitations/Differences

The Mac App Store build has the following limitations or key differences:

  • AppleScript
    AppleScript figure actions are not supported.
  • Screen Snapshots
    The Screen Snapshot feature is not supported. Instead use the much improved native macOS screenshot feature. Curio's snapshot feature is scheduled to be removed in the next major release of non-sandboxed Curio anyway since the native macOS screenshot feature is so full-featured now.
  • Insecure http Connections
    To enforce secure https connections, insecure http connections are not supported in embedded web view figures, as Organizer documents, as Sleuth sites, or during web archive or favicon retrieval. However, you can create http web link figures and figure actions, which will open in your default browser.
  • External Asset Folders and Lock Files
    These two Curio Professional features require access to the folder that contains the project so it can manage the associated library folder and lock file. Therefore these features are only supported with projects located in the default Projects folder specified in Curio's Preferences.
  • Mail
    The internal macOS sharing framework will be used to allow mailing from within Curio, since general AppleScript execution is not supported. Thus, while Apple's Mail client works great, compatibility with certain 3rd party mail clients will depend on their support for Apple's sharing service feature. At the time of this writing, we should note that Microsoft Outlook does not currently support attachments via the sharing service. As a workaround, exports can be made to your Desktop, then you can manually create a mail message and add attachments.
  • Markdown Export

    During a markdown export, if the user requests exporting images and assets, then Curio will verify it has full access to that destination location. For example, if exporting to ~/Desktop/Exports then Curio would need full access to that folder so it can create not just the Notes.markdown file but also the Notes Assets folder sitting alongside. This is a bit weird in a sandboxed world.

    So, if full access was not possible then Curio will request authorization from the user. This permission is only authorized for this launch session although the user can ask Curio to remember this folder for future exports to the same folder.

    All remembered folders are stored as secure bookmarks in an Authorized Folders.plist file in the sandbox's application support folder. It's important to note that due to the way secure bookmarks work, folder access technically includes access to subfolders as well.


  • Create Archive
    Create Archive will ask for the destination location for the archive (via an Open dialog) instead of asking for an archive file name (via a Save dialog). It then places the resulting archive at that location with the same name as the original project. If a file already exists at that location Curio will automatically append 2, 3, etc. This change was required because the resulting archive could dynamically have either a curio or a curio.zip extension, based on whether zipping was requested, which necessitated broader access to that destination that the Save panel allowed. We could revert this change but it would require the Authorized Folders technique mentioned above.