Curio 13.2 Release Notes
October 7, 2019
Curio 13 runs on macOS High Sierra (10.13), Mojave (10.14), or Catalina (10.15).
Features only available in certain editions will be listed with colored tags like , , . For example, next to a feature means that the feature is available only in the Professional edition of Curio.
Several changes were made to better support macOS Catalina (10.15).
Catalina Security Enhancements
Curio now works with Catalina's Enhanced Gatekeeper to prevent malware and infected apps. This actually took a few steps:
- To support Enhanced Gatekeeper, Zengobi is required to submit each build of Curio set for distribution to Apple for notarizing which screens Curio for malware then staples a secure identifier to the Curio app package.
- To support notarizing, Curio is now compiled with Apple's new hardened runtime entitlements which helps protect Curio's code integrity, prevents certain classes of exploits, like code injection, and defines more precisely what resources Curio may request, such as access to Contacts or the camera.
- To support hardened runtime, we needed a recent update to the Sparkle framework which handles Curio's app updates and now supports hardened runtime compilation.
Is this sandboxing?
All of this may sound similar to sandboxing but it's a bit different:
- Protects the integrity of the app and helps prevent malware.
- Imposes file and resource limits on the app itself to limit its ability to access where it shouldn't.
So, an app could be notarized... or sandboxed... or both! In our case we're simply notarizing Curio.
There's actually one level beyond notarizing + sandboxing: passing a Mac App Store Review. This review process may reject an app for certain functionality including valid sandboxing entitlements to further protect the user from potential security issues.
It's important to emphasize that Curio downloaded from our website is notarized but not sandboxed. A version of Curio downloaded from the Mac App Store would be notarized and sandoxed.
- Fixed splitter bar collapsing issues to accommodate changes Apple made to Catalina's interface framework.
- Fixed a Contacts authentication issue which caused an odd hang on launch in Catalina.
A number of improvements have been made to make Curio more secure:
If your default email client is Apple's Mail app, Curio will now use the macOS sharing service framework to send emails from within Curio, instead of using AppleScript. That way the user isn't shown a macOS alert asking for permission the first time they try to mail from within Curio. However, Curio will continue to use AppleScript to support 3rd party email clients since many (like Outlook) don't currently support the sharing service very well. So those users will need to give Curio permission when they see the macOS scripting authorization alert.
Switched to Greatest Quotations for quotes since it supports
https(the old Quotations Page didn't). Updated all remaining Sleuth sites which previously used
https. Removed the old Animations Sleuth site item as it didn't support
- https → https
Changed all remaining internal
httpscalls. In addition, if an URL is entered without a protocol scheme (e.g.
https://www.zengobi.com) Curio now defaults to a
httpsscheme to connect although you can use change this to http if you wish.
Custom site favicons for web link figures are now only retrieved for
httpsURLs for better security.
- App Authentications
Curio will now wait until the user enables syncing before asking for Calendar and Reminders access. Similarly Curio will wait until the user double-clicks a Contact that had been dragged into an idea space before asking for Contacts access.
- Preferences Paths
The various paths stored in Curio's Preferences window (project documents folder, project backups folder, external repository folders) are now stored as secure bookmarks instead of simple text paths. This way a future sandboxed Curio can access the same stored path locations.
Curio's Spotlight plugin now has better support for external asset libraries, where project contents are actually stored within a
.curioLibraryfolder that sits alongside the actual
.curioproject file package. Our Spotlight plugin can now index and return individual idea space
.curioAssetfiles found those external asset libraries. If a file is returned as a Spotlight result and then launched, Curio will automatically open the appropriate containing project file and jump to that specific idea space.
You can now disable the import dialog when you drag in an OPML, Markdown, TaskPaper, MindManager, iThoughts, MindNode, iMindMap, CSV file so it doesn't ask if you'd like to convert it into a native Curio collection type (like list or mind map). Instead it will simply drop in as a normal asset file.
You can now customize the tags export delimiter so instead of
tag1, tag2, tag3it's something else like a semicolon.
Now using the Sparkle 1.22.0 final release for more robust and secure app updates.
Unsplash has been added to the Sleuth shelf.
- Cloud Saving
- Added the iCloud Drive folder to Curio's internal list of cloud-synced folders (which already includes Dropbox, Google Drive, etc) so the user is given a safety tip on first save: wait for sync up to complete before disconnecting, wait for sync down to complete before opening project. Projects there will also automatically gain a .curioLockfile as necessary which prevent simultaneous read-write access to a project.
- The Preferences dialog now shows iCloud-hosted folders for projects and backups with more friendly path names, instead of
~/Library/Mobile Documents/com~apple~CloudDocsfor pre-Catalina, or
~/Library/CloudStorage/iCloud Drivefor Catalina. Similarly a little cloud icon ☁️ is shown at the start of those paths for iCloud, Dropbox, Google Drive, etc, folders so it's obvious this is a cloud-hosted folder.
- Fixed mind map node dropping so the drop indicator is more reliable.
- Fixed asset figure title issue so it has better support for AppleColorEmoji! 😁
- Fixed dark mode to more reliably switch popovers between dark and light mode colorings.
- Fixed the advanced project settings where if you set lock file to yes or no then you can now set it to automatic again.
- Fixed bug where deleting all the children of a parent node (like in a stack, list, or mind map) didn't also remove the parent's resources that it inherited from those now-removed children.
- Fixed redraw issue when undoing the deletion of a stack item that had adornments.
- Fixed a Mojave oddity, where the idea space ruler overlapped the idea space content instead of scooting the content down, as Cocoa's previously done for apps automatically.
- Fixed ⇧⌘ dragging of a selected asset figure to the Mojave Finder so it now works correctly using Apple's new-ish, confusing, and sparsely documented promise file API.
- Fixed issue with empty references submenus.
- Fixed issue where checking a figure's checkbox didn't set the figure's done date value correctly.
- Fixed issue with the restored idea space scroll position if opening project with a different screen setup.
- Fixed issue to ensure Organizer previews are up-to-date.
- Minor tweak to work with Curiota 3.2's new support for iCloud-synced extended attributes. Specifically, the
SourceURLattribute for links dragged into Curiota.
- Minor tweaks so automatic project backups are more robust.
- When editing at very small scale factors (like via Fit to Width), if you encounter a strange issue with a hard-to-see blinking text cursor then try disabling this internal graphics tweak.
Mac App Store Curio
We also built a sandboxed version of Curio for sale at the Mac App Store.
The Mac App Store build has the following limitations or key differences:
AppleScript figure actions are not supported.
- Screen Snapshots
The Screen Snapshot feature is not supported. Instead use the much improved native macOS screenshot feature. Curio's snapshot feature is scheduled to be removed in the next major release of non-sandboxed Curio anyway since the native macOS screenshot feature is so full-featured now.
To enforce secure
httpconnections are not supported in embedded web view figures, as Organizer documents, as Sleuth sites, or during web archive or favicon retrieval. However, you can create
httpweb link figures and figure actions, which will open in your default browser.
- External Asset Folders and Lock Files
These two Curio Professional features require access to the folder that contains the project so it can manage the associated library folder and lock file. Therefore these features are only supported with projects located in the default Projects folder specified in Curio's Preferences.
The internal macOS sharing framework will be used to allow mailing from within Curio, since general AppleScript execution is not supported. Thus, while Apple's Mail client works great, compatibility with certain 3rd party mail clients will depend on their support for Apple's sharing service feature. At the time of this writing, we should note that Microsoft Outlook does not currently support attachments via the sharing service. As a workaround, exports can be made to your Desktop, then you can manually create a mail message and add attachments.
- Markdown Export
During a markdown export, if the user requests exporting images and assets, then Curio will verify it has full access to that destination location. For example, if exporting to
~/Desktop/Exportsthen Curio would need full access to that folder so it can create not just the
Notes.markdownfile but also the
Notes Assetsfolder sitting alongside. This is a bit weird in a sandboxed world.
So, if full access was not possible then Curio will request authorization from the user. This permission is only authorized for this launch session although the user can ask Curio to remember this folder for future exports to the same folder.
All remembered folders are stored as secure bookmarks in an
Authorized Folders.plistfile in the sandbox's application support folder. It's important to note that due to the way secure bookmarks work, folder access technically includes access to subfolders as well.
- Create Archive
Create Archive will ask for the destination location for the archive (via an Open dialog) instead of asking for an archive file name (via a Save dialog). It then places the resulting archive at that location with the same name as the original project. If a file already exists at that location Curio will automatically append 2, 3, etc. This change was required because the resulting archive could dynamically have either a
curio.zipextension, based on whether zipping was requested, which necessitated broader access to that destination that the Save panel allowed. We could revert this change but it would require the Authorized Folders technique mentioned above.