OTA updates
Loach has a built-in updater so you do not have to keep an eye on the releases page. New features, performance work and security patches arrive directly from the app for the install formats that support it.
By install format
- Windows (NSIS) — the updater downloads the new package and a click on Install update runs a passive install in place. No re-download from a browser needed.
- Linux AppImage — same flow. The updater replaces the AppImage on disk.
- Linux .deb / .rpm — updates are managed by your system package manager. The Updates panel detects that you are on one of these and points to the GitHub releases page instead of pretending in-app updates work.
- macOS (.app) — the updater downloads a
.app.tar.gzbundle and replaces the application in place. Apple Silicon only.
What’s new
Every release ships with a markdown notes file that populates both the GitHub release body and the in-app Updates panel when an upgrade is available. Skim it before clicking install if you want to know what is changing.
Signing
Update bundles are cryptographically signed. The updater verifies the signature against a key bundled with the app before replacing any binary on disk, so a man-in-the-middle on the download channel cannot swap in a tampered build.
This Ed25519 signature check is what guards in-app updates on every platform. It is separate from Apple notarization, which only gates the first launch of a freshly downloaded app on macOS. The Loach build is not Apple-notarized, so you will see a Gatekeeper warning once on first install (see Installation → macOS); subsequent in-app updates do not re-prompt.