(I don’t know how Sparkle operates; if it only does the extraction after signature validation I guess an attack would be pretty hard to pull off even if you have a zero day in the archive decompressor.)