A popup should now be available in GUI v0.17.1.x that automatically downloads and verifies the new release as well as store it in your desired folder / directory. Note that you still have to do the extraction ('install') yourself. As a reminder, the auto-updater contains the following security features:
We added the following security features:
- 3 out of 4 DNS server must indicate a new update is available.
- The hash of the downloaded binary must be the same as here: > https://web.getmonero.org/downloads/hashes.txt
- hashes.txt must be signed by a maintainer.
- An extra valid signature by a second maintainer is also required.
- The GPG keys of the maintainers are hardcoded and can’t be changed by an attacker.
Only if all those points are successful the GUI will download the new update.
This means in the future once a user has downloaded the GUI safely they can always update in app and don’t have to worry about hashes and GPG signatures.
Note that the points above only apply the the update tool inside the GUI and those who manually download still have to verify hashes and signatures.