Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XCFrameworks are not codesigned #863

Open
ori-hime opened this issue Mar 7, 2024 · 6 comments
Open

XCFrameworks are not codesigned #863

ori-hime opened this issue Mar 7, 2024 · 6 comments

Comments

@ori-hime
Copy link

ori-hime commented Mar 7, 2024

Third-party SDK XCFrameworks now need to be codesigned, not just the framework binaries within them.
This will be enforced by Xcode at some point in Spring 2024.
https://developer.apple.com/news/?id=r1henawx
https://developer.apple.com/news/?id=3d8a9yyh

I am using FMDB (v2.7.8) using Carthage.

I checked whether the SDK was signed using the command and Xcode15's Signature field to check the signature below, but
SDK signature could not be verified.

I used the following command:
❯ codesign -dvvv --display --deep [library path omitted]FMDB.xcframework
[Library path omitted]FMDB.xcframework: code object is not signed at all

When will the SDK signature be released?
@ccgus
Copy link
Owner

ccgus commented Mar 7, 2024

I think you should just sign this yourself?

@ori-hime
Copy link
Author

Apple has mandated that FMDB, all need to include privacy manifest and signature.
They're specifically called out in Upcoming third-party SDK requirements.
https://developer.apple.com/support/third-party-SDK-requirements/

https://developer.apple.com/videos/play/wwdc2023/10060
Judging from the announcement,, it seems that SDK signing should be done by the SDK developer.
Quotes from the video>SDK developers: Adopt signatures and manifests. These are super helpful to your customers.

For the reasons listed above, we would like you to sign the SDK.

@ori-hime
Copy link
Author

@ccgus
We would like you to sign the SDK?

@wackey39
Copy link

wackey39 commented Apr 13, 2024
edited

@ccgus
There is a demand for me as well. Can you release a stable version of FMDB .xcframework signed by the FMDB developers?

Thanks

@zhaojb9
Copy link

zhaojb9 commented May 21, 2024

@ ori-hime
After my analysis, Apple's purpose is to prevent the SDK from being accidentally tampered with when updating the SDK. Therefore, if the SDK is signed by itself, it means that it must ensure the security of the source of the SDK. After my testing, when the SDK signature changes, xcoode will interrupt compilation and issue a warning. I think I should have no problem signing open source SDKs. We are reviewing the test and I will share any progress.

@zhaojb9
Copy link

zhaojb9 commented May 22, 2024
edited

After my continued investigation, I will share the following information with you
Whether a signature is required varies depending on how the SDK is introduced.

  • If the SDK is imported from source code, no signature is required, because you have to bear the responsibility of trusting the source code yourself (such as pod introduction)
  • If you download the Xcode project file of this SDK and compile it yourself, and then introduce it through xcframework (officially said binary), this xcframework needs to be signed. The signatures mentioned here can be signed by yourself. Because the open source is the source code, and the signature should be done by the person who generated xcframework. If you don't want to sign, you can introduce it through pod (source code).

I hope to be helpful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@ccgus @zhaojb9 @ori-hime @wackey39