Open andre-alves opened 8 months ago
It's still unknown if Apple is going to use these `.signature` files for validation. I tried asking them but got no answer.
However, I did some research and figured out how to create `.signature` files. Let me share what I have learned so far.
First, there is no public command line for generating these files directly. Xcode uses the private `builtin-process-xcframework` to do the work:

```
ProcessXCFramework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/SourcePackages/artifacts/lottie-spm/Lottie/Lottie.xcframework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/Build/Intermediates.noindex/ArchiveIntermediates/PrivacyDemo/BuildProductsPath/Release-iphoneos/Lottie.framework ios
    cd /Users/andre.alves/Documents/Works/privacy_demo/xcode/PrivacyDemo/PrivacyDemo.xcodeproj
    builtin-process-xcframework --xcframework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/SourcePackages/artifacts/lottie-spm/Lottie/Lottie.xcframework --platform ios --target-path /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/Build/Intermediates.noindex/ArchiveIntermediates/PrivacyDemo/BuildProductsPath/Release-iphoneos
```
Not surprisingly, I couldn't find public documentation on this file spec either. The best documentation is the WWDC23 session: https://developer.apple.com/videos/play/wwdc2023/10061/ explaining the 3 identity types.

Here is an example: `Lottie.xcframework-ios.signature` (which is SelfSigned) as generated by Xcode 15.3:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>bundleIndentifier</key>
<string>Lottie</string>
<key>cdhashes</key>
<array>
<data>
w0cmYl37knoMwCZkMkAulbpwtFU=
</data>
<data>
Nv8UWkw/O8QOWGHI/HcGq7akcSs=
</data>
</array>
<key>certificates</key>
<array>
<data>
MIIDxjCCAq6gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDETMBEGA1UEAwwK
TG90dGllIGlPUzEPMA0GA1UECgwGQWlyYm5iMQswCQYDVQQIDAJDQTELMAkG
A1UEBhMCVVMxFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xJjAkBgkqhkiG9w0B
CQEWF2NhbC5zdGVwaGVuc0BhaXJibmIuY29tMB4XDTIzMTIxNDIzMDczMVoX
DTM5MDIyODIzMDczMVowgYAxEzARBgNVBAMMCkxvdHRpZSBpT1MxDzANBgNV
BAoMBkFpcmJuYjELMAkGA1UECAwCQ0ExCzAJBgNVBAYTAlVTMRYwFAYDVQQH
DA1TYW4gRnJhbmNpc2NvMSYwJAYJKoZIhvcNAQkBFhdjYWwuc3RlcGhlbnNA
YWlyYm5iLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALUT
MrsPnFiax7fVj+0VgfugRcTfalt27eVq1Fa8IIaFjBbS30QLDZejeRBg7i5c
dVM5//blKSXWEGdUECyBFpD3QYoIVWBcI8uBd4aJh7CL0Cz9FAiJkLSr5zrR
cb9sHAyssvy7pyxaTJX3C9DmC13cVhefe9qDkDLPUpuBLKiJflDsgq3wzRSt
BMGe5B+21pnRs899WzJaONirMw5Y4XDqVRAgK18HHTQjvRF0p54qb0D7miWz
a1TIDMSVuEiiycXJGARRxBf3+5EdirQc7dW8vugtinH00spTKwexhoRgDpxW
WwLvfsgQE7Z/5TuTTi8EZ6dV/VjzGXN+xVxPdd0CAwEAAaNJMEcwDgYDVR0P
AQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBSc
fyDfLp3ND/UU4RgWasRGnqDh0TANBgkqhkiG9w0BAQsFAAOCAQEAlihUB+a3
yfP/1/cidRxD0oSyz7ChjVeBoDH1GBi7hzeFRc0ojzo7vL++uW0sQE2YU3iY
vSpxjdhM1fHuaKyxXQsdX3h7kAooneBVoRu9fMP2S1Ek/igu4r0ZDqheQXac
dEUc8nZMlcG1qo6eOd7ojn/En7wqEmGX71wX71aVFyrlC7quHeqxaOQD1yKk
QarPi15T7zxHRYUP/1NfJuLPAdJMIDtFeweU758v1KNhuni3e+EV4d/ORhrh
RQ53qTLr3TMGyj71cNlgmuAIWzp7QEfnsuLs/jcQ63OBWw1aaGnMJgWrtMdG
oBOIi9XTWFCGpuuIubyFmYx239eY8APHlQ==
</data>
</array>
<key>isSecureTimestamp</key>
<false/>
<key>metadata</key>
<dict>
<key>library</key>
<string>Lottie.framework</string>
<key>platform</key>
<string>ios</string>
</dict>
<key>signatureIdentifier</key>
<string>892F1B43047B50538F2F46EAD92900DD3D4811F3582178C061A5FB20F111CB26</string>
<key>signatureType</key>
<string>SelfSigned</string>
<key>signed</key>
<true/>
<key>source</key>
<string>embedded</string>
</dict>
</plist>
```
After playing around with `codesign`, I was able to successfully generate `.signature` files with the following script: https://gist.github.com/andre-alves/af8795e77b9d7cc533ddfd381022fa54

Pass the `.xcframework` as input, and it outputs the `.signature`. Supports all 3 identity types.

I tried to make it easy to integrate with rules_apple by using Python and only importing the standard library (very similar to rules_apple's `tools/` directory). I don't have plans to make this integration for now, since it's not trivial and we don't know if it is required.
Also, it seems to me that a per-framework signature only applies to dynamic frameworks.
The binary of a static framework ends up as part of the main app binary, so there won't be a standalone binary/framework to be used for signature validation: I cannot think of a way to implement signature validation when linking statically. And the most common linkage in Bazel is static 😄
Xcode 15.3 generates `.signature` files for XCFrameworks with static linking too... but yeah, not sure how Apple will use it.
Anyone able to add the signature tool to the existing xcframework rules? Happy to review / help with PRs that do that.
Upstream will add support for XCFramework signatures: https://github.com/bazelbuild/rules_apple/commit/106a743f53783e358430640ff60cb6a653c481af 👀
Starting on May 1st, Apple will require that the frameworks on this list are signed (if they are distributed as binary).

I didn't find any documentation showing how this validation will be done by Apple, but I did a demo with Xcode + Lottie 4.4.1 (which is already being distributed with a signature and privacy manifest).

There is a new directory `Signatures` inside the `.ipa` that Xcode 15 creates:

Seems likely that Apple will use this `Signatures` directory to validate frameworks in App Store Connect. If that's true, Bazel will need to support this directory to avoid blocking the upload of apps.

I still haven't found how to generate this `.signature` file. I just know that it is a plist containing certificate data.

My demo is available here: https://github.com/andre-alves/privacy_demo
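As an added example for the two passages above that describe the `.signature` plist (the Lottie file posted in the research comment, and the original issue's note that it is "a plist containing certificate data"), here is a stdlib-only Python sketch that builds such a plist with the same keys and value types as the posted file and reads one back. This is not the linked gist and not rules_apple code. It assumes the CDHash values are taken from `codesign -d -vvv` output (a constructed sample is embedded), substitutes a placeholder DER blob for a real certificate, and passes `signatureIdentifier` through as an opaque string because nothing in this thread documents how Xcode derives it.

```python
"""Build and inspect an XCFramework .signature plist using only the stdlib.

Added example; not the gist linked in the thread and not rules_apple code.
Key names and value types are copied from the Lottie.xcframework-ios.signature
file posted above (including Xcode's "bundleIndentifier" spelling). How Xcode
derives signatureIdentifier is not documented there, so it is opaque here.
"""
import plistlib
import re

# `codesign -d -vvv <binary>` prints one "CDHash=<40 hex>" line per slice.
CDHASH_RE = re.compile(r"^CDHash=([0-9a-fA-F]{40})$", re.MULTILINE)


def parse_cdhashes(codesign_output: str) -> list[bytes]:
    """Extract every CDHash value (20 bytes each) from codesign -d -vvv output."""
    hashes = [bytes.fromhex(h) for h in CDHASH_RE.findall(codesign_output)]
    if not hashes:
        raise ValueError("no CDHash= lines found; is the binary code-signed?")
    return hashes


def build_signature(bundle_id: str, library: str, platform: str,
                    cdhashes: list[bytes], certificates_der: list[bytes],
                    signature_identifier: str, signature_type: str = "SelfSigned",
                    secure_timestamp: bool = False) -> bytes:
    """Serialize a .signature plist (XML, keys sorted like Xcode's output)."""
    for h in cdhashes:
        if len(h) != 20:  # the posted file's entries decode to 20 bytes each
            raise ValueError(f"cdhash must be 20 bytes, got {len(h)}")
    doc = {
        "bundleIndentifier": bundle_id,  # sic: spelling as emitted by Xcode 15.3
        "cdhashes": list(cdhashes),          # bytes -> <data> (base64) in XML
        "certificates": list(certificates_der),
        "isSecureTimestamp": secure_timestamp,
        "metadata": {"library": library, "platform": platform},
        "signatureIdentifier": signature_identifier,
        "signatureType": signature_type,
        "signed": True,
        "source": "embedded",
    }
    return plistlib.dumps(doc, fmt=plistlib.FMT_XML, sort_keys=True)


def describe_signature(data: bytes) -> dict:
    """Load a .signature plist and return the fields a reviewer would check."""
    doc = plistlib.loads(data)
    return {
        "bundle_id": doc["bundleIndentifier"],
        "library": doc["metadata"]["library"],
        "platform": doc["metadata"]["platform"],
        "signature_type": doc["signatureType"],
        "signed": doc["signed"],
        "cdhashes": [h.hex() for h in doc["cdhashes"]],
        "certificate_count": len(doc["certificates"]),
        "identifier": doc["signatureIdentifier"],
    }


# Constructed sample of `codesign -d -vvv` output for a two-slice binary.
# The hash values are made up and are not Lottie's.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/tmp/Lottie.framework/Lottie
Identifier=Lottie
Format=Mach-O universal (arm64 arm64e)
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Hash type=sha256 size=32
CDHash=0123456789abcdef0123456789abcdef01234567
Signature size=4900
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Hash type=sha256 size=32
CDHash=89abcdef0123456789abcdef0123456789abcdef
Signature size=4900
"""

# Placeholder DER blob (SEQUENCE { INTEGER 0 }); NOT a real certificate. Pass the
# signing certificate's DER bytes instead, e.g. from `openssl x509 -outform DER`.
PLACEHOLDER_CERT_DER = bytes.fromhex("3003020100")


def example() -> dict:
    """Round-trip: build a SelfSigned .signature from the sample and read it back."""
    hashes = parse_cdhashes(SAMPLE_CODESIGN_OUTPUT)
    data = build_signature(
        bundle_id="Lottie", library="Lottie.framework", platform="ios",
        cdhashes=hashes, certificates_der=[PLACEHOLDER_CERT_DER],
        signature_identifier="00" * 32,  # constructed; real files carry 64 hex digits
    )
    return describe_signature(data)


if __name__ == "__main__":
    import json
    print(json.dumps(example(), indent=2))
```

`plistlib.dumps(..., sort_keys=True)` reproduces the alphabetical key order seen in the Xcode-generated file, and `bytes` values become `<data>` elements, so the output diffs cleanly against a real `.signature`. Whether App Store Connect checks anything beyond the presence of the file is still the open question of this issue; the sketch only reproduces the observed structure.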