nanopb / nanopb

Protocol Buffers with small code size
https://jpa.kapsi.fi/nanopb/
zlib License

iOS developer signature #955

Open markt-bigfish opened 1 month ago

markt-bigfish commented 1 month ago

I saw this pull request addresses Apple's Privacy Manifest requirement. However, there is a requirement discussed here, Upcoming third-party SDK requirements (nanopb is on "the list"), about developer signatures: "Signatures are also required in these cases where the listed SDKs are used as binary dependencies". We don't use nanopb directly, but I have noticed that Firebase Analytics does use it as a dependency. Just curious if this is being addressed or what action we all may have to take.

PetteriAimonen commented 1 month ago

@ncooke3 @paulb777 Any thoughts?

Also, if anyone can "explain like I'm 5 years old" to me what all this is about, i.e. what is Apple's goal with this and why does it affect nanopb in the first place, I would appreciate it.

ncooke3 commented 1 month ago

> We don't use nanopb directly, but I have noticed that Firebase Analytics does use it as a dependency. Just curious if this is being addressed or what action we all may have to take.

This repo's Package.swift distro distributes nanopb from source for Apple platforms. Firebase manages a source distro of nanopb for CocoaPods and a binary distribution of nanopb for the Zip option. @markt-bigfish, Firebase will be signing the binary distributions to meet the requirements (follow https://github.com/firebase/firebase-ios-sdk/issues/12238).


> Also, if anyone can "explain like I'm 5 years old" to me what all this is about, i.e. what is Apple's goal with this...

In June 2023, Apple introduced privacy manifests to standardize privacy practices for the Apple Developer ecosystem in an enforceable, extendable format.

Privacy manifests are property list files that record (a) the type of data collected by a given app or SDK, (b) the required reasons APIs the given app or SDK uses, and (c) two other fields related to tracking.

> ...why does it affect nanopb in the first place...

In December 2023, Apple published a list of "commonly used SDKs in apps on the App Store" that require a privacy manifest. Nanopb is on the list.


This bug can be closed because this repo does not release a binary distro of nanopb for Apple platforms.
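The manifest layout described in the comment above can be checked mechanically. This is an added example, not code from this thread or from the nanopb or Firebase projects: the four top-level key names are the ones Apple documents for privacy manifests, while `audit_manifest` and the sample manifest (for a hypothetical SDK, not nanopb's own file) are constructed here.

```python
import plistlib

# Constructed sample for a hypothetical SDK; this is NOT nanopb's manifest.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSPrivacyTracking</key><false/>
  <key>NSPrivacyTrackingDomains</key><array/>
  <key>NSPrivacyCollectedDataTypes</key><array/>
  <key>NSPrivacyAccessedAPITypes</key><array>
    <dict>
      <key>NSPrivacyAccessedAPIType</key>
      <string>NSPrivacyAccessedAPICategoryUserDefaults</string>
      <key>NSPrivacyAccessedAPITypeReasons</key>
      <array><string>CA92.1</string></array>
    </dict>
  </array>
</dict></plist>"""

# Top-level keys: collected data types, required reasons APIs,
# and the two tracking-related fields.
EXPECTED_TYPES = {
    "NSPrivacyTracking": bool,
    "NSPrivacyTrackingDomains": list,
    "NSPrivacyCollectedDataTypes": list,
    "NSPrivacyAccessedAPITypes": list,
}

def audit_manifest(data: bytes) -> list:
    """Return structural findings; an empty list means nothing was flagged."""
    try:
        manifest = plistlib.loads(data)
    except Exception as exc:  # malformed XML or unrecognised plist format
        return [f"not a valid property list: {exc!r}"]
    if not isinstance(manifest, dict):
        return ["top-level object is not a dictionary"]
    findings = []
    for key, kind in EXPECTED_TYPES.items():
        if key in manifest and not isinstance(manifest[key], kind):
            got = type(manifest[key]).__name__
            findings.append(f"{key}: expected {kind.__name__}, got {got}")
    apis = manifest.get("NSPrivacyAccessedAPITypes")
    for i, entry in enumerate(apis if isinstance(apis, list) else []):
        where = f"NSPrivacyAccessedAPITypes[{i}]"
        if not isinstance(entry, dict):
            findings.append(f"{where}: entry is not a dictionary")
            continue
        # Each declared API category needs at least one reason code.
        for field in ("NSPrivacyAccessedAPIType", "NSPrivacyAccessedAPITypeReasons"):
            if not entry.get(field):
                findings.append(f"{where}: missing or empty {field}")
    return findings
```

Run it against the `PrivacyInfo.xcprivacy` file shipped inside a dependency by passing the file's bytes to `audit_manifest`.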

markt-bigfish commented 1 month ago

Thank you for the clarification @ncooke3. Overall, this Privacy Manifest stuff has been a bit confusing for most. Apple's messaging, and documentation to an extent, has been subpar in my opinion.