
Support XCFramework Signatures #2420

Open
andre-alves opened this issue Mar 4, 2024 · 5 comments

Comments

@andre-alves (Contributor)

andre-alves commented Mar 4, 2024

Starting on May 1st, Apple will require that the frameworks on this list are signed (if they are distributed as binary).

I didn't find any documentation showing how this validation will be done by Apple, but I did a demo with Xcode + Lottie 4.4.1 (which is already being distributed with signature and privacy manifest).

There is a new directory Signatures inside the .ipa that Xcode 15 creates:

[screenshot: the Signatures directory inside the .ipa built by Xcode 15]

Seems likely that Apple will use this Signatures directory to validate frameworks in AppStoreConnect. If that's true, Bazel will need to support this directory to avoid blocking the upload of apps.

I still haven't found how to generate this .signature file. I just know that it is a plist containing certificate data.

My demo is available here: https://github.com/andre-alves/privacy_demo

@andre-alves (Contributor, Author)

andre-alves commented Mar 13, 2024

It's still unknown if Apple is going to use these .signature files for validation. I tried asking them but got no answer.

However, I did some research and figured out how to create .signature files. Let me share what I have learned so far.

First, there is no public command line for generating these files directly. Xcode uses the private builtin-process-xcframework to do the work:

ProcessXCFramework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/SourcePackages/artifacts/lottie-spm/Lottie/Lottie.xcframework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/Build/Intermediates.noindex/ArchiveIntermediates/PrivacyDemo/BuildProductsPath/Release-iphoneos/Lottie.framework ios
    cd /Users/andre.alves/Documents/Works/privacy_demo/xcode/PrivacyDemo/PrivacyDemo.xcodeproj
    builtin-process-xcframework --xcframework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/SourcePackages/artifacts/lottie-spm/Lottie/Lottie.xcframework --platform ios --target-path /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/Build/Intermediates.noindex/ArchiveIntermediates/PrivacyDemo/BuildProductsPath/Release-iphoneos

Not surprisingly, I couldn't find public documentation on this file spec either. The best documentation is the WWDC23 session: https://developer.apple.com/videos/play/wwdc2023/10061/ explaining the 3 identity types:

[screenshot from the WWDC23 session: the three identity types]
  • AppleDeveloperProgram
  • SelfSigned
  • Unsigned

Here is an example: Lottie.xcframework-ios.signature (which is SelfSigned) as generated by Xcode 15.3

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>bundleIndentifier</key>
	<string>Lottie</string>
	<key>cdhashes</key>
	<array>
		<data>
		w0cmYl37knoMwCZkMkAulbpwtFU=
		</data>
		<data>
		Nv8UWkw/O8QOWGHI/HcGq7akcSs=
		</data>
	</array>
	<key>certificates</key>
	<array>
		<data>
		MIIDxjCCAq6gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDETMBEGA1UEAwwK
		TG90dGllIGlPUzEPMA0GA1UECgwGQWlyYm5iMQswCQYDVQQIDAJDQTELMAkG
		A1UEBhMCVVMxFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xJjAkBgkqhkiG9w0B
		CQEWF2NhbC5zdGVwaGVuc0BhaXJibmIuY29tMB4XDTIzMTIxNDIzMDczMVoX
		DTM5MDIyODIzMDczMVowgYAxEzARBgNVBAMMCkxvdHRpZSBpT1MxDzANBgNV
		BAoMBkFpcmJuYjELMAkGA1UECAwCQ0ExCzAJBgNVBAYTAlVTMRYwFAYDVQQH
		DA1TYW4gRnJhbmNpc2NvMSYwJAYJKoZIhvcNAQkBFhdjYWwuc3RlcGhlbnNA
		YWlyYm5iLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALUT
		MrsPnFiax7fVj+0VgfugRcTfalt27eVq1Fa8IIaFjBbS30QLDZejeRBg7i5c
		dVM5//blKSXWEGdUECyBFpD3QYoIVWBcI8uBd4aJh7CL0Cz9FAiJkLSr5zrR
		cb9sHAyssvy7pyxaTJX3C9DmC13cVhefe9qDkDLPUpuBLKiJflDsgq3wzRSt
		BMGe5B+21pnRs899WzJaONirMw5Y4XDqVRAgK18HHTQjvRF0p54qb0D7miWz
		a1TIDMSVuEiiycXJGARRxBf3+5EdirQc7dW8vugtinH00spTKwexhoRgDpxW
		WwLvfsgQE7Z/5TuTTi8EZ6dV/VjzGXN+xVxPdd0CAwEAAaNJMEcwDgYDVR0P
		AQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBSc
		fyDfLp3ND/UU4RgWasRGnqDh0TANBgkqhkiG9w0BAQsFAAOCAQEAlihUB+a3
		yfP/1/cidRxD0oSyz7ChjVeBoDH1GBi7hzeFRc0ojzo7vL++uW0sQE2YU3iY
		vSpxjdhM1fHuaKyxXQsdX3h7kAooneBVoRu9fMP2S1Ek/igu4r0ZDqheQXac
		dEUc8nZMlcG1qo6eOd7ojn/En7wqEmGX71wX71aVFyrlC7quHeqxaOQD1yKk
		QarPi15T7zxHRYUP/1NfJuLPAdJMIDtFeweU758v1KNhuni3e+EV4d/ORhrh
		RQ53qTLr3TMGyj71cNlgmuAIWzp7QEfnsuLs/jcQ63OBWw1aaGnMJgWrtMdG
		oBOIi9XTWFCGpuuIubyFmYx239eY8APHlQ==
		</data>
	</array>
	<key>isSecureTimestamp</key>
	<false/>
	<key>metadata</key>
	<dict>
		<key>library</key>
		<string>Lottie.framework</string>
		<key>platform</key>
		<string>ios</string>
	</dict>
	<key>signatureIdentifier</key>
	<string>892F1B43047B50538F2F46EAD92900DD3D4811F3582178C061A5FB20F111CB26</string>
	<key>signatureType</key>
	<string>SelfSigned</string>
	<key>signed</key>
	<true/>
	<key>source</key>
	<string>embedded</string>
</dict>
</plist>

After playing around with codesign, I was able to successfully generate .signature files with the following script:

https://gist.github.com/andre-alves/af8795e77b9d7cc533ddfd381022fa54

Pass the .xcframework as input, and it outputs the .signature. Supports all 3 identity types.

I tried to make it easy to integrate with rules_apple by using python and only importing the standard library (very similar to rules_apple's tools/ directory). I don't have plans to make this integration for now, since it's not trivial and we don't know if it is required.
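As an added example (not code from the issue, the linked gist, or rules_apple), here is a consumer-side sanity check of a .signature plist that uses only the standard library, in the spirit of the tooling described above. My assumptions: an Unsigned entry carries no certificates or cdhashes, cdhashes are 20- or 32-byte code directory digests, and pinning the SHA-256 fingerprint of the leaf certificate is a reasonable check for an app that consumes a signed XCFramework; all sample data is constructed.

```python
import hashlib
import plistlib

SIGNATURE_TYPES = {"AppleDeveloperProgram", "SelfSigned", "Unsigned"}

# Constructed samples in the layout Xcode 15.3 emits. The certificate bytes are
# placeholder data, not a real DER certificate; the cdhash is a made-up 20-byte digest.
FAKE_CERT_DER = b"constructed-cert-der-bytes-not-a-real-x509"
FAKE_CERT_SHA256 = hashlib.sha256(FAKE_CERT_DER).hexdigest()
SAMPLE_SELF_SIGNED = plistlib.dumps({
    "bundleIndentifier": "Lottie",  # sic: the key is spelled this way in Xcode output
    "cdhashes": [bytes(range(20))],
    "certificates": [FAKE_CERT_DER],
    "metadata": {"library": "Lottie.framework", "platform": "ios"},
    "signatureIdentifier": "CONSTRUCTED-IDENTIFIER",
    "signatureType": "SelfSigned",
    "signed": True,
})
SAMPLE_UNSIGNED = plistlib.dumps({
    "bundleIndentifier": "Other", "cdhashes": [], "certificates": [],
    "metadata": {"library": "Other.framework", "platform": "ios"},
    "signatureType": "Unsigned", "signed": False,
})

def inspect_signature(data: bytes) -> dict:
    """Parse a .signature plist; raise ValueError if fields contradict signatureType."""
    plist = plistlib.loads(data)
    sig_type = plist.get("signatureType")
    if sig_type not in SIGNATURE_TYPES:
        raise ValueError(f"unknown signatureType: {sig_type!r}")
    certs, cdhashes = plist.get("certificates", []), plist.get("cdhashes", [])
    if sig_type == "Unsigned" and (plist.get("signed") or certs or cdhashes):
        raise ValueError("Unsigned entry carries signing data")
    if sig_type != "Unsigned" and not (plist.get("signed") and certs and cdhashes):
        raise ValueError(f"{sig_type} entry lacks certificates or cdhashes")
    for h in cdhashes:
        if len(h) not in (20, 32):  # SHA-1 or SHA-256 code directory hash
            raise ValueError(f"cdhash has unexpected length {len(h)}")
    return {
        "type": sig_type,
        "library": plist.get("metadata", {}).get("library"),
        "identifier": plist.get("signatureIdentifier"),
        "cert_sha256": [hashlib.sha256(c).hexdigest() for c in certs],
        "cdhashes": [h.hex() for h in cdhashes],
    }

def is_pinned(data: bytes, pinned_cert_sha256: set) -> bool:
    """True when the leaf (first) certificate matches a fingerprint the consumer trusts."""
    info = inspect_signature(data)
    return bool(info["cert_sha256"]) and info["cert_sha256"][0] in pinned_cert_sha256
```

Run it against a real Lottie.xcframework-ios.signature by reading the file's bytes into inspect_signature; the fingerprint list is what you would compare against the one you recorded when you first vetted the dependency.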

@acecilia

acecilia commented Mar 26, 2024

Also, seems to me a per-framework-signature only applies to dynamic frameworks.

The binary of a static framework ends up as part of the main app binary, so there won't be a standalone binary/framework to be used for signature validation: I cannot think of a way to implement signature validation when linking statically. And the most common linkage in Bazel is static 😄

@andre-alves (Contributor, Author)

Xcode 15.3 generates .signature files for XCFrameworks with static linking too... but yeah, not sure how Apple will use it.

@luispadron (Contributor)

Anyone able to add the signature tool to the existing xcramework rules? Happy to review / help with PRs that do that.

@andre-alves (Contributor, Author)

upstream will add support for XCFramework Signatures 106a743 👀
