RxSwift icon indicating copy to clipboard operation
RxSwift copied to clipboard
verified publisher icon ReactiveX

Incorrect signitures on published releases

Open oryonatan opened this issue 7 months ago • 0 comments

Seems like the published xcframeworks contain incorrect signatures in version 6.9.0, 6.8.0 and 6.7.1.

This is:

  1. Deeply troubling from security perspective, did anyone meddle with the published binaries?
  2. Annoying for integrating in Xcode, as you need to manually re-sign the binaries.

you can quickly verify this by running

for file in (ls)                                                                                                                                                                                                                    
  codesign --verify --deep $file 
end

which will give you this troubling output:

RxBlocking.xcframework: a sealed resource is missing or invalid
RxCocoa.xcframework: a sealed resource is missing or invalid
RxRelay.xcframework: a sealed resource is missing or invalid
RxSwift.xcframework: invalid Info.plist (plist or signature have been modified)
RxTest.xcframework: a sealed resource is missing or invalid

oryonatan avatar Jun 12 '25 07:06 oryonatan