
Support XCFramework Signatures

Open andre-alves opened this issue 11 months ago • 5 comments

Starting on May 1st, Apple will require that the frameworks on this list are signed (if they are distributed as binary).

I didn't find any documentation showing how this validation will be done by Apple, but I did a demo with Xcode + Lottie 4.4.1 (which is already being distributed with signature and privacy manifest).

There is a new directory Signatures inside the .ipa that Xcode 15 creates:


Seems likely that Apple will use this Signatures directory to validate frameworks in App Store Connect. If that's true, Bazel will need to support this directory to avoid blocking the upload of apps.

I still haven't found how to generate this .signature file. I just know that it is a plist containing certificate data.

My demo is available here: https://github.com/andre-alves/privacy_demo

andre-alves avatar Mar 04 '24 15:03 andre-alves

It's still unknown if Apple is going to use these .signature files for validation. I tried asking them but got no answer.

However, I did some research and figured out how to create .signature files. Let me share what I have learned so far.

First, there is no public command line for generating these files directly. Xcode uses the private builtin-process-xcframework to do the work:

ProcessXCFramework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/SourcePackages/artifacts/lottie-spm/Lottie/Lottie.xcframework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/Build/Intermediates.noindex/ArchiveIntermediates/PrivacyDemo/BuildProductsPath/Release-iphoneos/Lottie.framework ios
    cd /Users/andre.alves/Documents/Works/privacy_demo/xcode/PrivacyDemo/PrivacyDemo.xcodeproj
    builtin-process-xcframework --xcframework /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/SourcePackages/artifacts/lottie-spm/Lottie/Lottie.xcframework --platform ios --target-path /Users/andre.alves/Library/Developer/Xcode/DerivedData/PrivacyDemo-asbbylacalqzukgbxiibeztzjvug/Build/Intermediates.noindex/ArchiveIntermediates/PrivacyDemo/BuildProductsPath/Release-iphoneos

Not surprisingly, I couldn't find public documentation on this file spec either. The best documentation is the WWDC23 session: https://developer.apple.com/videos/play/wwdc2023/10061/ explaining the 3 identity types:

  • AppleDeveloperProgram
  • SelfSigned
  • Unsigned

Here is an example: Lottie.xcframework-ios.signature (which is SelfSigned) as generated by Xcode 15.3

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>bundleIndentifier</key>
	<string>Lottie</string>
	<key>cdhashes</key>
	<array>
		<data>
		w0cmYl37knoMwCZkMkAulbpwtFU=
		</data>
		<data>
		Nv8UWkw/O8QOWGHI/HcGq7akcSs=
		</data>
	</array>
	<key>certificates</key>
	<array>
		<data>
		MIIDxjCCAq6gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgDETMBEGA1UEAwwK
		TG90dGllIGlPUzEPMA0GA1UECgwGQWlyYm5iMQswCQYDVQQIDAJDQTELMAkG
		A1UEBhMCVVMxFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xJjAkBgkqhkiG9w0B
		CQEWF2NhbC5zdGVwaGVuc0BhaXJibmIuY29tMB4XDTIzMTIxNDIzMDczMVoX
		DTM5MDIyODIzMDczMVowgYAxEzARBgNVBAMMCkxvdHRpZSBpT1MxDzANBgNV
		BAoMBkFpcmJuYjELMAkGA1UECAwCQ0ExCzAJBgNVBAYTAlVTMRYwFAYDVQQH
		DA1TYW4gRnJhbmNpc2NvMSYwJAYJKoZIhvcNAQkBFhdjYWwuc3RlcGhlbnNA
		YWlyYm5iLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALUT
		MrsPnFiax7fVj+0VgfugRcTfalt27eVq1Fa8IIaFjBbS30QLDZejeRBg7i5c
		dVM5//blKSXWEGdUECyBFpD3QYoIVWBcI8uBd4aJh7CL0Cz9FAiJkLSr5zrR
		cb9sHAyssvy7pyxaTJX3C9DmC13cVhefe9qDkDLPUpuBLKiJflDsgq3wzRSt
		BMGe5B+21pnRs899WzJaONirMw5Y4XDqVRAgK18HHTQjvRF0p54qb0D7miWz
		a1TIDMSVuEiiycXJGARRxBf3+5EdirQc7dW8vugtinH00spTKwexhoRgDpxW
		WwLvfsgQE7Z/5TuTTi8EZ6dV/VjzGXN+xVxPdd0CAwEAAaNJMEcwDgYDVR0P
		AQH/BAQDAgeAMBYGA1UdJQEB/wQMMAoGCCsGAQUFBwMDMB0GA1UdDgQWBBSc
		fyDfLp3ND/UU4RgWasRGnqDh0TANBgkqhkiG9w0BAQsFAAOCAQEAlihUB+a3
		yfP/1/cidRxD0oSyz7ChjVeBoDH1GBi7hzeFRc0ojzo7vL++uW0sQE2YU3iY
		vSpxjdhM1fHuaKyxXQsdX3h7kAooneBVoRu9fMP2S1Ek/igu4r0ZDqheQXac
		dEUc8nZMlcG1qo6eOd7ojn/En7wqEmGX71wX71aVFyrlC7quHeqxaOQD1yKk
		QarPi15T7zxHRYUP/1NfJuLPAdJMIDtFeweU758v1KNhuni3e+EV4d/ORhrh
		RQ53qTLr3TMGyj71cNlgmuAIWzp7QEfnsuLs/jcQ63OBWw1aaGnMJgWrtMdG
		oBOIi9XTWFCGpuuIubyFmYx239eY8APHlQ==
		</data>
	</array>
	<key>isSecureTimestamp</key>
	<false/>
	<key>metadata</key>
	<dict>
		<key>library</key>
		<string>Lottie.framework</string>
		<key>platform</key>
		<string>ios</string>
	</dict>
	<key>signatureIdentifier</key>
	<string>892F1B43047B50538F2F46EAD92900DD3D4811F3582178C061A5FB20F111CB26</string>
	<key>signatureType</key>
	<string>SelfSigned</string>
	<key>signed</key>
	<true/>
	<key>source</key>
	<string>embedded</string>
</dict>
</plist>

After playing around with codesign, I was able to successfully generate .signature files with the following script:

https://gist.github.com/andre-alves/af8795e77b9d7cc533ddfd381022fa54

Pass the .xcframework as input, and it outputs the .signature. Supports all 3 identity types.

I tried to make it easy to integrate with rules_apple by using python and only importing the standard library (very similar to rules_apple's tools/ directory). I don't have plans to make this integration for now, since it's not trivial and we don't know if it is required.

andre-alves avatar Mar 13 '24 00:03 andre-alves
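As an added example (not part of this thread, and not andre-alves's gist): a stand-alone Python checker that reads a .signature plist shaped like the one above and cross-checks its cdhashes against the Mach-O of the framework slice. The thread does not say how Xcode derives the cdhashes list, so the script assumes they are the per-CodeDirectory cdhash values codesign reports: each CodeDirectory blob hashed with its own hashType algorithm (SHA-1, or SHA-256 truncated to 20 bytes), for every CodeDirectory of every slice. The binary it checks is constructed inline by build_sample_macho (hypothetical identifier com.example.Sample, a placeholder DER certificate in the sample plist); it is sample data, not a real framework. The parser handles thin 64-bit Mach-O slices and universal (fat) wrappers around them, nothing else.

```python
"""Cross-check the cdhashes of an XCFramework .signature plist against its Mach-O.
Added example, not rules_apple code. Assumes (the thread does not say) that each
`cdhashes` entry is the cdhash codesign reports per CodeDirectory: the CodeDirectory
blob hashed with its own hashType algorithm and truncated to 20 bytes."""
import hashlib
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF                 # 64-bit thin Mach-O, little-endian fields
FAT_MAGIC = 0xCAFEBABE                   # universal (fat) binary, big-endian fields
LC_CODE_SIGNATURE = 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob wrapping the whole signature
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CS_CDHASH_LEN = 20
HASH_ALGS = {1: "sha1", 2: "sha256"}     # CodeDirectory hashType byte -> algorithm
SIGNATURE_TYPES = {"AppleDeveloperProgram", "SelfSigned", "Unsigned"}

def thin_slices(data: bytes) -> list:
    """Mach-O slices of a file: the file itself when thin, one per fat_arch when fat."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [data]
    nfat = struct.unpack_from(">I", data, 4)[0]
    archs = [struct.unpack_from(">5I", data, 8 + 20 * i) for i in range(nfat)]
    return [data[off:off + size] for _cpu, _sub, off, size, _align in archs]

def code_signature_blob(macho: bytes) -> bytes:
    """Payload of the LC_CODE_SIGNATURE load command of one 64-bit Mach-O slice."""
    magic, _c, _s, _t, ncmds, _sz, _f, _r = struct.unpack_from("<8I", macho, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O (magic %#x)" % magic)
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", macho, off)
        if cmd == LC_CODE_SIGNATURE:
            dataoff, datasize = struct.unpack_from("<2I", macho, off + 8)
            return macho[dataoff:dataoff + datasize]
        off += cmdsize
    raise ValueError("no LC_CODE_SIGNATURE load command: slice is unsigned")

def cdhashes_of_blob(superblob: bytes) -> list:
    """cdhash of every CodeDirectory in an embedded-signature SuperBlob."""
    magic, _length, count = struct.unpack_from(">3I", superblob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not an embedded-signature SuperBlob")
    hashes = []
    for i in range(count):
        _slot, offset = struct.unpack_from(">2I", superblob, 12 + 8 * i)
        bmagic, blength = struct.unpack_from(">2I", superblob, offset)
        if bmagic != CSMAGIC_CODEDIRECTORY:
            continue  # requirements, entitlements and the CMS blob are not cdhashed
        cd = superblob[offset:offset + blength]
        hashes.append(hashlib.new(HASH_ALGS[cd[37]], cd).digest()[:CS_CDHASH_LEN])
    return hashes

def binary_cdhashes(data: bytes) -> list:
    """cdhashes of every CodeDirectory in every slice of the file."""
    return [h for s in thin_slices(data) for h in cdhashes_of_blob(code_signature_blob(s))]

def check_signature_plist(plist_bytes: bytes, binary: bytes) -> list:
    """Problems found; an empty list means the plist is consistent with the binary."""
    sig, problems = plistlib.loads(plist_bytes), []
    kind = sig.get("signatureType")
    if kind not in SIGNATURE_TYPES:
        problems.append("unknown signatureType %r" % kind)
    listed = set(sig.get("cdhashes", []))
    try:
        actual = set(binary_cdhashes(binary))
    except ValueError as err:
        actual, problems = set(), problems + [str(err)]
    if sig.get("signed") and listed != actual:
        problems.append("cdhashes mismatch: plist %s, binary %s" % (
            sorted(h.hex() for h in listed), sorted(h.hex() for h in actual)))
    return problems

# Constructed sample input (not a real framework), so the checker runs offline.
def build_code_directory(hash_type: int, ident: bytes) -> bytes:
    """Minimal CodeDirectory (version 0x20000, no code slots) carrying a hashType byte."""
    body = ident + b"\0"
    length = 44 + len(body)  # 44-byte fixed header followed by the identifier string
    return struct.pack(">9I4BI", CSMAGIC_CODEDIRECTORY, length, 0x20000, 0, length, 44,
                       0, 0, 0, 20 if hash_type == 1 else 32, hash_type, 0, 12, 0) + body

def build_sample_macho(ident: bytes = b"com.example.Sample") -> bytes:
    """64-bit Mach-O: header, one LC_CODE_SIGNATURE, SHA-1 and SHA-256 CodeDirectories."""
    cds = [build_code_directory(1, ident), build_code_directory(2, ident)]
    index, blobs, off = b"", b"", 12 + 8 * len(cds)
    for slot, cd in zip((0, 0x1000), cds):  # CSSLOT_CODEDIRECTORY, CSSLOT_ALTERNATE_CODEDIRECTORIES
        index, blobs, off = index + struct.pack(">2I", slot, off), blobs + cd, off + len(cd)
    superblob = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, off, len(cds)) + index + blobs
    lc = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 48, len(superblob))  # payload follows lc
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 6, 1, 16, 0, 0) + lc + superblob

def build_sample_plist(cdhashes: list) -> bytes:
    """A .signature-shaped plist; the certificate is a placeholder DER SEQUENCE, not real."""
    return plistlib.dumps({
        "bundleIndentifier": "Sample",  # key spelled as in the Xcode-generated file
        "cdhashes": list(cdhashes), "certificates": [b"\x30\x00"], "isSecureTimestamp": False,
        "metadata": {"library": "Sample.framework", "platform": "ios"},
        "signatureIdentifier": "00" * 32, "signatureType": "SelfSigned", "signed": True,
        "source": "embedded"})

if __name__ == "__main__":
    sample = build_sample_macho()
    hashes = binary_cdhashes(sample)
    print("cdhashes:", [h.hex() for h in hashes])
    print("problems:", check_signature_plist(build_sample_plist(hashes), sample))
```

Run as a script it prints the two constructed cdhashes and an empty problem list. To check a real slice, read the framework's Mach-O into bytes, pass it to binary_cdhashes, and compare the result with the CDHash and CandidateCDHash lines that codesign -dvvv prints for the same file; a plist whose cdhashes list disagrees with the binary comes back with a "cdhashes mismatch" entry.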

Also, it seems to me that a per-framework signature only applies to dynamic frameworks.

The binary of a static framework ends up as part of the main app binary, so there won't be a standalone binary/framework to be used for signature validation: I cannot think of a way to implement signature validation when linking statically. And the most common linkage in Bazel is static 😄

acecilia avatar Mar 26 '24 11:03 acecilia

Xcode 15.3 generates .signature files for XCFrameworks with static linking too... but yeah, not sure how Apple will use it.

andre-alves avatar Mar 26 '24 13:03 andre-alves

Anyone able to add the signature tool to the existing xcframework rules? Happy to review / help with PRs that do that.

luispadron avatar Mar 26 '24 15:03 luispadron

upstream will add support for XCFramework Signatures https://github.com/bazelbuild/rules_apple/commit/106a743f53783e358430640ff60cb6a653c481af 👀

andre-alves avatar Apr 16 '24 05:04 andre-alves