firebase-ios-sdk
Firebase XCFrameworks are not codesigned
Description
Third-party SDK XCFrameworks now need to be codesigned, not just the framework binaries within them. This will be enforced by Xcode at some point in Spring 2024.
codesign --sign "Apple Developer cert etc" ... path/to/FirebaseAuth.xcframework
Now with signatures for SDKs, when you adopt a new version of a third-party SDK in your app, Xcode will validate that it was signed by the same developer, improving the integrity of your software supply chain.
https://developer.apple.com/support/third-party-SDK-requirements/
Note xcframework is a directory (bundle), not a binary. Though looks like Firebase binaries aren't codesigned either.
Docs
https://developer.apple.com/documentation/xcode/verifying-the-origin-of-your-xcframeworks
https://developer.apple.com/videos/play/wwdc2023/10060/
cc @paulb777 (We're working on this for Flutter https://github.com/flutter/flutter/issues/140934)
Reproducing the issue
Download XCFrameworks from https://firebase.google.com/docs/ios/setup#frameworks. Drag into Xcode 15+, see Kind: Unsigned in the inspector.
$ codesign -d -vv Firebase/FirebaseAuth/FirebaseAuth.xcframework
Firebase/FirebaseAuth/FirebaseAuth.xcframework: code object is not signed at all
Firebase SDK Version
10.19
Xcode Version
15
Installation Method
Zip
Firebase Product(s)
All
Targeted Platforms
iOS
Relevant Log Output
No response
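The `codesign -d -vv` check from the report, extended to every XCFramework under an unzipped directory, as an added example that is not part of the original issue or of Firebase's tooling. It assumes macOS `codesign` on the PATH; the function names and the optional expected team ID argument are illustrative.

```shell
#!/bin/sh
# Added example (not Firebase or Apple code): audit every .xcframework
# under a directory for a bundle-level signature, using the codesign
# call shown in the report.

# Print "<status> <team-id> <path>" (tab-separated) for one bundle.
# status: signed | unsigned | invalid
xcframework_status() {
    # codesign writes its report to stderr and exits non-zero on failure.
    out=$(codesign -d -vv "$1" 2>&1) && rc=0 || rc=$?
    team=-
    if [ "$rc" -ne 0 ]; then
        case $out in
            *"not signed at all"*) status=unsigned ;;
            *) status=invalid ;;
        esac
    elif codesign --verify "$1" >/dev/null 2>&1; then
        status=signed
        team=$(printf '%s\n' "$out" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
        [ -n "$team" ] || team=-
    else
        status=invalid   # signature present but verification failed
    fi
    printf '%s\t%s\t%s\n' "$status" "$team" "$1"
}

# audit_xcframeworks DIR [EXPECTED_TEAM_ID]
# Returns 0 only if every bundle is signed (and by EXPECTED_TEAM_ID, if given).
audit_xcframeworks() {
    report=$(find "$1" -type d -name '*.xcframework' -prune | sort |
        while IFS= read -r fw; do xcframework_status "$fw"; done)
    [ -n "$report" ] || { echo "no .xcframework bundles under $1" >&2; return 2; }
    printf '%s\n' "$report"
    printf '%s\n' "$report" | awk -F '\t' -v want="${2:-}" '
        $1 != "signed"           { bad = 1 }
        want != "" && $2 != want { bad = 1 }
        END                      { exit (bad ? 1 : 0) }'
}

# Run only when a directory is passed, e.g.: sh audit.sh ./Firebase <team-id>
if [ "$#" -gt 0 ]; then
    audit_xcframeworks "$@"
fi
```

Passing the team ID recorded for a publisher turns the report into a pin check: the function fails if any bundle is unsigned, fails verification, or carries a different `TeamIdentifier`.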
I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
@jmagman Thanks for the report. @ncooke3 is in progress on meeting the new Apple signing requirements along with the privacy manifests #11490
👍 I saw the privacy manifest work but I didn't see anything about the signature requirement. Thanks!
hello, any ETA when this codesigning will be included?
Hi @hendri-voodoo, I do not have an ETA to share, but the signing infra is taking longer to set up and may come after the release containing privacy manifests. We will keep this bug updated when we have an ETA to share. https://github.com/firebase/firebase-ios-sdk/issues/11490#issuecomment-1936548699
@ncooke3 noted. When is your next release cycle?
Hi, any updates on signing?
Hi, is it possible to provide an ETA for release with code signing?
Hi Team, any timeline where we can look for this?
The target window is between late March and mid April and we're working to do it as soon as we can in that timespan.
Hi everyone, we are still actively working on this, but I do have an update to share. In the upcoming Firebase 10.23.0 (tentatively scheduled for next week), Firestore's SwiftPM binary distribution will feature signed XCFrameworks. In practice, this will apply to all of the XCFrameworks that are used when using Firestore with SPM: FirebaseFirestoreInternal.xcframework, openssl_grpc.xcframework, absl.xcframework, grpc.xcframework, and grpcpp.xcframework.
Support for signed artifacts in other binary distributions will follow in future releases.
Hi! I saw release 10.23.0 signed xcframeworks for Firestore. Sorry to ask but what is the ETA for the other packages? I'm sure it's already known but all the Firebase SDKs are part of the special group that will get scrutiny by Apple https://developer.apple.com/support/third-party-SDK-requirements/
We're working towards providing signed xcframeworks in the next minor release, due out the week of April 8th
Will the non-Firebase xcframeworks such as GoogleSignIn also be a target of the next release? For example, GoogleSignIn supports the privacy manifest in 7.1.0 release. I expect the new version of the xcframework is bundled in the Firebase release and it is codesigned, but am not sure if it is tracked.
@shingt, yes. Every framework in the Firebase.zip will have a code signature.
Which release will have this fix? 10.23.2?
10.24.0, which is scheduled to be released next week. I will update this issue when it is released.
Any update on the signed SDKs release yet?
@iOSNinja just a hint: you can use 10.23.0 with Xcode 14.2 as a workaround. I've just sent the app to the review, it passed the validation.
Thanks for the workaround @wojciech-kulik but I've upgraded all our build machines to > Xcode15 and was waiting for firebase to release the signed SDKs today as mentioned above.
The 10.24.0 zip release is now available.
Has the Unity Firebase SDK provided signed xcframeworks for this points to version 10.24.0 of the iOS SDK which provided signed yet? Which version is it?
This issue was fixed and released in 10.24.0. The Firebase Unity SDK was updated to use 10.24.0 in v11.9.0 (https://github.com/firebase/firebase-unity-sdk/issues/991).
There is now a newer Firebase version to use, so I recommend upgrading to the latest Firebase version (currently 10.25.0) as that included some additional fixes. The corresponding Firebase Unity SDK release should be the next Firebase Unity SDK release.