XCFramework SDK signing

We're distributing an XCFramework to a customer so that they can create their own apps. With the new XCFramework signing requirements, we have a question regarding how to implement it.

We're using a few of the frameworks on the list https://developer.apple.com/support/third-party-SDK-requirements/, including AFNetworking, as dependencies for our framework.

We are building those frameworks from source code and not using any binaries provided by any third party. We also modify the open source code so that it differs from the original, in a way that won't lead to runtime conflicts in case the customer includes similar frameworks in their application. We're using those derivatives of the open source frameworks as statically linked libraries in our SDK.

Questions:

  1. Do we need to sign the third-party frameworks whose source code we have cloned and are using within our SDK framework?
  2. Is it required that an XCFramework built this way be signed when it is delivered to a third party and they use it in their app?

Replies

1. Do we need to sign the third-party frameworks whose source code we have cloned and are using within our SDK framework?

No. Assuming I understand your setup correctly (-:

My reading of that is you build these third-party libraries from source and statically link them into your framework. Thus, the only component that you distribute to your clients is the XCFramework itself. If so, that’s the only thing to sign.

For more background to this, see my comments at the end of this post.

2. Is it required that an XCFramework built this way be signed when it is delivered to a third party and they use it in their app?

AFAIK this signing is still optional. You can see the expected use case in Verifying the origin of your XCFrameworks.

Of course, a potential client is more likely to trust your framework if it’s signed.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


IMPORTANT All of the following is meant to be an informative description of the core idea, not some sort of official statement of policy.

The general trust model here is that the person who signs the code vouches for the code. When an app developer integrates your framework into their app, they re-sign it as part of the App Store submission process. At that point they’re vouching that the framework will behave itself. If it doesn’t, Apple will contact them, not you.

And the same applies to your framework. By signing it, you’re vouching that all the code in the framework will behave itself. If one of the third-party libraries you use does something bad, the app developer is going to contact you.
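As an added example (not code from the thread, from Quinn or from Apple), a small POSIX shell script showing both sides of the trust model described above: the vendor signs the whole .xcframework once, and the integrating developer verifies that signature and pins the expected Team ID before building it in. The signing identity name and the Team ID `ABCDE12345` are placeholders.

```shell
#!/bin/sh
# Vendor side: sign the XCFramework. Consumer side: verify it and pin the Team ID.
# Assumptions (placeholders, not from the thread): identity name and Team ID below.
SIGNING_IDENTITY="${SIGNING_IDENTITY:-Apple Distribution: Example Corp (ABCDE12345)}"
EXPECTED_TEAM_ID="${EXPECTED_TEAM_ID:-ABCDE12345}"

# Vendor: one signature over the whole bundle covers the statically linked
# third-party code inside it; --timestamp adds a secure timestamp.
sign_xcframework() {
  codesign --timestamp -v --sign "$SIGNING_IDENTITY" "$1"
}

# Parse the TeamIdentifier field out of `codesign -dvvv` output read on stdin.
# Prints nothing when the bundle is unsigned (the field is absent).
team_id_from_codesign_info() {
  sed -n 's/^TeamIdentifier=//p' | head -n 1
}

# Accept a Team ID only if it is present, not the ad-hoc marker "not set",
# and equal to the team we expect the vendor to sign with.
team_id_is_expected() {
  [ -n "$1" ] && [ "$1" != "not set" ] && [ "$1" = "$EXPECTED_TEAM_ID" ]
}

# Consumer: check the signature cryptographically, then pin the Team ID so a
# validly signed bundle from a different team is still rejected.
verify_xcframework() {
  path="$1"
  codesign --verify --strict "$path" >/dev/null 2>&1 || {
    echo "signature missing or invalid: $path" >&2
    return 1
  }
  # codesign -dvvv writes its report to stderr, hence 2>&1.
  team=$(codesign -dvvv "$path" 2>&1 | team_id_from_codesign_info)
  if team_id_is_expected "$team"; then
    echo "ok: $path is signed by team $team"
  else
    echo "unexpected Team ID '${team:-<none>}', expected $EXPECTED_TEAM_ID: $path" >&2
    return 1
  fi
}

# Usage: ./xcfw-check.sh sign|verify path/to/Foo.xcframework
if [ "$#" -eq 2 ]; then
  case "$1" in
    sign)   sign_xcframework "$2" ;;
    verify) verify_xcframework "$2" ;;
  esac
fi
```

The parser and the Team ID policy are kept separate from the `codesign` calls so they can be exercised on captured output without a Mac.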

  • @eskimo - Since AFNetworking is now deprecated, will continuing to use it in the source code as mentioned above have any impact on app submission to the App Store?
