SDK framework signing certificate expiration

Since 2023 Apple have strongly suggested signing XCFrameworks to verify their origins. This has worked perfectly fine for the last year. Seeing that our certificate was about to expire, we revoked it and created a new one which we will use to sign all future releases. However, because that first certificate has been revoked, all previous releases of our XCFramework now have invalid signatures because the certificate they used no longer exists.

While an update to the latest XCFramework would solve the issue, that's not always a possibility for people with lower minimum deployment targets that can only run an older version of our XCFramework. In the wwdc video on the topic it states:

When the xcframework author's signing certificate expires, Xcode is able to automatically validate that a new certificate for Apple Developer Program identities is from the same developer.

Does this mean that if we had not pre-empted the expiry and instead let the certificate expire, we wouldn't have this backwards compatibility issue?

The course of action we've had to take is to manually go through all of our releases for the last year and re-sign them with the latest certificate. This doesn't seem like a tenable solution each year.

Looking for guidance on how to manage this situation each year.

Up vote post of mapierce Down vote post of mapierce
297 views
Posted by
mapierce
Reply
Add a Comment

Replies

Does this mean that if we had not pre-empted the expiry and instead let the certificate expire, we wouldn't have this backwards compatibility issue?

I think so, yes.

Apple has the ability to create secure timestamps, meaning that we can check that the certificate in the code signature was valid at the time that the code was signed. This is a critical feature for Developer ID apps, but I suspect it’s used for framework signing as well. Indeed, the instructions in Creating a multiplatform binary framework bundle specifically say to use the --timestamp option.

I discuss this concept, in the context of Developer ID, in TN3161 Inside Code Signing: Certificates.

The standard way to test this is to remove your Mac from the Internet, set its clock forward, and see if the item is still usable.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks for the response @eskimo! Does that mean that I need to keep expired certificates around forever? For App Store releases revoking expired certificates had no impact, but now when we use a certificate to sign an XCFramework it would seem that that is no longer a safe step to take. Is this correct?

Posted by
mapierce
Up vote reply of mapierce Down vote reply of mapierce
Add a Comment

@eskimo thinking about it I have another question as well. You mentioned how this is a critical feature for Developer ID apps, and digging in more, Developer ID certificates last for 5 years vs iOS certificates only lasting 1. Is it possible to use a Developer ID certificate to sign an XCFramework and reduce the number of expired certificates we would nee to maintain?

Posted by
mapierce
Up vote reply of mapierce Down vote reply of mapierce
Add a Comment

For App Store releases revoking expired certificates had no impact

Right.

Does that mean that I need to keep expired certificates around forever?

I think so. Honestly, I’ve not looked into that in detail.

Is it possible to use a Developer ID certificate to sign an XCFramework

It’s certainly possible to sign an XCFramework with a Developer ID signing identity. It’s all the same code signing machinery. And…

and reduce the number of expired certificates we would nee to maintain?

That’s certainly true. Plus, you can’t easily revoke Developer ID certificates anyway. See Developer > Support > Certificates.

However, I’m not sure whether that’s a path that we actively recommend. I think it’ll be fine, but code signing frameworks is somewhat outside of my area of expertise.

If you want to drive this to a conclusion, I recommend that you open a DTS tech support incident and one of us will get you a definitive answer. If you’re not up for that, the next best thing is to file a bug against Creating a multiplatform binary framework bundle requesting clarification on these points.

IMPORTANT If you do open a DTS tech support incident, make sure to reference this DevForums thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment