XCFrameworks are not codesigned

[ori-hime]

Third-party SDK XCFrameworks now need to be codesigned, not just the framework binaries within them.
This will be enforced by Xcode at some point in Spring 2024.
https://developer.apple.com/news/?id=r1henawx
https://developer.apple.com/news/?id=3d8a9yyh

I am using FMDB (v2.7.8) using Carthage.

I checked whether the SDK was signed using the command and Xcode15's Signature field to check the signature below, but
SDK signature could not be verified.

I used the following command:
❯ codesign -dvvv --display --deep [library path omitted]FMDB.xcframework
[Library path omitted]FMDB.xcframework: code object is not signed at all

When will the SDK signature be released?

[ccgus]

I think you should just sign this yourself?

[ori-hime]

Apple has mandated that FMDB, all need to include privacy manifest and signature.
They're specifically called out in Upcoming third-party SDK requirements.
https://developer.apple.com/support/third-party-SDK-requirements/

https://developer.apple.com/videos/play/wwdc2023/10060
Judging from the announcement,, it seems that SDK signing should be done by the SDK developer.
Quotes from the video＞SDK developers: Adopt signatures and manifests. These are super helpful to your customers.

For the reasons listed above, we would like you to sign the SDK.

[ori-hime]

@ccgus
We would like you to sign the SDK?

[wackey39]

@ccgus
There is a demand for me as well. Can you release a stable version of FMDB .xcframework signed by the FMDB developers?

Thanks

[zhaojb9]

@ ori-hime
After my analysis, Apple's purpose is to prevent the SDK from being accidentally tampered with when updating the SDK. Therefore, if the SDK is signed by itself, it means that it must ensure the security of the source of the SDK. After my testing, when the SDK signature changes, xcoode will interrupt compilation and issue a warning. I think I should have no problem signing open source SDKs. We are reviewing the test and I will share any progress.

[zhaojb9]

After my continued investigation, I will share the following information with you
Whether a signature is required varies depending on how the SDK is introduced.

• If the SDK is imported from source code, no signature is required, because you have to bear the responsibility of trusting the source code yourself (such as pod introduction)
• If you download the Xcode project file of this SDK and compile it yourself, and then introduce it through xcframework (officially said binary), this xcframework needs to be signed. The signatures mentioned here can be signed by yourself. Because the open source is the source code, and the signature should be done by the person who generated xcframework. If you don't want to sign, you can introduce it through pod (source code).

I hope to be helpful.

[rickharrison]

@zhaojb9 Is it possible to use FMDB via Carthage right now? Or will Apple now let you submit it with any xcframeworks

[zhaojb9]

@rickharrison
I have not used Carthage, but according to Apple's regulations, it only cares whether you use source code or compiled binary files when introducing the SDK into your own app. If it is a binary file, it must be signed (you can sign it yourself). If it is directly introduced with source code, no signature is required.