Firebase XCFrameworks are not codesigned #12238

Closed
jmagman opened this issue Jan 4, 2024 · 24 comments
@jmagman

jmagman commented Jan 4, 2024

Description

Third-party SDK XCFrameworks now need to be codesigned, not just the framework binaries within them. This will be enforced by Xcode at some point in Spring 2024.

codesign --sign "Apple Developer cert etc" ... path/to/FirebaseAuth.xcframework

Now with signatures for SDKs, when you adopt a new version of a third-party SDK in your app, Xcode will validate that it was signed by the same developer, improving the integrity of your software supply chain.

https://developer.apple.com/support/third-party-SDK-requirements/

Note xcframework is a directory (bundle), not a binary. Though looks like Firebase binaries aren't codesigned either.

Docs

https://developer.apple.com/documentation/xcode/verifying-the-origin-of-your-xcframeworks
https://developer.apple.com/videos/play/wwdc2023/10060/

cc @paulb777
(We're working on this for Flutter flutter/flutter#140934)

Reproducing the issue

Download XCFrameworks from https://firebase.google.com/docs/ios/setup#frameworks. Drag into Xcode 15+, see Kind: Unsigned in the inspector.


$ codesign -d -vv Firebase/FirebaseAuth/FirebaseAuth.xcframework
Firebase/FirebaseAuth/FirebaseAuth.xcframework: code object is not signed at all

Firebase SDK Version

10.19

Xcode Version

15

Installation Method

Zip

Firebase Product(s)

All

Targeted Platforms

iOS

Relevant Log Output

No response
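
The check from this report, generalised into a CI gate (an added example, not code from the issue or from the Firebase project): it classifies each `.xcframework` from its `codesign -d -vv` report and fails unless every bundle is signed by the expected team and verifies. The function names, the `CODESIGN` override and the team ID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the code signature of every .xcframework under a directory.
# CODESIGN can be overridden (assumption, for exercising the logic off macOS).
CODESIGN="${CODESIGN:-codesign}"

# classify_signature: read `codesign -d -vv` output on stdin and print one of
#   unsigned | adhoc | team:<TeamIdentifier> | unknown
classify_signature() {
  awk '
    /code object is not signed at all/ { print "unsigned"; seen = 1; exit }
    /^TeamIdentifier=/ { sub(/^TeamIdentifier=/, ""); team = $0 }
    END {
      if (seen) exit
      if (team == "not set") print "adhoc"        # signed, but by no identity
      else if (team != "")   print "team:" team
      else                   print "unknown"      # no usable codesign output
    }'
}

# audit_xcframeworks DIR EXPECTED_TEAM
# Prints one OK/FAIL line per bundle; returns 1 if any bundle is unsigned,
# signed by a different team, or fails `codesign --verify`.
audit_xcframeworks() {
  dir=$1 expected=$2 rc=0
  # -prune: report the bundle itself, do not descend into its slices.
  list=$(find "$dir" -name '*.xcframework' -prune | sort)
  [ -n "$list" ] || { echo "FAIL no .xcframework bundles under $dir"; return 1; }
  while IFS= read -r fw; do
    # codesign writes its report to stderr and exits non-zero when unsigned.
    state=$("$CODESIGN" -d -vv "$fw" 2>&1 | classify_signature)
    if [ "$state" != "team:$expected" ]; then
      echo "FAIL $fw ($state, expected team:$expected)"; rc=1
    elif ! "$CODESIGN" --verify --strict "$fw" >/dev/null 2>&1; then
      echo "FAIL $fw (signed by $expected but contents do not verify)"; rc=1
    else
      echo "OK   $fw ($state)"
    fi
  done <<EOF
$list
EOF
  return $rc
}

# Usage: sh audit.sh path/to/Firebase TEAMID   (both arguments are placeholders)
if [ $# -ge 2 ]; then audit_xcframeworks "$1" "$2"; fi
```

Pinning the team identifier in the build pipeline mirrors the same-developer check the report quotes from Apple, so a swapped or re-signed bundle fails the build before it reaches Xcode.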

@google-oss-bot

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@paulb777
Member

paulb777 commented Jan 4, 2024

@jmagman Thanks for the report. @ncooke3 is in progress on meeting the new Apple signing requirements along with the privacy manifests #11490

@jmagman
Author

jmagman commented Jan 4, 2024

👍 I saw the privacy manifest work but I didn't see anything about the signature requirement. Thanks!

@hendri-voodoo

Hello, any ETA when this codesigning will be included?

@ncooke3
Member

ncooke3 commented Feb 14, 2024

Hi @hendri-voodoo, I do not have an ETA to share, but the signing infra is taking longer to set up and may come after the release containing privacy manifests. We will keep this bug updated when we have an ETA to share. #11490 (comment)

@hendri-voodoo

@ncooke3 noted. When is your next release cycle?

@pavm035

pavm035 commented Mar 7, 2024

Hi, any updates on signing?

@lakshmankreditbee

Hi, any updates on signing?

@GH-Ong

GH-Ong commented Mar 11, 2024

Hi, is it possible to provide an ETA for release with code signing?

@vksgautam1986

Hi Team, any timeline where we can look for this?

@paulb777
Member

The target window is between late March and mid April and we're working to do it as soon as we can in that timespan.

@ncooke3
Member

ncooke3 commented Mar 15, 2024

Hi everyone, we are still actively working on this, but I do have an update to share. In the upcoming Firebase 10.23.0 (tentatively scheduled for next week), Firestore's SwiftPM binary distribution will feature signed XCFrameworks. In practice, this will apply to all of the XCFrameworks that are used when using Firestore with SPM: FirebaseFirestoreInternal.xcframework, openssl_grpc.xcframework, absl.xcframework, grpc.xcframework, and grpcpp.xcframework.

Support for signed artifacts in other binary distributions will follow in future releases.

@nicolobozzato

Hi! I saw release 10.23.0 signed xcframeworks for Firestore. Sorry to ask, but what is the ETA for the other packages?
I'm sure it's already known, but all the Firebase SDKs are part of the special group that will get scrutiny by Apple:
https://developer.apple.com/support/third-party-SDK-requirements/

paulb777 added this to the 10.24.0 - M146 milestone Mar 28, 2024

@paulb777
Member

We're working towards providing signed xcframeworks in the next minor release, due out the week of April 8th

@shingt

shingt commented Apr 5, 2024

> We're working towards providing signed xcframeworks in the next minor release, due out the week of April 8th

Will the non-Firebase xcframeworks such as GoogleSignIn be also a target of the next release?
For example, GoogleSignIn supports the privacy manifest in 7.1.0 release. I expect the new version of the xcframework is bundled in the Firebase release and it is codesigned, but am not sure if it is tracked.

@ncooke3
Member

ncooke3 commented Apr 5, 2024

@shingt, yes. Every framework in the Firebase.zip will have a code signature.

@wojciech-kulik

Which release will have this fix? 10.23.2?

@ncooke3
Member

ncooke3 commented Apr 5, 2024

10.24.0, which is scheduled to be released next week. I will update this issue when it is released.

@iOSNinja

iOSNinja commented Apr 8, 2024

Any update on the signed SDKs release yet?

@wojciech-kulik

wojciech-kulik commented Apr 8, 2024

@iOSNinja just a hint: you can use 10.23.0 with Xcode 14.2 as a workaround. I've just sent the app to the review, it passed the validation.

@iOSNinja

iOSNinja commented Apr 8, 2024

Thanks for the workaround @wojciech-kulik, but I've upgraded all our build machines to > Xcode15 and was waiting for Firebase to release the signed SDKs today as mentioned above.

@paulb777
Member

paulb777 commented Apr 9, 2024

The 10.24.0 zip release is now available.

@techbyte24

techbyte24 commented Apr 10, 2024

Has the Unity Firebase SDK provided signed xcframeworks for this points to version 10.24.0 of the iOS SDK which provided signed yet? Which version is it?

@ncooke3
Member

ncooke3 commented May 7, 2024

This issue was fixed and released in 10.24.0. The Firebase Unity SDK was updated to use 10.24.0 in v11.9.0 (firebase/firebase-unity-sdk#991).

There is now a newer Firebase version to use, so I recommend upgrading to the latest Firebase version (currently 10.25.0) as that included some additional fixes. The corresponding Firebase Unity SDK release should be the next Firebase Unity SDK release.

firebase locked and limited conversation to collaborators May 10, 2024