Skip to content

Firebase XCFrameworks are not codesigned #12238

New issue
New issue
Closed
Closed
Firebase XCFrameworks are not codesigned#12238
Assignees
ncooke3
Labels
api: core
Milestone
10.24.0 - M146
@jmagman

Description

@jmagman
jmagman
opened on Jan 4, 2024

Description

Third-party SDK XCFrameworks now need to be codesigned, not just the framework binaries within them. This will be enforced by Xcode at some point in Spring 2024.

codesign --sign "Apple Developer cert etc" ... path/to/FirebaseAuth.xcframework

Now with signatures for SDKs, when you adopt a new version of a third-party SDK in your app, Xcode will validate that it was signed by the same developer, improving the integrity of your software supply chain.

https://developer.apple.com/support/third-party-SDK-requirements/

Note xcframework is a directory (bundle), not a binary. Though looks like Firebase binaries aren't codesigned either.

Docs

https://developer.apple.com/documentation/xcode/verifying-the-origin-of-your-xcframeworks
https://developer.apple.com/videos/play/wwdc2023/10060/
Screenshot 2024-01-03 at 4 35 03 PM

cc @paulb777
(We're working on this for Flutter flutter/flutter#140934)

Reproducing the issue

Download XCFrameworks from https://firebase.google.com/docs/ios/setup#frameworks. Drag into Xcode 15+, see Kind: Unsigned in the inspector.

Screenshot 2024-01-03 at 4 36 25 PM

$ codesign -d -vv Firebase/FirebaseAuth/FirebaseAuth.xcframework
Firebase/FirebaseAuth/FirebaseAuth.xcframework: code object is not signed at all

Firebase SDK Version

10.19

Xcode Version

15

Installation Method

Zip

Firebase Product(s)

All

Targeted Platforms

iOS

Relevant Log Output

No response

Metadata

Metadata

Assignees

Labels

api: core

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions