Where should privacy manifests (PrivacyInfo.xcprivacy file) for 3rd party static frameworks be located in the built app

Hello!

In our applications we consume several 3rd party libraries that use one or more API from this list - https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/describing_use_of_required_reason_api?language=objc. These XCFrameworks contain static frameworks (a framework with a statically linked binary inside), so after linking, the machine code inside these frameworks becomes either a part of the app's executable or a part of a dynamic library.

We integrate these libraries using Swift Package Manager's ".binaryTarget" feature and have been having trouble understanding where should the privacy manifest be located in the final app, so that we can pass the App Store review process. It seems that with SPM the privacy manifest (PrivacyInfo.xcprivacy file) is lost - https://github.com/apple/swift-package-manager/issues/7317

If the static framework is linked as a part of the app's executable, does that mean we have to manually merge the app's privacy manifest with that of a 3rd party static library?

If the static framework is linked as a part of a dynamic library within the app, where should the privacy manifest be located? And what should happen if there are multiple static frameworks each with a privacy manifest being linked into this dynamic library?

Thank you very much!

Apple has updated the documentation some time in the last week. The location is now spelled out in these pages:

For static libraries, see section "Distribute your static library with a privacy manifest"

Otherwise:

macOS app:

  • Contents/Resources/

macOS framework

  • Versions/A/Resources/

iOS, watchOS, tvOS, visionOS (apps and frameworks)

  • /
    • meaning the root of the bundle
Where should privacy manifests (PrivacyInfo.xcprivacy file) for 3rd party static frameworks be located in the built app
 
 
Q