Digital signatures available for Swift Packages?

Can we use digital signatures for our Swift Packages? Or is this only for XCFrameworks?

Up vote post of LH16 Down vote post of LH16
1.3k views
Posted by
LH16
Reply
Add a Comment

Replies

Are you talking about a binary package? Or a package built from source?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Post not yet marked as solved Up vote reply of eskimo Down vote reply of eskimo

  • Package built from source

    LH16
Add a Comment

For Swift packages published as source, say version tags referenced in a Github repository, is there a way to provide such supply chain integrity protections, such as via signature on a git tag?

Or are supply chain protections currently only usable when third parties ship binary builds?

Posted by
dwaite
Up vote reply of dwaite Down vote reply of dwaite
Add a Comment

The stuff announced during WWDC 2023 Session 10061 Verify app dependencies with digital signatures is focused on binaries. There’s a bunch of infrastructure in place for source code supply chain protection [1] but AFAIK it’s not surfaced with a nice GUI in Xcode.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Things that spring to mind are:

  • Git has support for signed commits

  • You can point SwiftPM to specific commit.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment