Code signing for the open source SDKs

Hi everyone, I'm studying the changes in App Privacy. I'm interested in the new rules for SDKs. From the WWDC videos and Apple tutorials, I see that privacy-impacting SDKs must have a code signature.

A lot of aspects of how code signatures work and how to create them are described in the Verify app dependencies with digital signatures tutorial.

However, I didn't understand how to implement code signatures for open-source SDKs that are shipped as source files rather than as a prebuilt framework, so the app developers build the SDK in their own environment.

Please help me understand this aspect. Thanks!

This endeavour is focused on SDKs distributed as binaries. It currently has no impact on libraries that you build from source. From the perspective of this effort, code that you build from source is the same as your code.

Note that most folks access open source libraries using Git, and Git has its own mechanism for handling source code integrity and signing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi @eskimo ! Thanks for the reply!

What about the privacy manifest in this case? Should the open-source SDK include its own manifest, or should it just provide (in the README) the values for the respective nutrition labels and tracking domains to app developers so they can add the values to the app's privacy manifest manually?

I believe the open-source SDK should still have its own manifest, but I would like to confirm this.

Thanks in advance!

What about the privacy manifest in this case?

I don’t know. I’ve not had cause to dig into the whole privacy manifest story; it’s handled by other folks here in DTS.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi @eskimo, is this also the case if we take the source code of, let's say, AFNetworking and build it into a binary dependency in our environment for our app to consume? Does this mean that we are able to provide our own privacy manifest and code signing?
