I have gone through (many times) the videos and documentation around adding privacy manifest support to applications and SDKs etc - specifically via the expected PrivacyInfo.xcprivacy file.
I am across adding it to the application, and to libraries that produce an xcframework (and signing those etc), however, I also have a series of Swift Package libraries available on GitHub which afaict will also require the privacy info file to declare the library's privacy-related intentions.
So my questions are:
- Where should I add this file within the package setup?
- Should there be a privacy info file per importable target?
- Is it expected that the generated privacy report of an application will show info about the library?
I have tried within the sources area, and in the root/manifest section, but when I generate a privacy report on the archived application that utilises this library, I can't see any indication that the info is included in the report.
This is the generated privacy report from Xcode organiser:
My libraries do not actually track or access anything in the required APIs list, however I also added some user tracking and linking etc to the privacy info file as a test, and it does not indicate that these are happening in the generated privacy report on the application.
Quick example/clarification:
I have tried putting the file here:
MyPackage
- Package.swift
> Sources
    > TargetName
        - PrivacyInfo.xcprivacy
and here
MyPackage
- Package.swift
- PrivacyInfo.xcprivacy
> Sources
    > TargetName
If there are docs that I have missed running through this, please link me 😅 - I have searched for some clear answers through docs and forum questions but I can't seem to get clarification.
Yes the resources is the correct place, however I did want Apple to confirm some additional things. I got a response to my questions, and have been able to confirm some things too which is good:
So the original question of `Where should I add this file within the package setup?`
You should add it as a resource file as described in Bundling resources with a Swift package.
Should there be a privacy info file per importable target? Or is it per library/package project?
It is per target. The target that builds the app or third-party SDK requiring a privacy manifest should only contain one privacy manifest. If your app links against a third-party SDK requiring a privacy manifest but doesn't collect data and use required reason API, then their target doesn't need to contain a privacy manifest file.
Is it expected that the generated privacy report of an application will show info based on flags within the package's manifest file?
The generated privacy report will show all information inputted into the privacy manifest file.
However, it is worth noting that during my testing/validating - it only showed up in the report if there were tracking items.
For example, I purposely added a tracking item and included it in a sample project:
However, when the library's privacy report had Privacy Tracking as NO and also no additional items or required reason APIs, it was not included in the report:
I am assuming this is due to the report only highlighting flagged trackings/collections (at least that is my understanding of the available documentation).
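One way to check, independently of Xcode's report, that a package's `PrivacyInfo.xcprivacy` actually ended up in the built app and what it declares. This is an added example, not code from the post or from Apple; the bundle names, the sample manifests and `tracker.example.com` are constructed, and `declares_nothing` is a name chosen here.

```python
import plistlib
import tempfile
from pathlib import Path

MANIFEST = "PrivacyInfo.xcprivacy"

def audit_manifests(root):
    """Summarise every privacy manifest under root (a built .app or unpacked archive)."""
    results = []
    for path in sorted(Path(root).rglob(MANIFEST)):
        with path.open("rb") as fh:
            data = plistlib.load(fh)
        entry = {
            "path": path.relative_to(root).as_posix(),
            "tracking": bool(data.get("NSPrivacyTracking", False)),
            "tracking_domains": list(data.get("NSPrivacyTrackingDomains", [])),
            "collected": [d.get("NSPrivacyCollectedDataType")
                          for d in data.get("NSPrivacyCollectedDataTypes", [])],
            "accessed_apis": [a.get("NSPrivacyAccessedAPIType")
                              for a in data.get("NSPrivacyAccessedAPITypes", [])],
        }
        # A manifest that is present but declares nothing has no items to list.
        entry["declares_nothing"] = not any(
            entry[k] for k in ("tracking", "tracking_domains", "collected", "accessed_apis"))
        results.append(entry)
    return results

def demo():
    """Build a constructed sample app layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "Sample.app"
        # Constructed resource-bundle names (assumption, not taken from the post).
        quiet = app / "MyPackage_TargetName.bundle"
        noisy = app / "MyPackage_TrackingTest.bundle"
        quiet_manifest = {"NSPrivacyTracking": False}
        noisy_manifest = {
            "NSPrivacyTracking": True,
            "NSPrivacyTrackingDomains": ["tracker.example.com"],
            "NSPrivacyCollectedDataTypes": [
                {"NSPrivacyCollectedDataType": "NSPrivacyCollectedDataTypeEmailAddress"}],
        }
        for bundle, manifest in ((quiet, quiet_manifest), (noisy, noisy_manifest)):
            bundle.mkdir(parents=True)
            with (bundle / MANIFEST).open("wb") as fh:
                plistlib.dump(manifest, fh)  # written as an XML property list
        return audit_manifests(app)

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Pointing `audit_manifests` at a real `.app` lists each manifest that was bundled, so a file that is present but declares nothing can be told apart from one that was never copied in as a resource.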