How to comply with signing requirement for privacy-impacting SDKs distributed as source

Relevant background:

Many of the SDKs that will require privacy manifests and signatures are distributed as source and integrated via Swift Package Manager. I recently studied the progress made by ~10 of the listed SDKs and it seems like there's a growing consensus that the solution to including a privacy manifest when distributing via source is to list the manifest as a bundled resource.

However, I've seen little discussion of the signing requirement. This is understandable since, as the forum post Digital signatures available for Swift Packages? points out, the dependency signing talk was focused on binaries. Yet, I'm curious whether signing of some kind will actually be required for SDKs distributed as source (e.g. to enable validating the authenticity of the privacy manifest).

Clarification on this point would help tremendously as we work to ensure we'll be compliant as soon as the new requirement begins to be enforced.
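As an added illustration of the "bundled resource" approach the question describes (example code, not from the original post or any of the SDKs surveyed), this is a minimal Package.swift that ships a privacy manifest with a source-distributed SDK. The package name, target name and platform are assumptions; the file is assumed to live at Sources/ExampleSDK/PrivacyInfo.xcprivacy.

```swift
// swift-tools-version:5.9
// Hypothetical Package.swift for a source-distributed SDK that bundles its
// privacy manifest so Xcode can aggregate it into the app's privacy report.
import PackageDescription

let package = Package(
    name: "ExampleSDK",                 // assumed package name
    platforms: [.iOS(.v13)],            // assumed minimum platform
    products: [
        .library(name: "ExampleSDK", targets: ["ExampleSDK"])
    ],
    targets: [
        .target(
            name: "ExampleSDK",
            resources: [
                // Path is relative to Sources/ExampleSDK/.
                // .copy keeps PrivacyInfo.xcprivacy byte-for-byte in the target's
                // resource bundle (ExampleSDK_ExampleSDK.bundle); .process would let
                // the build system transform it, which is not wanted for a manifest.
                .copy("PrivacyInfo.xcprivacy")
            ]
        )
    ]
)
```

Because nothing here is signed, the integrity of the manifest rests on the pinned revision in Package.resolved and on the integrator reviewing what that revision contains, which matches the accepted reply's reading that the signing requirement covers binary dependencies only.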

Accepted Reply

The Feb 29, 2024 Apple Developer News article titled Privacy updates for App Store submissions seems to clarify that the signing requirement only applies to binary dependencies.
