We have a closed-source SDK distributed as a static framework. We are experiencing some difficulty in incorporating Privacy Manifests. We added the Privacy Manifest as a resource in the xcframework using the Copy Bundle Resources phase. Our expectation was that the developer could then add the xcframework to their application and select the Embed Without Signing embed option. Even though it's a static framework, Xcode removes the static archive from the framework when it is embedded in the target bundle as described here:
Embedding a static framework using a Copy Files build phase now removes the static archive from the framework when it is embedded in the target bundle. The REMOVE_STATIC_EXECUTABLES_FROM_EMBEDDED_BUNDLES build setting can be set to NO to opt out of this behavior. The COPY_RESOURCES_FROM_STATIC_FRAMEWORKS build setting, previously used in the legacy build system to extract and copy the resources from a static framework to the target bundle, no longer has any effect with the new build system as the entire framework is copied instead (minus the static archive as described above).
The problem is that by doing this, the Info.plist files present in the platform folders (.framework) are also embedded into the host app. The Info.plist now references the binary that was removed, causing a validation error when uploading to iTunes Connect. Similarly, if we remove the Info.plist from the xcframework platform folders, it is not possible to run the host application on the simulator. Firebase is facing the same problem as they prepare to incorporate Privacy Manifests into their frameworks.
When distributing via CocoaPods and SPM, we do not have this problem since it is possible to reference an external .xcprivacy to the xcframework in the package itself. So, in summary, how do we incorporate Privacy Manifests into a static framework?
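A pre-upload check for the condition described in the question, added here as an example and not part of the original post or of any SDK's tooling: it walks an app bundle's embedded frameworks and flags any whose Info.plist names an executable that is no longer present, and any that lack a privacy manifest. It assumes the flat iOS layout `Host.app/Frameworks/<Name>.framework/` and the manifest file name `PrivacyInfo.xcprivacy`; the bundle and framework names are constructed sample data.

```python
import plistlib
import tempfile
from pathlib import Path


def audit_embedded_frameworks(app_dir):
    """Return {framework name: [findings]} for each .framework under <app>/Frameworks."""
    report = {}
    for fw in sorted(Path(app_dir, "Frameworks").glob("*.framework")):
        findings = []
        info = fw / "Info.plist"
        if info.is_file():
            with info.open("rb") as fh:
                exe = plistlib.load(fh).get("CFBundleExecutable")
            # The plist still names a binary that the embed step stripped out.
            if exe and not (fw / exe).is_file():
                findings.append(f"Info.plist references missing executable '{exe}'")
        else:
            findings.append("no Info.plist")
        # Assumed manifest file name; adjust if the SDK ships it elsewhere.
        if not (fw / "PrivacyInfo.xcprivacy").is_file():
            findings.append("no PrivacyInfo.xcprivacy")
        report[fw.name] = findings
    return report


def build_sample_app(root):
    """Constructed sample: one framework stripped of its archive, one intact."""
    app = Path(root, "Host.app")
    for name, keep_binary in (("StaticSDK", False), ("DynamicSDK", True)):
        fw = app / "Frameworks" / f"{name}.framework"
        fw.mkdir(parents=True)
        with (fw / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleExecutable": name}, fh)
        with (fw / "PrivacyInfo.xcprivacy").open("wb") as fh:
            plistlib.dump({"NSPrivacyTracking": False}, fh)
        if keep_binary:
            (fw / name).write_bytes(b"\x00")  # stand-in for the real binary
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for fw, findings in audit_embedded_frameworks(build_sample_app(tmp)).items():
            print(fw, "->", findings or "ok")
```

Pointing `audit_embedded_frameworks` at the built `.app` before archiving shows which embedded frameworks would carry a dangling `CFBundleExecutable` into the upload.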