Can we use digital signatures for our Swift Packages? Or is this only for XCFrameworks?
Digital signatures available for Swift Packages?
Are you talking about a binary package? Or a package built from source?
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
For Swift packages published as source, say version tags referenced in a Github repository, is there a way to provide such supply chain integrity protections, such as via signature on a git tag?
Or are supply chain protections currently only usable when third parties ship binary builds?
The stuff announced during WWDC 2023 Session 10061 Verify app dependencies with digital signatures is focused on binaries. There’s a bunch of infrastructure in place for source code supply chain protection [1] but AFAIK it’s not surfaced with a nice GUI in Xcode.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Things that spring to mind are:
-
Git has support for signed commits
-
You can point SwiftPM to specific commit.