To simplify management, we integrate some SDKs, such as Firebase, into one of our own internally used SDKs. Recently, when we submitted to the App Store, we were told that FirebaseCrashing, which is included in the SDK, lacked the necessary signature (ITMS-91065). What we can confirm is that after the SDK goes through secondary packaging, the original signature is lost. We also have a static reference. So what I want to ask is whether our only option is to manually sign our secondary-packaged SDK (with our own certificate, which is different from the original Firebase one) to solve this ITMS-91065 problem. According to the description at the Apple Developer Conference, Apple only verifies the consistency and security of the SDK and does not record the signature of each SDK on Apple's servers. Therefore, you should only need to ensure that the SDK is in a signed state to comply with Apple's review requirements. (This is my guess, and it is still being verified.)
@DTS Engineer Sorry, my description was wrong. Since the secondary-packaged SDK uses a pod to reference Firebase in source-code form, what ultimately needs to be signed is actually our own SDK. The final summary is as follows:
- The SDK developer of the binary distribution cannot confirm the source code, so the packager needs to sign it to confirm whether the SDK has been tampered with.
- Since the Firebase pod is a source code reference, when performing secondary distribution of the SDK, the person who ultimately distributes the SDK needs to sign his or her own SDK.
Hope it helps anyone who encounters the same problem.