About ITMS-91065

Hi zhaojb,

Starting May 1, 2024, if an app includes a privacy-impacting SDK or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. You should contact the provider of the SDK to get an updated version with a signature. For details about verifying the code signature for a third-party SDK, visit: https://developer.apple.com/support/third-party-SDK-requirements/.

Your post is a very interesting one. If I understand correctly, you already have a Firebase with a signature file, but you received an error message indicating that the privacy-impacting SDK requires a new signature file. This could means that Firebase needs to provide you with an updated SDK that includes a signature file, but I think the nested library is actually a different issue.

Now, I want to understand more about the secondary packaging and losing the signature file. Are you nesting the SDK inside another SDK that isn't signed? What do you mean by the original signature is lost? I'm guessing you're wrapping Firebase SDK with another library, and that means you should sign your own library as well.

Can you provide me with the file structure of the Frameworks inside the IPA? Are you using Xcode 15.3 to submit the app? Are you using an xcframework?

Let's gather all that information and see if we can help with the validation.

@DTS Engineer Sorry, my description is wrong. Since the SDK for secondary packaging uses pod to reference Firebase in the form of source code, what ultimately needs to be signed is actually our own SDK. The final summary is as follows:

• The SDK developer of the binary distribution cannot confirm the source code, so the packager needs to sign it to confirm whether the SDK has been tampered with.
• Since Firebase pod is a source code reference, when performing secondary distribution of the SDK, the person who ultimately distributes the SDK needs to sign his or her own SDK.

Hope it helps anyone who encounters the same problem.