About ITMS-91065

In order to facilitate management, we integrate some SDKs such as Firebase into one of our own internally used SDKs. Recently, when we submitted to the App Store, we were prompted that FirebaseCrashing included in the SDK lacked the necessary signature (ITMS-91065). What can be confirmed is that after packaging the SDK through secondary packaging, the original signature is lost. And we have a static reference. So what I want to ask is whether we can only manually sign our secondary-packaged SDK (the signature is our own certificate, different from the original Firebase one) to solve this ITMS-91065 problem. According to the description from the Apple Developer Conference, Apple only verifies the consistency and security of the SDK and does not record the signature of each SDK on Apple's servers. Therefore, you should only need to ensure that the SDK is in a signed state to comply with Apple's review requirements. (My guess is still being verified.)

Answered by zhaojb in 788563022

@DTS Engineer Sorry, my description is wrong. Since the SDK for secondary packaging uses pod to reference Firebase in the form of source code, what ultimately needs to be signed is actually our own SDK. The final summary is as follows:

  • The SDK developer of the binary distribution cannot confirm the source code, so the packager needs to sign it to confirm whether the SDK has been tampered with.
  • Since Firebase pod is a source code reference, when performing secondary distribution of the SDK, the person who ultimately distributes the SDK needs to sign his or her own SDK.

Hope it helps anyone who encounters the same problem.

Hi zhaojb,

Starting May 1, 2024, if an app includes a privacy-impacting SDK or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. You should contact the provider of the SDK to get an updated version with a signature. For details about verifying the code signature for a third-party SDK, visit: https://developer.apple.com/support/third-party-SDK-requirements/.

Your post is a very interesting one. If I understand correctly, you already have a Firebase with a signature file, but you received an error message indicating that the privacy-impacting SDK requires a new signature file. This could mean that Firebase needs to provide you with an updated SDK that includes a signature file, but I think the nested library is actually a different issue.

Now, I want to understand more about the secondary packaging and losing the signature file. Are you nesting the SDK inside another SDK that isn't signed? What do you mean by "the original signature is lost"? I'm guessing you're wrapping the Firebase SDK with another library, and that means you should sign your own library as well.

Can you provide me with the file structure of the Frameworks inside the IPA? Are you using Xcode 15.3 to submit the app? Are you using an xcframework?

Let's gather all that information and see if we can help with the validation.
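A defender-side check for the situation discussed in this thread, written as an added example (it is not Apple's, Firebase's, or the poster's code): given an .ipa that has been unzipped to a directory, it walks `Payload/<App>.app` and reports every embedded `.framework` or `.xcframework` that carries no `_CodeSignature/CodeResources` seal, which is what `codesign` writes at the root of a signed bundle. The `Demo.app`, `SignedVendor.framework` and `WrapperSDK.framework` names are constructed for the sample tree and stand in for the wrapper SDK and the SDK it embeds; the `codesign_verify` helper only runs when the `codesign` tool is present (macOS) and returns `None` elsewhere.

```python
"""Find embedded frameworks in an unpacked .ipa that carry no code signature.

Assumption: a bundle signed with `codesign` has the file
_CodeSignature/CodeResources at its root (true for iOS .framework bundles
and for .xcframework bundles signed as a unit).
"""
import os
import shutil
import subprocess
from pathlib import Path
from tempfile import TemporaryDirectory

BUNDLE_SUFFIXES = (".framework", ".xcframework")
SIGNATURE_FILE = Path("_CodeSignature") / "CodeResources"


def find_bundles(root):
    """Yield each .framework/.xcframework directory below root.

    A signed .xcframework seals the slices inside it, so we stop descending
    once a bundle is found instead of flagging its inner frameworks.
    """
    for dirpath, dirnames, _ in os.walk(root):
        found = [d for d in dirnames if d.endswith(BUNDLE_SUFFIXES)]
        for name in found:
            dirnames.remove(name)  # prune: do not walk into the bundle
            yield Path(dirpath) / name


def is_signed(bundle):
    """True when the bundle has the resource seal that codesign writes."""
    return (Path(bundle) / SIGNATURE_FILE).is_file()


def unsigned_bundles(root):
    """Return sorted POSIX-style paths (relative to root) of unsigned bundles."""
    root = Path(root)
    return sorted(
        b.relative_to(root).as_posix()
        for b in find_bundles(root)
        if not is_signed(b)
    )


def codesign_verify(bundle):
    """Run `codesign --verify` if the tool exists (macOS only); None otherwise."""
    if shutil.which("codesign") is None:
        return None
    result = subprocess.run(
        ["codesign", "--verify", "--deep", "--strict", str(bundle)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def build_sample_payload(root):
    """Construct a throwaway Payload tree: one signed and one unsigned framework.

    Everything here is constructed sample data, not a real app or SDK.
    """
    frameworks = Path(root) / "Payload" / "Demo.app" / "Frameworks"
    signed = frameworks / "SignedVendor.framework"    # constructed name
    unsigned = frameworks / "WrapperSDK.framework"    # constructed name
    for bundle in (signed, unsigned):
        bundle.mkdir(parents=True, exist_ok=True)
        (bundle / "Info.plist").write_text("<plist/>")
    (signed / "_CodeSignature").mkdir()
    (signed / SIGNATURE_FILE).write_text("<plist/>")  # stand-in for the real seal
    return Path(root)


def scan_sample():
    """Build the sample tree in a temp dir and return the unsigned bundle list."""
    with TemporaryDirectory() as tmp:
        root = build_sample_payload(tmp)
        return unsigned_bundles(root)


if __name__ == "__main__":
    for path in scan_sample():
        print("unsigned embedded bundle:", path)
```

Run it against a real unpacked .ipa with `unsigned_bundles("/path/to/unzipped")`; anything it lists is a candidate for ITMS-91065. On a Mac the wrapper is signed with `codesign --timestamp -s "<your Apple Distribution identity>" WrapperSDK.xcframework` (identity name is a placeholder), after which `codesign -dv --verbose=4 WrapperSDK.xcframework` shows the sealing certificate and the scan above stops reporting it.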
