Verify app dependencies with digital signatures

Xcode can now automatically verify the integrity of your dependencies through signature verification. This addresses the software supply chain attacks that have been happening, where a third-party SDK is tampered with somewhere between its author and the app that embeds it.

Just like the discussion on privacy reporting, it is ultimately each developer's responsibility to ensure that all signatures are valid and that you are not shipping maliciously modified code.

Dependency Signatures

  • Code signing links the binary, Info.plist and privacy manifest to your developer identity. It does so via a CDHash (the hash of the code directory covering those pieces) signed with the certificate that carries your developer identity. The signature lets anyone validate that the object has not been modified since signing and that it was signed with your key.
  • The new signature verification automatically handles the dependencies in your project.
    • It tracks the identity of each framework in your project.
    • The chain of trust lets it follow legitimate changes, such as a renewed certificate for the same identity, without raising a false alarm.
  • A revoked certificate triggers an alert so you can resolve the issue or remove the framework from your application.

App developers

  • Demo with the Backyard Birds app: for any XCFramework in the project, you can see its signing information in Xcode.
  • Note the Kind and Status fields. When you build the app, all signatures are validated.
  • If a signature does not match what Xcode recorded, the build fails and you get an alert with an option to accept the change or trash the framework. Be especially careful when the signer is a self-signed certificate: nothing outside your project vouches for that identity, so a "changed" self-signed signature deserves a conversation with the SDK vendor before you accept it.
  • You should start using only signed SDKs

SDK Authors

  • For SDK authors, it becomes important to sign your SDKs so that developers can confirm the code has not been manipulated.
  • You can sign with either an Apple Developer Program (ADP) certificate or a self-signed certificate.
  • For ADP, use Apple Distribution or Apple Development certificates.
    • Apple attests to these certificates.
    • Validation is handled automatically.
  • You can sign your code with: codesign --timestamp -v --sign "Apple Distribution: (XXXX)" App.xcframework
    • The identity string is a placeholder; use the name of your own certificate. The --timestamp flag records a trusted timestamp so the signature can still be validated after the certificate expires.
    • This example uses an Apple Distribution identity, which requires ADP membership; a non-member would substitute the name of a self-signed certificate.
  • You should start signing right away, either with ADP or self-signed certificates.
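The following script is an added example, not code from the session, showing both sides of the workflow above in one place: the SDK author's signing command from the SDK Authors notes, and the check an app developer (or a CI job) can run on an incoming XCFramework before building against it, complementing Xcode's own build-time validation. It assumes a framework named Vendor.xcframework, a vendor Team ID of ABCDE12345, and the identity string shown; the `codesign -dvv` samples it feeds to its identity check are constructed, not captured from a real framework, so the identity logic can be exercised on any POSIX shell while the codesign calls themselves need macOS.

```shell
#!/bin/sh
# Added example (not from the session). Names such as Vendor.xcframework, the
# identity string and the Team ID ABCDE12345 are assumptions.
set -u

# SDK author: sign with a trusted timestamp so the signature stays verifiable
# after the signing certificate expires. Requires macOS and a signing identity.
sign_xcframework() {
  identity="$1"   # e.g. "Apple Distribution: Example Corp (ABCDE12345)" or a self-signed cert name
  framework="$2"
  codesign --timestamp -v --sign "$identity" "$framework"
}

# App developer, step 1: cryptographic check (signature valid, sealed resources
# intact). Requires macOS. This proves integrity but says nothing about who signed.
verify_signature() {
  codesign --verify --strict --verbose=2 "$1"
}

# App developer, step 2: identity pinning. Reads `codesign -dvv` output on stdin
# and accepts only when TeamIdentifier equals the Team ID expected from the vendor.
# A self-signed certificate carries no Team ID (codesign reports "TeamIdentifier=not set"),
# so it is rejected here: that is the case the notes warn about, because nothing
# outside your project vouches for such an identity.
check_signer() {
  expected="$1"
  leaf=""; team=""
  while IFS= read -r line; do
    case "$line" in
      Authority=*)
        if [ -z "$leaf" ]; then leaf="${line#Authority=}"; fi   # first Authority line is the leaf cert
        ;;
      TeamIdentifier=*)
        team="${line#TeamIdentifier=}"
        ;;
    esac
  done
  if [ -n "$team" ] && [ "$team" = "$expected" ]; then
    printf 'signer OK: %s (TeamIdentifier=%s)\n' "$leaf" "$team"
    return 0
  fi
  printf 'signer REJECTED: leaf="%s" TeamIdentifier="%s" expected=%s\n' "$leaf" "$team" "$expected" >&2
  return 1
}

# Full check on macOS. `codesign -dvv` writes its report to stderr, hence 2>&1.
verify_xcframework() {
  framework="$1"; expected_team="$2"
  verify_signature "$framework" && codesign -dvv "$framework" 2>&1 | check_signer "$expected_team"
}

# Constructed samples of the lines `codesign -dvv` reports (not captured from a
# real framework), so the identity check can be exercised without macOS.
SAMPLE_ADP='Identifier=com.example.vendor.Vendor
Format=bundle
Authority=Apple Distribution: Example Corp (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Jun 6, 2023 at 10:00:00 AM
TeamIdentifier=ABCDE12345'

SAMPLE_SELF_SIGNED='Identifier=com.example.vendor.Vendor
Format=bundle
Authority=Example Corp SDK Signing (self-signed)
TeamIdentifier=not set'

SAMPLE_OTHER_TEAM='Authority=Apple Distribution: Someone Else (ZZZZZ99999)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ZZZZZ99999'

demo() {
  printf '%s\n' "$SAMPLE_ADP"         | check_signer ABCDE12345 || :   # accepted
  printf '%s\n' "$SAMPLE_SELF_SIGNED" | check_signer ABCDE12345 || :   # rejected: no Team ID to pin
  printf '%s\n' "$SAMPLE_OTHER_TEAM"  | check_signer ABCDE12345 || :   # rejected: wrong team
  # On macOS, against a real framework:
  #   verify_xcframework Vendor.xcframework ABCDE12345
  return 0
}
demo
```

Pin the Team ID rather than the full identity string: Apple's chain of trust lets a vendor renew or replace a certificate under the same team, which is exactly the change the notes say Xcode tolerates, while a different team, a revoked chain or a self-signed signer still fails the check. Run `verify_signature` first every time; parsing the report alone would happily accept a framework whose seal is broken.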