10000 XCFramework expected sigature missing from generated projects · Issue #7385 · tuist/tuist · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
XCFramework expected sigature missing from generated projects #7385
New issue
New issue
Closed
#7411
Closed
XCFramework expected sigature missing from generated projects#7385
#7411
Assignees
pepicrftfortmarek
Labels
domain:dependenciesFor issues and PRs related to integrating third-party dependenciestype:bugSomething isn't working
@TamarMilchtaich

Description

@TamarMilchtaich
TamarMilchtaich
opened on Mar 6, 2025

What happened?

Background

XCFrameworks have an expected signature, as explained in this Apple documentation:
Verifying the origin of your XCFrameworks

Support for this was added to xcodeproj via this PR: CocoaPods/Xcodeproj#924.

Issue

It appears that Tuist does not support the expectedSignature property when adding an XCFramework dependency. When a project is generated that includes an XCFramework, the framework is added without this signature. Additionally, there doesn’t seem to be any reference to expectedSignature in Tuist’s codebase.

Expected Behavior

Tuist should allow specifying an expectedSignature for XCFramework dependencies, ensuring that projects generated by Tuist conform to Apple’s security requirements.

How do we reproduce it?

  1. Download the zip file attached here and unzip it.
  2. Download RxSwift.xcframwork from https://github.com/ReactiveX/RxSwift, and drag it into the xcframeworks directory. Make sure it is signed (you can compare the signature to the one in the README of this repo, see Apple's doc).
  3. (Optional) Run git init in the extracted directory to track changes more easily.
  4. With the .xcodeproj from this directory closed, run:
tuist generate --no-open
  1. Observe the changes in the .xcodeproj file.

The provided directory contains an .xcodeproj file that is not the one generated by Tuist, but rather the one that Xcode automatically modifies to include the missing signature. Running tuist generate will highlight the differences between the Tuist-generated project and the expected format (which Xcode tries to revert to automatically).

xcframework-signature-example.zip

Error log

Example of the difference:

- 5CA7963E2D8E037E81425C42 /* RxSwift.xcframework */ = {isa = PBXFileReference; expectedSignature = "SelfSigned:BD802E794C8ABDDA4C3F5D92B3E4C4FBFAE4734410B9AD73442EF1CEB0276140"; lastKnownFileType = wrapper.xcframework; path = RxSwift.xcframework; sourceTree = "<group>"; };
+ 5CA7963E2D8E037E81425C42 /* RxSwift.xcframework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.xcframework; path = RxSwift.xcframework; sourceTree = "<group>"; };
  • - -> before running tuist generate
  • + -> after running tuist generate

macOS version

Saquia

Tuist version

4.43.2

Xcode version

16.1 (but also observed in other versions)

Metadata

Metadata

Assignees

Labels

domain:dependenciesFor issues and PRs related to integrating third-party dependenciestype:bugSomething isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions
    0