Version 10.47.0 AppStore Connect issues: ITMS-91065: Missing signature #8585

Closed
cuongtv51 opened this issue May 11, 2024 · 11 comments

@cuongtv51

How frequently does the bug occur?

Always

Description

Today, my app uses Carthage version 10.47.0 with Xcode 15.2. When I upload a new app, App Store Connect issues:
ITMS-91065: Missing signature - Your app includes “Frameworks/RealmSwift.framework/RealmSwift”, which includes RealmSwift, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. If a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a signature. For details about verifying the code signature for a third-party SDK, visit: https://developer.apple.com/documentation/xcode/verifying-the-origin-of-your-xcframeworks.
Please help me fix this bug

Stacktrace & log output

No response

Can you reproduce the bug?

Always

Reproduction Steps

No response

Version

10.47.0

What Atlas Services are you using?

Local Database only

Are you using encryption?

No

Platform OS and version(s)

iOS 17.4

Build environment

Xcode version: 15.2
Dependency manager and version: Realm 10.47.0


sync-by-unito bot commented May 11, 2024

➤ PM Bot commented:

Jira ticket: RCOCOA-2357

@cuongtv51
Author

My app works fine on device and simulator; it only has a problem when I submit to the App Store.
I see in the documentation https://developer.apple.com/support/third-party-SDK-requirements/ that RealmSwift is in the list of SDKs for which the App Store requires 2 things:

  • Privacy Manifests (I confirm version 10.47.0 contains that file)
  • Signatures for SDKs: as the documentation says, "Now with signatures for SDKs, when you adopt a new version of a third-party SDK in your app, Xcode will validate that it was signed by the same developer, improving the integrity of your software supply chain." ---> I think the SDK needs to include a signature file

@cuongtv51
Author

I use OneSignal with no problem, and it seems its framework is signed:
Screenshot 2024-05-12 at 08 57 01

@Jaycyn

Jaycyn commented May 12, 2024

With the privacy manifest - this has been a work in progress over the last several releases. Check out the 10.50.0 release which notes:

When RealmSwift is built as a static library you must supply your own manifest, as Xcode does not build static libraries in a way compatible with xcprivacy embedding.

With the 10.47.0 Release

Enable building RealmSwift as a dynamic framework when installing via SPM, which lets us supply a privacy manifest.

So there have been some changes - I suggest upgrading to the latest release, adjusting the frameworks per the notes and see if that makes a difference.

@cuongtv51
Author

My app uses the Carthage method, so your suggestion does not work for me :(
Can Realm provide a .xcframework that is code signed, the same as OneSignal?

@BJBeecher-PearSports

Any update on this?

@AminHeidariD

I am experiencing the same issue with new apps. I tried using version 10.50.0 with Carthage because I have to use Carthage for my project. Is there any way to fix this issue?

@cuongtv51
Author

I tried to codesign the xcframework before uploading to the App Store and it works.
You can see more detail at: https://developer.apple.com/videos/play/wwdc2023/10061
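
The workaround in the comment above, sketched as an added example (not code from this thread or from the Realm project): a pre-upload check that lists binary frameworks without a signature, plus a helper that signs and verifies one with `codesign`. The script name `check_signed.sh`, the function names, and a build directory such as `Carthage/Build` are assumptions.

```shell
#!/bin/sh
# Added example: gate an App Store upload on every binary framework being signed.
# Assumptions (not from the thread): frameworks live under a directory such as
# Carthage/Build, and a signing identity is installed in the keychain.

# Structural check: a signed .xcframework carries _CodeSignature/CodeResources
# at its root. This shows a signature is present, not that it is valid.
has_signature() {
    [ -f "$1/_CodeSignature/CodeResources" ]
}

# Print each .xcframework under directory $1 that has no signature, one per line.
unsigned_xcframeworks() {
    find "$1" -type d -name '*.xcframework' -prune | sort |
    while IFS= read -r fw; do
        has_signature "$fw" || printf '%s\n' "$fw"
    done
}

# Sign bundle $1 with identity $2 (macOS only), then verify the result.
sign_xcframework() {
    codesign --timestamp -v --sign "$2" "$1" &&
    codesign --verify --verbose "$1"
}

# Usage: sh check_signed.sh <dir>   (exits 1 if anything is unsigned)
if [ "$#" -ge 1 ]; then
    missing=$(unsigned_xcframeworks "$1")
    if [ -n "$missing" ]; then
        printf 'unsigned xcframeworks:\n%s\n' "$missing" >&2
        exit 1
    fi
fi
```

Call `sign_xcframework <path> "<identity>"` for each path the check reports, then rerun the check before archiving.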

@alexanderwe

@cuongtv51 @tgoyne I hope it's okay to ask this in a closed issue, but will it be the official way of self-signing the binaries when including Realm as a binary framework, or will there be officially signed .xcframework files in the future?

@tgoyne
Member

tgoyne commented May 20, 2024

We'll start signing our release artifacts at some point in the future now that it's possible.

@alexanderwe

Great news, thanks a lot for that information
