Description
Flutter iOS XCFrameworks now need to be codesigned, not just the framework binaries within them. This will be enforced by Xcode at some point in Spring 2024.
```
codesign --sign "Apple Developer cert etc" ... path/to/Flutter.xcframework
```
Now with signatures for SDKs, when you adopt a new version of a third-party SDK in your app, Xcode will validate that it was signed by the same developer, improving the integrity of your software supply chain.
In Xcode Flutter.xcframework is marked as unsigned:

Note xcframework is a directory (bundle), not a binary. Also the extension_safe XCFramework needs to be signed as well.
Relevant code
Conductor:
flutter/dev/conductor/core/lib/src/codesign.dart
Lines 192 to 211 in 1082342
```dart
Future<List<String>> get binariesWithoutEntitlements async {
  final String frameworkCacheDirectory = await framework.cacheDirectory;
  return <String>[
    'artifacts/engine/darwin-x64-profile/FlutterMacOS.framework/Versions/A/FlutterMacOS',
    'artifacts/engine/darwin-x64-release/FlutterMacOS.framework/Versions/A/FlutterMacOS',
    'artifacts/engine/darwin-x64/FlutterMacOS.framework/Versions/A/FlutterMacOS',
    'artifacts/engine/darwin-x64/font-subset',
    'artifacts/engine/darwin-x64/impellerc',
    'artifacts/engine/darwin-x64/libpath_ops.dylib',
    'artifacts/engine/darwin-x64/libtessellator.dylib',
    'artifacts/engine/ios-profile/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
    'artifacts/engine/ios-profile/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
    'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
    'artifacts/engine/ios-profile/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
    'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
    'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
    'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
    'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
    'artifacts/engine/ios/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
    'artifacts/engine/ios/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
```
Engine:
https://github.com/flutter/engine/blob/ab4098c742f85518ae5e9773b8a2c1be181cef32/sky/tools/create_full_ios_framework.py#L212-L217
And then wherever the codesigning actually happens.
Docs
https://developer.apple.com/documentation/xcode/verifying-the-origin-of-your-xcframeworks
https://developer.apple.com/videos/play/wwdc2023/10060/
https://developer.apple.com/videos/play/wwdc2023/10061/?time=878

cc @XilaiZhang @vashworth @stuartmorgan
Related to privacy manifest work #131494
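
An added example, not part of the issue or of Flutter's conductor or engine code: a Python sketch that maps the per-binary paths listed above to the enclosing `.xcframework` bundle directories, flags bundles that have no `_CodeSignature` directory at their root, and builds the `codesign --sign` invocation for each. The function names and the cache directory argument are hypothetical, and the `_CodeSignature` check is only a presence heuristic; `codesign` itself remains the authority on whether a signature is valid.

```python
import os

# A subset of the paths from the conductor list quoted in the issue.
SAMPLE_BINARIES = [
    'artifacts/engine/darwin-x64/impellerc',
    'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
    'artifacts/engine/ios-release/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
    'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64/Flutter.framework/Flutter',
    'artifacts/engine/ios-release/extension_safe/Flutter.xcframework/ios-arm64_x86_64-simulator/Flutter.framework/Flutter',
]


def xcframework_roots(binary_paths):
    """Return the distinct .xcframework bundle directories enclosing the given binaries."""
    roots = []
    for path in binary_paths:
        parts = path.split('/')
        for i, part in enumerate(parts):
            if part.endswith('.xcframework'):
                root = '/'.join(parts[:i + 1])
                if root not in roots:
                    roots.append(root)
                break  # stop at the outermost bundle; plain binaries yield nothing
    return roots


def unsigned_bundles(cache_dir, roots):
    """Return bundle roots lacking a _CodeSignature directory (presence heuristic only)."""
    return [r for r in roots
            if not os.path.isdir(os.path.join(cache_dir, r, '_CodeSignature'))]


def codesign_commands(cache_dir, roots, identity):
    """Build one argv per bundle, using only the flag shown in the issue."""
    return [['codesign', '--sign', identity, os.path.join(cache_dir, r)]
            for r in roots]


if __name__ == '__main__':
    cache = 'bin/cache'  # hypothetical cache location
    todo = unsigned_bundles(cache, xcframework_roots(SAMPLE_BINARIES))
    for argv in codesign_commands(cache, todo, 'PLACEHOLDER_IDENTITY'):
        print(' '.join(argv))
```
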