How do I trust a swift macro target for Xcode Cloud builds?

Question

I just added my first Xcode 15, Swift 5.9 macro from an open source package that I'm referencing via Swift Package Manager. The first time I compiled locally, I had to trust the macro's package via a dialog box, which is fine for a local build. However, now my app doesn't build on Xcode Cloud, with the error "Target must be enabled before it can be used."

How do I tell Xcode Cloud to trust the macro's target?

Answer 1

While others have given partial answers, here's the full copy & passable solution:

1. Right-click your project in Xcode and create a "New Group" named ci_scripts
2. Right-click that folder and create a "New Empty File" named ci_post_clone.sh
3. Copy & paste the following code into that file:

#!/bin/sh

# Exit on error (-e), undefined vars (-u), and pipeline failures (-o pipefail)
set -euo pipefail

# Disable Xcode macro fingerprint validation to prevent spurious build errors
defaults write com.apple.dt.Xcode IDESkipMacroFingerprintValidation -bool YES

4. In terminal within your project folder run chmod +x ci_scripts/ci_post_clone.sh
5. Commit the new file & push (or do whatever is needed) to trigger a new build

The result should look something like this:

Now Xcode Cloud should no longer complain about macros.

P.S.: I do not think that copying the macros.json file is any safer than simply enabling all macros. If you can't trust your team and your release workflow, you have bigger problems than macros running in a sandbox Xcode Cloud environment.

Answer 2

Cobbled together the answers here and elsewhere to get this working with Xcode Cloud and Xcode v16.2

Easiest way to do this is to

1. Create a new group off your project file
2. Name the group 'ci_scripts'
3. Create an empty script file 'ci_pre_xcodebuild.sh'
4. Add a single line to the script file

defaults write com.apple.dt.Xcode IDESkipMacroFingerprintValidation -bool YES

Note: there might be more secure (complicated) ways to achieve this but I would argue that a non-trusted library should be caught before it's added to your git repo.

i.e. when a package is added that has a macro, the macro will need to be approved manually. the human adding the package will always be the weak link here

Answer 3

I stumbled across this question after my Bitrise (not Xcode cloud) builds started failing when I integrated Swiftlint via SPM.

The solution for me was to add the following as a Script step in Bitrise:

defaults write com.apple.dt.Xcode IDESkipPackagePluginFingerprintValidatation -bool YES

The following didn't work:

• adding -skipMacroValidation to the xcodebuild command
• setting the IDESkipMacroFingerprintValidation key

So I wonder if something has changed since the other answers were posted.

Also: IDESkipPackagePluginFingerprintValidatation is not a typo. I suspect this may be fixed at some point 😅

Answer 4

The suggestion provided by slavikus does work, but it poses a security risk because it enables any macro, allowing for the inclusion of malicious code in your Xcode build.

A safer approach could be to inform Xcode Cloud about the Macros you have explicitly enabled in your project, which are stored at ~/Library/org.swift.swiftpm/security/macros.json, by creating a post-clone script that copies this file into an internal location within Xcode Cloud.

Here are the steps to implement this solution:

1. Create a folder called ci_scripts in your project's root directory.
2. In this folder, create a script named ci_post_clone.sh with the following content:

#!/bin/zsh 

mkdir -p ~/Library/org.swift.swiftpm/security/
cp macros.json ~/Library/org.swift.swiftpm/security/

3. Copy file ~/Library/org.swift.swiftpm/security/macros.json into the same folder.

This script will be executed after your project is cloned from the repo and before Xcode Cloud starts building the project.

For more details about writing custom scripts to enhance Xcode Cloud workflows: https://developer.apple.com/documentation/xcode/writing-custom-build-scripts

Answer 5

I ran into same problem, and quickly discovered an additional defaults key that bypasses macro validation (same as -skipMacroValidation xcodebuild command line option):

defaults write com.apple.dt.Xcode IDESkipMacroFingerprintValidation -bool YES