ITMS-91065: Missing Signature in Privacy Impacting SDK

Question

I submitted my app to the App Review and got the following message.

ITMS-91065: Missing signature - Your app includes “Frameworks/OpenSSL.framework/OpenSSL”, which includes BoringSSL / openssl_grpc, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. If a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a signature.

Context

• I used the nextcloud/ios

• OpenSSL version used 1.1.2200

From what I have searched, it seems like an issue with the OpenSSL version - source, which may not include the privacy manifest yet.

Answer 1

So after banging my head for hours I finally resolved the issue on my end. Here's the story, It's now necessary that These list of SDKs should have a Privacy Manifest, and yeah! It should be included on the SDK itself, you cant add it on your app level.

Since a lot of react native apps are using flipper, the flipper uses OpenSSL-Universal 1.1.1100 that doesn't have this Privacy Manifest. The creator of the OpenSSL-Universal released 1.1.2300 a few days back and it contains the manifest, The thing is you cant just update this (Well, I couldn't). The only thing that worked for me is to remove the flipper from the app completely (Remove from Podfile and AppDelegate) and run a pod install.

Now remove podfile.lock and manifest.lock (inside Pods folder if available).

After that add the

pod 'OpenSSL-Universal', :git => 'https://github.com/krzyzanowskim/OpenSSL.git', :tag => '1.1.2300'

to the podfile (At the outermost level) and do a pod install again, it will install 1.1.2300 and you're good to go!

Answer 2

The cause of problem was the older OpenSSL version (1.1.22.00), which didn't include the Privacy Manifest file.

I upgraded it to 3.1.5004 as per the repo, which resolved the issue.

Project -> Package Dependencies

Note: I'm not sure if upgrading the version can lead to other issues in the app functionality.

Answer 3

I was facing this issue with OpenSSL and BoringSSL. I did the following:

1. In XCode click on File/New File. Scroll down to Resource and select AppPrivacy. Save the file leaving the name PrivacyInfo.
2. Add the following code to the PrivacyInfo file.

<dict>
    <key>NSPrivacyTracking</key>
    <false/>
    <key>NSPrivacyTrackingDomains</key>
    <array/>
    <key>NSPrivacyCollectedDataTypes</key>
    <array/>
    <key>NSPrivacyAccessedAPITypes</key>
    <array/>
</dict>

3. Delete Podfile.lock. Add to you Podfile the following line: pod 'OpenSSL-Universal' before target 'YourAppNameTest' do and run the following from your app folder: cd ios && pod install && cd ../

This worked for me and the app wasn't rejected due the signature file.

Answer 4

Apple published a list of SDKs which require manifests and signatures. If you link them statically, you are required to provide the manifests and signatures in your app. https://developer.apple.com/support/third-party-SDK-requirements/

Apple uses multiple names when referring to the list. "privacy-impacting third-party SDK" was used first in the WWDC session announcing the privacy manifests. "commonly used SDKs" is another name.

If you add the SDK with Cocoapods, then the build phase "[CP] Embed Pods Frameworks" probably already does the signing in the shell script.

Found a reference to adding a manifest in BoringSSL here: https://boringssl-review.googlesource.com/c/boringssl/+/67487

An 'OpenSSL' is listed in Apple's article as well, so you might want to be sure that has a privacy manifest as well.

Also, make sure the PrivacyInfo.xcprivacy is fully formed with all 4 of the top-level keys required. Missing a key can sometimes be the cause of scanners missing them during the submission.