OpenSSL xcframework signature issue / InvalidBinary. URGENT ‼️ #12888

Closed
arturdev opened this issue May 2, 2024 · 13 comments


arturdev commented May 2, 2024

Description

When submitting the app to App Store review, after a few minutes I receive the following email:

ITMS-91065: Missing signature - Your app includes “Frameworks/openssl.framework/openssl”, which includes BoringSSL / openssl_grpc, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. If a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a signature. For details about verifying the code signature for a third-party SDK, visit: https://developer.apple.com/documentation/xcode/verifying-the-origin-of-your-xcframeworks.

And the status is changed to "Invalid Binary".

Note that Firebase is the only dependency that uses openssl/grpc.

Reproducing the issue

No response

Firebase SDK Version

10.25.0

Xcode Version

15.3

Installation Method

Swift Package Manager

Firebase Product(s)

Analytics, Crashlytics

Targeted Platforms

iOS

Relevant Log Output

No response

If using Swift Package Manager, the project's Package.resolved

{
  "originHash" : "e8f9851bc3826b8d125ab109e077a21f96ced46538b4af32a227b536a1926d70",
  "pins" : [
    {
      "identity" : "abseil-cpp-binary",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/abseil-cpp-binary.git",
      "state" : {
        "revision" : "748c7837511d0e6a507737353af268484e1745e2",
        "version" : "1.2024011601.1"
      }
    },
    {
      "identity" : "alamofire",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/Alamofire/Alamofire.git",
      "state" : {
        "revision" : "f455c2975872ccd2d9c81594c658af65716e9b9a",
        "version" : "5.9.1"
      }
    },
    {
      "identity" : "app-check",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/app-check.git",
      "state" : {
        "revision" : "7d2688de038d5484866d835acb47b379722d610e",
        "version" : "10.19.0"
      }
    },
    {
      "identity" : "defaults",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/sindresorhus/Defaults",
      "state" : {
        "branch" : "main",
        "revision" : "38925e3cfacf3fb89a81a35b1cd44fd5a5b7e0fa"
      }
    },
    {
      "identity" : "firebase-ios-sdk",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/firebase/firebase-ios-sdk.git",
      "state" : {
        "revision" : "97940381e57703c07f31a8058d8f39ec53b7c272",
        "version" : "10.25.0"
      }
    },
    {
      "identity" : "googleappmeasurement",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/GoogleAppMeasurement.git",
      "state" : {
        "revision" : "16244d177c4e989f87b25e9db1012b382cfedc55",
        "version" : "10.25.0"
      }
    },
    {
      "identity" : "googledatatransport",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/GoogleDataTransport.git",
      "state" : {
        "revision" : "a637d318ae7ae246b02d7305121275bc75ed5565",
        "version" : "9.4.0"
      }
    },
    {
      "identity" : "googleutilities",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/GoogleUtilities.git",
      "state" : {
        "revision" : "26c898aed8bed13b8a63057ee26500abbbcb8d55",
        "version" : "7.13.1"
      }
    },
    {
      "identity" : "grpc-binary",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/grpc-binary.git",
      "state" : {
        "revision" : "e9fad491d0673bdda7063a0341fb6b47a30c5359",
        "version" : "1.62.2"
      }
    },
    {
      "identity" : "gtm-session-fetcher",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/gtm-session-fetcher.git",
      "state" : {
        "revision" : "9534039303015a84837090d20fa21cae6e5eadb6",
        "version" : "3.3.2"
      }
    },
    {
      "identity" : "interop-ios-for-google-sdks",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/interop-ios-for-google-sdks.git",
      "state" : {
        "revision" : "2d12673670417654f08f5f90fdd62926dc3a2648",
        "version" : "100.0.0"
      }
    },
    {
      "identity" : "iqkeyboardmanager",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/hackiftekhar/IQKeyboardManager",
      "state" : {
        "revision" : "c00b1ae9fa1ad8af4465bb6ca901f6943fc98eba",
        "version" : "6.5.16"
      }
    },
    {
      "identity" : "keychainaccess",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/kishikawakatsumi/KeychainAccess",
      "state" : {
        "branch" : "master",
        "revision" : "e0c7eebc5a4465a3c4680764f26b7a61f567cdaf"
      }
    },
    {
      "identity" : "leveldb",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/firebase/leveldb.git",
      "state" : {
        "revision" : "a0bc79961d7be727d258d33d5a6b2f1023270ba1",
        "version" : "1.22.5"
      }
    },
    {
      "identity" : "moya",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/Moya/Moya.git",
      "state" : {
        "revision" : "c263811c1f3dbf002be9bd83107f7cdc38992b26",
        "version" : "15.0.3"
      }
    },
    {
      "identity" : "nanopb",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/firebase/nanopb.git",
      "state" : {
        "revision" : "b7e1104502eca3a213b46303391ca4d3bc8ddec1",
        "version" : "2.30910.0"
      }
    },
    {
      "identity" : "nuke",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/kean/Nuke",
      "state" : {
        "revision" : "4625c73ea00a9fb4b4f3e28d95d0021a44af7e59",
        "version" : "12.5.0"
      }
    },
    {
      "identity" : "nvactivityindicatorview",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/ninjaprox/NVActivityIndicatorView",
      "state" : {
        "revision" : "bcb52371f2259254bac6690f92bb474a61768c47",
        "version" : "5.1.1"
      }
    },
    {
      "identity" : "openssl-apple",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/passepartoutvpn/openssl-apple",
      "state" : {
        "revision" : "0edc07c7a0e4ec2ca0f448dd68314241ccc925b3",
        "version" : "3.2.107"
      }
    },
    {
      "identity" : "promises",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/promises.git",
      "state" : {
        "revision" : "540318ecedd63d883069ae7f1ed811a2df00b6ac",
        "version" : "2.4.0"
      }
    },
    {
      "identity" : "reactiveswift",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/ReactiveCocoa/ReactiveSwift.git",
      "state" : {
        "revision" : "c43bae3dac73fdd3cb906bd5a1914686ca71ed3c",
        "version" : "6.7.0"
      }
    },
    {
      "identity" : "rxswift",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/ReactiveX/RxSwift.git",
      "state" : {
        "revision" : "9dcaa4b333db437b0fbfaf453fad29069044a8b4",
        "version" : "6.6.0"
      }
    },
    {
      "identity" : "swift-package-manager-google-mobile-ads",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/googleads/swift-package-manager-google-mobile-ads.git",
      "state" : {
        "revision" : "9ab66e38f5f0c2d02f2b024b1babd880130f19bf",
        "version" : "11.3.0"
      }
    },
    {
      "identity" : "swift-package-manager-google-user-messaging-platform",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/googleads/swift-package-manager-google-user-messaging-platform.git",
      "state" : {
        "revision" : "cfe8b2ae16b9bc81f4cdf1d1a12a01a452489c32",
        "version" : "2.3.0"
      }
    },
    {
      "identity" : "swift-protobuf",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/apple/swift-protobuf.git",
      "state" : {
        "revision" : "9f0c76544701845ad98716f3f6a774a892152bcb",
        "version" : "1.26.0"
      }
    },
    {
      "identity" : "swiftmessages",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/SwiftKickMobile/SwiftMessages",
      "state" : {
        "revision" : "62e12e138fc3eedf88c7553dd5d98712aa119f40",
        "version" : "9.0.9"
      }
    },
    {
      "identity" : "swiftybeaver",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/SwiftyBeaver/SwiftyBeaver",
      "state" : {
        "revision" : "12b5acf96d98f91d50de447369bd18df74600f1a",
        "version" : "1.9.6"
      }
    },
    {
      "identity" : "tunnelkit",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/passepartoutvpn/tunnelkit",
      "state" : {
        "branch" : "master",
        "revision" : "339b509ddfd2838ee348d186e9a3016b0f8f447d"
      }
    },
    {
      "identity" : "wireguard-apple",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/passepartoutvpn/wireguard-apple",
      "state" : {
        "revision" : "b79f0f150356d8200a64922ecf041dd020140aa0"
      }
    }
  ],
  "version" : 3
}

@google-oss-bot

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

@arturdev arturdev changed the title OpenSSL xcframework signature issue / InvalidBinary OpenSSL xcframework signature issue / InvalidBinary. URGENT May 2, 2024
@arturdev arturdev changed the title OpenSSL xcframework signature issue / InvalidBinary. URGENT OpenSSL xcframework signature issue / InvalidBinary. URGENT ‼️ May 2, 2024
@ncooke3
Member

ncooke3 commented May 2, 2024

Hi @arturdev, this actually looks related to the following dependency shown in the Package.resolved:

 {
      "identity" : "openssl-apple",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/passepartoutvpn/openssl-apple",
      "state" : {
        "revision" : "0edc07c7a0e4ec2ca0f448dd68314241ccc925b3",
        "version" : "3.2.107"
      }
    },

The reason being that the release for this dependency (https://github.com/passepartoutvpn/openssl-apple/releases/tag/3.2.107) has an openssl.xcframework artifact.

Firebase uses a similarly named, but different dependency from:

    {
      "identity" : "grpc-binary",
      "kind" : "remoteSourceControl",
      "location" : "https://github.com/google/grpc-binary.git",
      "state" : {
        "revision" : "e9fad491d0673bdda7063a0341fb6b47a30c5359",
        "version" : "1.62.2"
      }
    },

called openssl_grpc.xcframework which does contain a code signature.

I recommend creating an issue in the https://github.com/passepartoutvpn/openssl-apple repo.

@arturdev
Author

arturdev commented May 2, 2024

@ncooke3 I don't think you're right, because Apple clearly states that they find BoringSSL...
The link you posted doesn't have any reference to BoringSSL... only firebase has a reference to it

@ncooke3
Member

ncooke3 commented May 2, 2024

Apple's warning says:

ITMS-91065: Missing signature - Your app includes “Frameworks/openssl.framework/openssl”, which includes BoringSSL / openssl_grpc, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. If a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a signature. For details about verifying the code signature for a third-party SDK, visit: https://developer.apple.com/documentation/xcode/verifying-the-origin-of-your-xcframeworks.

Firebase does not provide a framework named openssl.framework. Firebase does provide a framework named openssl_grpc.framework, but the App Store Connect error does not list openssl_grpc.framework as the problematic framework.

https://github.com/passepartoutvpn/openssl-apple does, however, offer an openssl.framework, but this isn't a Firebase dependency (it is listed in your Package.resolved, though).
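
The distinction drawn in this comment can be checked locally before uploading; the following is an added example, not part of the original thread or of Firebase's tooling. It lists every `.xcframework` under a directory and reports whether a `_CodeSignature/CodeResources` file is present at its root, printing the relative path so the owning package is visible. The `artifacts/<package>/<target>/` layout of the sample tree is constructed for illustration, and the check is a presence test only, not cryptographic verification.

```shell
#!/bin/sh
# Added example: report each .xcframework under a directory as SIGNED or
# UNSIGNED. A signed XCFramework carries a _CodeSignature directory at its
# root; this is a structural presence check, not signature verification.
audit_xcframeworks() {
    root=$1
    # -prune stops find from descending into a matched xcframework.
    find "$root" -type d -name '*.xcframework' -prune | sort |
    while IFS= read -r fw; do
        if [ -f "$fw/_CodeSignature/CodeResources" ]; then
            status=SIGNED
        else
            status=UNSIGNED
        fi
        # Path relative to the root shows which package ships the framework.
        printf '%s %s\n' "$status" "${fw#"$root"/}"
    done
}

# Succeeds (exit 0) when at least one unsigned xcframework is present,
# so it can gate a CI step.
has_unsigned() {
    audit_xcframeworks "$1" | grep -q '^UNSIGNED '
}

# Constructed sample tree (assumed layout, empty placeholder files) mirroring
# the two frameworks discussed in this thread.
make_sample_tree() {
    d=$(mktemp -d)
    signed="$d/artifacts/grpc-binary/openssl_grpc/openssl_grpc.xcframework"
    unsigned="$d/artifacts/openssl-apple/openssl/openssl.xcframework"
    mkdir -p "$signed/_CodeSignature" "$unsigned/ios-arm64/openssl.framework"
    : > "$signed/_CodeSignature/CodeResources"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
audit_xcframeworks "$sample"
rm -rf "$sample"
```

On macOS, follow up on any framework reported as SIGNED with `codesign --verify --verbose <path>` to validate the signature itself.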

@NasrullahKhan

@arturdev did you manage to find the solution?

@arturdev
Author

arturdev commented May 7, 2024

@NasrullahKhan yes... Eventually, the issue was with https://github.com/passepartoutvpn/openssl-apple, so I ended up using another library, other than passepartoutvpn's one.

@NasrullahKhan

@arturdev which library did you use? Because I'm also using tunnelkit for TCP/UDP and WireGuard protocols.

@arturdev
Author

arturdev commented May 7, 2024

@NasrullahKhan I built mine, on top of @OpenVPN's official

@NasrullahKhan

@arturdev can you help?

@arturdev
Author

arturdev commented May 7, 2024

with what?

@NasrullahKhan

How did you build yours?

@arturdev
Author

arturdev commented May 7, 2024

On top of this: https://github.com/OpenVPN/openvpn3
The rest you should figure out yourself

@NasrullahKhan

@arturdev Thanks.

@firebase firebase locked and limited conversation to collaborators Jun 2, 2024