From 18f55ce01610a61fa929950cc15de8d272d83c24 Mon Sep 17 00:00:00 2001 From: Russell Keith-Magee Date: Wed, 27 Aug 2025 16:11:50 +0800 Subject: [PATCH 1/2] Add support for handling XCPrivacy manifests. --- Apple/__main__.py | 18 +++++++++++++++ Apple/iOS/Resources/OpenSSL.xcprivacy | 23 +++++++++++++++++++ .../testbed/Python.xcframework/build/utils.sh | 13 +++++++++++ Doc/using/ios.rst | 22 +++++++++++++++++- ...-08-28-06-22-26.gh-issue-132006.eZQmc6.rst | 2 ++ 5 files changed, 77 insertions(+), 1 deletion(-) create mode 100644 Apple/iOS/Resources/OpenSSL.xcprivacy create mode 100644 Misc/NEWS.d/next/Tools-Demos/2025-08-28-06-22-26.gh-issue-132006.eZQmc6.rst diff --git a/Apple/__main__.py b/Apple/__main__.py index fc19b31be97bb2..3aceb60410c952 100644 --- a/Apple/__main__.py +++ b/Apple/__main__.py @@ -577,6 +577,7 @@ def create_xcframework(platform: str) -> str: # Extract the package version from the merged framework version = package_version(package_path / "Python.xcframework") + version_tag = ".".join(version.split(".")[:2]) # On non-macOS platforms, each framework in XCframework only contains the # headers, libPython, plus an Info.plist. Other resources like the standard @@ -647,6 +648,23 @@ def create_xcframework(platform: str) -> str: slice_framework / f"Headers/pyconfig-{arch}.h", ) + # Apple identifies certain libraries as "security risks"; OpenSSL is + # one of those libraries. Since we have statically linked OpenSSL into + # dynamic libraries that will be converted into frameworks when an + # application is built, we are also responsible for providing + # .xcprivacy files for those frameworks. + print(f" - {multiarch} xcprivacy files") + for module, privacy in [ + ("_hashlib", "OpenSSL"), + ("_ssl", "OpenSSL"), + ]: + shutil.copy( + PYTHON_DIR + / f"Apple/{platform}/Resources/{privacy}.xcprivacy", + slice_path + / f"lib-{arch}/python{version_tag}/lib-dynload/{module}.xcprivacy", + ) + print(" - build tools") shutil.copytree( PYTHON_DIR / "Apple/testbed/Python.xcframework/build", diff --git a/Apple/iOS/Resources/OpenSSL.xcprivacy b/Apple/iOS/Resources/OpenSSL.xcprivacy new file mode 100644 index 00000000000000..95780a091adc10 --- /dev/null +++ b/Apple/iOS/Resources/OpenSSL.xcprivacy @@ -0,0 +1,23 @@ + + + + + NSPrivacyAccessedAPITypes + + + NSPrivacyAccessedAPIType + NSPrivacyAccessedAPICategoryFileTimestamp + NSPrivacyAccessedAPITypeReasons + + C617.1 + + + + NSPrivacyCollectedDataTypes + + NSPrivacyTrackingDomains + + NSPrivacyTracking + + + diff --git a/Apple/testbed/Python.xcframework/build/utils.sh b/Apple/testbed/Python.xcframework/build/utils.sh index 9cfe74720f26d4..961c46d014b5f5 100755 --- a/Apple/testbed/Python.xcframework/build/utils.sh +++ b/Apple/testbed/Python.xcframework/build/utils.sh @@ -67,6 +67,9 @@ install_dylib () { # The name of the extension file EXT=$(basename "$FULL_EXT") + # The name and location of the module + MODULE_PATH=$(dirname "$FULL_EXT") + MODULE_NAME=$(echo $EXT | cut -d "." -f 1) # The location of the extension file, relative to the bundle RELATIVE_EXT=${FULL_EXT#$CODESIGNING_FOLDER_PATH/} # The path to the extension file, relative to the install base @@ -94,6 +97,16 @@ install_dylib () { # Create a back reference to the .so file location in the framework echo "${RELATIVE_EXT%.so}.fwork" > "$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER/$FULL_MODULE_NAME.origin" + # If the framework provides an xcprivacy file, install it. + if [ -e "$MODULE_PATH/$MODULE_NAME.xcprivacy" ]; then + echo "Installing XCPrivacy file for $FRAMEWORK_FOLDER/$FULL_MODULE_NAME" + XCPRIVACY_FILE="$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER/PrivacyInfo.xcprivacy" + if [ -e "$XCPRIVACY_FILE" ]; then + rm -rf "$XCPRIVACY_FILE" + fi + mv "$MODULE_PATH/$MODULE_NAME.xcprivacy" "$XCPRIVACY_FILE" + fi + echo "Signing framework as $EXPANDED_CODE_SIGN_IDENTITY_NAME ($EXPANDED_CODE_SIGN_IDENTITY)..." /usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" ${OTHER_CODE_SIGN_FLAGS:-} -o runtime --timestamp=none --preserve-metadata=identifier,entitlements,flags --generate-entitlement-der "$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER" } diff --git a/Doc/using/ios.rst b/Doc/using/ios.rst index c02dac444dd7cc..5e4033fb6cec7a 100644 --- a/Doc/using/ios.rst +++ b/Doc/using/ios.rst @@ -328,7 +328,12 @@ App Store Compliance The only mechanism for distributing apps to third-party iOS devices is to submit the app to the iOS App Store; apps submitted for distribution must pass Apple's app review process. This process includes a set of automated validation -rules that inspect the submitted application bundle for problematic code. +rules that inspect the submitted application bundle for problematic code. There +are some steps that must be taken to ensure that your app will be able to pass +these validation steps. + +Incompatible code in the standard library +----------------------------------------- The Python standard library contains some code that is known to violate these automated rules. While these violations appear to be false positives, Apple's @@ -339,3 +344,18 @@ The Python source tree contains :source:`a patch file ` that will remove all code that is known to cause issues with the App Store review process. This patch is applied automatically when building for iOS. + +Privacy manifests +----------------- + +In April 2025, Apple introduced a requirement for `certain third-party +libraries to provide a Privacy Manifest +`__. +As a result, if you have a binary module that uses one of the affected +libraries, you must provide an ``.xcprivacy`` file for that library. +OpenSSL is one library affected by this requirement, but there are others. + +If you produce a binary module named ``mymodule.so``, and use you the Xcode +build script described in step 7 above, you can place a ``mymodule.xcprivacy`` +file next to ``mymodule.so``, and the privacy manifest will be installed into +the required location when the binary module is converted into a framework. diff --git a/Misc/NEWS.d/next/Tools-Demos/2025-08-28-06-22-26.gh-issue-132006.eZQmc6.rst b/Misc/NEWS.d/next/Tools-Demos/2025-08-28-06-22-26.gh-issue-132006.eZQmc6.rst new file mode 100644 index 00000000000000..8e7910768648a0 --- /dev/null +++ b/Misc/NEWS.d/next/Tools-Demos/2025-08-28-06-22-26.gh-issue-132006.eZQmc6.rst @@ -0,0 +1,2 @@ +XCframeworks now include privacy manifests to satisfy Apple App Store +submission requirements. From ba3d4084f3241428d6b1ea4eb30dd6bad1ec0750 Mon Sep 17 00:00:00 2001 From: Russell Keith-Magee Date: Tue, 23 Sep 2025 16:16:56 +0100 Subject: [PATCH 2/2] Use the original OpenSSL.xcprivacy file, rather than including one with Python itself. --- Apple/__main__.py | 18 +++++++++--------- Apple/iOS/Resources/OpenSSL.xcprivacy | 23 ----------------------- 2 files changed, 9 insertions(+), 32 deletions(-) delete mode 100644 Apple/iOS/Resources/OpenSSL.xcprivacy diff --git a/Apple/__main__.py b/Apple/__main__.py index 3aceb60410c952..88b54e91ac84d6 100644 --- a/Apple/__main__.py +++ b/Apple/__main__.py @@ -316,7 +316,7 @@ def unpack_deps( for name_ver in [ "BZip2-1.0.8-2", "libFFI-3.4.7-2", - "OpenSSL-3.0.16-2", + "OpenSSL-3.0.17-1", "XZ-5.6.4-2", "mpdecimal-4.0.0-2", "zstd-1.5.7-1", @@ -648,19 +648,19 @@ def create_xcframework(platform: str) -> str: slice_framework / f"Headers/pyconfig-{arch}.h", ) - # Apple identifies certain libraries as "security risks"; OpenSSL is - # one of those libraries. Since we have statically linked OpenSSL into - # dynamic libraries that will be converted into frameworks when an - # application is built, we are also responsible for providing - # .xcprivacy files for those frameworks. + # Apple identifies certain libraries as "security risks"; if you + # statically link those libraries into a Framework, you become + # responsible for providing a privacy manifest for that framework. + xcprivacy_file = { + "OpenSSL": subdir(host_triple) / "prefix/share/OpenSSL.xcprivacy" + } print(f" - {multiarch} xcprivacy files") - for module, privacy in [ + for module, lib in [ ("_hashlib", "OpenSSL"), ("_ssl", "OpenSSL"), ]: shutil.copy( - PYTHON_DIR - / f"Apple/{platform}/Resources/{privacy}.xcprivacy", + xcprivacy_file[lib], slice_path / f"lib-{arch}/python{version_tag}/lib-dynload/{module}.xcprivacy", ) diff --git a/Apple/iOS/Resources/OpenSSL.xcprivacy b/Apple/iOS/Resources/OpenSSL.xcprivacy deleted file mode 100644 index 95780a091adc10..00000000000000 --- a/Apple/iOS/Resources/OpenSSL.xcprivacy +++ /dev/null @@ -1,23 +0,0 @@ - - - - - NSPrivacyAccessedAPITypes - - - NSPrivacyAccessedAPIType - NSPrivacyAccessedAPICategoryFileTimestamp - NSPrivacyAccessedAPITypeReasons - - C617.1 - - - - NSPrivacyCollectedDataTypes - - NSPrivacyTrackingDomains - - NSPrivacyTracking - - -