Question posted in Xcode
Whether you're new to Xcode or an experienced developer, our archive has everything you need to know about this integrated development environment (IDE). From basic functionalities to advanced features, our archive covers a wide range of Xcode-related questions and answers. Browse our archive now and find solutions to your Xcode questions, and take your app development skills to the next level

Xcode – ITMS-91065: Missing Signature in Privacy Impacting SDK

ASADHAMEED
May 15, 2024
199 views
1 vote
2 Answers

I submitted my app to the App Review and got the following message.

ITMS-91065: Missing signature – Your app includes “Frameworks/OpenSSL.framework/OpenSSL”, which includes BoringSSL / openssl_grpc, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. If a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a signature.

Context

I used the nextcloud/ios
OpenSSL version used 1.1.2200

From what I have searched, it seems like an issue with the OpenSSL version – source, which may not include the privacy manifest yet.

Answers

- WaltSellers
- May 9, 2024 at 9:09 pm
- 0 votes
0
Apple published a list of SDKs which require manifests and signatures. If you link them statically, you are required to provide the manifests and signatures in your app.
https://developer.apple.com/support/third-party-SDK-requirements/

Apple uses multiple names when referring to the list.
"privacy-impacting third-party SDK" was used first in the WWDC session announcing the privacy manifests.
"commonly used SDKs" is another name.

If you add the SDK with Cocoapods, then the build phase "[CP] Embed Pods Frameworks" probably already does the signing in the shell script.

Found a reference to adding a manifest in BoringSSL here: https://boringssl-review.googlesource.com/c/boringssl/+/67487

An ‘OpenSSL’ is listed in Apple’s article as well, so you might want to be sure that has a privacy manifest as well.

Also, make sure the PrivacyInfo.xcprivacy is fully formed with all 4 of the top-level keys required. Missing a key can sometimes be the cause of scanners missing them during the submission.

Login or Signup to reply.

- Elias
- May 15, 2024 at 4:52 pm
- 0 votes
0
I was facing this issue with OpenSSL and BoringSSL. I did the following:
1. In XCode click on File/New File. Scroll down to Resource and select AppPrivacy. Save the file leaving the name PrivacyInfo.
2. Add the following code to the PrivacyInfo file inside the < dict >< /dict >.
<dict>
```
<key>NSPrivacyTracking</key>
<false/>
<key>NSPrivacyTrackingDomains</key>
<array/>
<key>NSPrivacyCollectedDataTypes</key>
<array/>
<key>NSPrivacyAccessedAPITypes</key>
<array/>
```
</dict>
1. Delete Podfile.lock. Add to you Podfile the following line: pod 'OpenSSL-Universal' before target 'YourAppNameTest' do and run the following from your app folder: cd ios && pod install && cd ../
This worked for me and the app wasn’t rejected due the signature file.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.