skip to Main Content

I submitted my app to the App Review and got the following message.

ITMS-91065: Missing signature – Your app includes “Frameworks/OpenSSL.framework/OpenSSL”, which includes BoringSSL / openssl_grpc, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. If a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a signature.

Context

  • I used the nextcloud/ios

  • OpenSSL version used 1.1.2200

From what I have searched, it seems like an issue with the OpenSSL version – source, which may not include the privacy manifest yet.

2

Answers


  1. Apple published a list of SDKs which require manifests and signatures. If you link them statically, you are required to provide the manifests and signatures in your app.
    https://developer.apple.com/support/third-party-SDK-requirements/

    Apple uses multiple names when referring to the list.
    "privacy-impacting third-party SDK" was used first in the WWDC session announcing the privacy manifests.
    "commonly used SDKs" is another name.

    If you add the SDK with Cocoapods, then the build phase "[CP] Embed Pods Frameworks" probably already does the signing in the shell script.

    Found a reference to adding a manifest in BoringSSL here: https://boringssl-review.googlesource.com/c/boringssl/+/67487

    An ‘OpenSSL’ is listed in Apple’s article as well, so you might want to be sure that has a privacy manifest as well.

    Also, make sure the PrivacyInfo.xcprivacy is fully formed with all 4 of the top-level keys required. Missing a key can sometimes be the cause of scanners missing them during the submission.

    Login or Signup to reply.
  2. I was facing this issue with OpenSSL and BoringSSL. I did the following:

    1. In XCode click on File/New File. Scroll down to Resource and select AppPrivacy. Save the file leaving the name PrivacyInfo.
    2. Add the following code to the PrivacyInfo file inside the < dict >< /dict >.

    <dict>

    <key>NSPrivacyTracking</key>
    <false/>
    <key>NSPrivacyTrackingDomains</key>
    <array/>
    <key>NSPrivacyCollectedDataTypes</key>
    <array/>
    <key>NSPrivacyAccessedAPITypes</key>
    <array/>
    

    </dict>

    1. Delete Podfile.lock. Add to you Podfile the following line: pod 'OpenSSL-Universal' before target 'YourAppNameTest' do and run the following from your app folder: cd ios && pod install && cd ../

    This worked for me and the app wasn’t rejected due the signature file.

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search