I submitted my app to the App Review and got the following message.
ITMS-91065: Missing signature – Your app includes “Frameworks/OpenSSL.framework/OpenSSL”, which includes BoringSSL / openssl_grpc, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. If a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a signature.
Context
- I used the nextcloud/ios
- OpenSSL version used: 1.1.2200

From what I have searched, it seems like an issue with the OpenSSL version – source, which may not include the privacy manifest yet.
2 Answers
Apple published a list of SDKs which require manifests and signatures. If you link them statically, you are required to provide the manifests and signatures in your app.
https://developer.apple.com/support/third-party-SDK-requirements/
Apple uses multiple names when referring to the list.
"privacy-impacting third-party SDK" was used first in the WWDC session announcing the privacy manifests.
"commonly used SDKs" is another name.
If you add the SDK with CocoaPods, then the build phase "[CP] Embed Pods Frameworks" probably already does the signing in the shell script.
Found a reference to adding a manifest in BoringSSL here: https://boringssl-review.googlesource.com/c/boringssl/+/67487
An ‘OpenSSL’ is listed in Apple’s article as well, so you might want to be sure that has a privacy manifest as well.
Also, make sure the PrivacyInfo.xcprivacy is fully formed with all 4 of the top-level keys required. Missing a key can sometimes be the cause of scanners missing them during the submission.
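An added example, not part of the original answers: a Python check for the point about the four top-level keys, run over the embedded frameworks of an unpacked .app. It assumes each framework keeps its manifest at the framework root; `check_manifest`, `audit_bundle`, `build_sample` and the sample bundle are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# The four top-level keys Apple documents for PrivacyInfo.xcprivacy, with expected types.
REQUIRED_KEYS = {
    "NSPrivacyTracking": bool,
    "NSPrivacyTrackingDomains": list,
    "NSPrivacyCollectedDataTypes": list,
    "NSPrivacyAccessedAPITypes": list,
}

def check_manifest(path):
    """Return the problems found in one PrivacyInfo.xcprivacy file."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception as exc:  # truncated or malformed plist
        return [f"unreadable plist: {exc}"]
    if not isinstance(data, dict):
        return ["top-level object is not a dict"]
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in data]
    problems += [f"{k} is not a {t.__name__}" for k, t in REQUIRED_KEYS.items()
                 if k in data and not isinstance(data[k], t)]
    return problems

def audit_bundle(app_dir):
    """Map each framework under <app>/Frameworks to its list of problems."""
    report = {}
    for fw in sorted(Path(app_dir).glob("Frameworks/*.framework")):
        manifest = fw / "PrivacyInfo.xcprivacy"  # assumed location: framework root
        report[fw.name] = (check_manifest(manifest) if manifest.is_file()
                           else ["no PrivacyInfo.xcprivacy"])
    return report

def build_sample(root):
    """Constructed sample bundle: one complete manifest, one incomplete, one absent."""
    full = {"NSPrivacyTracking": False, "NSPrivacyTrackingDomains": [],
            "NSPrivacyCollectedDataTypes": [], "NSPrivacyAccessedAPITypes": []}
    partial = {k: v for k, v in full.items() if k != "NSPrivacyAccessedAPITypes"}
    for name, manifest in [("Complete", full), ("OpenSSL", partial), ("Bare", None)]:
        fw = Path(root) / "Sample.app" / "Frameworks" / f"{name}.framework"
        fw.mkdir(parents=True)
        if manifest is not None:
            (fw / "PrivacyInfo.xcprivacy").write_bytes(plistlib.dumps(manifest))
    return Path(root) / "Sample.app"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, problems in audit_bundle(build_sample(tmp)).items():
            print(name, "OK" if not problems else "; ".join(problems))
```

Point `audit_bundle` at the `.app` directory inside an unzipped archive's `Payload` folder before uploading.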
I was facing this issue with OpenSSL and BoringSSL. I did the following:
<dict>
</dict>
pod 'OpenSSL-Universal'
before target 'YourAppNameTest' do
and run the following from your app folder:
cd ios && pod install && cd ../
This worked for me and the app wasn’t rejected due to the signature file.