How to Sign an xcframework.zip iOS SDK on Appdome

Last updated July 18, 2024 by Appdome

Introduction

Code signing is an essential step for deploying any SDK on a mobile iOS device. A valid signature verifies the SDK’s integrity, proving that it comes from a known and approved source and has not been altered. This article guides you through the process of signing an xcframework.zip iOS SDK on Appdome, ensuring that it meets Apple’s security standards for installation.

Importance of Code Signing

When you integrate additional features into an iOS SDK, the original signature becomes invalid due to changes within the SDK. To maintain the SDK’s usability and compliance with security standards, it must be re-signed. Appdome facilitates easy and secure SDK signing through various methods, accommodating different user needs and security policies.

Code Signing Methods on Appdome

Appdome allows signing an app via the Sign tab by using any of the following methods:

  • On Appdome

Allow Appdome to take care of the entire signing process. You only need to provide the signing credentials.

  1. Access the Sign Tab: Log into your Appdome account and select the xcframework.zip iOS SDK you wish to sign.
  2. Provide Credentials: Provide the P12 certificate that corresponds to your SDK and enter your password.
  3. Start the Signing Process: Click on ‘Sign My SDK’ to initiate the signing process. Appdome will handle the rest, ensuring your SDK is signed with the correct certificates.
  • Private Signing
  1. In the Sign tab, go to the section How Would You Like to Sign and select Private Signing.
  2. Click Download My Built SDK
  3. Unzip the secured xcframework.zip

    unzip <secured xcframework>.zip -d BUILD_OUTPUT_FOLDER
  4. Sign the unzipped xcframework SDK folders:
    <SDK>libloader.xcframework
    <SDK>.xcframework

    codesign -v -f -s <name in keychain access> <SDK>libloader.xcframework
    codesign -v -f -s <name in keychain access> <SDK>.xcframework

Success! Your SDK xcframework is now signed.
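Steps 3 and 4 of Private Signing as a single script, with a verification pass after each signature (an added example, not Appdome's own tooling). The function names, the `CODESIGN` override variable and the `codesign --verify` check are assumptions of this example; the unzip and signing commands are the ones shown above.

```shell
#!/bin/sh
# Added example, not Appdome tooling. CODESIGN may be overridden (assumption,
# useful for dry runs); it defaults to Apple's codesign.
CODESIGN="${CODESIGN:-codesign}"

# Print each top-level *.xcframework bundle in a folder, one path per line.
list_xcframeworks() {
    find "$1" -maxdepth 1 -type d -name '*.xcframework' | sort
}

# Sign every xcframework in the folder with the keychain identity, then check
# the new signature. Fails if no bundle is found or any codesign call fails.
sign_xcframeworks() {
    folder=$1
    identity=$2
    bundles=$(list_xcframeworks "$folder")
    if [ -z "$bundles" ]; then
        echo "no .xcframework bundles found in $folder" >&2
        return 1
    fi
    # Read line by line so bundle paths containing spaces stay intact.
    printf '%s\n' "$bundles" | while IFS= read -r bundle; do
        "$CODESIGN" -v -f -s "$identity" "$bundle" || exit 1
        # Verification pass (added check): stop on an invalid signature.
        "$CODESIGN" --verify --verbose "$bundle" || exit 1
    done
}

# Usage: sh sign_sdk.sh <secured xcframework>.zip BUILD_OUTPUT_FOLDER "<name in keychain access>"
if [ "$#" -eq 3 ]; then
    unzip "$1" -d "$2" && sign_xcframeworks "$2" "$3"
fi
```

A non-zero exit status means a bundle was missing, could not be signed, or failed verification, so the output folder should not be shipped.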

Troubleshooting for Private Signing

If Keychain Access shows the message “certificate name is not trusted” for your files, apply the following steps to resolve the issue:

  1. Open the file
  2. Navigate to the fields titled “Common Name” and “Organizational Unit”
  3. Download the relevant “Apple Root Certificate” and “Apple Intermediate Certificates”.
    For more details, see: Apple PKI documentation


How Do I Learn More?

If you have any questions, please send them our way at support.appdome.com or via the chat window on the Appdome platform.
