for name_ver in [
"BZip2-1.0.8-2",
"libFFI-3.4.7-2",
- "OpenSSL-3.0.16-2",
+ "OpenSSL-3.0.17-1",
"XZ-5.6.4-2",
"mpdecimal-4.0.0-2",
"zstd-1.5.7-1",
# Extract the package version from the merged framework
version = package_version(package_path / "Python.xcframework")
+ version_tag = ".".join(version.split(".")[:2])
# On non-macOS platforms, each framework in XCframework only contains the
# headers, libPython, plus an Info.plist. Other resources like the standard
slice_framework / f"Headers/pyconfig-{arch}.h",
)
+ # Apple identifies certain libraries as "security risks"; if you
+ # statically link those libraries into a Framework, you become
+ # responsible for providing a privacy manifest for that framework.
+ xcprivacy_file = {
+ "OpenSSL": subdir(host_triple) / "prefix/share/OpenSSL.xcprivacy"
+ }
+ print(f" - {multiarch} xcprivacy files")
+ for module, lib in [
+ ("_hashlib", "OpenSSL"),
+ ("_ssl", "OpenSSL"),
+ ]:
+ shutil.copy(
+ xcprivacy_file[lib],
+ slice_path
+ / f"lib-{arch}/python{version_tag}/lib-dynload/{module}.xcprivacy",
+ )
+
print(" - build tools")
shutil.copytree(
PYTHON_DIR / "Apple/testbed/Python.xcframework/build",
# The name of the extension file
EXT=$(basename "$FULL_EXT")
+ # The name and location of the module
+ MODULE_PATH=$(dirname "$FULL_EXT")
+ MODULE_NAME=$(echo $EXT | cut -d "." -f 1)
# The location of the extension file, relative to the bundle
RELATIVE_EXT=${FULL_EXT#$CODESIGNING_FOLDER_PATH/}
# The path to the extension file, relative to the install base
# Create a back reference to the .so file location in the framework
echo "${RELATIVE_EXT%.so}.fwork" > "$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER/$FULL_MODULE_NAME.origin"
+ # If the framework provides an xcprivacy file, install it.
+ if [ -e "$MODULE_PATH/$MODULE_NAME.xcprivacy" ]; then
+ echo "Installing XCPrivacy file for $FRAMEWORK_FOLDER/$FULL_MODULE_NAME"
+ XCPRIVACY_FILE="$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER/PrivacyInfo.xcprivacy"
+ if [ -e "$XCPRIVACY_FILE" ]; then
+ rm -rf "$XCPRIVACY_FILE"
+ fi
+ mv "$MODULE_PATH/$MODULE_NAME.xcprivacy" "$XCPRIVACY_FILE"
+ fi
+
echo "Signing framework as $EXPANDED_CODE_SIGN_IDENTITY_NAME ($EXPANDED_CODE_SIGN_IDENTITY)..."
/usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" ${OTHER_CODE_SIGN_FLAGS:-} -o runtime --timestamp=none --preserve-metadata=identifier,entitlements,flags --generate-entitlement-der "$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER"
}
The only mechanism for distributing apps to third-party iOS devices is to
submit the app to the iOS App Store; apps submitted for distribution must pass
Apple's app review process. This process includes a set of automated validation
-rules that inspect the submitted application bundle for problematic code.
+rules that inspect the submitted application bundle for problematic code. There
+are some steps that must be taken to ensure that your app will be able to pass
+these validation steps.
+
+Incompatible code in the standard library
+-----------------------------------------
The Python standard library contains some code that is known to violate these
automated rules. While these violations appear to be false positives, Apple's
:source:`a patch file <Mac/Resources/app-store-compliance.patch>` that will remove
all code that is known to cause issues with the App Store review process. This
patch is applied automatically when building for iOS.
+
+Privacy manifests
+-----------------
+
+In April 2025, Apple introduced a requirement for `certain third-party
+libraries to provide a Privacy Manifest
+<https://developer.apple.com/support/third-party-SDK-requirements>`__.
+As a result, if you have a binary module that uses one of the affected
+libraries, you must provide an ``.xcprivacy`` file for that library.
+OpenSSL is one library affected by this requirement, but there are others.
+
+If you produce a binary module named ``mymodule.so``, and use you the Xcode
+build script described in step 7 above, you can place a ``mymodule.xcprivacy``
+file next to ``mymodule.so``, and the privacy manifest will be installed into
+the required location when the binary module is converted into a framework.
--- /dev/null
+XCframeworks now include privacy manifests to satisfy Apple App Store
+submission requirements.
projects / thirdparty / Python / cpython.git / commitdiff
