Missing signature; Privacy Manifest #892

Open
JaoMcs opened this issue Dec 4, 2024 · 3 comments
Labels: bug, triage (Issues that need to be triaged)

Comments


JaoMcs commented Dec 4, 2024

Describe the bug
Apple rejected the submission of an app using the AppAuth library due to a missing Privacy Manifest. The specific error reported by Apple is ITMS-91065: Missing signature. It states that the app includes "AppAuth", which is identified as a privacy-impacting SDK, and requires a privacy manifest. Currently, it seems the AppAuth library does not include this required manifest, making it impossible to release apps on the App Store that use this library for OAuth 2.0.

To Reproduce
Steps to reproduce the behavior:

  1. Create an app that uses the AppAuth library.
  2. Submit the app to the App Store for review.
  3. Wait for Apple to review the app.
  4. The app will be rejected with an error related to a missing signature (privacy manifest).

Expected behavior
The application should pass App Store submission without any errors related to missing signatures or privacy manifest files.

Screenshots
[Screenshot 2024-12-04 at 11 06 13]
[Screenshot 2024-12-04 at 11 06 33]

Environment
macOS: 14.4.1
Xcode: 15.3
Carthage: 0.39.1
AppAuth: 1.7.5

Additional context
During the development of OAuth functionality using the AppAuth library, the AuthState is stored using Keychain to maintain user login state. This is the only piece of user information that is stored during the development process. Additionally, UserDefaults is used to store an internal system token, which is not provided by AppAuth (this might or might not be related to the rejection).

The rejection message from Apple was as follows:

"ITMS-91065: Missing signature - Your app includes 'Frameworks/AppAuth.framework/AppAuth', which includes AppAuth, an SDK that was identified in the documentation as a privacy-impacting third-party SDK. If a new app includes a privacy-impacting SDK, or an app update adds a new privacy-impacting SDK, the SDK must include a signature file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a signature."

Please provide guidance on how to add the Privacy Manifest or an updated version of the library that complies with the new Apple requirements.

JaoMcs added the bug and triage labels on Dec 4, 2024
brnnmrls (Collaborator) commented Dec 16, 2024

Hi there, thanks for reporting this issue and providing detailed information! We've seen similar reports recently, and after internal investigation, we were not convinced our manifest file was causing failures.

Additionally, there was a November 12th deadline from Apple regarding privacy manifest files, and we figured many users rely on AppAuth without encountering this problem, so there might be potential compatibility issues or recent changes that might be contributing on your end.

I'd suggest double-checking that all your dependencies are up-to-date and where your packages are stored. If you'd like, it'd also be helpful to share your Podfile if you're using one.

Also, I can keep this open for a bit to see if others want to comment on the same issue.

JaoMcs (Author) commented Dec 18, 2024

@brnnmrls
I’m using Carthage as my dependency manager, so I don’t have a Podfile to provide. I noticed that this issue might be related to the dependency manager. I found some similar reports on Carthage’s GitHub repository involving other libraries as well.

brnnmrls (Collaborator) commented

Also, sorry for missing this in the first place, but we noticed in your error that AppAuth is being shipped as a framework. Unfortunately, AppAuth doesn't officially support this.

This is partially because the team doesn't have a way to sign this framework. Thus, the developer is responsible for adding the signature if they want to use AppAuth as a framework and use a dependency manager that makes AppAuth a framework.

Hope this clarifies things!
