How to verify a signed xcframework programmatically

In this blog post, I'll explain how you can programmatically verify a binary framework (.xcframework file).

This can help diagnose build/archive issues on a CI machine that surface as error: signature-collection failed: The operation couldn’t be completed. Once you know that a binary framework was tampered with and how, i.e., which files were added/modified/removed, you can easily chase down the root cause.

I use the LineSDK.xcframework, accessible for download on GitHub, in my examples below.

Details

Use the codesign tool (see its man page) to verify the signature and integrity of a binary framework.

Display the signature of the binary framework

codesign -dv LineSDK.xcframework

Output

Executable=/Users/marcoeidinger/Downloads/LineSDK.xcframework/Info.plist
Identifier=LineSDK
Format=bundle
CodeDirectory v=20200 size=199 flags=0x0(none) hashes=1+3 location=embedded
Signature size=9179
Timestamp=Oct 31, 2023 at 6:43:37 PM
Info.plist entries=3
TeamIdentifier=VUTU7AKEUR
Sealed Resources version=2 rules=10 files=70
Internal requirements count=1 size=176

We know that the binary framework was signed with Team Identifier VUTU7AKEUR, but is the binary framework untampered? Let's check its integrity next.

Verify the integrity of the signed binary framework

codesign -vv LineSDK.xcframework

Output

LineSDK.xcframework: valid on disk
LineSDK.xcframework: satisfies its Designated Requirement

This output proves that the signed binary framework was not tampered with 👍

Here is an example of the output when the signed binary framework was tampered with (e.g. by deleting files):

LineSDK.xcframework: a sealed resource is missing or invalid
file missing: /Users/d041771/Downloads/Kingfisher-7.9.0/LineSDK.xcframework/ios-arm64/dSYMs/LineSDK.framework.dSYM/Contents/Resources/DWARF/LineSDK
file missing: /Users/d041771/Downloads/Kingfisher-7.9.0/LineSDK.xcframework/ios-arm64/dSYMs/LineSDK.framework.dSYM/Contents/Info.plist
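
Both checks can be combined into a CI gate that fails the build and lists the affected files. The script below is an added example, not code from the original post; the function names and the expected Team ID argument are assumptions. It pins the Team ID because codesign -vv only confirms that the bundle matches the signature it carries, not who signed it.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the
# pinned Team ID argument are assumptions.

# stdin: `codesign -dv` output. Prints the TeamIdentifier value.
team_id_from() { sed -n 's/^TeamIdentifier=//p' | head -n 1; }

# stdin: `codesign -vv` output. Prints only the per-file findings.
changed_files_from() {
  sed -n -e '/^file missing: /p' -e '/^file added: /p' -e '/^file modified: /p'
}

# classify <expected-team> <-dv output> <-vv exit status> <-vv output>
# Prints a verdict (plus findings); returns 0 only for a clean bundle.
classify() {
  if [ "$3" -ne 0 ]; then
    echo "tampered"
    printf '%s\n' "$4" | changed_files_from
    return 1
  fi
  cl_team=$(printf '%s\n' "$2" | team_id_from)
  if [ "$cl_team" != "$1" ]; then
    echo "unexpected-team ${cl_team:-none}"
    return 2
  fi
  echo "ok"
}

# verify_xcframework <path> <expected-team>: runs codesign (macOS only).
verify_xcframework() {
  vx_status=0
  # codesign writes its report to stderr, so capture both streams.
  # A failing -dv means the bundle is unsigned or unreadable.
  vx_info=$(codesign -dv "$1" 2>&1) || { echo "unsigned"; return 3; }
  vx_report=$(codesign -vv "$1" 2>&1) || vx_status=$?
  classify "$2" "$vx_info" "$vx_status" "$vx_report"
}

# Constructed sample output, modelled on the listings in this post.
SAMPLE_INFO='Identifier=LineSDK
Format=bundle
TeamIdentifier=VUTU7AKEUR'
SAMPLE_BAD='LineSDK.xcframework: a sealed resource is missing or invalid
file missing: /tmp/LineSDK.xcframework/ios-arm64/dSYMs/LineSDK.framework.dSYM/Contents/Info.plist'

# Run against a real bundle only when a path and Team ID are passed in.
if [ "$#" -eq 2 ]; then verify_xcframework "$1" "$2"; fi
```

On a CI machine, call it with the framework path and the Team ID you expect, and treat any non-zero exit status as a failed build step.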

Alternative: use signature verification in Xcode 15+

Alternatively, Xcode 15 offers signature verification as a new feature in its IDE.

If the binary framework had been tampered with

If you want more details on this feature, check out my WWDCNotes article on signing and verifying a binary framework in Xcode 15.