Tags: blokadaorg/blokada
fix(ios): gate ITMS-91065 on signed=true, warn (not fail) on missing timestamp

The 26.2.21 release build hit the verify gate, not Apple: the bundle-signing from #1137 worked — every plugin xcframework's recorded origin signature is now `signed=true` (was `signed=false` in 26.2.20) — but `isSecureTimestamp=false`, and the gate required both, so it failed the build before upload.

`signed=true` is the documented ITMS-91065 requirement ("the SDK must include a signature file"). A secure timestamp is best-practice (Apple's example signs with --timestamp) but is NOT confirmed to be required, and Xcode's archive does not reliably stamp `isSecureTimestamp=true` onto the recorded origin signature even when the .xcframework was signed with --timestamp. Requiring it blocks a build that already meets the documented requirement.

Gate hard on `signed=true`; downgrade a missing secure timestamp to a WARNING so the build uploads and App Store Connect — the only authority on whether the timestamp is mandatory — gives the verdict. If Apple still flags ITMS-91065, we'll know the timestamp is required and can target it specifically.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
fix(ios): sign plugin xcframework bundles w/ timestamp (real ITMS-91065 fix) (#1137)

ITMS-91065 ("Missing signature") kept rejecting sqflite_darwin across 26.2.18–26.2.20 despite the embedded framework being validly code-signed. Root cause, found by inspecting the rejected IPA: ITMS-91065 does NOT read the embedded framework's code signature — it reads the xcframework's *origin* signature, recorded by the archive into `Signatures/<name>.xcframework-ios.signature`. For every plugin that file said `signed=false, isSecureTimestamp=false`, because we signed the inner .framework while the .xcframework *bundle* stayed unsigned (and the host export re-signs the embedded slice anyway, so the inner signing was a no-op — it never affected the shipped binary).

Fix = Apple's canonical command, also the sqflite maintainer's accepted fix (tekartik/sqflite#1129): sign the .xcframework BUNDLE with `--timestamp`, so the recorded origin signature is signed=true AND isSecureTimestamp=true.

- sign-ios-frameworks.sh: sign the plugin .xcframework bundles with `--timestamp` (was: inner per-slice .framework, no timestamp). Keep excluding Flutter (already Google-signed; re-signing broke the archive in 26.2.18), App and FlutterPluginRegistrant (not third-party SDKs). Verify each carries a secure timestamp before the archive consumes it.
- verify-ios-ipa-signatures.sh: add the real ITMS-91065 gate — parse Signatures/*.xcframework-ios.signature and require signed=true + isSecureTimestamp=true for each non-excluded SDK xcframework. Keep the embedded code-signature check as a defensive secondary check.

Verified against the actual rejected 26.2.20 IPA: the new gate FAILS it on all 9 plugin origin signatures (signed=false) and PASSES once corrected. Confirmed locally that `codesign --timestamp --sign` on an .xcframework yields a secure Timestamp.

Supersedes the inner-framework signing from #1135 (#1136 unaffected).

Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
fix(ios): make IPA signature verifier SIGPIPE-safe (fixes make Error 141) (#1136)

verify-ios-ipa-signatures.sh died with exit 141 on the real release archive: `make[1]: *** [build-ios-six] Error 141`. The archive itself now succeeds (Flutter/App exclusion works — `sign-ios-frameworks: signed & verified 18 framework(s)`), but the verifier piped `codesign -dvv | awk '…exit'`. awk's early exit closes the pipe, codesign dies with SIGPIPE, and `set -o pipefail` + `set -e` propagate 141 and abort the script. Local test frameworks were too small to keep codesign writing past awk's exit, so it only triggered on the large real frameworks in CI.

Parse captured strings via here-strings / bash builtins instead of piping into early-exiting consumers (awk exit, grep -q, head): capture `codesign -dvv` into a var first, match the authority with `case`, take the first verify line with `${verr%%$'\n'*}`, and feed the required-framework grep from a here-string.

Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
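The SIGPIPE failure described in the commit message above, reproduced as an added example (not code from the blokada repository). `fake_codesign`, the `Authority=` value and the function names are constructed stand-ins for `codesign -dvv` output on a large framework.

```bash
#!/usr/bin/env bash
# Added illustration; fake_codesign and the Authority value are constructed.

# Stand-in for `codesign -dvv` on a large framework: the wanted line comes
# first, then enough output (~900 KB) to overflow the pipe buffer.
fake_codesign() {
  local i
  printf 'Authority=Apple Distribution: Example Org (PLACEHOLDER)\n' || return 1
  for ((i = 0; i < 20000; i++)); do
    printf 'padding line %05d keeps the producer writing\n' "$i" || return 1
  done
}

# Fragile form: awk exits after the first match and closes the pipe, the
# producer is killed by SIGPIPE, and pipefail makes that the pipeline status.
authority_piped() (
  set -o pipefail
  fake_codesign 2>/dev/null | awk -F= '/^Authority=/ { print $2; exit }'
)

# Safe form: capture the whole output first, then parse the captured string
# with a here-string and `case`; no early-exiting reader is on a pipe.
authority_safe() {
  local out line
  out=$(fake_codesign) || return 1
  while IFS= read -r line; do
    case $line in
      Authority=*) printf '%s\n' "${line#Authority=}"; return 0 ;;
    esac
  done <<<"$out"
  return 1
}

# First line of a captured multi-line string, without `head`.
first_line() { printf '%s\n' "${1%%$'\n'*}"; }

# Demo: guarded with `||` so a caller's `set -e` does not abort here.
rc=0
authority_piped >/dev/null || rc=$?
echo "piped into early-exit awk: status $rc (141 = 128 + SIGPIPE)"
echo "captured then parsed:      $(authority_safe)"
```

The piped form still prints the right value, which is why the failure only shows up as an exit status once the producer's output is larger than the pipe buffer.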
fix(ios): don't re-sign Flutter/App xcframeworks (fixes release archive) (#1135)

The ITMS-91065 signing fix (#1133) signed every *.framework under the ios-framework output, including Flutter's own pre-signed Flutter.framework and App.framework. Re-signing those breaks the host archive: Xcode's ProcessXCFramework -> SignatureCollection on Flutter.xcframework fails with `SWBUtil.CodeSignatureInfo.Error error 0` -> ** ARCHIVE FAILED **, which broke the 26.2.18 release build (the PR "CI" workflow is build+lint only and never runs the gym Release archive, so #1133 merged green).

- sign-ios-frameworks.sh: exclude Flutter, App and the static link-only FlutterPluginRegistrant xcframeworks; keep signing the unsigned third-party plugins (sqflite_darwin, path_provider, shared_preferences, Adapty*) that ITMS-91065 actually flags.
- verify-ios-ipa-signatures.sh (new): post-archive gate that cracks the .ipa and asserts every embedded framework (Flutter/App included) is signed by the Apple Distribution identity, so a missing/wrong signature fails the build before upload instead of at App Store Connect.
- Makefile: run the verifier after the host archive in build-ios{,-family,-six}.

Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
fix(ios): sign add-to-app plugin xcframeworks to fix ITMS-91065 (#1133)

* fix(ios): sign add-to-app plugin xcframeworks to fix ITMS-91065

`flutter build ios-framework` (common/Makefile `build-ios`) emits every plugin as an UNSIGNED .xcframework. The host embeds them with Code-Sign-On-Copy, but that runtime re-sign is unreliable for the device slice of a pre-built xcframework (flutter/flutter#148300, #179634), so commonly-used SDKs ship unsigned and App Store Connect rejects the upload with ITMS-91065 ("Missing signature") for sqflite (sqflite_darwin.framework), path_provider, shared_preferences and Flutter.

This surfaced with the CocoaPods->add-to-app migration (f4f78dd): pods compiled/signed plugins inline, so there was never a standalone sqflite_darwin.framework for Apple to flag; now each plugin is a discrete embedded framework.

Add scripts/sign-ios-frameworks.sh, which codesigns the inner per-slice .framework of every produced xcframework with the Apple Distribution identity, and run it between `make -C common build-ios` and the host archive in the release targets (build-ios / -family / -six). Signing the .xcframework wrapper is NOT enough -- it does not propagate to the inner frameworks that land in the app bundle, so the inner frameworks are signed directly. Idempotent with Code-Sign-On-Copy; debug/simulator builds are untouched.

Self-signing with our own distribution cert satisfies ITMS-91065 (Apple allows it). SPM deps (Firebase, Factory, CodeScanner) are statically linked, not embedded, so they are not affected.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

* fix(ios): route default `make build` through build-ios so it signs too

The top-level `build` target ran `make -C ios build` (Fastlane archive) directly after `make -C common build`, which builds the Android aar, not the iOS plugin xcframeworks. So `build` never built the iOS frameworks (broken on a clean checkout) and, with leftover output present, embedded stale UNSIGNED frameworks — bypassing the new signing step and still hitting ITMS-91065.

Route its iOS step through the root `build-ios` target, which builds the frameworks, signs them, then archives. Closes the unsigned bypass path flagged in review.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
sync: update translate strings to: 35ecb (#1132) Co-authored-by: blokada-ci[bot] <276300274+blokada-ci[bot]@users.noreply.github.com>