Skip to content

AppStore rejecting apps because of "(ITMS-91061) Missing privacy manifest" #268

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
freakboy3742 opened this issue Mar 31, 2025 · 1 comment · May be fixed by #285
Open

AppStore rejecting apps because of "(ITMS-91061) Missing privacy manifest" #268

freakboy3742 opened this issue Mar 31, 2025 · 1 comment · May be fixed by #285
Labels
bug A crash or error in behavior.

Comments

@freakboy3742
Copy link
Member

Describe the bug

We've had a report that the iOS App Store is rejecting apps with the following error:

ITMS-91061: Missing privacy manifest - Your app includes “Frameworks/_hashlib.framework/_hashlib.cpython-39-iphoneos.dylib”, which includes BoringSSL / openssl_grpc, an SDK that was identified in the documentation as a commonly used third-party SDK. If a new app includes a commonly used third-party SDK, or an app update adds a new commonly used third-party SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements.

ITMS-91061: Missing privacy manifest - Your app includes “Frameworks/_ssl.framework/_ssl.cpython-39-iphoneos.dylib”, which includes BoringSSL / openssl_grpc, an SDK that was identified in the documentation as a commonly used third-party SDK. If a new app includes a commonly used third-party SDK, or an app update adds a new commonly used third-party SDK, the SDK must include a privacy manifest file. Please contact the provider of the SDK that includes this file to get an updated SDK version with a privacy manifest. For more details about this policy, including a list of SDKs that are required to include signatures and manifests, visit: https://developer.apple.com/support/third-party-SDK-requirements.

Steps to reproduce

  1. Submit a new app (or app update) that uses the Apple Support Package to the iOS App Store.

Expected behavior

App should be accepted.

Screenshots

No response

Environment

  • Operating System: iOS (but probably macOS as well)
  • Python version: 3.9+

Logs

Additional context

The candidate PrivacyInfo file from the macOS PR might be all that is needed here. We might need to incorporate PrivacyInfo handling into the framework build script, and include the PrivacyInfo file next to the .so files that are being processed.
@freakboy3742 freakboy3742 added the bug A crash or error in behavior. label Mar 31, 2025
@freakboy3742 freakboy3742 mentioned this issue Apr 2, 2025
Open
This was referenced May 7, 2025
Draft
Draft
@freakboy3742
Copy link
Member Author

freakboy3742 commented May 10, 2025
edited
Loading

I have found the solution to this problem, confirmed by submitting an update to TravelTips to the App Store.

During the build process, when lib-dynload/_hashlib.cpython-3XX-iphoneos.so and lib-dynload/_ssl.cpython-3XX-iphoneos.so are converted into Frameworks, an additional file must be placed in the generated Framework, alongside the renamed binary.

The file must be called PrivacyInfo.xcprivacy; the contents of the file must be:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
    <key>NSPrivacyAccessedAPITypes</key>
    <array>
        <dict>
            <key>NSPrivacyAccessedAPIType</key>
            <string>NSPrivacyAccessedAPICategoryFileTimestamp</string>
            <key>NSPrivacyAccessedAPITypeReasons</key>
            <array>
                <string>C617.1</string>
            </array>
        </dict>
    </array>
    <key>NSPrivacyCollectedDataTypes</key>
    <array/>
    <key>NSPrivacyTrackingDomains</key>
    <array/>
    <key>NSPrivacyTracking</key>
    <false/>
    </dict>
</plist>

So - the app bundle should contain (amongst many other files):

  • My App.app
    • Frameworks
      • _hashlib.framework
        • _hashlib
        • _hashlib.origin
        • Privacy.xcprivacy
        • Info.plist
      • _ssl.framework
        • _ssl
        • _ssl.origin
        • Privacy.xcprivacy
        • Info.plist
      • ... other frameworks

This specific PrivacyInfo.xcprivacy file is only needed for library that statically link OpenSSL. Most libraries will not need an PrivacyInfo.xcprivacy file; only those that link one of the "known privacy issue" third-party libraries must include the file. However, the contents of that file will be specific to the library being linked.

The XML content provided for the OpenSSL version of PrivacyInfo.xcprivacy comes from OpenSSL itself. An official macOS OpenSSL framework includes this same file; Python needs to include it explicitly because it's linking statically with OpenSSL.

#285 contains a modification that looks for a LIBNAME.xcprivacy file during the framework conversion process, and if it exists, moves that file into the framework. This allows the Python support package - or any other binary library - to provide an xcprivacy file, and have that file included.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug A crash or error in behavior.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add xcprivacy handling for modules that link OpenSSL. beeware/Python-Apple-support
1 participant
@freakboy3742