Invalid privacy manifest

[zz-0io]

Describe the bug
The Privacyinfo.xcprivacy file from the following path is invalid:"Frameworks/AppAuth.framework/AppAuthExternalUserAgent Privacy.bundle/Privacyinfo.xcprivacy". in addition the privacy manifest files in the locations outlined in the documentation, starting November 12, 2024, all privacy manifests you submit must have valid content. Keys and values in any privacy manifest must be in avalid format, For more details about privacy manifest files

The Privacyinfo.xcprivacy file from the following path is invalid:"Frameworks/AppAuth.framework/AppAuthCore Privacy.bundle/Privacyinfo.xcprivacy". in addition to the privacy manifest files in the locations outlined in the documentation, starting November 12. 2024. all privacy manifests you submit must have valid content. Keys and values in any privacy manifest must be in a valid format.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'product'
2. Tap on 'archive'
3. click 'attribute app'
4. click ‘custom’
5. click ‘apple store connect ’
6. submit app
7. See error

Environment

• xcode 15.3

[krazykriskomar]

I second this! We use this package in our app and only have until 11/14 to fix the privacy issue.
I'm happy to help out here if you need it, just let me know.
If you are not going to be able to update the privacy manifest soon, would you mind posting here? We'll need to find another package if so.

[krazykriskomar]

I think literally hundreds of other packages, including most popular google sign in packages use this library. It'd be nice to know if you're not going to take action to correct this so that we can find an alternate.

[camden-king]

Thank you for reporting. Our team is investigating.

Are you able to clarify where you are getting AppAuth from? Is it CocoaPods or Swift Package Manager?

[krazykriskomar]

Cocoapods

[krazykriskomar]

Its all of the privacy info files that need filled in...
https://github.com/openid/AppAuth-iOS/blob/master/Sources/AppAuth/Resources/PrivacyInfo.xcprivacy

[krazykriskomar]

So, I think literally thousands of applications in some way depend on this library, and Apple is cutting off the ability to submit new app versions on 2024-11-14 that do not declare proper privacy policies, even in dependencies. Does anyone have an alternate that they've come across? Or at the least does anyone have an alternate to the google-sign-in library that uses this? We are coming dangerously close to the cutoff date.

[brnnmrls]

Thanks for the issue. We are taking a look. Apple requires that this library have a manifest, and so we have one at the relevant locations. Note that this library does not do any collection or tracking itself. Therefore, the manifest file has empty values for all required fields. Do you have a privacy manifest for your app? If not, then we suggest that you create one following the instructions here. Per this comment, it's the host app and its identity provider that do the tracking where host apps should declare their privacy impacting usage in their own privacy manifest files.

[krazykriskomar]

We do have a privacy policy, yes. I'm basing my claim off of an email we get from Apple every time we submit that seems to call out your package.

Here are the links they call out:
https://developer.apple.com/documentation/bundleresources/privacy_manifest_files and https://developer.apple.com/documentation/bundleresources/privacy_manifest_files/adding_a_privacy_manifest_to_your_app_or_third-party_sdk.

[brnnmrls]

Thanks for the extra context, our team is further investigating.

In the meantime, I have a few questions that could help. What version of AppAuth are you using? In the past we've had validation issues that were fixed so I'm curious if it might be due to not updating the version. Additionally, are you using Google Sign-In (asking since GSI pulls in AppAuth)? If so, which version of GSI are you using?

[brnnmrls]

Curious if you're still running into this issue? In addition to ensuring that you are depending on the latest versions of GoogleSign-In and AppAuth, please also share as much information as possible as to how you're building your app. For example, can you also provide your Podfile and any other commands, etc. that you use to assemble your app? This all would help us be able to reproduce your issue on our end.

[krazykriskomar]

We are using @react-native-google-signin/google-signin version 13.1.0 which uses AppAuth (1.7.5)
So, I don't know what happened, but Apple did not send us that same warning email for the last version we released (2024.11.1). 🤷‍♂️ I'll keep an eye out but perhaps this has resolved itself in some way?
It could have been because I added the @react-native-google-signin/google-signin package to our expo app.config.js file, therefor making expo pay attention to it and configure for it.

[brnnmrls]

Awesome, that's good to hear! I will be closing the issue, but feel free to reopen if the issue returns and there's something we can do on our end.

[JaoMcs]

I had the same issue yesterday, does anyone have any updates on it?

[thaxz]

The same thing is happening here. When I try to upload to the App Store, I get the error: 'Invalid binary App Store appauth.' I'm using Carthage btw

[zz-0io]

Apple has specified that privacy manifest files must adhere to certain standards. Each dataType entry should include valid key, type, and description fields to clearly indicate the type and purpose of the data being used. Entries that are empty dictionaries (e.g., ) do not meet these requirements, as Apple cannot determine the specific purpose of such entries.

By removing the empty dictionaries and updating the PrivacyInfo.xcprivacy file to match the format , the Invalid privacy manifest issue was resolved upon uploading to Apple.

[zz-0io]

This is the PrivacyInfo.xcprivacy file from AppAuth before removing the empty dictionaries.

[zz-0io]

thanks！！