iOS App submission will require a privacy manifest and signature #1216

Closed
yanni-fe opened this issue Dec 11, 2023 · 12 comments
Labels
enhancement New feature or request


@yanni-fe

Problem

12/07 Apple published a privacy update on their website: Privacy updates for App Store submissions

It requires third-party SDKs to include a privacy manifest file and this will be required by Spring 2024.

Hermes is on the list of third-party SDKs that require a privacy manifest and signature.

So do we have any plan on this?

@yanni-fe yanni-fe added the enhancement New feature or request label Dec 11, 2023
@TheSavior
Member

Thanks for flagging this. We've been aware of this policy and are working on the necessary steps.

@tmikov
Contributor

tmikov commented Jan 16, 2024

It looks like Apple may be referring to this Hermes, not our JS engine: https://github.com/imgur/hermes

@cguino

cguino commented Jan 16, 2024

> It looks like Apple may be referring to this Hermes, not our JS engine: https://github.com/imgur/hermes

This repository is archived; its last release was in Jul 2015.

@RhyG

RhyG commented Feb 12, 2024

Has there been any movement here? I can see @tmikov mentioned it potentially being another lib but not sure how to verify. Currently have some pretty nervous stakeholders at the moment is all.

If there's anything the community can do to support the change happy to help. Thanks!

@tmikov
Contributor

tmikov commented Feb 12, 2024

Please note that Hermes repository is just source code and doesn't provide binaries for iOS. Hermes obviously doesn't collect any data or do anything privacy related, it is just a library, but we can't include a privacy manifest in the source, it has to be paired with a binary, and we don't provide one.

This has to be addressed by React Native (I believe it will be soon) or anyone else who compiles and distributes a Hermes binary.

@ikhvorost

Hi @tmikov!

If you open hermes-engine.podspec you can find:

  unless ENV['hermes-artifact-url']
    spec.prepare_command = <<-EOS
      # When true, debug build will be used.
      # See `build-apple-framework.sh` for details
      DEBUG=#{HermesHelper::BUILD_TYPE == :debug}

      # Build iOS framework
      ./utils/build-ios-framework.sh

      # Build Mac framework
      ./utils/build-mac-framework.sh
    EOS
  end

The scripts automatically build the Xcode frameworks (both iOS and tvOS) for CocoaPods in destroot/Library/Frameworks/universal/hermes.xcframework when you add it as a dependency to your project, the same as React Native does.

So the scripts should put the PrivacyInfo.xcprivacy file inside these frameworks while building, shouldn't they?

@vksgautam1986

https://developer.apple.com/news/
From 1st May they are going to enforce this.

@tmikov
Contributor

tmikov commented Mar 4, 2024

@ikhvorost

@tmikov

First, there is hermes-engine pod that's available through Cocoapods - https://github.com/CocoaPods/Specs/tree/master/Specs/5/d/0/hermes-engine.

All versions are pointed to https://github.com/facebook/hermes, e.g.:
https://github.com/CocoaPods/Specs/blob/master/Specs/5/d/0/hermes-engine/0.11.0/hermes-engine.podspec.json

...
"source": {
    "http": "https://github.com/facebook/hermes/releases/download/v0.11.0/hermes-runtime-darwin-v0.11.0.tar.gz"
},
...

If you download this source and unzip it, you can find ready-to-use frameworks in destroot/Library/Frameworks, so I don't see any React Native mentions so far.

Next, if you add this pod to your app and run pod install:

platform :ios, '14.0'
use_frameworks!

target 'Test-iOS' do
  pod 'hermes-engine'
end

You can find the frameworks inside your Pods/hermes-engine as well.

The same happens with React Native's hermes-engine pod (https://github.com/facebook/react-native/tree/main/packages/react-native/sdks/hermes-engine) - it just unzips the archive to use these frameworks.

Where does React Native build hermes?
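A way to check the question raised in the comments above, i.e. whether the frameworks unpacked under destroot/Library/Frameworks or Pods/hermes-engine carry a PrivacyInfo.xcprivacy file. This is an added example, not part of the thread or of the Hermes or React Native build scripts; the sample tree, its slice names and the manifest contents are constructed for illustration and say nothing about what Hermes declares. It checks manifest presence and parseability only, not the code signature.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

MANIFEST = "PrivacyInfo.xcprivacy"

def audit_frameworks(root):
    """Map each *.framework under root to its privacy-manifest status."""
    root, reports = Path(root), {}
    for fw in sorted(p for p in root.rglob("*.framework") if p.is_dir()):
        rep = {"manifest": None, "tracking": None, "api_types": [], "error": None}
        found = sorted(fw.rglob(MANIFEST))  # iOS: bundle root; macOS: Resources/
        if found:
            rep["manifest"] = found[0].relative_to(fw).as_posix()
            try:
                with found[0].open("rb") as fh:
                    data = plistlib.load(fh)  # accepts XML and binary plists
                if not isinstance(data, dict):
                    raise ValueError("manifest root is not a dictionary")
                rep["tracking"] = data.get("NSPrivacyTracking")
                rep["api_types"] = [e.get("NSPrivacyAccessedAPIType")
                                    for e in data.get("NSPrivacyAccessedAPITypes", [])]
            except (plistlib.InvalidFileException, ExpatError,
                    ValueError, AttributeError) as exc:
                rep["error"] = f"unparseable manifest: {exc}"
        reports[fw.relative_to(root).as_posix()] = rep
    return reports

def build_sample_tree(tmp):
    """Constructed sample: one slice with a manifest, one without, one corrupt."""
    base = Path(tmp) / "destroot/Library/Frameworks/universal/hermes.xcframework"
    good = {"NSPrivacyTracking": False, "NSPrivacyCollectedDataTypes": [],
            "NSPrivacyAccessedAPITypes": [  # constructed values, not Hermes's
                {"NSPrivacyAccessedAPIType": "NSPrivacyAccessedAPICategoryFileTimestamp",
                 "NSPrivacyAccessedAPITypeReasons": ["C617.1"]}]}
    for slice_name, content in (("ios-arm64", plistlib.dumps(good)),
                                ("ios-arm64_x86_64-simulator", None),
                                ("tvos-arm64", b"not a plist")):
        fw = base / slice_name / "hermes.framework"
        fw.mkdir(parents=True)
        if content is not None:
            (fw / MANIFEST).write_bytes(content)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, rep in audit_frameworks(build_sample_tree(tmp)).items():
            status = rep["error"] or ("ok" if rep["manifest"] else "MISSING manifest")
            print(f"{name}: {status} {rep['api_types']}")
```

To audit a real project, call `audit_frameworks` on the directory that holds the unpacked frameworks, for example the Pods directory after `pod install`.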

@tmikov
Contributor

tmikov commented Mar 7, 2024

@ikhvorost sorry for the delayed response. You will note that versions linked from https://github.com/CocoaPods/Specs/tree/master/Specs/5/d/0/hermes-engine are 2-3 years old, as are the releases pointed by them (like https://github.com/facebook/hermes/releases/download/v0.11.0/hermes-runtime-darwin-v0.11.0.tar.gz).

We stopped building and distributing Hermes independently from this repository years ago, because it was becoming very difficult to ensure binary compatibility with React Native, tracking which version of Hermes corresponds to which version of RN, etc. Plus, the intricacies of building pods or npms are really not our area of expertise.

So, at that time, React Native took over building and distributing Hermes, which eliminated all version confusion and compatibility problems, plus it improved the pod build in various ways (which you will see if you compare the old Hermes podspec in this repo against the RN podspec in that repo).

That is the current situation.

As I mentioned, we do not really understand CocoaPods (last time I tried, I couldn't even install it, because apparently it requires a newer version of Ruby than the one in macOS). I am also not familiar with the details of how exactly React Native builds Hermes. They are the experts on that, and I do not envy them for having to deal with all that... They are excellent engineers and enable us to spend our time on Hermes itself.

I dug a little into the podspec on their repository, and if you look here, you can see that they download a Hermes binary matching RN's version from Maven: https://github.com/facebook/react-native/blob/f7bbaffdc3aa4e7af0b4d5f62e594cc7edd4f837/packages/react-native/sdks/hermes-engine/hermes-utils.rb#L204.

Comments in their podspec imply that the podspec is used to build Hermes in CircleCI, which makes sense. Presumably that's where they upload it to Maven.

I am sure that they are aware of the new Apple requirements and the corresponding deadlines and are working to address it.

@leocpadua7

I've opened an issue at the react-native github to get more information about this: facebook/react-native#43439

@tmikov
Contributor

tmikov commented Apr 9, 2024

We have spoken with representatives at Apple, and they have informed us that the hermes SDK on the commonly-used SDKs list is referring to another Hermes, not the one made by Meta. They are referring to this one: https://github.com/Imgur/Hermes/blob/master/README.md. As such, Facebook/hermes is not required to provide a Privacy Manifest and Signature ahead of the May 1 date for this SDK. You will be able to continue to submit versions of your apps that use Facebook/hermes without disruption beyond that date, based on current policies.

@tmikov tmikov closed this as completed Apr 9, 2024