Codesign Lottie.xcframework (airbnb#2259)

.github/workflows/main.yml

@@ -86,11 +86,15 @@ jobs:
           - '14.1' # Swift 5.7.1
     steps:
       - uses: actions/checkout@v2
+      - uses: apple-actions/import-codesign-certs@v2
+        with:
+          p12-file-base64: ${{ secrets.SIGNING_CERTIFICATE_BASE_64 }}
+          p12-password: ${{ secrets.SIGNING_CERTIFICATE_PASSWORD }}
       - uses: ./.github/actions/setup
         with:
           xcode: ${{ matrix.xcode }}
       - name: Build XCFramework
-        # Once there is a production Xcode version with the visionOS SDK, we will 
+        # Once there is a production Xcode version with the visionOS SDK, we will
         # need to also build an XCFramework using that version but without `SKIP_VISION_OS=true`
         run: SKIP_VISION_OS=true bundle exec rake build:xcframework[Lottie-Xcode-${{ matrix.xcode }}]
       - name: Upload XCFramework

README.md

@@ -85,6 +85,18 @@ Lottie supports Swift / Xcode versions back to the minimum version that is permi
 
 Lottie does not collect any data. We provide this notice to help you fill out [App Privacy Details](https://developer.apple.com/app-store/app-privacy-details/). We additionally provide a [privacy manifest](https://github.com/airbnb/lottie-ios/blob/master/PrivacyInfo.xcprivacy) which can be included in your app.
 
+## Security
+
+We distribute XCFramework bundles for each release on [GitHub](https://github.com/airbnb/lottie-ios/releases/latest). In Lottie 4.4.0 and later, these XCFramework bundles include a [code signature](https://developer.apple.com/documentation/xcode/verifying-the-origin-of-your-xcframeworks). These bundles are self-signed under the name "Lottie iOS" and have the following fingerprint:
+
+```
+89 2F 1B 43 04 7B 50 53 8F 2F 46 EA D9 29 00 DD 3D 48 11 F358 21 78 C0 61 A5 FB 20 F1 11 CB 26
+```
+
+In Xcode you can verify this by selecting `Lottie.xcframework` and confirming that it shows the following information:
+
+![Code Signature in Xcode](_Gifs/code_signature.png)
+
 ## Contributing
 
 We always appreciate contributions from the community. To make changes to the project, you can clone the repo and open `Lottie.xcworkspace`. This workspace includes:

Rakefile

@@ -100,13 +100,28 @@ namespace :build do
 
     xcodebuild(xcframeworkInvocation.join(" "))
 
-    # Archive the XCFramework into a zip file
     Dir.chdir('.build/archives') do
+      # Codesign the XCFramework using the "Lottie iOS" certificate, which should be installed in the keychain.
+      #  - Check to make sure the certificate is installed before attemtping to codesign.
+      #  - In GitHub actions CI, only jobs run by contibutors have access to repo secrets,
+      #    so PR jobs from external contributors won't have access to this certificate.
+      #    In that case we skip codesigning so the job doesn't fail.
+      puts "Checking if signing certificate is installed..."
+      `security find-certificate -c 'Lottie iOS'`
+      if $?.success?
+        puts "Signing certificate is installed. Code signing Lottie.xcframework."
+        sh 'codesign --timestamp -v --sign "Lottie iOS" Lottie.xcframework'
+      else
+        puts "Signing certificate is not installed. Lottie.xcframework will not be code signed."
+      end
+
+      # Archive the XCFramework into a zip file
       # Use --symlinks to avoid "Multiple binaries share the same codesign path. This can happen if your build process copies frameworks by following symlinks." 
       # error when validating macOS apps (#1948)
       sh "zip -r --symlinks #{args[:zip_archive_name]}.xcframework.zip Lottie.xcframework"
       sh 'rm -rf Lottie.xcframework'
     end
+
     sh "swift package compute-checksum .build/archives/#{args[:zip_archive_name]}.xcframework.zip"
   end
 end