[3.14] gh-132006: Add support for handling XCPrivacy manifests (GH-139163) (#139410)

Co-authored-by: Russell Keith-Magee <russell@keith-magee.com>
2025-12-31 04:23:37 +00:00 · 2025-10-01 15:50:33 +02:00 · 2025-10-01 15:50:33 +02:00 · 86bc87b30d
commit 86bc87b30d
parent 20f472b629
4 changed files with 55 additions and 2 deletions
--- a/Apple/main.py
+++ b/Apple/main.py
@ -316,7 +316,7 @@ def unpack_deps(
    for name_ver in [
        "BZip2-1.0.8-2",
        "libFFI-3.4.7-2",
-        "OpenSSL-3.0.16-2",
+        "OpenSSL-3.0.17-1",
        "XZ-5.6.4-2",
        "mpdecimal-4.0.0-2",
        "zstd-1.5.7-1",
@ -577,6 +577,7 @@ def create_xcframework(platform: str) -> str:

    # Extract the package version from the merged framework
    version = package_version(package_path / "Python.xcframework")
+    version_tag = ".".join(version.split(".")[:2])

    # On non-macOS platforms, each framework in XCframework only contains the
    # headers, libPython, plus an Info.plist. Other resources like the standard
@ -647,6 +648,23 @@ def create_xcframework(platform: str) -> str:
                slice_framework / f"Headers/pyconfig-{arch}.h",
            )

+            # Apple identifies certain libraries as "security risks"; if you
+            # statically link those libraries into a Framework, you become
+            # responsible for providing a privacy manifest for that framework.
+            xcprivacy_file = {
+                "OpenSSL": subdir(host_triple) / "prefix/share/OpenSSL.xcprivacy"
+            }
+            print(f"   - {multiarch} xcprivacy files")
+            for module, lib in [
+                ("_hashlib", "OpenSSL"),
+                ("_ssl", "OpenSSL"),
+            ]:
+                shutil.copy(
+                    xcprivacy_file[lib],
+                    slice_path
+                    / f"lib-{arch}/python{version_tag}/lib-dynload/{module}.xcprivacy",
+                )
+
    print(" - build tools")
    shutil.copytree(
        PYTHON_DIR / "Apple/testbed/Python.xcframework/build",
--- a/Apple/testbed/Python.xcframework/build/utils.sh
+++ b/Apple/testbed/Python.xcframework/build/utils.sh
@ -67,6 +67,9 @@ install_dylib () {

    # The name of the extension file
    EXT=$(basename "$FULL_EXT")
+    # The name and location of the module
+    MODULE_PATH=$(dirname "$FULL_EXT")
+    MODULE_NAME=$(echo $EXT | cut -d "." -f 1)
    # The location of the extension file, relative to the bundle
    RELATIVE_EXT=${FULL_EXT#$CODESIGNING_FOLDER_PATH/}
    # The path to the extension file, relative to the install base
@ -94,6 +97,16 @@ install_dylib () {
    # Create a back reference to the .so file location in the framework
    echo "${RELATIVE_EXT%.so}.fwork" > "$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER/$FULL_MODULE_NAME.origin"

+    # If the framework provides an xcprivacy file, install it.
+    if [ -e "$MODULE_PATH/$MODULE_NAME.xcprivacy" ]; then
+        echo "Installing XCPrivacy file for $FRAMEWORK_FOLDER/$FULL_MODULE_NAME"
+        XCPRIVACY_FILE="$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER/PrivacyInfo.xcprivacy"
+        if [ -e "$XCPRIVACY_FILE" ]; then
+          rm -rf "$XCPRIVACY_FILE"
+        fi
+        mv "$MODULE_PATH/$MODULE_NAME.xcprivacy" "$XCPRIVACY_FILE"
+    fi
+
    echo "Signing framework as $EXPANDED_CODE_SIGN_IDENTITY_NAME ($EXPANDED_CODE_SIGN_IDENTITY)..."
    /usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" ${OTHER_CODE_SIGN_FLAGS:-} -o runtime --timestamp=none --preserve-metadata=identifier,entitlements,flags --generate-entitlement-der "$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER"
 }