devicekit/DeviceKit

Missing API declaration for NSPrivacyAccessedAPICategoryDiskSpace when integrated via SPM

ksdjfksd opened this issue · 6 comments

We integrate DeviceKit 5.2.3 via Swift Package Manager (SPM).

Upon upload for review to the AppStore we receive the mail by Apple with the warning about missing API declaration for NSPrivacyAccessedAPICategoryDiskSpace.

I investigated the payload of the uploaded .ipa and it contains DeviceKit_DeviceKit.bundle.
Inside of this bundle I can also see the PrivacyInfo.xcprivacy file.

This means the PrivacyInfo file should be recognized during the AppStore review process. But the issue is: It does not get recognized and our app is flagged for using NSPrivacyAccessedAPICategoryDiskSpace without declaration.

I have tried to upload a version to app review where I removed DeviceKit from the app.
This version passed review without being flagged.
So it must be an issue with the DeviceKit SPM package integration.

I faced the same issue. Thank you for reporting @ksdjfksd !

We almost have no time until May 1. Could anybody raise the priority for the ticket ? For me it's a blocker.

Similar discussion and workaround for Firebase here
Apparently AppStore Connect is not seeing the privacy reports from SPM dependencies because they are statically linked.
A workaround could be to manually add the required reasons of your dependencies in your app's privacy report (not tested).

Hmmm, the bug is related to Swift Package Manager and it was opened Feb 4.
apple/swift-package-manager#7317

Few days ago Apple updated their documentation related to static libs

Distribute your static library with a privacy manifest
A static library is an archive of object files with the .a file extension. It doesn’t support resources such as the privacy manifest. If you currently distribute a static library as an SDK and want to update it to include a privacy manifest in Xcode, create a new static framework target that includes all your static library’s source files and resources, then add the privacy manifest to the target’s resource.
If you don’t use Xcode to build your static library, create a static framework bundle for your static library manually, then add the privacy manifest to the bundle as a resource. For more information about framework bundle structure, see Placing content in a bundle. To identify the privacy manifest location in the static framework, see Add a privacy manifest to your framework.

The link to documentation is here

Sounds like the offending code should be pulled into another library, or this library should add suggestions for how to add the privacy reasons to your app that this violates..

I don't see any other way around this, do you guys?