Firebase-ios-sdk: "upload-symbols" triggers security alert

Created on 3 Sep 2020 · 14 Comments · Source: firebase/firebase-ios-sdk

  • Xcode version: 11.6 (11E708)
  • Firebase SDK version: 6.31.0
  • Firebase Component: FirebaseCrashlytics (Auth, Core, Database, Firestore, Messaging, Storage, etc)
  • Component version: 6.31.0
  • Installation method: Carthage

[REQUIRED] Step 2: Describe the problem

Running the upload-symbols script triggers a Gatekeeper alert and does not allow me to continue.
Alert shows:

“upload-symbols” can’t be opened because Apple cannot check it for malicious software.

This problem can be avoided by allowing the upload-symbols script in the security pane of System Preferences, but I don't think this is a good approach/solution.
I think that signing/notarizing the script should get rid of the problem.

Steps to reproduce:

Run

./MyProject/Firebase/upload-symbols -gsp ./MyProject/GoogleService-Info.plist -p ios dSYMs
crashlytics

All 14 comments

I found a few problems with this issue:

  • I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
  • This issue does not seem to follow the issue template. Make sure you provide all the required information.

Forgot to mention: the upload-symbols used is from the master branch as of today

Hi @mattia,

Can you provide the output of codesign -dv --verbose=4 ./MyProject/Firebase/upload-symbols?

Executable=/Users/mattia/MyProject/Firebase/upload-symbols
Identifier=$(PRODUCT_BUNDLE_IDENTIFIER)
Format=Mach-O thin (x86_64)
CodeDirectory v=20200 size=2364 flags=0x0(none) hashes=66+5 location=embedded
VersionPlatform=1
VersionMin=657920
VersionSDK=658944
Hash type=sha256 size=32
CandidateCDHash sha1=f8676d7245e0e8b17f384593adbc98a9b3bc89a1
CandidateCDHashFull sha1=f8676d7245e0e8b17f384593adbc98a9b3bc89a1
CandidateCDHash sha256=6b411fadc47682444c2d4468cb49968a2f055964
CandidateCDHashFull sha256=6b411fadc47682444c2d4468cb49968a2f0559641a91d80158aae3aa4294a02f
Hash choices=sha1,sha256
CMSDigest=66d8c4b5d01277dfca312a330a3a427c062fccea69b12d4fe7489e67e7dcd42b
CMSDigestType=2
Page size=4096
CDHash=6b411fadc47682444c2d4468cb49968a2f055964
Signature size=4707
Authority=Developer ID Application: Crashlytics, Inc. (L8VKXC2S77)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=31 Mar 2020 at 20:36:45
Info.plist entries=8
TeamIdentifier=L8VKXC2S77
Sealed Resources=none
Internal requirements count=1 size=220

Can I provide additional information to help the process?

Thanks! Have a nice day

Do you mind sharing your installation method, e.g. CocoaPods, Swift Package Manager, manual zip download, etc...?

Edit, I see from the initial report that it is through Carthage.

Hey @mattia, based on that output, upload-symbols is codesigned (which is expected). I think ultimately we need to take the next step and Notarize the tool for macOS to accept it via Carthage / zip downloads. With CocoaPods it seems to be ok with just a signed binary.

I'll let you know when we pull the work to get it Notarized.
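
Added example (not part of the original thread or of the Firebase project's code): a Python check that reads the `codesign -dv --verbose=4` output requested above and lists which notarization prerequisites the signature lacks (Developer ID leaf certificate, hardened runtime flag, secure timestamp). The function names and the trimmed sample are constructed for illustration; the check inspects signature metadata only and does not tell whether Apple holds a notarization ticket for the binary.

```python
import re

# Constructed sample: key lines copied from the codesign output posted in this thread.
SAMPLE = """\
CodeDirectory v=20200 size=2364 flags=0x0(none) hashes=66+5 location=embedded
Authority=Developer ID Application: Crashlytics, Inc. (L8VKXC2S77)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=31 Mar 2020 at 20:36:45
TeamIdentifier=L8VKXC2S77
"""

CS_RUNTIME = 0x10000  # hardened-runtime bit in the CodeDirectory flags


def parse_codesign(text):
    """Collect key=value fields; Authority repeats, so keep it as a list."""
    info = {"Authority": [], "flags": None}
    for line in text.splitlines():
        m = re.match(r"CodeDirectory .*\bflags=(0x[0-9a-fA-F]+)", line)
        if m:
            info["flags"] = int(m.group(1), 16)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # e.g. "code object is not signed at all"
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def notarization_gaps(text):
    """Return the notarization prerequisites the signature does not meet."""
    info = parse_codesign(text)
    gaps = []
    leaf = info["Authority"][0] if info["Authority"] else ""
    if not leaf.startswith("Developer ID Application:"):
        gaps.append("not signed with a Developer ID Application certificate")
    if info["flags"] is None or not info["flags"] & CS_RUNTIME:
        gaps.append("hardened runtime not enabled")
    # codesign prints "Timestamp=" for a secure timestamp, "Signed Time=" otherwise.
    if "Timestamp" not in info:
        gaps.append("no secure timestamp")
    return gaps


if __name__ == "__main__":
    print(notarization_gaps(SAMPLE))
```

On a Mac, `codesign` writes this report to stderr, so capture it with `2>&1` before passing the text to `notarization_gaps`.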

Thank you!

Just a quick update on this: we've pulled this work and should have an update on the expected timeline within the next few weeks.

Looking forward to the update!

Thanks! Have a nice day

“upload-symbols” can’t be opened because Apple cannot check it for malicious software.

Same issue for me
I need to upload symbols from an xcarchive bundle (generated with Xcode build archive)
Any update about this ticket?

Same issue for me! Any progress on this ticket?

I created https://github.com/firebase/firebase-ios-sdk/pull/7323 which updates the upload-symbols binary to hopefully avoid the security alert. The binary is signed with Google's developer certificate and has been notarized via Apple's notary service.

I will leave this ticket open until the PR is merged and folks have a chance to verify that this solves the issue.

Seems like this is resolved for the folks that were participating in the conversation.
