How do I get Xcode to programmatically trust a specific build tool plugin for CI?

Hi! So I've figured out from this thread from the Xcode 14 beta days that to get build tool plugins running on a Continuous Integration server, you need to either set a boolean on the CI's system or pass a -skipPackagePluginValidation parameter to xcodebuild.

The problem with this is that it trusts every package plugin, which is a gaping security hole, especially on CI systems that are creating builds. If someone were to add a malicious plugin to your codebase, it would run any time the CI built the PR, which seems real bad.

I've been poking around for this but haven't been able to find it: Is there a way to tell Xcode to trust a specific package plugin programmatically rather than every single one?

Follow up: If there isn't, is this something that should be filed as a bug in Feedback or on the Swift Jira?

There's currently no affordance for trusting individual plugins, but the trust information is stored in ~/.swiftpm/security/plugins.json so copying that file to the CI after trusting individual plugins locally is an option.

Also note that build tool plugins are always sandboxed, so the security impact is somewhat mitigated and similar to what code inside the package manifest itself can do.

1 Like

OK, that's probably a better workaround - I assume that fingerprint changes anytime you update the plugin, correct?

Also, what's better to file a feature request for this, Feedback or SPM's Jira board?

I believe so; the file contains the commit hash of the parent package.

Feedback would be the preferred way. Thanks!

Thank you - FB11772479!

1 Like

Anyone trying to do this on CI: I was not able to copy to ~.swiftpm/security using bash, but I was able to copy to the folder it symlinks to, ~/Library/org.swift.swiftpm/security, and that did indeed get the plugin to be recognized by the CI's version of Xcode.

1 Like
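The workaround described in this thread (trust the plugin locally, then ship ~/.swiftpm/security/plugins.json to the CI host, writing to the directory the symlink points at rather than through the symlink), as an added shell example that is not from the thread or from SwiftPM itself. It assumes a macOS CI user whose real directory is ~/Library/org.swift.swiftpm/security as reported above; the install_plugin_trust function name and the sample file contents are constructed.

```shell
#!/bin/sh
# Constructed example: install a plugins.json that was produced by trusting
# specific plugins on a developer machine, so CI does not need
# -skipPackagePluginValidation (which would trust every plugin).
set -eu

# install_plugin_trust SRC [HOME_DIR]
#   SRC      : plugins.json exported after trusting the plugins locally
#   HOME_DIR : home directory of the CI user (defaults to $HOME)
install_plugin_trust() {
    src="$1"
    home_dir="${2:-$HOME}"
    link="$home_dir/.swiftpm/security"
    # Real directory the thread reports the symlink resolving to on macOS.
    real="$home_dir/Library/org.swift.swiftpm/security"

    if [ ! -s "$src" ]; then
        echo "missing or empty trust file: $src" >&2
        return 1
    fi

    # If ~/.swiftpm/security already exists as a symlink, follow it so the
    # file lands exactly where SwiftPM reads it (handles a relative target).
    if [ -L "$link" ]; then
        real=$(readlink "$link")
        case "$real" in
            /*) ;;
            *) real="$home_dir/.swiftpm/$real" ;;
        esac
    fi

    mkdir -p "$real"
    cp "$src" "$real/plugins.json"
    # Trust data should only be writable by the CI user.
    chmod 600 "$real/plugins.json"

    # Confirm the installed file is byte-identical to what was trusted locally.
    cmp -s "$src" "$real/plugins.json"
}
```

Run it as a CI provisioning step before xcodebuild; a non-zero exit means the trust file was not installed and the build should stop rather than fall back to skipping validation.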