Telling Xcode 14 beta 4 to trust build tool plugins programmatically

In Xcode 14 beta 4, build tool plugins need to be trusted before they can be run now, which works fine on my local Xcode instance by following the instructions in the alert dialogue.

However, on Xcode cloud I'm just given an error immediately after starting the archive:

Showing All Messages

Archiving project Foo with scheme Foo of project Foo

Prepare packages
Validate plug-in “CodegenPlugin” in package “mypackage”
“CodegenPlugin” is disabled

Plug-in “CodegenPlugin” is implemented here

From what I can tell, there's no state or flag stored in the Xcode project files or anything else that is checked in. Is there an environment variable or flag I can set to tell Xcode cloud to trust my build tool plugin?


Seems xcodebuild has a new option -skipPackagePluginValidation in Xcode 14.0 beta 4:

Skip validation of package plugins (this can be a security risk if they are not from trusted sources)

I'm guessing that's what you're after?


Yup, this looks like what I'm looking for, thanks! The only problem now is to figure out how to pass it to Xcode Cloud. There doesn't seem to be any option for passing xcodebuild arguments in the edit workflow screen, only a table for environment variables.

Hi @Luke_Lau - did you ever figure out a solution to this?

Seems like you cannot use Swift Package Plugins, or any dependency which might use them, if you also want to use Xcode Cloud. Which is a bit of a deal breaker - as it's highly likely that open source packages will start making use of them.

Unfortunately no, not with Xcode cloud. We’ve had to stop using Xcode cloud for this reason.

Thanks @Luke_Lau - I guess back to GitHub Actions it is.

In Xcode Cloud you can use custom build scripts (ci_post_clone.sh) to set the following user default:

defaults write com.apple.dt.Xcode IDESkipPackagePluginFingerprintValidatation -bool YES

This will have the same effect as passing -skipPackagePluginValidation.


Just stuck it into my pre build script, it worked perfectly. Thanks! Is this documented anywhere or is it considered internal?
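A complete ci_post_clone.sh built around the defaults write from the reply above, added here as an example (not code from the thread or from Apple). It reads the default back after writing it so the build fails early if it did not take, and it assumes Xcode Cloud sets CI_XCODE_CLOUD=TRUE so the same checkout does not silently disable the trust prompt on a developer's local Xcode.

```shell
#!/bin/sh
# ci_post_clone.sh -- Xcode Cloud runs this after cloning, before xcodebuild.
# Added example: writes the Xcode user default named in the thread, then
# verifies it, so a failed write surfaces here instead of as
# '"CodegenPlugin" is disabled' during the archive step.
set -eu

DOMAIN="com.apple.dt.Xcode"
# Key spelling (Validatation) is Xcode's own, not a typo here.
KEY="IDESkipPackagePluginFingerprintValidatation"

# Write the default, read it back, print the stored value.
# Returns non-zero if the stored value is not 1 (true).
# Note: this turns off plugin fingerprint validation for every package the
# build resolves, so keep Package.resolved pinned and under review.
skip_plugin_validation() {
    defaults write "$DOMAIN" "$KEY" -bool YES
    value=$(defaults read "$DOMAIN" "$KEY")
    [ "$value" = "1" ] || return 1
    echo "$value"
}

# Assumed: Xcode Cloud exports CI_XCODE_CLOUD=TRUE; elsewhere do nothing.
if [ "${CI_XCODE_CLOUD:-}" = "TRUE" ]; then
    skip_plugin_validation
fi
```

On a local machine the script is a no-op, so the Xcode trust dialogue still applies there.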