Skip to main content

Use the legacy method to package iOS and tvOS apps

If you cannot package with the gen-ir method Veracode recommends, you can package with the legacy method.

To complete this task:

  1. In Xcode, go to the PROJECT section on the left and select your project.

  2. Click the Project navigator folder icon from the top left menu in Xcode.

  3. In the Project navigator, select your project, and then select its target to the right.

  4. From the top menu bar, select Build Settings > All > Build Options > Debug Information Format, and then set the value to DWARF with dSYM.

  5. Select Build Settings > Build Options > Enable Bitcode, and then set the value to Yes.

  6. From the top menu bar in MacOS, select Product > Scheme > Edit Scheme... > Archive > Build Configuration, and then select Debug.

  7. From the top of Xcode, select your device in the breadcrumb menu, and then choose Any iOS Device.

  8. Select Product > Archive to build your archive. After the build has completed, the archive is highlighted in Xcode Organizer.

  9. Right-click your archive, and then click Show in Finder.

  10. Open your terminal, and then change directory to your project.

  11. Run the following command to create an archive:

    xcodebuild archive \
    -project MyApp.xcodeproj \
    -scheme MyApp \
    -destination generic/platform=iOS \ DEBUG_INFORMATION_FORMAT=dwarf-with-dsym \ ENABLE_BITCODE=YES
  12. If you are using the Cocoapods dependency manager, add the following snippet to the end of your podfile to automatically enable Bitcode for your project dependencies:

    post_install do |installer|   
    installer.pods_project.targets.each do |target|
    target.build_configurations.each do |config|
    config.build_settings['ENABLE_BITCODE'] = 'YES'

    Then, run cd {project_home_dir} && pod install in terminal.

  13. Upload your iOS application to the Veracode Platform for analysis.

  14. Optionally, to upload your archives with Veracode Software Composition Analysis, add the Podfile.lock file to the root of another zipped archive. Keep this new zipped archive separate from the one that contains the .xcarchive folder, as shown in the following command:

    zip Podfile.lock

    Upload to the same scan as the that you previously uploaded.