Merge branch 'main' into gh-139269

Author: ashm-dev

Apple/__main__.py

@@ -316,7 +316,7 @@ def unpack_deps(
     for name_ver in [
         "BZip2-1.0.8-2",
         "libFFI-3.4.7-2",
-        "OpenSSL-3.0.16-2",
+        "OpenSSL-3.0.17-1",
         "XZ-5.6.4-2",
         "mpdecimal-4.0.0-2",
         "zstd-1.5.7-1",
@@ -577,6 +577,7 @@ def create_xcframework(platform: str) -> str:
 
     # Extract the package version from the merged framework
     version = package_version(package_path / "Python.xcframework")
+    version_tag = ".".join(version.split(".")[:2])
 
     # On non-macOS platforms, each framework in XCframework only contains the
     # headers, libPython, plus an Info.plist. Other resources like the standard
@@ -647,6 +648,23 @@ def create_xcframework(platform: str) -> str:
                 slice_framework / f"Headers/pyconfig-{arch}.h",
             )
 
+            # Apple identifies certain libraries as "security risks"; if you
+            # statically link those libraries into a Framework, you become
+            # responsible for providing a privacy manifest for that framework.
+            xcprivacy_file = {
+                "OpenSSL": subdir(host_triple) / "prefix/share/OpenSSL.xcprivacy"
+            }
+            print(f"   - {multiarch} xcprivacy files")
+            for module, lib in [
+                ("_hashlib", "OpenSSL"),
+                ("_ssl", "OpenSSL"),
+            ]:
+                shutil.copy(
+                    xcprivacy_file[lib],
+                    slice_path
+                    / f"lib-{arch}/python{version_tag}/lib-dynload/{module}.xcprivacy",
+                )
+
     print(" - build tools")
     shutil.copytree(
         PYTHON_DIR / "Apple/testbed/Python.xcframework/build",

Apple/testbed/Python.xcframework/build/utils.sh

@@ -67,6 +67,9 @@ install_dylib () {
 
     # The name of the extension file
     EXT=$(basename "$FULL_EXT")
+    # The name and location of the module
+    MODULE_PATH=$(dirname "$FULL_EXT")
+    MODULE_NAME=$(echo $EXT | cut -d "." -f 1)
     # The location of the extension file, relative to the bundle
     RELATIVE_EXT=${FULL_EXT#$CODESIGNING_FOLDER_PATH/}
     # The path to the extension file, relative to the install base
@@ -94,6 +97,16 @@ install_dylib () {
     # Create a back reference to the .so file location in the framework
     echo "${RELATIVE_EXT%.so}.fwork" > "$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER/$FULL_MODULE_NAME.origin"
 
+    # If the framework provides an xcprivacy file, install it.
+    if [ -e "$MODULE_PATH/$MODULE_NAME.xcprivacy" ]; then
+        echo "Installing XCPrivacy file for $FRAMEWORK_FOLDER/$FULL_MODULE_NAME"
+        XCPRIVACY_FILE="$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER/PrivacyInfo.xcprivacy"
+        if [ -e "$XCPRIVACY_FILE" ]; then
+          rm -rf "$XCPRIVACY_FILE"
+        fi
+        mv "$MODULE_PATH/$MODULE_NAME.xcprivacy" "$XCPRIVACY_FILE"
+    fi
+
     echo "Signing framework as $EXPANDED_CODE_SIGN_IDENTITY_NAME ($EXPANDED_CODE_SIGN_IDENTITY)..."
     /usr/bin/codesign --force --sign "$EXPANDED_CODE_SIGN_IDENTITY" ${OTHER_CODE_SIGN_FLAGS:-} -o runtime --timestamp=none --preserve-metadata=identifier,entitlements,flags --generate-entitlement-der "$CODESIGNING_FOLDER_PATH/$FRAMEWORK_FOLDER"
 }

Doc/using/ios.rst

@@ -328,7 +328,12 @@ App Store Compliance
 The only mechanism for distributing apps to third-party iOS devices is to
 submit the app to the iOS App Store; apps submitted for distribution must pass
 Apple's app review process. This process includes a set of automated validation
-rules that inspect the submitted application bundle for problematic code.
+rules that inspect the submitted application bundle for problematic code. There
+are some steps that must be taken to ensure that your app will be able to pass
+these validation steps.
+
+Incompatible code in the standard library
+-----------------------------------------
 
 The Python standard library contains some code that is known to violate these
 automated rules. While these violations appear to be false positives, Apple's
@@ -339,3 +344,18 @@ The Python source tree contains
 :source:`a patch file <Mac/Resources/app-store-compliance.patch>` that will remove
 all code that is known to cause issues with the App Store review process. This
 patch is applied automatically when building for iOS.
+
+Privacy manifests
+-----------------
+
+In April 2025, Apple introduced a requirement for `certain third-party
+libraries to provide a Privacy Manifest
+<https://developer.apple.com/support/third-party-SDK-requirements>`__.
+As a result, if you have a binary module that uses one of the affected
+libraries, you must provide an ``.xcprivacy`` file for that library.
+OpenSSL is one library affected by this requirement, but there are others.
+
+If you produce a binary module named ``mymodule.so``, and use you the Xcode
+build script described in step 7 above, you can place a ``mymodule.xcprivacy``
+file next to ``mymodule.so``, and the privacy manifest will be installed into
+the required location when the binary module is converted into a framework.

Lib/imaplib.py

@@ -497,8 +497,6 @@ def append(self, mailbox, flags, date_time, message):
         else:
             date_time = None
         literal = MapCRLF.sub(CRLF, message)
-        if self.utf8_enabled:
-            literal = b'UTF8 (' + literal + b')'
         self.literal = literal
         return self._simple_command(name, mailbox, flags, date_time)
 
@@ -1119,7 +1117,11 @@ def _command(self, name, *args):
                 literator = literal
             else:
                 literator = None
-                data = data + bytes(' {%s}' % len(literal), self._encoding)
+                if self.utf8_enabled:
+                    data = data + bytes(' UTF8 (~{%s}' % len(literal), self._encoding)
+                    literal = literal + b')'
+                else:
+                    data = data + bytes(' {%s}' % len(literal), self._encoding)
 
         if __debug__:
             if self.debug >= 4:

Lib/test/test_imaplib.py

@@ -372,7 +372,11 @@ def cmd_AUTHENTICATE(self, tag, args):
                 self._send_tagged(tag, 'OK', 'FAKEAUTH successful')
             def cmd_APPEND(self, tag, args):
                 self._send_textline('+')
-                self.server.response = yield
+                self.server.response = args
+                literal = yield
+                self.server.response.append(literal)
+                literal = yield
+                self.server.response.append(literal)
                 self._send_tagged(tag, 'OK', 'okay')
         client, server = self._setup(UTF8AppendServer)
         self.assertEqual(client._encoding, 'ascii')
@@ -383,10 +387,13 @@ def cmd_APPEND(self, tag, args):
         self.assertEqual(code, 'OK')
         self.assertEqual(client._encoding, 'utf-8')
         msg_string = 'Subject: üñí©öðé'
-        typ, data = client.append(None, None, None, msg_string.encode('utf-8'))
+        typ, data = client.append(
+            None, None, None, (msg_string + '\n').encode('utf-8'))
         self.assertEqual(typ, 'OK')
         self.assertEqual(server.response,
-            ('UTF8 (%s)\r\n' % msg_string).encode('utf-8'))
+            ['INBOX', 'UTF8',
+             '(~{25}', ('%s\r\n' % msg_string).encode('utf-8'),
+             b')\r\n' ])
 
     def test_search_disallows_charset_in_utf8_mode(self):
         class UTF8Server(SimpleIMAPHandler):
@@ -881,7 +888,11 @@ def test_enable_UTF8_True_append(self):
         class UTF8AppendServer(self.UTF8Server):
             def cmd_APPEND(self, tag, args):
                 self._send_textline('+')
-                self.server.response = yield
+                self.server.response = args
+                literal = yield
+                self.server.response.append(literal)
+                literal = yield
+                self.server.response.append(literal)
                 self._send_tagged(tag, 'OK', 'okay')
 
         with self.reaped_pair(UTF8AppendServer) as (server, client):
@@ -895,12 +906,12 @@ def cmd_APPEND(self, tag, args):
             self.assertEqual(client._encoding, 'utf-8')
             msg_string = 'Subject: üñí©öðé'
             typ, data = client.append(
-                None, None, None, msg_string.encode('utf-8'))
+                None, None, None, (msg_string + '\n').encode('utf-8'))
             self.assertEqual(typ, 'OK')
-            self.assertEqual(
-                server.response,
-                ('UTF8 (%s)\r\n' % msg_string).encode('utf-8')
-            )
+            self.assertEqual(server.response,
+                ['INBOX', 'UTF8',
+                 '(~{25}', ('%s\r\n' % msg_string).encode('utf-8'),
+                 b')\r\n' ])
 
     # XXX also need a test that makes sure that the Literal and Untagged_status
     # regexes uses unicode in UTF8 mode instead of the default ASCII.

Lib/urllib/parse.py

@@ -97,11 +97,9 @@ def clear_cache():
     _byte_quoter_factory.cache_clear()
 
 # Helpers for bytes handling
-# For 3.2, we deliberately require applications that
-# handle improperly quoted URLs to do their own
-# decoding and encoding. If valid use cases are
-# presented, we may relax this by using latin-1
-# decoding internally for 3.3
+# We deliberately require applications that
+# handle improperly quoted URLs to do their
+# own decoding and encoding.
 _implicit_encoding = 'ascii'
 _implicit_errors = 'strict'
 

Misc/NEWS.d/next/Library/2023-02-13-20-34-52.gh-issue-78319.V1zzed.rst

@@ -0,0 +1 @@
+UTF8 support for the IMAP APPEND command has been made RFC compliant.

Misc/NEWS.d/next/Tools-Demos/2025-08-28-06-22-26.gh-issue-132006.eZQmc6.rst

@@ -0,0 +1,2 @@
+XCframeworks now include privacy manifests to satisfy Apple App Store
+submission requirements.