verifyOS-cli
verifyOS-cli is a pure Rust, cross-platform CLI tool designed to scan Apple app bundles (like .ipa, .app, Info.plist, and Mach-O binaries) for App Store rejection risks before submission. Running locally or in an automated CI pipeline, it catches potential App Store Connect rejections early in the build process, before submission.
The App Store Connect validation step is historically a "black box" that costs developers hours of waiting. By shifting validation to your local machine—or a fast, cheap Linux runner—verifyOS-cli empowers solo developers and robust teams alike. Unlike Apple's toolchain (codesign, otool), this tool is built entirely in Rust.
What it does
- Acts as a local static analysis orchestrator for iOS/macOS apps.
- Privacy Manifests: Checks for a missing PrivacyInfo.xcprivacy and API-required privacy labels.
- Permissions (Info.plist): Validates the inclusion of mandatory descriptions (e.g., NSLocationWhenInUseUsageDescription) against linked frameworks.
- Code Signatures: Extracts binary entitlements and spots mismatches with the embedded provisioning profile.
- Export Compliance: Inspects binaries for the ITSAppUsesNonExemptEncryption key to avoid manual Web UI confirmations.
- Architecture & Metadata: Ensures proper Mach-O universal sizes and UI asset configurations.
Installation
From crates.io
Quick start
Run the CLI tool against your .ipa or .app path:
Example Passing Output
Analysis complete!
╭──────────────────────────────────┬──────────┬────────────────╮
│ Rule ┆ Severity ┆ Result/Message │
╞══════════════════════════════════╪══════════╪════════════════╡
│ Missing Privacy Manifest ┆ ERROR ┆ PASS │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Missing Camera Usage Description ┆ ERROR ┆ PASS │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Entitlements Mismatch ┆ ERROR ┆ PASS │
╰──────────────────────────────────┴──────────┴────────────────╯
Example Failing Output (Exits with code 1)
Analysis complete!
╭──────────────────────────────────┬──────────┬──────────────────────────────────╮
│ Rule ┆ Severity ┆ Result/Message │
╞══════════════════════════════════╪══════════╪══════════════════════════════════╡
│ Missing Privacy Manifest ┆ ERROR ┆ Missing Privacy Manifest │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Missing Camera Usage Description ┆ ERROR ┆ Missing Camera Usage Description │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ Entitlements Mismatch ┆ ERROR ┆ PASS │
╰──────────────────────────────────┴──────────┴──────────────────────────────────╯
Architecture
This project is structured with modularity in mind:
- core/: Orchestrator and logic execution engine.
- parsers/: Format handlers (zip extraction, plist mapping, goblin/apple-codesign Mach-O inspection).
- rules/: Trait-based rule engine representing the validation checks.
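Two of the checks from "What it does" written as rules behind a trait, with the exit code derived from the results. This is an added example, not verifyOS-cli's own code: the Rule trait, the Bundle struct, the rule types, the AVFoundation heuristic and the exact-match entitlement comparison are assumptions, and the bundle is constructed sample data.

```rust
use std::collections::BTreeMap;
type Dict = BTreeMap<&'static str, &'static str>;
// Hypothetical, already-parsed view of a bundle (not verifyOS-cli's own types).
pub struct Bundle { pub plist: Dict, pub frameworks: Vec<&'static str>, pub binary_ents: Dict, pub profile_ents: Dict }

pub trait Rule {
    fn name(&self) -> &'static str;
    fn check(&self, b: &Bundle) -> Result<(), String>; // Ok = PASS, Err = report message
}

pub struct CameraUsage;
impl Rule for CameraUsage {
    fn name(&self) -> &'static str { "Missing Camera Usage Description" }
    fn check(&self, b: &Bundle) -> Result<(), String> {
        let needed = b.frameworks.contains(&"AVFoundation"); // assumed heuristic for camera use
        let present = b.plist.get("NSCameraUsageDescription").map_or(false, |v| !v.trim().is_empty());
        if needed && !present { Err(self.name().to_string()) } else { Ok(()) }
    }
}

pub struct EntitlementsMismatch;
impl Rule for EntitlementsMismatch {
    fn name(&self) -> &'static str { "Entitlements Mismatch" }
    fn check(&self, b: &Bundle) -> Result<(), String> {
        // Simplified: each binary entitlement must be in the profile with the same string value.
        let bad: Vec<&str> = b.binary_ents.iter()
            .filter(|&(k, v)| b.profile_ents.get(k) != Some(v)).map(|(k, _)| *k).collect();
        if bad.is_empty() { Ok(()) } else { Err(format!("not granted by profile: {}", bad.join(", "))) }
    }
}

// Runs all rules; returns (rule, message) rows and the exit code (1 if any rule failed).
pub fn run(rules: &[Box<dyn Rule>], b: &Bundle) -> (Vec<(&'static str, String)>, i32) {
    let rows: Vec<_> = rules.iter().map(|r| (r.name(), r.check(b).err().unwrap_or("PASS".into()))).collect();
    let code = rows.iter().any(|(_, m)| m != "PASS") as i32;
    (rows, code)
}
pub fn rules() -> Vec<Box<dyn Rule>> { vec![Box::new(CameraUsage), Box::new(EntitlementsMismatch)] }

// Constructed sample: links AVFoundation, has no usage string, claims an entitlement the profile lacks.
pub fn sample() -> Bundle {
    Bundle { plist: Dict::new(), frameworks: vec!["UIKit", "AVFoundation"],
        binary_ents: Dict::from([("get-task-allow", "true")]), profile_ents: Dict::new() }
}

fn main() {
    let (rows, code) = run(&rules(), &sample());
    for (rule, msg) in rows { println!("{rule}: {msg}"); }
    std::process::exit(code);
}
```

Real entitlement values can be arrays or wildcard identifiers, so a production comparison needs more than string equality.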
Conventional Commits
To ensure that automated semantic versioning and changelog parsing by the release-plz bot behave properly, developers MUST use the Conventional Commits format:
- feat: A new feature (correlates to a MINOR v0.X.0 bump).
- fix: A bug fix (correlates to a PATCH v0.0.X bump).
- docs: Documentation only changes.
- chore: Changes to the build process or auxiliary tools.
CI and releases
- CI: lint + tests on push and pull request.
- Automated release PRs: release-plz workflow.
- Publishing: crates.io + GitHub release artifacts.
License
MIT