Skip to content

Instantly share code, notes, and snippets.

@khcrysalis

khcrysalis/CSCommon.h

Last active January 16, 2026 23:34
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save khcrysalis/c6f478839f6f3c0e1366c84e4db138e7 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save khcrysalis/c6f478839f6f3c0e1366c84e4db138e7 to your computer and use it in GitHub Desktop.
Download ZIP
Simple codesigner using Security.framework
Raw
codesigner.h
//
// CodeSigner.h
// codesign
//
// Created by samsam on 1/15/26.
//
#import <Foundation/Foundation.h>
NS_ASSUME_NONNULL_BEGIN
int codesignAllNested(NSString *bundlePath,
const char *p12Path,
const char *p12Password,
const char *mobileProvisionPath);
int codesign_sign_with_p12_and_mobileprovision(
const char *appPath,
const char *p12Path,
const char *p12Password,
const char * _Nullable mobileProvisionPath,
BOOL shallow
);
NS_ASSUME_NONNULL_END
Raw
codesigner.m
//
// codesigner.m
// codesign
//
// Created by samsam on 1/15/26.
//
#import "CodeSigner.h"
#import "SecCodeSignerSPI.h"
#import "SecCodeSigner.h"
#import "SecCode.h"
#import "CSCommon.h"
#import "SecCodePriv.h"
#import "SecStaticCode.h"
#import "CodeSigner.h"
#import <Security/Security.h>
#import <dlfcn.h>
NSArray<NSString *> *allNestedCodePathsSorted(NSString *bundlePath) {
NSMutableArray<NSString *> *results = [NSMutableArray array];
NSFileManager *fm = [NSFileManager defaultManager];
NSURL *bundleURL = [NSURL fileURLWithPath:bundlePath];
NSDirectoryEnumerator *enumerator = [fm enumeratorAtURL:bundleURL
includingPropertiesForKeys:@[NSURLIsDirectoryKey, NSURLIsPackageKey]
options:0
errorHandler:nil];
for (NSURL *fileURL in enumerator) {
NSString *path = [fileURL path];
NSString *filename = [path lastPathComponent];
if ([filename hasPrefix:@"."]) continue;
NSNumber *isDirectory = nil;
[fileURL getResourceValue:&isDirectory forKey:NSURLIsDirectoryKey error:nil];
NSString *extension = [[path pathExtension] lowercaseString];
if ([isDirectory boolValue]) {
if ([extension isEqualToString:@"app"] ||
[extension isEqualToString:@"appex"] ||
[extension isEqualToString:@"framework"]) {
[results addObject:path];
}
} else {
BOOL isMachO = NO;
if ([extension isEqualToString:@"dylib"]) {
isMachO = YES;
} else {
NSData *header = [NSData dataWithContentsOfFile:path options:NSDataReadingMappedIfSafe error:nil];
if (header.length >= 4) {
uint32_t magic = *(const uint32_t *)header.bytes;
if (magic == 0xfeedface || magic == 0xcefaedfe || // 32-bit
magic == 0xfeedfacf || magic == 0xcffaedfe || // 64-bit
magic == 0xcafebabe || magic == 0xbebafeca) { // Universal/Fat
isMachO = YES;
}
}
}
if (isMachO) {
[results addObject:path];
}
}
}
if (![results containsObject:bundlePath]) {
[results addObject:bundlePath];
}
[results sortUsingComparator:^NSComparisonResult(NSString *a, NSString *b) {
NSUInteger countA = [[a pathComponents] count];
NSUInteger countB = [[b pathComponents] count];
if (countA > countB) return NSOrderedAscending;
if (countA < countB) return NSOrderedDescending;
return [a compare:b];
}];
return results;
}
int codesignAllNested(NSString *bundlePath,
const char *p12Path,
const char *p12Password,
const char *mobileProvisionPath)
{
NSFileManager *fm = [NSFileManager defaultManager];
NSString *rootExtension = [[bundlePath pathExtension] lowercaseString];
if (mobileProvisionPath && ([rootExtension isEqualToString:@"app"] || [rootExtension isEqualToString:@"appex"])) {
NSString *destPath = [bundlePath stringByAppendingPathComponent:@"embedded.mobileprovision"];
[fm removeItemAtPath:destPath error:nil];
NSError *copyError = nil;
if (![fm copyItemAtPath:[NSString stringWithUTF8String:mobileProvisionPath]
toPath:destPath
error:&copyError]) {
NSLog(@"Failed to copy mobileprovision to root: %@", copyError);
return 408;
}
}
NSArray<NSString *> *paths = allNestedCodePathsSorted(bundlePath);
NSLog(@"Signing: %@", paths);
for (NSString *path in paths) {
NSLog(@"Signing: %@", path);
NSString *extension = [[path pathExtension] lowercaseString];
const char *provToUse = NULL;
// Pass the mobileprovision ONLY if the current item is an app or extension
// Frameworks and dylibs should generally NOT have entitlements applied directly from a provision
if (mobileProvisionPath && ([extension isEqualToString:@"app"] || [extension isEqualToString:@"appex"])) {
provToUse = mobileProvisionPath;
}
int status = codesign_sign_with_p12_and_mobileprovision(
path.UTF8String,
p12Path,
p12Password,
provToUse,
YES
);
if (status != 0) {
NSLog(@"Failed signing %@ with status %d", path, status);
return status;
}
}
return 0;
}
int codesign_sign_with_p12_and_mobileprovision(
const char *appPath,
const char *p12Path,
const char *p12Password,
const char * _Nullable mobileProvisionPath,
BOOL shallow
) {
OSStatus (*__SecCodeSignerCreate)(CFDictionaryRef, SecCSFlags, SecCodeSignerRef *) =
dlsym(RTLD_DEFAULT, "SecCodeSignerCreate");
OSStatus (*__SecCodeSignerAddSignatureWithErrors)(SecCodeSignerRef, SecStaticCodeRef, SecCSFlags, CFErrorRef *) =
dlsym(RTLD_DEFAULT, "SecCodeSignerAddSignatureWithErrors");
if (!__SecCodeSignerCreate || !__SecCodeSignerAddSignatureWithErrors) {
NSLog(@"Failed to load private SecCodeSigner symbols");
return 404;
}
NSString *filePath = [NSString stringWithUTF8String:appPath];
NSData *p12Data = [NSData dataWithContentsOfFile:[NSString stringWithUTF8String:p12Path]];
if (!p12Data) return 405;
CFArrayRef items = NULL;
NSDictionary *options = @{ (__bridge id)kSecImportExportPassphrase : [NSString stringWithUTF8String:p12Password] };
OSStatus secStatus = SecPKCS12Import((__bridge CFDataRef)p12Data, (__bridge CFDictionaryRef)options, &items);
if (secStatus != errSecSuccess || CFArrayGetCount(items) == 0) return 406;
CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(identityDict, kSecImportItemIdentity);
if (!identity) { CFRelease(items); return 407; }
NSMutableDictionary *parameters = [NSMutableDictionary dictionary];
parameters[(__bridge NSString *)kSecCodeSignerIdentity] = (__bridge id)identity;
if (mobileProvisionPath) {
NSData *mpData = [NSData dataWithContentsOfFile:[NSString stringWithUTF8String:mobileProvisionPath]];
if (mpData) {
CMSDecoderRef decoder = NULL;
if (CMSDecoderCreate(&decoder) == errSecSuccess &&
CMSDecoderUpdateMessage(decoder, mpData.bytes, mpData.length) == errSecSuccess &&
CMSDecoderFinalizeMessage(decoder) == errSecSuccess) {
CFDataRef plistData = NULL;
if (CMSDecoderCopyContent(decoder, &plistData) == errSecSuccess && plistData) {
NSError *error = nil;
NSDictionary *plist = [NSPropertyListSerialization propertyListWithData:(__bridge NSData *)plistData
options:NSPropertyListImmutable
format:nil
error:&error];
if (plist) {
NSDictionary *entitlements = plist[@"Entitlements"];
if (entitlements) {
NSData *xmlData = [NSPropertyListSerialization dataWithPropertyList:entitlements
format:NSPropertyListXMLFormat_v1_0
options:0
error:nil];
uint32_t entitlementsData[xmlData.length + 8];
entitlementsData[0] = OSSwapHostToBigInt32(0xFADE7171);
entitlementsData[1] = OSSwapHostToBigInt32((uint32_t)(xmlData.length + 8));
[xmlData getBytes:&entitlementsData[2] length:xmlData.length];
parameters[(__bridge NSString *)kSecCodeSignerEntitlements] =
[NSData dataWithBytes:entitlementsData length:xmlData.length + 8];
}
}
CFRelease(plistData);
}
CFRelease(decoder);
}
}
}
NSLog(@"Signer parameters: %@", parameters);
SecCodeSignerRef signerRef = NULL;
SecCSFlags createFlags = 0;
if (!shallow) {
createFlags |= kSecCSSignNestedCode;
}
secStatus = __SecCodeSignerCreate((__bridge CFDictionaryRef)parameters, createFlags, &signerRef);
if (secStatus != errSecSuccess || !signerRef) {
NSLog(@"SecCodeSignerCreate failed! OSStatus = %d", (int)secStatus);
CFRelease(items);
return 201;
}
SecStaticCodeRef staticCode = NULL;
secStatus = SecStaticCodeCreateWithPathAndAttributes((__bridge CFURLRef)[NSURL fileURLWithPath:filePath],
kSecCSDefaultFlags,
(__bridge CFDictionaryRef)@{},
&staticCode);
if (secStatus != errSecSuccess || !staticCode) {
NSLog(@"SecStaticCodeCreateWithPathAndAttributes failed! OSStatus = %d", (int)secStatus);
CFRelease(signerRef);
CFRelease(items);
return 202;
}
CFErrorRef errorRef = NULL;
secStatus = __SecCodeSignerAddSignatureWithErrors(signerRef, staticCode, kSecCSDefaultFlags, &errorRef);
if (secStatus != errSecSuccess) {
if (errorRef) {
NSError *nsError = (__bridge NSError *)errorRef;
NSLog(@"Error signing: %@ (OSStatus: %d)", nsError, (int)secStatus);
if (nsError.userInfo) {
for (NSString *key in nsError.userInfo) {
NSLog(@" %@: %@", key, nsError.userInfo[key]);
}
}
CFRelease(errorRef);
} else {
NSLog(@"Error signing with unknown reason (OSStatus: %d)", (int)secStatus);
}
CFRelease(staticCode);
CFRelease(signerRef);
CFRelease(items);
return 203;
}
CFDictionaryRef signingInfo = NULL;
OSStatus status = SecCodeCopySigningInformation(staticCode,
kSecCSDefaultFlags |
kSecCSSigningInformation |
kSecCSRequirementInformation |
kSecCSInternalInformation |
kSecCSSkipResourceDirectory,
&signingInfo);
if (status == errSecSuccess && signingInfo) {
CFArrayRef certificates = CFDictionaryGetValue(signingInfo, kSecCodeInfoCertificates);
if (certificates) {
CFIndex count = CFArrayGetCount(certificates);
for (CFIndex i = 0; i < count; i++) {
SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(certificates, i);
CFStringRef subject = NULL;
SecCertificateCopyCommonName(cert, &subject);
NSLog(@"Certificate %ld subject: %@", i, subject);
if (subject) CFRelease(subject);
CFStringRef summary = SecCertificateCopySubjectSummary(cert);
NSLog(@"Certificate %ld summary: %@", i, summary);
if (summary) CFRelease(summary);
CFDataRef derData = SecCertificateCopyData(cert);
NSLog(@"Certificate %ld DER length: %ld bytes", i, (long)CFDataGetLength(derData));
if (derData) CFRelease(derData);
CFStringRef keys[] = { kSecOIDX509V1ValidityNotAfter };
CFArrayRef keysArray = CFArrayCreate(NULL, (const void **)keys, 1, &kCFTypeArrayCallBacks);
CFErrorRef error = NULL;
CFDictionaryRef values = SecCertificateCopyValues(cert, keysArray, &error);
if (values) {
CFDictionaryRef notAfterDict = CFDictionaryGetValue(values, kSecOIDX509V1ValidityNotAfter);
CFDateRef expiryDate = CFDictionaryGetValue(notAfterDict, kSecPropertyKeyValue);
NSLog(@"Certificate %ld expiry date: %@", i, expiryDate);
CFRelease(values);
} else {
NSLog(@"Failed to get expiry date: %@", error);
if (error) CFRelease(error);
}
CFRelease(keysArray);
}
}
CFRelease(signingInfo);
}
CFRelease(staticCode);
CFRelease(signerRef);
CFRelease(items);
return 0;
}
Raw
CSCommon.h
/*
* Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*!
@header CSCommon
CSCommon is the common header of all Code Signing API headers.
It defines types, constants, and error codes.
*/
#ifndef _H_CSCOMMON
#define _H_CSCOMMON
#include <CoreFoundation/CoreFoundation.h>
#include <TargetConditionals.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* Some macOS API's use the old style defined name CSSM_DATA and CSSM_OID.
* These are just typedefs for SecAsn* which are available for iOS. We complete
* those here in case they're not available for compatibility.
*/
#if TARGET_OS_IPHONE
#ifndef CSSM_DATA
#define CSSM_DATA SecAsn1Item
#endif
#ifndef CSSM_OID
#define CSSM_OID SecAsn1Oid
#endif
#endif /* TARGET_OS_IPHONE */
CF_ASSUME_NONNULL_BEGIN
/*
Code Signing specific OSStatus codes.
[Assigned range 0xFFFE_FAxx].
*/
CF_ENUM(OSStatus) {
errSecCSUnimplemented = -67072, /* unimplemented code signing feature */
errSecCSInvalidObjectRef = -67071, /* invalid API object reference */
errSecCSInvalidFlags = -67070, /* invalid or inappropriate API flag(s) specified */
errSecCSObjectRequired = -67069, /* a required pointer argument was NULL */
errSecCSStaticCodeNotFound = -67068, /* cannot find code object on disk */
errSecCSUnsupportedGuestAttributes = -67067, /* cannot locate guests using this attribute set */
errSecCSInvalidAttributeValues = -67066, /* given attribute values are invalid */
errSecCSNoSuchCode = -67065, /* host has no guest with the requested attributes */
errSecCSMultipleGuests = -67064, /* ambiguous guest specification (host has multiple guests with these attribute values) */
errSecCSGuestInvalid = -67063, /* code identity has been invalidated */
errSecCSUnsigned = -67062, /* code object is not signed at all */
errSecCSSignatureFailed = -67061, /* invalid signature (code or signature have been modified) */
errSecCSSignatureNotVerifiable = -67060, /* the code cannot be read by the verifier (file system permissions etc.) */
errSecCSSignatureUnsupported = -67059, /* unsupported type or version of signature */
errSecCSBadDictionaryFormat = -67058, /* a required plist file or resource is malformed */
errSecCSResourcesNotSealed = -67057, /* resources are present but not sealed by signature */
errSecCSResourcesNotFound = -67056, /* code has no resources but signature indicates they must be present */
errSecCSResourcesInvalid = -67055, /* the sealed resource directory is invalid */
errSecCSBadResource = -67054, /* a sealed resource is missing or invalid */
errSecCSResourceRulesInvalid = -67053, /* invalid resource specification rule(s) */
errSecCSReqInvalid = -67052, /* invalid or corrupted code requirement(s) */
errSecCSReqUnsupported = -67051, /* unsupported type or version of code requirement(s) */
errSecCSReqFailed = -67050, /* code failed to satisfy specified code requirement(s) */
errSecCSBadObjectFormat = -67049, /* object file format unrecognized, invalid, or unsuitable */
errSecCSInternalError = -67048, /* internal error in Code Signing subsystem */
errSecCSHostReject = -67047, /* code rejected its host */
errSecCSNotAHost = -67046, /* attempt to specify guest of code that is not a host */
errSecCSSignatureInvalid = -67045, /* invalid or unsupported format for signature */
errSecCSHostProtocolRelativePath = -67044, /* host protocol violation - absolute guest path required */
errSecCSHostProtocolContradiction = -67043, /* host protocol violation - contradictory hosting modes */
errSecCSHostProtocolDedicationError = -67042, /* host protocol violation - operation not allowed with/for a dedicated guest */
errSecCSHostProtocolNotProxy = -67041, /* host protocol violation - proxy hosting not engaged */
errSecCSHostProtocolStateError = -67040, /* host protocol violation - invalid guest state change request */
errSecCSHostProtocolUnrelated = -67039, /* host protocol violation - the given guest is not a guest of the given host */
/* -67038 obsolete (no longer issued) */
errSecCSNotSupported = -67037, /* operation inapplicable or not supported for this type of code */
errSecCSCMSTooLarge = -67036, /* signature too large to embed (size limitation of on-disk representation) */
errSecCSHostProtocolInvalidHash = -67035, /* host protocol violation - invalid guest hash */
errSecCSStaticCodeChanged = -67034, /* the code on disk does not match what is running */
errSecCSDBDenied = -67033, /* permission to use a database denied */
errSecCSDBAccess = -67032, /* cannot access a database */
errSecCSSigDBDenied = -67033, /* permission to use a database denied */
errSecCSSigDBAccess = -67032, /* cannot access a database */
errSecCSHostProtocolInvalidAttribute = -67031, /* host returned invalid or inconsistent guest attributes */
errSecCSInfoPlistFailed = -67030, /* invalid Info.plist (plist or signature have been modified) */
errSecCSNoMainExecutable = -67029, /* the code has no main executable file */
errSecCSBadBundleFormat = -67028, /* bundle format unrecognized, invalid, or unsuitable */
errSecCSNoMatches = -67027, /* no matches for search or update operation */
errSecCSFileHardQuarantined = -67026, /* File created by an AppSandbox, exec/open not allowed */
errSecCSOutdated = -67025, /* presented data is out of date */
errSecCSDbCorrupt = -67024, /* a system database or file is corrupt */
errSecCSResourceDirectoryFailed = -67023, /* invalid resource directory (directory or signature have been modified) */
errSecCSUnsignedNestedCode = -67022, /* nested code is unsigned */
errSecCSBadNestedCode = -67021, /* nested code is modified or invalid */
errSecCSBadCallbackValue = -67020, /* monitor callback returned invalid value */
errSecCSHelperFailed = -67019, /* the codesign_allocate helper tool cannot be found or used */
errSecCSVetoed = -67018,
errSecCSBadLVArch = -67017, /* library validation flag cannot be used with an i386 binary */
errSecCSResourceNotSupported = -67016, /* unsupported resource found (something not a directory, file or symlink) */
errSecCSRegularFile = -67015, /* the main executable or Info.plist must be a regular file (no symlinks, etc.) */
errSecCSUnsealedAppRoot = -67014, /* unsealed contents present in the bundle root */
errSecCSWeakResourceRules = -67013, /* resource envelope is obsolete (custom omit rules) */
errSecCSDSStoreSymlink = -67012, /* .DS_Store files cannot be a symlink */
errSecCSAmbiguousBundleFormat = -67011, /* bundle format is ambiguous (could be app or framework) */
errSecCSBadMainExecutable = -67010, /* main executable failed strict validation */
errSecCSBadFrameworkVersion = -67009, /* embedded framework contains modified or invalid version */
errSecCSUnsealedFrameworkRoot = -67008, /* unsealed contents present in the root directory of an embedded framework */
errSecCSWeakResourceEnvelope = -67007, /* resource envelope is obsolete (version 1 signature) */
errSecCSCancelled = -67006, /* operation was terminated by explicit cancelation */
errSecCSInvalidPlatform = -67005, /* invalid platform identifier or platform mismatch */
errSecCSTooBig = -67004, /* code is too big for current signing format */
errSecCSInvalidSymlink = -67003, /* invalid destination for symbolic link in bundle */
errSecCSNotAppLike = -67002, /* the code is valid but does not seem to be an app */
errSecCSBadDiskImageFormat = -67001, /* disk image format unrecognized, invalid, or unsuitable */
errSecCSUnsupportedDigestAlgorithm = -67000, /* a requested signature digest algorithm is not supported */
errSecCSInvalidAssociatedFileData = -66999, /* resource fork, Finder information, or similar detritus not allowed */
errSecCSInvalidTeamIdentifier = -66998, /* a Team Identifier string is invalid */
errSecCSBadTeamIdentifier = -66997, /* a Team Identifier is wrong or inappropriate */
errSecCSSignatureUntrusted = -66996, /* signature is valid but signer is not trusted */
errSecMultipleExecSegments = -66995, /* the image contains multiple executable segments */
errSecCSInvalidEntitlements = -66994, /* invalid entitlement plist */
errSecCSInvalidRuntimeVersion = -66993, /* an invalid runtime version was explicitly set */
errSecCSRevokedNotarization = -66992, /* notarization indicates this code has been revoked */
errSecCSCMSConstructionFailed = -66991, /* CMS construction failed, see logs for deeper error */
errSecCSRemoteSignerFailed = -66990, /* remote signing block did not return a signature */
};
/*
* Code Signing specific CFError "user info" keys.
* In calls that can return CFErrorRef indications, if a CFErrorRef is actually
* returned, its "user info" dictionary may contain some of the following keys
* to more closely describe the circumstances of the failure.
* Do not rely on the presence of any particular key to categorize a problem;
* always use the primary OSStatus return for that. The data contained under
* these keys is always supplemental and optional.
*/
extern const CFStringRef kSecCFErrorArchitecture; /* CFStringRef: name of architecture causing the problem */
extern const CFStringRef kSecCFErrorPattern; /* CFStringRef: invalid resource selection pattern encountered */
extern const CFStringRef kSecCFErrorResourceSeal; /* CFTypeRef: invalid component in resource seal (CodeResources) */
extern const CFStringRef kSecCFErrorResourceAdded; /* CFURLRef: unsealed resource found */
extern const CFStringRef kSecCFErrorResourceAltered; /* CFURLRef: modified resource found */
extern const CFStringRef kSecCFErrorResourceMissing; /* CFURLRef: sealed (non-optional) resource missing */
extern const CFStringRef kSecCFErrorResourceSideband; /* CFURLRef: sealed resource has invalid sideband data (resource fork, etc.) */
extern const CFStringRef kSecCFErrorResourceRecursive; /* CFURLRef: resource is main executable, resulting in infinite recursion */
extern const CFStringRef kSecCFErrorInfoPlist; /* CFTypeRef: Info.plist dictionary or component thereof found invalid */
extern const CFStringRef kSecCFErrorGuestAttributes; /* CFTypeRef: Guest attribute set of element not accepted */
extern const CFStringRef kSecCFErrorRequirementSyntax; /* CFStringRef: compilation error for Requirement source */
extern const CFStringRef kSecCFErrorPath; /* CFURLRef: subcomponent containing the error */
/*!
@typedef SecCodeRef
This is the type of a reference to running code.
In many (but not all) calls, this can be passed to a SecStaticCodeRef
argument, which performs an implicit SecCodeCopyStaticCode call and
operates on the result.
*/
typedef struct CF_BRIDGED_TYPE(id) __SecCode *SecCodeRef; /* running code */
/*!
@typedef SecStaticCodeRef
This is the type of a reference to static code on disk.
*/
typedef struct CF_BRIDGED_TYPE(id) __SecCode const *SecStaticCodeRef; /* code on disk */
/*!
@typedef SecRequirementRef
This is the type of a reference to a code requirement.
*/
typedef struct CF_BRIDGED_TYPE(id) __SecRequirement *SecRequirementRef; /* code requirement */
/*!
@typedef SecGuestRef
An abstract handle to identify a particular Guest in the context of its Host.
Guest handles are assigned by the host at will, with kSecNoGuest (zero) being
reserved as the null value. They can be reused for new children if desired.
*/
typedef u_int32_t SecGuestRef;
CF_ENUM(SecGuestRef) {
kSecNoGuest = 0, /* not a valid SecGuestRef */
};
/*!
@typedef SecCSFlags
This is the type of flags arguments to Code Signing API calls.
It provides a bit mask of request and option flags. All of the bits in these
masks are reserved to Apple; if you set any bits not defined in these headers,
the behavior is generally undefined.
This list describes the flags that are shared among several Code Signing API calls.
Flags that only apply to one call are defined and documented with that call.
Global flags are assigned from high order down (31 -> 0); call-specific flags
are assigned from the bottom up (0 -> 31).
@constant kSecCSDefaultFlags
When passed to a flags argument throughout, indicates that default behavior
is desired. Do not mix with other flags values.
@constant kSecCSConsiderExpiration
When passed to a call that performs code validation, requests that code signatures
made by expired certificates be rejected. By default, expiration of participating
certificates is not automatic grounds for rejection.
@constant kSecCSNoNetworkAccess
When passed to a call that performs code validation, configures the validation to
not perform any work that requires the network. Using this flag disables security features
like online certificate revocation and notarization checks by removing potentially
slow network requests that can delay evaluations. This flag has always been usable for
SecStaticCode objects and is usable with SecCode objects starting with macOS 11.3.
*/
typedef CF_OPTIONS(uint32_t, SecCSFlags) {
kSecCSDefaultFlags = 0, /* no particular flags (default behavior) */
kSecCSConsiderExpiration = 1U << 31, /* consider expired certificates invalid */
kSecCSEnforceRevocationChecks = 1 << 30, /* force revocation checks regardless of preference settings */
kSecCSNoNetworkAccess = 1 << 29, /* do not use the network, cancels "kSecCSEnforceRevocationChecks" */
kSecCSReportProgress = 1 << 28, /* make progress report call-backs when configured */
kSecCSCheckTrustedAnchors = 1 << 27, /* build certificate chain to system trust anchors, not to any self-signed certificate */
kSecCSQuickCheck = 1 << 26, /* (internal) */
kSecCSApplyEmbeddedPolicy = 1 << 25, /* Apply Embedded (iPhone) policy regardless of the platform we're running on */
kSecCSStripDisallowedXattrs = 1 << 24, /* Strip disallowed xattrs, such as com.apple.FinderInfo and com.apple.ResourceFork */
kSecCSMatchGuestRequirementInKernel = 1 << 23, /* Request matching the provided requirement in kernel against the running guest rather than on disk*/
};
typedef CF_OPTIONS(uint32_t, SecPreserveFlags) {
kSecCSPreserveIdentifier = 1 << 0,
kSecCSPreserveRequirements = 1 << 1,
kSecCSPreserveEntitlements = 1 << 2,
kSecCSPreserveResourceRules = 1 << 3,
kSecCSPreserveFlags = 1 << 4,
kSecCSPreserveTeamIdentifier = 1 << 5,
kSecCSPreserveDigestAlgorithm = 1 << 6,
kSecCSPreservePreEncryptHashes = 1 << 7,
kSecCSPreserveRuntime = 1 << 8,
};
/*!
@typedef SecCodeSignatureFlags
This is the type of option flags that can be embedded in a code signature
during signing, and that govern the use of the signature thereafter.
Some of these flags can be set through the codesign(1) command's --options
argument; some are set implicitly based on signing circumstances; and all
can be set with the kSecCodeSignerFlags item of a signing information dictionary.
@constant kSecCodeSignatureHost
Indicates that the code may act as a host that controls and supervises guest
code. If this flag is not set in a code signature, the code is never considered
eligible to be a host, and any attempt to act like one will be ignored or rejected.
@constant kSecCodeSignatureAdhoc
The code has been sealed without a signing identity. No identity may be retrieved
from it, and any code requirement placing restrictions on the signing identity
will fail. This flag is set by the code signing API and cannot be set explicitly.
@constant kSecCodeSignatureForceHard
Implicitly set the "hard" status bit for the code when it starts running.
This bit indicates that the code prefers to be denied access to a resource
if gaining such access would cause its invalidation. Since the hard bit is
sticky, setting this option bit guarantees that the code will always have
it set.
@constant kSecCodeSignatureForceKill
Implicitly set the "kill" status bit for the code when it starts running.
This bit indicates that the code wishes to be terminated with prejudice if
it is ever invalidated. Since the kill bit is sticky, setting this option bit
guarantees that the code will always be dynamically valid, since it will die
immediately if it becomes invalid.
@constant kSecCodeSignatureForceExpiration
Forces the kSecCSConsiderExpiration flag on all validations of the code.
@constant kSecCodeSignatureRuntime
Instructs the kernel to apply runtime hardening policies as required by the
hardened runtime version
@constant kSecCodeSignatureLinkerSigned
The code was automatically signed by the linker. This signature should be
ignored in any new signing operation.
*/
typedef CF_OPTIONS(uint32_t, SecCodeSignatureFlags) {
kSecCodeSignatureHost = 0x0001, /* may host guest code */
kSecCodeSignatureAdhoc = 0x0002, /* must be used without signer */
kSecCodeSignatureForceHard = 0x0100, /* always set HARD mode on launch */
kSecCodeSignatureForceKill = 0x0200, /* always set KILL mode on launch */
kSecCodeSignatureForceExpiration = 0x0400, /* force certificate expiration checks */
kSecCodeSignatureRestrict = 0x0800, /* restrict dyld loading */
kSecCodeSignatureEnforcement = 0x1000, /* enforce code signing */
kSecCodeSignatureLibraryValidation = 0x2000, /* library validation required */
kSecCodeSignatureRuntime = 0x10000, /* apply runtime hardening policies */
kSecCodeSignatureLinkerSigned = 0x20000, /* identify that the signature was auto-generated by the linker*/
};
/*!
@typedef SecCodeStatus
The code signing system attaches a set of status flags to each running code.
These flags are maintained by the code's host, and can be read by anyone.
A code may change its own flags, a host may change its guests' flags,
and root may change anyone's flags. However, these flags are sticky in that
each can change in only one direction (and never back, for the lifetime of the code).
Not even root can violate this restriction.
There are other flags in SecCodeStatus that are not publicly documented.
Do not rely on them, and do not ever attempt to explicitly set them.
@constant kSecCodeStatusValid
Indicates that the code is dynamically valid, i.e. it started correctly
and has not been invalidated since then. The valid bit can only be cleared.
Warning: This bit is not your one-stop shortcut to determining the validity of code.
It represents the dynamic component of the full validity function; if this
bit is unset, the code is definitely invalid, but the converse is not always true.
In fact, code hosts may represent the outcome of some delayed static validation work in this bit,
and thus it strictly represents a blend of (all of) dynamic and (some of) static validity,
depending on the implementation of the particular host managing the code. You can (only)
rely that (1) dynamic invalidation will clear this bit; and (2) the combination
of static validation and dynamic validity (as performed by the SecCodeCheckValidity* APIs)
will give a correct answer.
@constant kSecCodeStatusHard
Indicates that the code prefers to be denied access to resources if gaining access
would invalidate it. This bit can only be set.
It is undefined whether code that is marked hard and is already invalid will still
be denied access to a resource that would invalidate it if it were still valid. That is,
the code may or may not get access to such a resource while being invalid, and that choice
may appear random.
@constant kSecCodeStatusKill
Indicates that the code wants to be killed (terminated) if it ever loses its validity.
This bit can only be set. Code that has the kill flag set will never be dynamically invalid
(and live). Note however that a change in static validity does not necessarily trigger instant
death.
@constant kSecCodeStatusDebugged
Indicated that code has been debugged by another process that was allowed to do so. The debugger
causes this to be set when it attachs.
@constant kSecCodeStatusPlatform
Indicates the code is platform code, shipping with the operating system and signed by Apple.
*/
typedef CF_OPTIONS(uint32_t, SecCodeStatus) {
kSecCodeStatusValid = 0x00000001,
kSecCodeStatusHard = 0x00000100,
kSecCodeStatusKill = 0x00000200,
kSecCodeStatusDebugged = 0x10000000,
kSecCodeStatusPlatform = 0x04000000,
};
/*!
@typedef SecRequirementType
An enumeration indicating different types of internal requirements for code.
*/
typedef CF_ENUM(uint32_t, SecRequirementType) {
kSecHostRequirementType = 1, /* what hosts may run us */
kSecGuestRequirementType = 2, /* what guests we may run */
kSecDesignatedRequirementType = 3, /* designated requirement */
kSecLibraryRequirementType = 4, /* what libraries we may link against */
kSecPluginRequirementType = 5, /* what plug-ins we may load */
kSecInvalidRequirementType, /* invalid type of Requirement (must be last) */
kSecRequirementTypeCount = kSecInvalidRequirementType /* number of valid requirement types */
};
/*!
Types of cryptographic digests (hashes) used to hold code signatures
together.
Each combination of type, length, and other parameters is a separate
hash type; we don't understand "families" here.
These type codes govern the digest links that connect a CodeDirectory
to its subordinate data structures (code pages, resources, etc.)
They do not directly control other uses of hashes (such as those used
within X.509 certificates and CMS blobs).
*/
typedef CF_ENUM(uint32_t, SecCSDigestAlgorithm) {
kSecCodeSignatureNoHash = 0, /* null value */
kSecCodeSignatureHashSHA1 = 1, /* SHA-1 */
kSecCodeSignatureHashSHA256 = 2, /* SHA-256 */
kSecCodeSignatureHashSHA256Truncated = 3, /* SHA-256 truncated to first 20 bytes */
kSecCodeSignatureHashSHA384 = 4, /* SHA-384 */
kSecCodeSignatureHashSHA512 = 5, /* SHA-512 */
};
CF_ASSUME_NONNULL_END
#ifdef __cplusplus
}
#endif
#endif //_H_CSCOMMON
Raw
SecCode.h
/*
* Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*!
@header SecCode
SecCode represents separately indentified running code in the system.
In addition to UNIX processes, this can also include (with suitable support)
scripts, applets, widgets, etc.
*/
#ifndef _H_SECCODE
#define _H_SECCODE
#include <Security/CSCommon.h>
#include <CoreFoundation/CFBase.h>
#include <xpc/xpc.h>
#ifdef __cplusplus
extern "C" {
#endif
CF_ASSUME_NONNULL_BEGIN
/*!
@function SecCodeGetTypeID
Returns the type identifier of all SecCode instances.
*/
CFTypeID SecCodeGetTypeID(void);
/*!
@function SecCodeCopySelf
Obtains a SecCode object for the code making the call.
The calling code is determined in a way that is subject to modification over
time, but obeys the following rules. If it is a UNIX process, its process id (pid)
is always used.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param self Upon successful return, contains a SecCodeRef representing the caller.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeCopySelf(SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED self);
/*!
@function SecCodeCopyStaticCode
Given a SecCode object, locate its origin in the file system and return
a SecStaticCode object representing it.
The link established by this call is generally reliable but is NOT guaranteed
to be secure.
Many API functions taking SecStaticCodeRef arguments will also directly
accept a SecCodeRef and apply this translation implicitly, operating on
its result or returning its error code if any. Each of these functions
calls out that behavior in its documentation.
If the code was obtained from a universal (aka "fat") program file,
the resulting SecStaticCodeRef will refer only to the architecture actually
being used. This means that multiple running codes started from the same file
may conceivably result in different static code references if they ended up
using different execution architectures. (This is unusual but possible.)
@param code A valid SecCode object reference representing code running
on the system.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@constant kSecCSUseAllArchitectures
If code refers to a single architecture of a universal binary, return a SecStaticCodeRef
that refers to the entire universal code with all its architectures. By default, the
returned static reference identifies only the actual architecture of the running program.
@param staticCode On successful return, a SecStaticCode object reference representing
the file system origin of the given SecCode. On error, unchanged.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
CF_ENUM(uint32_t) {
kSecCSUseAllArchitectures = 1 << 0,
};
OSStatus SecCodeCopyStaticCode(SecCodeRef code, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode);
/*!
@function SecCodeCopyHost
Given a SecCode object, identify the (different) SecCode object that acts
as its host. A SecCode's host acts as a supervisor and controller,
and is the ultimate authority on the its dynamic validity and status.
The host relationship is securely established (absent reported errors).
@param guest A valid SecCode object reference representing code running
on the system.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param host On successful return, a SecCode object reference identifying
the code's host.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeCopyHost(SecCodeRef guest, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED host);
extern const CFStringRef kSecGuestAttributeCanonical;
extern const CFStringRef kSecGuestAttributeHash;
extern const CFStringRef kSecGuestAttributeMachPort;
extern const CFStringRef kSecGuestAttributePid;
extern const CFStringRef kSecGuestAttributeAudit;
extern const CFStringRef kSecGuestAttributeDynamicCode;
extern const CFStringRef kSecGuestAttributeDynamicCodeInfoPlist;
extern const CFStringRef kSecGuestAttributeArchitecture;
extern const CFStringRef kSecGuestAttributeSubarchitecture;
#if TARGET_OS_OSX
/*!
@function SecCodeCopyGuestWithAttributes
This is the omnibus API function for obtaining dynamic code references.
In general, it asks a particular code acting as a code host to locate
and return a guest with given attributes. Different hosts support
different combinations of attributes and values for guest selection.
Asking the NULL host invokes system default procedures for obtaining
any running code in the system with the attributes given. The returned
code may be anywhere in the system.
The methods a host uses to identify, separate, and control its guests
are specific to each type of host. This call provides a generic abstraction layer
that allows uniform interrogation of all hosts. A SecCode that does not
act as a host will always return errSecCSNoSuchCode. A SecCode that does
support hosting may return itself to signify that the attribute refers to
itself rather than one of its hosts.
@param host A valid SecCode object reference representing code running
on the system that acts as a Code Signing host. As a special case, passing
NULL indicates that the Code Signing root of trust should be used as a starting
point. Currently, that is the system kernel.
@param attributes A CFDictionary containing zero or more attribute selector
values. Each selector has a CFString key and associated CFTypeRef value.
The key name identifies the attribute being specified; the associated value,
whose type depends on the the key name, selects a particular value or other
constraint on that attribute. Each host only supports particular combinations
of keys and values, and errors will be returned if any unsupported set is requested.
As a special case, NULL is taken to mean an empty attribute set.
Note that some hosts that support hosting chains (guests being hosts)
may return sub-guests in this call. In other words, do not assume that
a SecCodeRef returned by this call is a direct guest of the queried host
(though it will be a proximate guest, i.e. a guest's guest some way down).
Asking the NULL host for NULL attributes returns a code reference for the system root
of trust (at present, the running Darwin kernel).
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param guest On successful return, a SecCode object reference identifying
the particular guest of the host that owns the attribute value(s) specified.
This argument will not be changed if the call fails (does not return errSecSuccess).
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers. In particular:
@error errSecCSUnsupportedGuestAttributes The host does not support the attribute
type given by attributeType.
@error errSecCSInvalidAttributeValues The type of value given for a guest
attribute is not supported by the host.
@error errSecCSNoSuchCode The host has no guest with the attribute value given
by attributeValue, even though the value is of a supported type. This may also
be returned if the host code does not currently act as a Code Signing host.
@error errSecCSNotAHost The specified host cannot, in fact, act as a code
host. (It is missing the kSecCodeSignatureHost option flag in its code
signature.)
@error errSecCSMultipleGuests The attributes specified do not uniquely identify
a guest (the specification is ambiguous).
*/
OSStatus SecCodeCopyGuestWithAttributes(SecCodeRef __nullable host,
CFDictionaryRef __nullable attributes, SecCSFlags flags, SecCodeRef * __nonnull CF_RETURNS_RETAINED guest);
/*!
@function SecCodeCreateWithXPCMessage
Creates a SecCode reference to the process that sent the provided XPC message, using the
associated audit token.
@param message The xpc_object_t of a message recieved via xpc to look up the audit token
of the process that sent the message.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param processRef On successful return, a SecCode object reference identifying
the particular guest of the process from the audit token. This argument will not be
changed if the call fails (does not return errSecSuccess).
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers. In particular:
@error errSecCSInvalidObjectRef The xpc_object_t was not of type XPC_TYPE_DICTIONARY.
@error errSecCSInvalidObjectRef The xpc_object_t was not an xpc message with an associated
connection.
For a complete list of errors, please see {@link SecCodeCopyGuestWithAttributes}.
*/
OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags,
SecCodeRef * __nonnull CF_RETURNS_RETAINED target);
#endif // TARGET_OS_OSX
/*!
@function SecCodeCheckValidity
Performs dynamic validation of the given SecCode object. The call obtains and
verifies the signature on the code object. It checks the validity of only those
sealed components required to establish identity. It checks the SecCode's
dynamic validity status as reported by its host. It ensures that the SecCode's
host is in turn valid. Finally, it validates the code against a SecRequirement
if one is given. The call succeeds if all these conditions are satisfactory.
It fails otherwise.
This call is secure against attempts to modify the file system source of the
SecCode.
@param code The code object to be validated.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param requirement An optional code requirement specifying additional conditions
the code object must satisfy to be considered valid. If NULL, no additional
requirements are imposed.
@result If validation passes, errSecSuccess. If validation fails, an OSStatus value
documented in CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeCheckValidity(SecCodeRef code, SecCSFlags flags,
SecRequirementRef __nullable requirement);
/*!
@function SecCodeCheckValidityWithErrors
Performs dynamic validation of the given SecCode object. The call obtains and
verifies the signature on the code object. It checks the validity of only those
sealed components required to establish identity. It checks the SecCode's
dynamic validity status as reported by its host. It ensures that the SecCode's
host is in turn valid. Finally, it validates the code against a SecRequirement
if one is given. The call succeeds if all these conditions are satisfactory.
It fails otherwise.
This call is secure against attempts to modify the file system source of the
SecCode.
@param code The code object to be validated.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param requirement An optional code requirement specifying additional conditions
the code object must satisfy to be considered valid. If NULL, no additional
requirements are imposed.
@param errors An optional pointer to a CFErrorRef variable. If the call fails
(and something other than errSecSuccess is returned), and this argument is non-NULL,
a CFErrorRef is stored there further describing the nature and circumstances
of the failure. The caller must CFRelease() this error object when done with it.
@result If validation passes, errSecSuccess. If validation fails, an OSStatus value
documented in CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeCheckValidityWithErrors(SecCodeRef code, SecCSFlags flags,
SecRequirementRef __nullable requirement, CFErrorRef *errors);
/*!
@function SecCodeValidateFileResource
For a SecStaticCodeRef, check that a given CFData object faithfully represents
a plain-file resource in its resource seal.
This call will fail if the file is missing in the bundle, even if it is optional.
@param code A code or StaticCode object.
@param relativePath A CFStringRef containing the relative path to a sealed resource
file. This path is relative to the resource base, which is either Contents or
the bundle root, depending on bundle format.
@param fileData A CFDataRef containing the exact contents of that resource file.
@param flags Pass kSecCSDefaultFlags.
@result noErr if fileData is the exact content of the file at relativePath at the
time it was signed. Various error codes if it is different, there was no such file,
it was not a plain file, or anything is irregular.
*/
OSStatus SecCodeValidateFileResource(SecStaticCodeRef code, CFStringRef relativePath,
CFDataRef fileData, SecCSFlags flags)
__API_AVAILABLE(macos(10.13)) __SPI_AVAILABLE(ios(13.0), tvos(13.0), watchos(6.0), macCatalyst(11.0));
/*!
@function SecCodeCopyPath
For a given Code or StaticCode object, returns a URL to a location on disk where the
code object can be found. For single files, the URL points to that file.
For bundles, it points to the directory containing the entire bundle.
@param staticCode The Code or StaticCode object to be located. For a Code
argument, its StaticCode is processed as per SecCodeCopyStaticCode.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param path On successful return, contains a CFURL identifying the location
on disk of the staticCode object.
@result On success, errSecSuccess. On error, an OSStatus value
documented in CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeCopyPath(SecStaticCodeRef staticCode, SecCSFlags flags,
CFURLRef * __nonnull CF_RETURNS_RETAINED path);
/*!
@function SecCodeCopyDesignatedRequirement
For a given Code or StaticCode object, determines its Designated Code Requirement.
The Designated Requirement is the SecRequirement that the code believes
should be used to properly identify it in the future.
If the SecCode contains an explicit Designated Requirement, a copy of that
is returned. If it does not, a SecRequirement is implicitly constructed from
its signing authority and its embedded unique identifier. No Designated
Requirement can be obtained from code that is unsigned. Code that is modified
after signature, improperly signed, or has become invalid, may or may not yield
a Designated Requirement. This call does not validate the SecStaticCode argument.
@param code The Code or StaticCode object to be interrogated. For a Code
argument, its StaticCode is processed as per SecCodeCopyStaticCode.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param requirement On successful return, contains a copy of a SecRequirement
object representing the code's Designated Requirement. On error, unchanged.
@result On success, errSecSuccess. On error, an OSStatus value
documented in CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeCopyDesignatedRequirement(SecStaticCodeRef code, SecCSFlags flags,
SecRequirementRef * __nonnull CF_RETURNS_RETAINED requirement);
/*
@function SecCodeCopySigningInformation
For a given Code or StaticCode object, extract various pieces of information
from its code signature and return them in the form of a CFDictionary. The amount
and detail level of the data is controlled by the flags passed to the call. For
Code objects, some of the signing information returned will be from disk. You can
call one of the CheckValidity functions to check that the content on disk matches
the signing information attached to the running Code.
If the code exists but is not signed at all, this call will succeed and return
a dictionary that does NOT contain the kSecCodeInfoIdentifier key. This is the
recommended way to check quickly whether a code is signed.
If the signing data for the code is corrupt or invalid, this call may fail or it
may return partial data. To ensure that only valid data is returned (and errors
are raised for invalid data), you must successfully call one of the CheckValidity
functions on the code before calling CopySigningInformation.
@param code The Code or StaticCode object to be interrogated. For a Code
argument, its StaticCode is processed as per SecCodeCopyStaticCode.
Note that dynamic information (kSecCSDynamicInformation) cannot be obtained
for a StaticCode argument.
@param flags Optional flags. Use any or all of the kSecCS*Information flags
to select what information to return. A generic set of entries is returned
regardless; you may specify kSecCSDefaultFlags for just those.
@param information A CFDictionary containing information about the code is stored
here on successful completion. The contents of the dictionary depend on
the flags passed. Regardless of flags, the kSecCodeInfoIdentifier key is
always present if the code is signed, and always absent if the code is
unsigned.
Note that some of the objects returned are (retained) "live" API objects
used by the code signing infrastructure. Making changes to these objects
is unsupported and may cause subsequent code signing operations on the
affected code to behave in undefined ways.
@result On success, errSecSuccess. On error, an OSStatus value
documented in CSCommon.h or certain other Security framework headers.
Flags:
@constant kSecCSSigningInformation Return cryptographic signing information,
including the certificate chain and CMS data (if any). For ad-hoc signed
code, there are no certificates and the CMS data is empty.
@constant kSecCSRequirementInformation Return information about internal code
requirements embedded in the code. This includes the Designated Requirement.
@constant kSecCSInternalInformation Return internal code signing information.
This information is for use by Apple, and is subject to change without notice.
It will not be further documented here.
@constant kSecCSDynamicInformation Return dynamic validity information about
the Code. The subject code must be a SecCodeRef (not a SecStaticCodeRef).
@constant kSecCSContentInformation Return more information about the file system
contents making up the signed code on disk. It is not generally advisable to
make use of this information, but some utilities (such as software-update
tools) may find it useful.
Dictionary keys:
@constant kSecCodeInfoCertificates A CFArray of SecCertificates identifying the
certificate chain of the signing certificate as seen by the system. Absent
for ad-hoc signed code. May be partial or absent in error cases.
@constant kSecCodeInfoChangedFiles A CFArray of CFURLs identifying all files in
the code that may have been modified by the process of signing it. (In other
words, files not in this list will not have been touched by the signing operation.)
@constant kSecCodeInfoCMS A CFData containing the CMS cryptographic object that
secures the code signature. Empty for ad-hoc signed code.
@constant kSecCodeInfoDesignatedRequirement A SecRequirement describing the
actual Designated Requirement of the code.
@constant kSecCodeInfoEntitlements A CFData containing the embedded entitlement
blob of the code, if any.
@constant kSecCodeInfoEntitlementsDict A CFDictionary containing the embedded entitlements
of the code if it has entitlements and they are in standard dictionary form.
Absent if the code has no entitlements, or they are in a different format (in which
case, see kSecCodeInfoEntitlements).
@constant kSecCodeInfoFlags A CFNumber with the static (on-disk) state of the object.
Contants are defined by the type SecCodeSignatureFlags.
@constant kSecCodeInfoFormat A CFString characterizing the type and format of
the code. Suitable for display to a (knowledeable) user.
@constant kSecCodeInfoDigestAlgorithm A CFNumber indicating the kind of cryptographic
hash function chosen to establish integrity of the signature on this system, which
is the best supported algorithm from kSecCodeInfoDigestAlgorithms.
@constant kSecCodeInfoDigestAlgorithms A CFArray of CFNumbers indicating the kinds of
cryptographic hash functions available within the signature. The ordering of those items
has no significance in terms of priority, but determines the order in which
the hashes appear in kSecCodeInfoCdHashes.
@constant kSecCodeInfoPlatformIdentifier If this code was signed as part of an operating
system release, this value identifies that release.
@constant kSecCodeInfoIdentifier A CFString with the actual signing identifier
sealed into the signature. Absent for unsigned code.
@constant kSecCodeInfoImplicitDesignatedRequirement A SecRequirement describing
the designated requirement that the system did generate, or would have generated,
for the code. If the Designated Requirement was implicitly generated, this is
the same object as kSecCodeInfoDesignatedRequirement; this can be used to test
for an explicit Designated Requirement.
@constant kSecCodeInfoMainExecutable A CFURL identifying the main executable file
of the code. For single files, that is the file itself. For bundles, it is the
main executable as identified by its Info.plist.
@constant kSecCodeInfoPList A retained CFDictionary referring to the secured Info.plist
as seen by code signing. Absent if no Info.plist is known to the code signing
subsystem. Note that this is not the same dictionary as the one CFBundle would
give you (CFBundle is free to add entries to the on-disk plist).
@constant kSecCodeInfoRequirements A CFString describing the internal requirements
of the code in canonical syntax.
@constant kSecCodeInfoRequirementsData A CFData containing the internal requirements
of the code as a binary blob.
@constant kSecCodeInfoSource A CFString describing the source of the code signature
used for the code object. The values are meant to be shown in informational
displays; do not rely on the precise value returned.
@constant kSecCodeInfoStatus A CFNumber containing the dynamic status word of the
(running) code. This is a snapshot at the time the API is executed and may be
out of date by the time you examine it. Do note however that most of the bits
are sticky and thus some values are permanently reliable. Be careful.
@constant kSecCodeInfoTime A CFDate describing the signing date (securely) embedded
in the code signature. Note that a signer is able to omit this date or pre-date
it. Nobody certifies that this was really the date the code was signed; however,
you do know that this is the date the signer wanted you to see.
Ad-hoc signatures have no CMS and thus never have secured signing dates.
@constant kSecCodeInfoTimestamp A CFDate describing the signing date as (securely)
certified by a timestamp authority service. This time cannot be falsified by the
signer; you trust the timestamp authority's word on this.
Ad-hoc signatures have no CMS and thus never have secured signing dates.
@constant kSecCodeInfoTrust The (retained) SecTrust object the system uses to
evaluate the validity of the code's signature. You may use the SecTrust API
to extract detailed information, particularly for reasons why certificate
validation may have failed. This object may continue to be used for further
evaluations of this code; if you make any changes to it, behavior is undefined.
@constant kSecCodeInfoUnique A CFData binary identifier that uniquely identifies
the static code in question. It can be used to recognize this particular code
(and none other) now or in the future. Compare to kSecCodeInfoIdentifier, which
remains stable across (developer-approved) updates.
The algorithm used may change from time to time. However, for any existing signature,
the value is stable.
@constant kSecCodeInfoCdHashes An array containing the values of the kSecCodeInfoUnique
binary identifier for every digest algorithm supported in the signature, in the same
order as in the kSecCodeInfoDigestAlgorithms array. The kSecCodeInfoUnique value
will be contained in this array, and be the one corresponding to the
kSecCodeInfoDigestAlgorithm value.
*/
CF_ENUM(uint32_t) {
kSecCSInternalInformation = 1 << 0,
kSecCSSigningInformation = 1 << 1,
kSecCSRequirementInformation = 1 << 2,
kSecCSDynamicInformation = 1 << 3,
kSecCSContentInformation = 1 << 4,
kSecCSSkipResourceDirectory = 1 << 5,
kSecCSCalculateCMSDigest = 1 << 6,
};
/* flag required to get this value */
extern const CFStringRef kSecCodeInfoCertificates; /* Signing */
extern const CFStringRef kSecCodeInfoChangedFiles; /* Content */
extern const CFStringRef kSecCodeInfoCMS; /* Signing */
extern const CFStringRef kSecCodeInfoDesignatedRequirement; /* Requirement */
extern const CFStringRef kSecCodeInfoEntitlements; /* generic */
extern const CFStringRef kSecCodeInfoEntitlementsDict; /* generic */
extern const CFStringRef kSecCodeInfoFlags; /* generic */
extern const CFStringRef kSecCodeInfoFormat; /* generic */
extern const CFStringRef kSecCodeInfoDigestAlgorithm; /* generic */
extern const CFStringRef kSecCodeInfoDigestAlgorithms; /* generic */
extern const CFStringRef kSecCodeInfoPlatformIdentifier; /* generic */
extern const CFStringRef kSecCodeInfoIdentifier; /* generic */
extern const CFStringRef kSecCodeInfoImplicitDesignatedRequirement; /* Requirement */
extern const CFStringRef kSecCodeInfoDefaultDesignatedLightweightCodeRequirement; /* Requirement */
extern const CFStringRef kSecCodeInfoMainExecutable; /* generic */
extern const CFStringRef kSecCodeInfoPList; /* generic */
extern const CFStringRef kSecCodeInfoRequirements; /* Requirement */
extern const CFStringRef kSecCodeInfoRequirementData; /* Requirement */
extern const CFStringRef kSecCodeInfoSource; /* generic */
extern const CFStringRef kSecCodeInfoStatus; /* Dynamic */
extern const CFStringRef kSecCodeInfoTeamIdentifier; /* Signing */
extern const CFStringRef kSecCodeInfoTime; /* Signing */
extern const CFStringRef kSecCodeInfoTimestamp; /* Signing */
extern const CFStringRef kSecCodeInfoTrust; /* Signing */
extern const CFStringRef kSecCodeInfoUnique; /* generic */
extern const CFStringRef kSecCodeInfoCdHashes; /* generic */
extern const CFStringRef kSecCodeInfoRuntimeVersion; /*generic */
extern const CFStringRef kSecCodeInfoStapledNotarizationTicket; /* content */
OSStatus SecCodeCopySigningInformation(SecStaticCodeRef code, SecCSFlags flags,
CFDictionaryRef * __nonnull CF_RETURNS_RETAINED information);
/*
@function SecCodeMapMemory
For a given Code or StaticCode object, ask the kernel to accept the signing information
currently attached to it in the caller and use it to validate memory page-ins against it,
updating dynamic validity state accordingly. This change affects all processes that have
the main executable of this code mapped.
@param code A Code or StaticCode object representing the signed code whose main executable
should be subject to page-in validation.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
*/
OSStatus SecCodeMapMemory(SecStaticCodeRef code, SecCSFlags flags);
CF_ASSUME_NONNULL_END
#ifdef __cplusplus
}
#endif
#endif //_H_SECCODE
Raw
SecCodePriv.h
/*
* Copyright (c) 2006-2007,2011,2013 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*!
@header SecCodePriv
SecCodePriv is the private counter-part to SecCode. Its contents are not
official API, and are subject to change without notice.
*/
#ifndef _H_SECCODEPRIV
#define _H_SECCODEPRIV
#include <Security/SecCode.h>
#ifdef __cplusplus
extern "C" {
#endif
/*
* Private flags for SecCodeCopySigningInformation.
* @constant kSecCSSkipCodeDirectoryValidation Force the information creation to skip any
* code directory validation (including signature CMS) as part of loading the information.
* Generally the copied information is not validated, but some information currently
* triggers validation. Since this behavior is relied on by some callers, this flag
* opts into new behavior to completely skip the validation.
*/
CF_ENUM(uint32_t) {
kSecCSSkipCodeDirectoryValidation = 1 << 7,
};
/*
* Private constants for SecCodeCopySigningInformation.
*/
extern const CFStringRef kSecCodeInfoCdHashesFull; /* Internal */
extern const CFStringRef kSecCodeInfoCodeDirectory; /* Internal */
extern const CFStringRef kSecCodeInfoCodeOffset; /* Internal */
extern const CFStringRef kSecCodeInfoDiskRepInfo; /* Internal */
extern const CFStringRef kSecCodeInfoEntitlementsDER; /* Internal */
extern const CFStringRef kSecCodeInfoResourceDirectory; /* Internal */
extern const CFStringRef kSecCodeInfoNotarizationDate; /* Internal */
extern const CFStringRef kSecCodeInfoCMSDigestHashType; /* Internal */
extern const CFStringRef kSecCodeInfoCMSDigest; /* Internal */
extern const CFStringRef kSecCodeInfoSignatureVersion; /* Internal */
extern const CFStringRef kSecCodeInfoLaunchConstraintsSelf; /* Internal */
extern const CFStringRef kSecCodeInfoLaunchConstraintsParent;/* Internal */
extern const CFStringRef kSecCodeInfoLaunchConstraintsResponsible; /* Internal */
extern const CFStringRef kSecCodeInfoLibraryConstraints; /* Internal */
extern const CFStringRef kSecCodeInfoValidationCategory; /* Number */
extern const CFStringRef kSecCodeInfoDiskRepVersionPlatform; /* Number */
extern const CFStringRef kSecCodeInfoDiskRepVersionMin; /* Number */
extern const CFStringRef kSecCodeInfoDiskRepVersionSDK; /* Number */
extern const CFStringRef kSecCodeInfoDiskRepNoLibraryValidation; /* String */
/*!
@function SecCodeGetStatus
Retrieves the dynamic status for a SecCodeRef.
The dynamic status of a code can change at any time; the value returned is a snapshot
in time that is inherently stale by the time it is received by the caller. However,
since the status bits can only change in certain ways, some information is indefinitely
valid. For example, an indication of invalidity (kSecCodeStatusValid bit off) is permanent
since the valid bit cannot be set once clear, while an indication of validity (bit set)
may already be out of date.
Use this call with caution; it is usually wiser to call the validation API functions
and let then consider the status as part of their holistic computation. However,
SecCodeGetStatus is useful at times to capture persistent (sticky) status configurations.
@param code A valid SecCode object reference representing code running
on the system.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param status Upon successful return, contains the dynamic status of code as
determined by its host.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeGetStatus(SecCodeRef code, SecCSFlags flags, SecCodeStatus *status);
typedef uint32_t SecCodeStatusOperation;
enum {
kSecCodeOperationNull = 0,
kSecCodeOperationInvalidate = 1,
kSecCodeOperationSetHard = 2,
kSecCodeOperationSetKill = 3,
};
/*!
@function SecCodeSetStatus
Change the dynamic status of a SecCodeRef.
@param code A valid SecCode object reference representing code running
on the system.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeSetStatus(SecCodeRef code, SecCodeStatusOperation operation,
CFDictionaryRef arguments, SecCSFlags flags);
/*!
@function SecCodeCopyInternalRequirement
For a given Code or StaticCode object, retrieves a particular kind of internal
requirement that was sealed during signing.
This function will always fail for unsigned code. Requesting a type of internal
requirement that was not given during signing is not an error.
Specifying a type of kSecDesignatedRequirementType is not the same as calling
SecCodeCopyDesignatedRequirement. This function will only return an explicit
Designated Requirement if one was specified during signing. SecCodeCopyDesignatedRequirement
will synthesize a suitable Designated Requirement if one was not given explicitly.
@param code The Code or StaticCode object to be interrogated. For a Code
argument, its StaticCode is processed as per SecCodeCopyStaticCode.
@param type A SecRequirementType specifying which internal requirement is being
requested.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param requirement On successful return, contains a copy of the internal requirement
of the given type included in the given code. If the code has no such internal
requirement, this argument is set to NULL (with no error).
@result On success, errSecSuccess. On error, an OSStatus value
documented in CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeCopyInternalRequirement(SecStaticCodeRef code, SecRequirementType type,
SecCSFlags flags, SecRequirementRef *requirement);
#if TARGET_OS_OSX
/*!
@function SecCodeCreateWithAuditToken
Asks the kernel to return a SecCode object for a process identified
by a UNIX audit token. This is a shorthand for asking SecGetRootCode()
for a guest whose "audit" attribute has the given audit token.
@param audit A process audit token for an existing UNIX process on the system.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param process On successful return, a SecCode object reference identifying
the requesteed process.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeCreateWithAuditToken(const audit_token_t *audit,
SecCSFlags flags, SecCodeRef *process)
AVAILABLE_MAC_OS_X_VERSION_10_15_AND_LATER;
/* Deprecated and unsafe, DO NOT USE. */
OSStatus SecCodeCreateWithPID(pid_t pid, SecCSFlags flags, SecCodeRef *process)
AVAILABLE_MAC_OS_X_VERSION_10_5_AND_LATER_BUT_DEPRECATED_IN_MAC_OS_X_VERSION_10_6;
#endif
/*
@function SecCodeSetDetachedSignature
For a given Code or StaticCode object, explicitly specify the detached signature
data used to verify it.
This call unconditionally overrides any signature embedded in the Code and any
previously specified detached signature; only the signature data specified here
will be used from now on for this Code object. If NULL data is specified, the
code object is returned to its natural signing state (before a detached
signature was first attached to it).
Any call to this function voids all cached validations for the Code object.
Validations will be performed again as needed in the future. This call does not,
by itself, perform or trigger any validations.
Please note that it is possible to have multiple Code objects for the same static
or dynamic code entity in the system. This function only attaches signature data
to the particular SecStaticCodeRef involved. It is your responsibility to understand
the object graph and pick the right one(s).
@param code A Code or StaticCode object whose signature information is to be changed.
@param signature A CFDataRef containing the signature data to be used for validating
the given Code. This must be exactly the data previously generated as a detached
signature by the SecCodeSignerAddSignature API or the codesign(1) command with
the -D/--detached option.
If signature is NULL, discards any previously set signature data and reverts
to using the embedded signature, if any. If not NULL, the data is retained and used
for future validation operations.
The data may be retained or copied. Behavior is undefined if this object
is modified after this call before it is replaced through another call to this
function).
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
*/
OSStatus SecCodeSetDetachedSignature(SecStaticCodeRef code, CFDataRef signature,
SecCSFlags flags);
/*
@function SecCodeCopyComponent
For a SecStaticCodeRef, directly retrieve the binary blob for a special slot,
optionally checking that its native hash is the one given.
@param code A code or StaticCode object.
@param slot The (positive) special slot number requested.
@param hash A CFDataRef containing the native slot hash for the slot requested.
@result NULL if anything went wrong (including a missing slot), or a CFDataRef
containing the slot data.
*/
CFDataRef SecCodeCopyComponent(SecCodeRef code, int slot, CFDataRef hash);
/*
@function SecCodeSpecialSlotIsPresent
For a SecStaticCodeRef, checks if the slot is present in the code directory
@param code A StaticCode object.
@param slot The (positive) special slot number requested.
@result false if anything went wrong (including a missing slot), true otherwise
*/
CFBooleanRef SecCodeSpecialSlotIsPresent(SecStaticCodeRef code, int slot);
/*
@constant kSecCSStrictValidateStructure
A subset of the work kSecCSStrictValidate performs, omitting work that
is unnecessary on some platforms. Since the definition of what can be
omitted is in flux, and since we would like to remove that notion
entirely eventually, we makes this a private flag.
@constant kSecCSSkipRootVolumeExceptions
Resource validations are skipped for items on the root filesystem and therefore protected
by the authenticated root volume policy. Passing this flag to a validation causes full resource
validation even for items on the root volume to enable diagnosting issues with signatures
on the root volume.
@constant kSecCSSkipXattrFiles
NOTE: this flag is no longer used and has become the default behavior.
Indicates the validation should allow additional files caused on filesystems
that do not support native xattrs. Only changes validation results if the item lies
on a filesystem that uses xattr files and the file appears to be an actual xattr.
*/
CF_ENUM(uint32_t) {
// NOTE: These values needs to align with the public definitions for static code validity too.
kSecCSStrictValidateStructure = 1 << 13,
kSecCSSkipRootVolumeExceptions = 1 << 14,
kSecCSSkipXattrFiles = 1 << 15,
};
#if TARGET_OS_OSX
/* Here just to make TAPI happy. */
extern int GKBIS_DS_Store_Present;
extern int GKBIS_Dot_underbar_Present;
extern int GKBIS_Num_localizations;
extern int GKBIS_Num_files;
extern int GKBIS_Num_dirs;
extern int GKBIS_Num_symlinks;
#endif /* TARGET_OS_OSX */
#ifdef __cplusplus
}
#endif
#endif //_H_SECCODE
Raw
SecCodeSigner.h
/*
* Copyright (c) 2006-2014 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*!
@header SecCodeSigner
SecCodeSigner represents an object that can sign code.
*/
#ifndef _H_SECCODESIGNER
#define _H_SECCODESIGNER
#include <Security/CSCommon.h>
#ifdef __cplusplus
extern "C" {
#endif
/*!
@typedef SecCodeSignerRef
This is the type of a reference to a code requirement.
*/
#ifdef BRIDGED_SECCODESIGNER
typedef struct CF_BRIDGED_TYPE(id) __SecCodeSigner *SecCodeSignerRef
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
#else
typedef struct __SecCodeSigner *SecCodeSignerRef
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
#endif
/*!
@function SecCodeGetTypeID
Returns the type identifier of all SecCodeSigner instances.
*/
CFTypeID SecCodeSignerGetTypeID(void)
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
/*!
The following CFString constants can be used as keys in the parameters argument
of SecCodeSignerCreate to specify various modes and options of the signing operation.
Passing any keys not specified here may lead to undefined behavior and is not supported.
The same applies to passing objects of types not explicitly allowed here.
@constant kSecCodeSignerDetached Determines where the signature is written.
If this key is absent, the code being signed is modified to contain the signature,
replacing any signature already embedded there.
If the value is kCFNull, the signature is written to the system-wide detached
signature database. (You must have root privileges to write there.)
If the value of this key is a CFURL, the signature is written to a file at that location,
replacing any data there.
If the value is a CFMutableData, the signature is appended to that data.
@constant kSecCodeSignerDryRun A boolean value. If present and true, the actual writing
of the signature is inhibited, and the code is not modified, but all operations
leading up to this are performed normally, including the cryptographic access to
the signing identity (if any).
@constant kSecCodeSignerFlags A CFNumber specifying which flags to set in the code signature.
Note that depending on circumstances, this value may be augmented or modified
as part of the signing operation.
@constant kSecCodeSignerForceLibraryEntitlements A boolean value. If true, and entitlements
are present, entitlements will be included in signature of libraries (non-main executables).
@constant kSecCodeSignerIdentifier If present, a CFString that explicitly specifies
the unique identifier string sealed into the code signature. If absent, the identifier
is derived implicitly from the code being signed.
@constant kSecCodeSignerIdentifierPrefix If the unique identifier string of the code signature
is implicitly generated, and the resulting string does not contain any "." (dot)
characters, then the (string) value of this parameter is prepended to the identifier.
By convention, the prefix is usually of the form "com.yourcompany.", but any value
is acceptable. If the kSecCodeSignerIdentifier parameter is specified, this parameter
is ineffective (but still allowed).
@constant kSecCodeSignerIdentity A SecIdentityRef describing the signing identity
to use for signing code. This is a mandatory parameter for signing operations.
Its value must be either a SecIdentityRef specifying a cryptographic identity
valid for Code Signing, or the special value kCFNull to indicate ad-hoc signing.
@constant kSecCodeSignerOperation The type of operation to be performed. Valid values
are kSecCodeSignerOperationSign to sign code, and kSecCodeSignerOperationRemove
to remove any existing signature from code. The default operation is to sign code.
@constant kSecCodeSignerPageSize An integer value explicitly specifying the page size
used to sign the main executable. This must be a power of two. A value of zero indicates
infinite size (no paging).
Only certain page sizes are allowed in most circumstances, and specifying an inappropriate
size will lead to spurious verification failures. This is for expert use only.
@constant kSecCodeSignerRequirements Specifies the internal requirements to be sealed into
the code signature. Must be either a CFData containing the binary (compiled) form of
a requirements set (SuperBlob), or a CFString containing a valid text form to be
compiled into binary form. Default requirements are automatically generated if this
parameter is omitted, and defaults may be applied to particular requirement types
that are not specified; but any requirement type you specify is sealed exactly as
specified.
@constant kSecCodeSignerResourceRules A CFDictionary containing resource scanning rules
determining what resource files are sealed into the signature (and in what way).
A situation-dependent default is applied if this parameter is not specified.
@constant kSecCodeSignerSDKRoot A CFURLRef indicating an alterate directory root
where signing operations should find subcomponents (libraries, frameworks, modules, etc.).
The default is the host system root "/".
@constant kSecCodeSignerSigningTime Specifies what date and time is sealed into the
code signature's CMS data. Can be either a CFDate object specifying a date, or
the value kCFNull indicating that no date should be included in the signature.
If not specified, the current date is chosen and sealed.
Since an ad-hoc signature has no CMS data, this argument is ineffective
for ad-hoc signing operations.
@constant kSecCodeSignerRequireTimestamp A CFBoolean indicating (if kCFBooleanTrue) that
the code signature should be certified by a timestamp authority service. This option
requires access to a timestamp server (usually over the Internet). If requested and
the timestamp server cannot be contacted or refuses service, the signing operation fails.
The timestamp value is not under the caller's control.
If the value is kCFBooleanFalse, no timestamp service is contacted and the resulting signature
has no certified timestamp.
If this key is omitted, a default is used that may vary from release to release.
Note that when signing multi-architectural ("fat") programs, each architecture will
be signed separately, and thus each architecture will have a slightly different timestamp.
@constant kSecCodeSignerTimestampServer A CFURL specifying which timestamp authority service
to contact for timestamping if requested by the kSecCodeSignerRequireTimestamp argument.
If omitted (and timestamping is performed), a system-defined default value is used, referring
to an Apple-operated timestamp service. Note that this service may not freely serve all requests.
@constant kSecCodeSignerTimestampAuthentication A SecIdentityRef describing the identity
used to authenticate to the timestamp authority server, if the server requires client-side
(SSL/TLS) authentication. This will not generally be the identity used to sign the actual
code, depending on the requirements of the timestamp authority service used.
If omitted, the timestamp server is contacted using unauthenticated HTTP requests.
@constant kSecCodeSignerTimestampOmitCertificates A CFBoolean indicating (if kCFBooleanTrue)
that the timestamp embedded in the signature, if requested, not contain the full certificate chain
of the timestamp service used. This will make for a marginally smaller signature, but may not
verify correctly unless all such certificates are available (through the keychain system)
on the verifying system.
The default is to embed enough certificates to ensure proper verification of Apple-generated
timestamp signatures.
@constant kSecCodeSignerRuntimeVersion A CFString indicating the version of runtime hardening policies
that the process should be opted into. The string should be of the form "x", "x.x", or "x.x.x" where
x is a number between 0 and 255. This parameter is optional. If the signer specifies
kSecCodeSignatureRuntime but does not provide this parameter, the runtime version will be the SDK
version built into the Mach-O.
*/
extern const CFStringRef kSecCodeSignerApplicationData
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerDetached
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerDigestAlgorithm
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerDryRun
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerEntitlements
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerFlags
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerForceLibraryEntitlements
SPI_AVAILABLE(macos(15.0), ios(18.0), macCatalyst(18.0));
extern const CFStringRef kSecCodeSignerIdentifier
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerIdentifierPrefix
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerIdentity
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerPageSize
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerRequirements
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerResourceRules
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerSDKRoot
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerSigningTime
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerTimestampAuthentication
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerRequireTimestamp
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerTimestampServer
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerTimestampOmitCertificates
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerPreserveMetadata
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerTeamIdentifier
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerPlatformIdentifier
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerRuntimeVersion
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerPreserveAFSC
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerOmitAdhocFlag
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerEditCpuType
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerEditCpuSubtype
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerEditCMS
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
extern const CFStringRef kSecCodeSignerLaunchConstraintSelf
SPI_AVAILABLE(macos(13.0), ios(16.0), macCatalyst(16.0));
extern const CFStringRef kSecCodeSignerLaunchConstraintParent
SPI_AVAILABLE(macos(13.0), ios(16.0), macCatalyst(16.0));
extern const CFStringRef kSecCodeSignerLaunchConstraintResponsible
SPI_AVAILABLE(macos(13.0), ios(16.0), macCatalyst(16.0));
extern const CFStringRef kSecCodeSignerLibraryConstraint
SPI_AVAILABLE(macos(14.0), ios(17.0), macCatalyst(17.0));
enum {
kSecCodeSignerPreserveIdentifier = 1 << 0, // preserve signing identifier
kSecCodeSignerPreserveRequirements = 1 << 1, // preserve internal requirements (including DR)
kSecCodeSignerPreserveEntitlements = 1 << 2, // preserve entitlements
kSecCodeSignerPreserveResourceRules = 1 << 3, // preserve resource rules (and thus resources)
kSecCodeSignerPreserveFlags = 1 << 4, // preserve signing flags
kSecCodeSignerPreserveTeamIdentifier = 1 << 5, // preserve team identifier flags
kSecCodeSignerPreserveDigestAlgorithm = 1 << 6, // preserve digest algorithms used
kSecCodeSignerPreservePEH = 1 << 7, // preserve pre-encryption hashes
kSecCodeSignerPreserveRuntime = 1 << 8, // preserve the runtime version
kSecCodeSignerPreserveLaunchConstraints = 1 << 9, // preserve embedded launch constraints
kSecCodeSignerPreserveLibraryConstraints = 1 << 10, // preserve embedded library constraints
};
/*!
@function SecCodeSignerCreate
Create a (new) SecCodeSigner object to be used for signing code.
@param parameters An optional CFDictionary containing parameters that influence
signing operations with the newly created SecCodeSigner. If NULL, defaults
are applied to all parameters; note however that some parameters do not have
useful defaults, and will need to be set before signing is attempted.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
The kSecCSRemoveSignature flag requests that any existing signature be stripped
from the target code instead of signing. The kSecCSEditSignature flag
requests editing of existing signatures, which only works with a very
limited set of options.
@param staticCode On successful return, a SecStaticCode object reference representing
the file system origin of the given SecCode. On error, unchanged.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
enum {
kSecCSRemoveSignature = 1 << 0, // strip existing signature
kSecCSSignPreserveSignature = 1 << 1, // do not (re)sign if an embedded signature is already present
kSecCSSignNestedCode = 1 << 2, // recursive (deep) signing
kSecCSSignOpaque = 1 << 3, // treat all files as resources (no nest scan, no flexibility)
kSecCSSignV1 = 1 << 4, // sign ONLY in V1 form
kSecCSSignNoV1 = 1 << 5, // do not include V1 form
kSecCSSignBundleRoot = 1 << 6, // include files in bundle root
kSecCSSignStrictPreflight = 1 << 7, // fail signing operation if signature would fail strict validation
kSecCSSignGeneratePEH = 1 << 8, // generate pre-encryption hashes
kSecCSSignGenerateEntitlementDER = 1 << 9, // generate entitlement DER
kSecCSEditSignature = 1 << 10, // edit existing signature
kSecCSSingleThreadedSigning = 1 << 11, // disable concurrency when building the resource seal
};
#ifdef BRIDGED_SECCODESIGNER
OSStatus SecCodeSignerCreate(CFDictionaryRef parameters, SecCSFlags flags,
SecCodeSignerRef * __nonnull CF_RETURNS_RETAINED signer)
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
#else
OSStatus SecCodeSignerCreate(CFDictionaryRef parameters, SecCSFlags flags,
SecCodeSignerRef *signer)
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
#endif
/*!
@function SecCodeSignerAddSignature
Create a code signature and add it to the StaticCode object being signed.
@param signer A SecCodeSigner object containing all the information required
to sign code.
@param code A valid SecStaticCode object reference representing code files
on disk. This code will be signed, and will ordinarily be modified to contain
the resulting signature data.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param errors An optional pointer to a CFErrorRef variable. If the call fails
(and something other than errSecSuccess is returned), and this argument is non-NULL,
a CFErrorRef is stored there further describing the nature and circumstances
of the failure. The caller must CFRelease() this error object when done with it.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
OSStatus SecCodeSignerAddSignature(SecCodeSignerRef signer,
SecStaticCodeRef code, SecCSFlags flags)
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
OSStatus SecCodeSignerAddSignatureWithErrors(SecCodeSignerRef signer,
SecStaticCodeRef code, SecCSFlags flags, CFErrorRef *errors)
SPI_AVAILABLE(macos(10.5), ios(15.0), macCatalyst(13.0));
#ifdef __cplusplus
}
#endif
#endif //_H_SECCODESIGNER
Raw
SecCodeSignerSPI.h
//
// SecCodeSignerSPI.h
// codesign
//
// Created by samsam on 1/15/26.
//
#ifndef SecCodeSignerSPI_h
#define SecCodeSignerSPI_h
#include <CoreFoundation/CoreFoundation.h>
extern const CFStringRef kSecCodeSignerApplicationData;
extern const CFStringRef kSecCodeSignerDetached;
extern const CFStringRef kSecCodeSignerDigestAlgorithm;
extern const CFStringRef kSecCodeSignerDryRun;
extern const CFStringRef kSecCodeSignerEntitlements;
extern const CFStringRef kSecCodeSignerFlags;
extern const CFStringRef kSecCodeSignerForceLibraryEntitlements;
extern const CFStringRef kSecCodeSignerIdentifier;
extern const CFStringRef kSecCodeSignerIdentifierPrefix;
extern const CFStringRef kSecCodeSignerIdentity;
extern const CFStringRef kSecCodeSignerPageSize;
extern const CFStringRef kSecCodeSignerRequirements;
extern const CFStringRef kSecCodeSignerResourceRules;
extern const CFStringRef kSecCodeSignerSDKRoot;
extern const CFStringRef kSecCodeSignerSigningTime;
extern const CFStringRef kSecCodeSignerRequireTimestamp;
extern const CFStringRef kSecCodeSignerTimestampServer;
extern const CFStringRef kSecCodeSignerTimestampAuthentication;
extern const CFStringRef kSecCodeSignerTimestampOmitCertificates;
extern const CFStringRef kSecCodeSignerPreserveMetadata;
extern const CFStringRef kSecCodeSignerTeamIdentifier;
extern const CFStringRef kSecCodeSignerPlatformIdentifier;
extern const CFStringRef kSecCodeSignerRuntimeVersion;
extern const CFStringRef kSecCodeSignerPreserveAFSC;
extern const CFStringRef kSecCodeSignerOmitAdhocFlag;
extern const CFStringRef kSecCodeSignerLaunchConstraintSelf;
extern const CFStringRef kSecCodeSignerLaunchConstraintParent;
extern const CFStringRef kSecCodeSignerLaunchConstraintResponsible;
extern const CFStringRef kSecCodeSignerLibraryConstraint;
extern const CFStringRef kSecCodeSignerEditCpuType;
extern const CFStringRef kSecCodeSignerEditCpuSubtype;
extern const CFStringRef kSecCodeSignerEditCMS;
#endif /* SecCodeSignerSPI_h */
Raw
SecStaticCode.h
/*
* Copyright (c) 2006,2011-2014 Apple Inc. All Rights Reserved.
*
* @APPLE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this
* file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_LICENSE_HEADER_END@
*/
/*!
@header SecStaticCode
SecStaticCode represents the Code Signing identity of code in the file system.
This includes applications, tools, frameworks, plugins, scripts, and so on.
Note that arbitrary files will be considered scripts of unknown provenance;
and thus it is possible to handle most files as if they were code, though that is
not necessarily a good idea.
Normally, each SecCode has a specific SecStaticCode that holds its static signing
data. Informally, that is the SecStaticCode the SecCode "was made from" (by its host).
There is however no viable link in the other direction - given a SecStaticCode,
it is not possible to find, enumerate, or control any SecCode that originated from it.
There might not be any at a given point in time; or there might be many.
*/
#ifndef _H_SECSTATICCODE
#define _H_SECSTATICCODE
#include <Security/CSCommon.h>
#ifdef __cplusplus
extern "C" {
#endif
CF_ASSUME_NONNULL_BEGIN
/*!
@function SecStaticCodeGetTypeID
Returns the type identifier of all SecStaticCode instances.
*/
CFTypeID SecStaticCodeGetTypeID(void);
/*!
@function SecStaticCodeCreateWithPath
Given a path to a file system object, create a SecStaticCode object representing
the code at that location, if possible. Such a SecStaticCode is not inherently
linked to running code in the system.
It is possible to create a SecStaticCode object from an unsigned code object.
Most uses of such an object will return the errSecCSUnsigned error. However,
SecCodeCopyPath and SecCodeCopySigningInformation can be safely applied to such objects.
@param path A path to a location in the file system. Only file:// URLs are
currently supported. For bundles, pass a URL to the root directory of the
bundle. For single files, pass a URL to the file. If you pass a URL to the
main executable of a bundle, the bundle as a whole will be generally recognized.
Caution: Paths containing embedded // or /../ within a bundle's directory
may cause the bundle to be misconstrued. If you expect to submit such paths,
first clean them with realpath(3) or equivalent.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param staticCode On successful return, contains a reference to the StaticCode object
representing the code at path. Unchanged on error.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
*/
OSStatus SecStaticCodeCreateWithPath(CFURLRef path, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode);
extern const CFStringRef kSecCodeAttributeArchitecture;
extern const CFStringRef kSecCodeAttributeSubarchitecture;
extern const CFStringRef kSecCodeAttributeUniversalFileOffset;
extern const CFStringRef kSecCodeAttributeBundleVersion;
/*!
@function SecStaticCodeCreateWithPathAndAttributes
Given a path to a file system object, create a SecStaticCode object representing
the code at that location, if possible. Such a SecStaticCode is not inherently
linked to running code in the system.
It is possible to create a SecStaticCode object from an unsigned code object.
Most uses of such an object will return the errSecCSUnsigned error. However,
SecCodeCopyPath and SecCodeCopySigningInformation can be safely applied to such objects.
@param path A path to a location in the file system. Only file:// URLs are
currently supported. For bundles, pass a URL to the root directory of the
bundle. For single files, pass a URL to the file. If you pass a URL to the
main executable of a bundle, the bundle as a whole will be generally recognized.
Caution: Paths containing embedded // or /../ within a bundle's directory
may cause the bundle to be misconstrued. If you expect to submit such paths,
first clean them with realpath(3) or equivalent.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@param attributes A CFDictionary containing additional attributes of the code sought.
@param staticCode On successful return, contains a reference to the StaticCode object
representing the code at path. Unchanged on error.
@result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
CSCommon.h or certain other Security framework headers.
@constant kSecCodeAttributeArchitecture Specifies the Mach-O architecture of code desired.
This can be a CFString containing a canonical architecture name ("i386" etc.), or a CFNumber
specifying an architecture numerically (see mach/machine.h). This key is ignored if the code
is not in Mach-O binary form. If the code is Mach-O but not universal ("thin"), the architecture
specified must agree with the actual file contents.
@constant kSecCodeAttributeSubarchitecture If the architecture is specified numerically
(using the kSecCodeAttributeArchitecture key), specifies any sub-architecture by number.
This key is ignored if no main architecture is specified; if it is specified by name; or
if the code is not in Mach-O form.
@constant kSecCodeAttributeUniversalFileOffset The offset of a Mach-O specific slice of a universal Mach-O file.
@constant kSecCodeAttributeBundleVersion If the code sought is a deep framework bundle (Something.framework/Versions/...),
then select the specified framework version. This key is otherwise ignored.
*/
OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flags, CFDictionaryRef attributes,
SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode);
/*!
@function SecStaticCodeCheckValidity
Performs static validation on the given SecStaticCode object. The call obtains and
verifies the signature on the code object. It checks the validity of all
sealed components (including resources, if any). It validates the code against
a SecRequirement if one is given. The call succeeds if all these conditions
are satisfactory. It fails otherwise.
This call is only secure if the code is not subject to concurrent modification,
and the outcome is only valid as long as the code is unmodified thereafter.
Consider this carefully if the underlying file system has dynamic characteristics,
such as a network file system, union mount, FUSE, etc.
@param staticCode The code object to be validated.
@param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
@constant kSecCSCheckAllArchitectures
For multi-architecture (universal) Mach-O programs, validate all architectures
included. By default, only the native architecture is validated.
@constant kSecCSDoNotValidateExecutable
Do not validate the contents of the main executable. This is normally done.
@constant kSecCSDoNotValidateResources
Do not validate the presence and contents of all bundle resources (if any).
By default, a mismatch in any bundle resource causes validation to fail.
@constant kSecCSCheckNestedCode
For code in bundle form, locate and recursively check embedded code. Only code
in standard locations is considered.
@constant kSecCSStrictValidate
For code in bundle form, perform additional checks to verify that the bundle
is not structured in a way that would allow tampering, and reject any resource
envelope that introduces weaknesses into the signature.
@constant kSecCSSingleThreaded
Perform all resource validation serially on a single thread instead of dispatching
work in parallel.
@constant kSecCSAllowNetworkAccess
Enables network access for certificate trust evaluation performed while validating the
bundle or its contents.
@param requirement On optional code requirement specifying additional conditions
the staticCode object must satisfy to be considered valid. If NULL, no additional
requirements are imposed.
@param errors An optional pointer to a CFErrorRef variable. If the call fails
(something other than errSecSuccess is returned), and this argument is non-NULL,
a CFErrorRef is stored there further describing the nature and circumstances
of the failure. The caller must CFRelease() this error object when done with it.
@result If validation succeeds, errSecSuccess. If validation fails, an OSStatus value
documented in CSCommon.h or certain other Security framework headers.
*/
CF_ENUM(uint32_t) {
kSecCSCheckAllArchitectures = 1 << 0,
kSecCSDoNotValidateExecutable = 1 << 1,
kSecCSDoNotValidateResources = 1 << 2,
kSecCSBasicValidateOnly = kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources,
kSecCSCheckNestedCode = 1 << 3,
kSecCSStrictValidate = 1 << 4,
kSecCSFullReport = 1 << 5,
kSecCSCheckGatekeeperArchitectures = (1 << 6) | kSecCSCheckAllArchitectures,
kSecCSRestrictSymlinks = 1 << 7,
kSecCSRestrictToAppLike = 1 << 8,
kSecCSRestrictSidebandData = 1 << 9,
kSecCSUseSoftwareSigningCert = 1 << 10,
kSecCSValidatePEH = 1 << 11,
kSecCSSingleThreaded = 1 << 12,
// NOTE: These values have gaps for internal usage.
kSecCSAllowNetworkAccess CF_ENUM_AVAILABLE(11_3, 14_5) = 1 << 16,
kSecCSFastExecutableValidation CF_ENUM_AVAILABLE(11_3, 14_5) = 1 << 17,
};
OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCode, SecCSFlags flags,
SecRequirementRef __nullable requirement);
OSStatus SecStaticCodeCheckValidityWithErrors(SecStaticCodeRef staticCode, SecCSFlags flags,
SecRequirementRef __nullable requirement, CFErrorRef *errors);
CF_ASSUME_NONNULL_END
#ifdef __cplusplus
}
#endif
#endif //_H_SECSTATICCODE
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment