errSecCSStaticCodeChanged = -67034, /* the code on disk does not match what is running */
errSecCSDBDenied = -67033, /* permission to use a database denied */
errSecCSDBAccess = -67032, /* cannot access a database */
- errSecCSSigDBDenied = errSecCSDBDenied,
- errSecCSSigDBAccess = errSecCSDBAccess,
+ errSecCSSigDBDenied = -67033, /* permission to use a database denied */
+ errSecCSSigDBAccess = -67032, /* cannot access a database */
errSecCSHostProtocolInvalidAttribute = -67031, /* host returned invalid or inconsistent guest attributes */
errSecCSInfoPlistFailed = -67030, /* invalid Info.plist (plist or signature have been modified) */
errSecCSNoMainExecutable = -67029, /* the code has no main executable file */
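Review bot: The alias relationship is lost on the new side: `errSecCSSigDBDenied` and `errSecCSSigDBAccess` were defined as `= errSecCSDBDenied` / `= errSecCSDBAccess` and are now independent literals `-67033` / `-67032`, so a later renumbering of the canonical codes would silently leave the aliases pointing at different values. If the literal form is needed (e.g. for a tool that parses this header), the comments should at least record the aliasing, `errSecCSSigDBDenied = -67033, /* alias of errSecCSDBDenied */` and `errSecCSSigDBAccess = -67032, /* alias of errSecCSDBAccess */`, so the two pairs are kept in step. Otherwise the symbolic initializer is the safer form. The enclosing enum begins outside this hunk.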
errSecCSBadDiskImageFormat = -67001, /* disk image format unrecognized, invalid, or unsuitable */
errSecCSUnsupportedDigestAlgorithm = -67000, /* a requested signature digest algorithm is not supported */
errSecCSInvalidAssociatedFileData = -66999, /* resource fork, Finder information, or similar detritus not allowed */
- errSecCSInvalidTeamIdentifier = -66998, /* a Team Identifier string is invalid */
- errSecCSBadTeamIdentifier = -66997, /* a Team Identifier is wrong or inappropriate */
- errSecCSSignatureUntrusted = -66996, /* signature is valid but signer is not trusted */
+ errSecCSInvalidTeamIdentifier = -66998, /* a Team Identifier string is invalid */
+ errSecCSBadTeamIdentifier = -66997, /* a Team Identifier is wrong or inappropriate */
+ errSecCSSignatureUntrusted = -66996, /* signature is valid but signer is not trusted */
errSecMultipleExecSegments = -66995, /* the image contains multiple executable segments */
+ errSecCSInvalidEntitlements = -66994, /* invalid entitlement plist */
+ errSecCSInvalidRuntimeVersion = -66993, /* an invalid runtime version was explicitly set */
+ errSecCSRevokedNotarization = -66992, /* notarization indicates this code has been revoked */
};
/*
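Review bot: The new `errSecCSRevokedNotarization` line gives no cue on how a caller should classify it: by analogy with `errSecCSSignatureUntrusted` ("signature is valid but signer is not trusted") this presumably means the signature itself may still verify and only trust has been withdrawn, which matters for code that distinguishes malformed signatures from policy rejections. If that is the intended meaning, say so in the comment, e.g. `/* notarization indicates this code has been revoked (signature may still verify; treat as untrusted) */`. Separately, the three `errSecCS*TeamIdentifier`/`errSecCSSignatureUntrusted` lines are removed and re-added byte-identical, which reads as whitespace-only churn that obscures the real additions. The enum's opening line is outside this hunk.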
immediately if it becomes invalid.
@constant kSecCodeSignatureForceExpiration
Forces the kSecCSConsiderExpiration flag on all validations of the code.
+ @constant kSecCodeSignatureRuntime
+ Instructs the kernel to apply runtime hardening policies as required by the
+ hardened runtime version
*/
typedef CF_OPTIONS(uint32_t, SecCodeSignatureFlags) {
kSecCodeSignatureHost = 0x0001, /* may host guest code */
kSecCodeSignatureRestrict = 0x0800, /* restrict dyld loading */
kSecCodeSignatureEnforcement = 0x1000, /* enforce code signing */
kSecCodeSignatureLibraryValidation = 0x2000, /* library validation required */
+ kSecCodeSignatureRuntime = 0x10000, /* apply runtime hardening policies */
};
/*!
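Review bot: The `kSecCodeSignatureRuntime` doc text does not say where the "hardened runtime version" comes from or that the policy set varies with it, and the sentence is unterminated; presumably the version is the one set in the signature (the new `errSecCSInvalidRuntimeVersion` code in the same change refers to an explicitly set runtime version), so a wording such as `Instructs the kernel to apply the runtime hardening policies required by the hardened runtime version set in the signature.` would tell a caller what the flag depends on — confirm the source of the version before committing to it. Also, the value jumps from `0x2000` to `0x10000`, leaving `0x4000` and `0x8000` unused in this enum; if those bits are taken elsewhere (the kernel-side flag set, presumably), a one-line `/* 0x4000, 0x8000 reserved */` would stop a future contributor from reusing them here.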
This bit can only be set. Code that has the kill flag set will never be dynamically invalid
(and live). Note however that a change in static validity does not necessarily trigger instant
death.
+
+ @constant kSecCodeStatusDebugged
+ Indicated that code has been debugged by another process that was allowed to do so. The debugger
+ causes this to be set when it attachs.
+
+ @constant kSecCodeStatusPlatform
+ Indicates the code is platform code, shipping with the operating system and signed by Apple.
*/
typedef CF_OPTIONS(uint32_t, SecCodeStatus) {
- kSecCodeStatusValid = 0x0001,
- kSecCodeStatusHard = 0x0100,
- kSecCodeStatusKill = 0x0200,
+ kSecCodeStatusValid = 0x00000001,
+ kSecCodeStatusHard = 0x00000100,
+ kSecCodeStatusKill = 0x00000200,
+ kSecCodeStatusDebugged = 0x10000000,
+ kSecCodeStatusPlatform = 0x04000000,
};
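Review bot: Two typos in the new doc text: `Indicated that code has been debugged` should be `Indicates that code has been debugged`, and `when it attachs` should be `when it attaches`. The doc also does not say whether `kSecCodeStatusDebugged` is sticky — the neighbouring `Kill` text says its bit "can only be set", and a caller using this status to decide whether a process may handle secrets needs to know if detaching clears it; if the bit persists, add `The bit is not cleared when the debugger detaches.`, otherwise state when it is cleared. Finally, the new enumerators are out of numeric order (`kSecCodeStatusDebugged = 0x10000000` before `kSecCodeStatusPlatform = 0x04000000`); listing `Platform` first keeps the enum ascending like the rest of it.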
kSecCodeSignatureHashSHA256 = 2, /* SHA-256 */
kSecCodeSignatureHashSHA256Truncated = 3, /* SHA-256 truncated to first 20 bytes */
kSecCodeSignatureHashSHA384 = 4, /* SHA-384 */
+ kSecCodeSignatureHashSHA512 = 5, /* SHA-512 */
};
CF_ASSUME_NONNULL_END