Security-55471.14.18.tar.gz

[apple/security.git] / libsecurity_codesigning / lib / SecStaticCode.h

diff --git a/libsecurity_codesigning/lib/SecStaticCode.h b/libsecurity_codesigning/lib/SecStaticCode.h
index ba083b41f4bc16bd2fada1197ad6bc8b43a20b32..8e5f8c202a6c92e7fc43aeab36fa2297ee6748ca 100644 (file)
--- a/libsecurity_codesigning/lib/SecStaticCode.h
+++ b/libsecurity_codesigning/lib/SecStaticCode.h
@@ -125,6 +125,10 @@ OSStatus SecStaticCodeCreateWithPathAndAttributes(CFURLRef path, SecCSFlags flag
        @constant kSecCSCheckNestedCode
        For code in bundle form, locate and recursively check embedded code. Only code
        in standard locations is considered.
+       @constant kSecCSStrictValidate
+       For code in bundle form, perform additional checks to verify that the bundle
+       is not structured in a way that would allow tampering, and reject any resource
+       envelope that introduces weaknesses into the signature.
        
        @param requirement On optional code requirement specifying additional conditions
        the staticCode object must satisfy to be considered valid. If NULL, no additional
@@ -142,6 +146,7 @@ enum {
        kSecCSDoNotValidateResources = 1 << 2,
        kSecCSBasicValidateOnly = kSecCSDoNotValidateExecutable | kSecCSDoNotValidateResources,
        kSecCSCheckNestedCode = 1 << 3,
+       kSecCSStrictValidate = 1 << 4,
 };
 
 OSStatus SecStaticCodeCheckValidity(SecStaticCodeRef staticCode, SecCSFlags flags,