X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/5c19dc3ae3bd8e40a9c028b0deddd50ff337692c..refs/heads/master:/OSX/libsecurity_codesigning/lib/SecCodeSigner.h
diff --git a/OSX/libsecurity_codesigning/lib/SecCodeSigner.h b/OSX/libsecurity_codesigning/lib/SecCodeSigner.h
index 4dead60d..c1a83ba4 100644
--- a/OSX/libsecurity_codesigning/lib/SecCodeSigner.h
+++ b/OSX/libsecurity_codesigning/lib/SecCodeSigner.h
@@ -38,7 +38,11 @@ extern "C" {
 @typedef SecCodeSignerRef This is the type of a reference to a code requirement. */
+#ifdef BRIDGED_SECCODESIGNER
+typedef struct CF_BRIDGED_TYPE(id) __SecCodeSigner *SecCodeSignerRef; /* code signing object */
+#else
 typedef struct __SecCodeSigner *SecCodeSignerRef; /* code signing object */
+#endif
 /*!
@@ -135,6 +139,12 @@ CFTypeID SecCodeSignerGetTypeID(void);
 on the verifying system. The default is to embed enough certificates to ensure proper verification of Apple-generated timestamp signatures.
+ @constant kSecCodeSignerRuntimeVersion A CFString indicating the version of runtime hardening policies
+ that the process should be opted into. The string should be of the form "x", "x.x", or "x.x.x" where
+ x is a number between 0 and 255. This parameter is optional. If the signer specifies
+ kSecCodeSignatureRuntime but does not provide this parameter, the runtime version will be the SDK
+ version built into the Mach-O.
+ */
 extern const CFStringRef kSecCodeSignerApplicationData;
 extern const CFStringRef kSecCodeSignerDetached;
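Review bot: The doc comment directly above the new typedef still says SecCodeSignerRef is "a reference to a code requirement", which contradicts the `/* code signing object */` trailer that both branches of the new #ifdef carry; since this declaration is being rewritten anyway, the stale sentence should go with it, e.g. `This is the type of a reference to a code signing object (SecCodeSigner).` A one-line comment on the `#ifdef BRIDGED_SECCODESIGNER` line saying who is expected to define that macro would also help, since the header otherwise gives no hint when the CF_BRIDGED_TYPE(id) form is selected — presumably only by SDK builds that support the annotation, but that should be confirmed.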
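Review bot: The new @constant text for kSecCodeSignerRuntimeVersion pins the accepted syntax ("x", "x.x", "x.x.x", each component 0 to 255) but says nothing about what happens when a caller passes a malformed or out-of-range string, which is exactly the case a caller has to handle; add a sentence such as `A string that does not match this form causes SecCodeSignerCreate to fail with <status code from the implementation>.` with the real status filled in. It would also be worth stating whether the "SDK version built into the Mach-O" fallback is evaluated once for the binary or per architecture slice, since a fat binary can carry different SDK versions per slice — I cannot tell from the header which applies.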
@@ -157,6 +167,12 @@ extern const CFStringRef kSecCodeSignerTimestampOmitCertificates;
 extern const CFStringRef kSecCodeSignerPreserveMetadata;
 extern const CFStringRef kSecCodeSignerTeamIdentifier;
 extern const CFStringRef kSecCodeSignerPlatformIdentifier;
+extern const CFStringRef kSecCodeSignerRuntimeVersion;
+extern const CFStringRef kSecCodeSignerPreserveAFSC;
+extern const CFStringRef kSecCodeSignerOmitAdhocFlag;
+extern const CFStringRef kSecCodeSignerEditCpuType;
+extern const CFStringRef kSecCodeSignerEditCpuSubtype;
+extern const CFStringRef kSecCodeSignerEditCMS;
 enum {
 kSecCodeSignerPreserveIdentifier = 1 << 0, // preserve signing identifier
@@ -164,7 +180,10 @@ enum {
 kSecCodeSignerPreserveEntitlements = 1 << 2, // preserve entitlements
 kSecCodeSignerPreserveResourceRules = 1 << 3, // preserve resource rules (and thus resources)
 kSecCodeSignerPreserveFlags = 1 << 4, // preserve signing flags
- kSecCodeSignerPreserveTeamIdentifier = 1 << 5, // preserve team identifier flags
+ kSecCodeSignerPreserveTeamIdentifier = 1 << 5, // preserve team identifier flags
+ kSecCodeSignerPreserveDigestAlgorithm = 1 << 6, // preserve digest algorithms used
+ kSecCodeSignerPreservePEH = 1 << 7, // preserve pre-encryption hashes
+ kSecCodeSignerPreserveRuntime = 1 << 8, // preserve the runtime version
 };
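Review bot: Five of the six new extern constants (kSecCodeSignerPreserveAFSC, kSecCodeSignerOmitAdhocFlag, kSecCodeSignerEditCpuType, kSecCodeSignerEditCpuSubtype, kSecCodeSignerEditCMS) get no @constant entry in the parameter-dictionary doc block that the earlier hunk extends for kSecCodeSignerRuntimeVersion, so a caller cannot tell from the header which CF type each value must be or which keys are only meaningful together with kSecCSEditSignature. Each should get an entry in the same style as the existing ones. For kSecCodeSignerEditCMS in particular, the entry should say what the value is (a CFData blob, presumably) and what validation the signer performs on a caller-supplied CMS signature before attaching it, because that blob is what binds the code directory to a signing identity and silently accepting an arbitrary one would change the trust story of the edited signature.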
@@ -178,7 +197,9 @@ enum {
 useful defaults, and will need to be set before signing is attempted.
 @param flags Optional flags. Pass kSecCSDefaultFlags for standard behavior.
 The kSecCSRemoveSignature flag requests that any existing signature be stripped
- from the target code instead of signing.
+ from the target code instead of signing. The kSecCSEditSignature flag
+ requests editing of existing signatures, which only works with a very
+ limited set of options.
 @param staticCode On successful return, a SecStaticCode object reference
 representing the file system origin of the given SecCode. On error, unchanged.
 @result Upon success, errSecSuccess. Upon error, an OSStatus value documented in
@@ -193,12 +214,18 @@ enum {
 kSecCSSignNoV1 = 1 << 5, // do not include V1 form
 kSecCSSignBundleRoot = 1 << 6, // include files in bundle root
 kSecCSSignStrictPreflight = 1 << 7, // fail signing operation if signature would fail strict validation
+ kSecCSSignGeneratePEH = 1 << 8, // generate pre-encryption hashes
+ kSecCSSignGenerateEntitlementDER = 1 << 9, // generate entitlement DER
+ kSecCSEditSignature = 1 << 10, // edit existing signature
 };
-
+#ifdef BRIDGED_SECCODESIGNER
+OSStatus SecCodeSignerCreate(CFDictionaryRef parameters, SecCSFlags flags,
+ SecCodeSignerRef * __nonnull CF_RETURNS_RETAINED signer);
+#else
 OSStatus SecCodeSignerCreate(CFDictionaryRef parameters, SecCSFlags flags,
 SecCodeSignerRef *signer);
-
+#endif
 /*!
 @function SecCodeSignerAddSignature
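Review bot: "only works with a very limited set of options" in the new @param flags text for kSecCSEditSignature leaves the caller guessing which parameter-dictionary keys are honored in edit mode and what happens to the rest. Name them, e.g. `The kSecCSEditSignature flag requests editing of an existing signature; in this mode only the kSecCodeSignerEditCpuType, kSecCodeSignerEditCpuSubtype and kSecCodeSignerEditCMS parameters are honored and other keys are rejected.` — assuming those are the keys the implementation consults and that it rejects rather than ignores the others, which the header alone does not establish. The enclosing doc comment for SecCodeSignerCreate begins before this hunk.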
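Review bot: The ownership and nullability contract of the `signer` out-parameter is now stated only on the BRIDGED_SECCODESIGNER branch, through `__nonnull CF_RETURNS_RETAINED`, while the non-bridged prototype a few lines below carries neither annotation, so the two declarations of the same function tell callers different things. Put the contract in the doc comment both branches share, e.g. `@param signer On success, receives a retained SecCodeSignerRef that the caller must CFRelease. Must not be NULL.`, assuming the bridged annotations are accurate. The new kSecCSSignGeneratePEH and kSecCSSignGenerateEntitlementDER flags are also not mentioned in the @param flags text at all, and the single-line enum comments ("generate pre-encryption hashes", "generate entitlement DER") do not say whether they change what a verifier will accept.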