Module: OS::Mac::FFI::Security Private

Extended by:
NativeLibrary
Defined in:
os/mac/ffi/security.rb

Overview

This module is part of a private API. This module may only be used in the Homebrew/brew repository. Third parties should avoid using this module if possible, as it may be removed or changed without warning.

Security.framework code-signing wrapper.

Constant Summary collapse

FUNCTION_ARGUMENT_TYPES =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

T.let(
  [Fiddle::TYPE_VOIDP, Fiddle::TYPE_UINT32_T, Fiddle::TYPE_VOIDP].freeze,
  T::Array[Integer],
)
VALIDATION_FLAGS =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

Validate every architecture, nested code and strict bundle structure. https://developer.apple.com/documentation/security/static-code-validation-flags

T.let(((1 << 0) | (1 << 3) | (1 << 4)).freeze, Integer)
REQUIREMENT_FAILED_STATUS =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

https://developer.apple.com/documentation/security/errseccsreqfailed

-67050

Class Method Summary collapse

Class Method Details

.designated_requirement(path) ⇒ String?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

A designated requirement is macOS's durable identity for recognising successive versions of the same signed code. https://developer.apple.com/documentation/security/applying-code-requirements

Parameters:

Returns:



66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# File 'os/mac/ffi/security.rb', line 66

def self.designated_requirement(path)
  code = static_code(path)
  return if code.nil?

  requirement = retained_pointer do |result|
    # https://developer.apple.com/documentation/security/seccodecopydesignatedrequirement%28_%3A_%3A_%3A%29
    function(
      "SecCodeCopyDesignatedRequirement",
      FUNCTION_ARGUMENT_TYPES,
      Fiddle::TYPE_INT,
    ).call(code, 0, result)
  end
  return if requirement.nil?

  # Validate sealed content against its own identity before trusting it.
  # https://developer.apple.com/documentation/security/secstaticcodecheckvalidity%28_%3A_%3A_%3A%29
  return unless function(
    "SecStaticCodeCheckValidity",
    FUNCTION_ARGUMENT_TYPES,
    Fiddle::TYPE_INT,
  ).call(code, VALIDATION_FLAGS, requirement).zero?

  requirement_string = retained_pointer do |result|
    function(
      "SecRequirementCopyString",
      FUNCTION_ARGUMENT_TYPES,
      Fiddle::TYPE_INT,
    ).call(requirement, 0, result)
  end
  return if requirement_string.nil?

  ObjectiveC.message_send(
    requirement_string,
    "UTF8String",
    [],
    Fiddle::TYPE_VOIDP,
  ).to_s
end

.requirement_match(path, requirement) ⇒ Boolean?

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean, nil)


106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# File 'os/mac/ffi/security.rb', line 106

def self.requirement_match(path, requirement)
  code = static_code(path)
  return if code.nil?

  requirement_string = CoreFoundation.string_create(requirement)
  return if requirement_string.null?

  compiled_requirement = retained_pointer do |result|
    # https://developer.apple.com/documentation/security/1394522-secrequirementcreatewithstring
    function(
      "SecRequirementCreateWithString",
      FUNCTION_ARGUMENT_TYPES,
      Fiddle::TYPE_INT,
    ).call(requirement_string, 0, result)
  end
  return if compiled_requirement.nil?

  status = function(
    "SecStaticCodeCheckValidity",
    FUNCTION_ARGUMENT_TYPES,
    Fiddle::TYPE_INT,
  ).call(code, VALIDATION_FLAGS, compiled_requirement)
  return true if status.zero?

  false if status == REQUIREMENT_FAILED_STATUS
end