{"id":32151838,"url":"https://github.com/trilemma-dev/required","last_synced_at":"2025-10-21T10:53:59.273Z","repository":{"id":37352220,"uuid":"493513286","full_name":"trilemma-dev/Required","owner":"trilemma-dev","description":"Parser and evaluator for Apple's Code Signing Requirement Language","archived":false,"fork":false,"pushed_at":"2022-06-17T12:05:51.000Z","size":160,"stargazers_count":8,"open_issues_count":0,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-10-21T10:53:58.185Z","etag":null,"topics":["codesign","csreq","macos","secrequirement","security"],"latest_commit_sha":null,"homepage":"","language":"Swift","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trilemma-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2022-05-18T04:53:59.000Z","updated_at":"2025-07-27T22:10:05.000Z","dependencies_parsed_at":"2022-07-27T23:07:34.272Z","dependency_job_id":null,"html_url":"https://github.com/trilemma-dev/Required","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/trilemma-dev/Required","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trilemma-dev%2FRequired","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trilemma-dev%2FRequired/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trilemma-dev%2FRequired/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trilemma-dev%2FRequired/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trilemma-dev","download_url":"https://codeload.github.com/t
rilemma-dev/Required/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trilemma-dev%2FRequired/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280248570,"owners_count":26297925,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-21T02:00:06.614Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codesign","csreq","macos","secrequirement","security"],"created_at":"2025-10-21T10:53:56.762Z","updated_at":"2025-10-21T10:53:59.266Z","avatar_url":"https://github.com/trilemma-dev.png","language":"Swift","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Required\nParse requirement and requirement sets into their abstract syntax tree form and then evaluate them.\n\nApple provides a compiler for their\n[Code Signing Requirement Language](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html)\nin the form of\n[`SecRequirementCreateWithString`](https://developer.apple.com/documentation/security/1394522-secrequirementcreatewithstring),\nbut does not expose a parser and its corresponding abstract syntax tree. 
This package does precisely that.\n\nWhile Apple does provide an evaluator for a\n[`SecRequirement`](https://developer.apple.com/documentation/security/secrequirement) in the form of\n[`SecStaticCodeCheckValidity`](https://developer.apple.com/documentation/security/1395784-secstaticcodecheckvalidity),\nthere is no ability to see _why_ validation has failed. This package provides detailed explanations.\n\n## Example\nTo see whether and how an application satisfies its designated requirement:\n```swift\n// Retrieve the designated requirement for Numbers\nlet url = URL(fileURLWithPath: \"/Applications/Numbers.app\")\nvar code: SecStaticCode?\nSecStaticCodeCreateWithPath(url as CFURL, [], \u0026code)\nvar requirement: SecRequirement?\nSecCodeCopyDesignatedRequirement(code!, [], \u0026requirement)\n\n// See whether and how Numbers satisfies its designated requirement\nlet abstractRequirement = try Parser.parse(requirement: requirement!)\nlet evaluation = try abstractRequirement.evaluateForStaticCode(code!)\nprint(\"Does \\(url.lastPathComponent) satisfy its designated requirement?\")\nprint(evaluation.isSatisfied ? \"Yes\" : \"No\")\nprint(\"\\nEvaluation tree:\")\nprint(evaluation.prettyDescription)\n```\n\nRequirements can be provided either as `SecRequirement`s as shown in the above code snippet or as `String`s. 
Running\nthis example outputs:\n```\nDoes Numbers.app satisfy its designated requirement?\nYes\n\nEvaluation tree:\nand {true}\n|--() {true}\n|  \\--or {true}\n|     |--and {true}\n|     |  |--anchor apple generic {true}\n|     |  \\--certificate leaf[field.1.2.840.113635.100.6.1.9] {true}\n|     \\--and {false}\n|        |--and {false}\n|        |  |--and {false}\n|        |  |  |--anchor apple generic {true}\n|        |  |  \\--certificate 1[field.1.2.840.113635.100.6.2.6] {false}¹\n|        |  \\--certificate leaf[field.1.2.840.113635.100.6.1.13] {false}²\n|        \\--certificate leaf[subject.OU] = K36BKF7T3D {false}³\n\\--identifier \"com.apple.iWork.Numbers\" {true}\n\nConstraints not satisfied:\n1. The certificate \u003cApple Worldwide Developer Relations Certification Authority\u003e does not contain OID 1.2.840.113635.100.6.2.6\n2. The certificate \u003cApple Mac OS Application Signing\u003e does not contain OID 1.2.840.113635.100.6.1.13\n3. The certificate \u003cApple Mac OS Application Signing\u003e does not contain element subject.OU\n```\n\nEach leaf node of the evaluation tree which was not satisfied is annotated with a superscript number. Those numbers are\nthen used at the bottom to provide explanations for why the leaf node was not satisfied. 
\n\nSee this package's DocC documentation for more details.\n\n## Apple Resources\nApple has published several documents that discuss to varying degrees their requirements language:\n- [Code Signing Requirement Language](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/RequirementLang/RequirementLang.html#//apple_ref/doc/uid/TP40005929-CH5-SW1)\n- [TN2206: macOS Code Signing In Depth](https://developer.apple.com/library/archive/technotes/tn2206/_index.html)\n- [TN3125: Inside Code Signing: Provisioning Profiles](https://developer.apple.com/documentation/technotes/tn3125-inside-code-signing-provisioning-profiles)\n- [TN3126: Inside Code Signing: Hashes](https://developer.apple.com/documentation/technotes/tn3126-inside-code-signing-hashes)\n- [TN3127: Inside Code Signing: Requirements](https://developer.apple.com/documentation/technotes/tn3127-inside-code-signing-requirements)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrilemma-dev%2Frequired","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrilemma-dev%2Frequired","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrilemma-dev%2Frequired/lists"}