---
title: LightweightCodeRequirements
framework: lightweightcoderequirements
role: collection
role_heading: Framework
path: lightweightcoderequirements
---

# LightweightCodeRequirements

Test the identity of executable code on disk and in running processes.

## Overview

Code that is cryptographically signed carries tamper-proof statements about its identity in its code signature. Construct tests to distinguish different code files using the lightweight code requirement domain-specific language (DSL). Use the tests to distinguish code files on disk, running processes, and processes that the operating system launches. Code files on disk include:

- Executable binaries
- Dynamic or static libraries
- Frameworks
- Loadable bundles

### Define tests of signed code properties

The keywords you use to test code properties in the lightweight code requirement DSL are:

For code signed by an organization or individual other than Apple, the code’s identity is specified by its `SigningIdentifier`, `TeamIdentifier`, and `ValidationCategory`.

### Combine tests into requirements

The lightweight code requirement DSL provides operators that you use to build up complex requirements from individual tests. For example, the operators to construct on-disk code requirements are:

`ProcessCodeRequirement` and `LaunchCodeRequirement` provide similar operators for building process code requirements and launch requirements.

The `anyOf(requirement:)` and `allOf(requirement:)` operators simplify their inputs as follows:

- An operator with a single constraint as its argument replaces itself with the direct evaluation of the given constraint.
- If any of the arguments to an `anyOf(requirement:)` operator are themselves `anyOf(requirement:)` operators, the arguments to both are merged into a single set of constraints evaluated by the top-level `anyOf(requirement:)` operator.
- If any of the arguments to an `allOf(requirement:)` operator are themselves `allOf(requirement:)` operators, the arguments to both are merged into a single set of constraints evaluated by the top-level `allOf(requirement:)` operator.

Both `allOf(requirement:)` and `anyOf(requirement:)` throw an error if the simplification results in the same constraint appearing twice in the arguments for one operator, for example, if an `anyOf(requirement:)` operator contains two tests of `InfoPlistHash` constraints. The exception to this simplification rule is that multiple `EntitlementsQuery` tests can appear in the arguments for one operator.

### Test whether a running process satisfies a lightweight code requirement

Create a `ProcessCodeRequirement` using the DSL and pass it to `SecTaskValidateForRequirement(task:requirement:)`, along with a `SecTask` representing the running process. If the task’s code satisfies the lightweight code requirement, then the function returns `true`; otherwise, it returns `false`.

### Test whether code on disk satisfies a lightweight code requirement

Create an `OnDiskCodeRequirement` using the DSL and pass it to `SecStaticCodeCheckValidityWithOnDiskRequirement(code:flags:requirement:)` or `SecCodeCheckValidityWithOnDiskRequirement(code:flags:requirement:)`, depending on whether you construct a `SecStaticCode` or `SecCode` to represent the code. Both functions return a `ValidationResult` indicating whether the code has a valid signature, whether it satisfies the requirement, and any error that occurred.

### Restrict the executables you launch as new processes

Create a `LaunchCodeRequirement` using the DSL and set it as the `launchRequirement` on a `Process` instance, before you call `run()`. If the executable specified in the process’s `executableURL` satisfies the launch requirement, the kernel launches the process; otherwise, `run()` throws an error.

You can also encode your requirements as launch constraints in property list files that you embed in your executable’s code signature to restrict which processes can launch your executable and which dynamic libraries your process can load. For more information, see Applying launch environment and library constraints.
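
The simplification rules for `allOf(requirement:)` and `anyOf(requirement:)` described in the overview, modelled as an added example in Python so the merge and duplicate checks can be run without the framework. This is not Apple's implementation or code from this documentation; `Constraint`, `Op`, `simplify`, `ModelConstraintError` and all sample values are hypothetical stand-ins.

```python
# Model of the documented allOf/anyOf simplification; not the framework's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Constraint:            # hypothetical stand-in for one DSL test
    keyword: str             # e.g. "TeamIdentifier", "InfoPlistHash"
    value: str

@dataclass(frozen=True)
class Op:                    # hypothetical stand-in for allOf / anyOf
    kind: str                # "allOf" or "anyOf"
    args: tuple

class ModelConstraintError(Exception):
    """Stand-in for the error the operators throw on a repeated constraint."""

REPEATABLE = {"EntitlementsQuery"}   # the documented exception

def simplify(node):
    if isinstance(node, Constraint):
        return node
    merged = []
    for arg in (simplify(a) for a in node.args):
        # A nested operator of the same kind is merged into its parent.
        if isinstance(arg, Op) and arg.kind == node.kind:
            merged.extend(arg.args)
        else:
            merged.append(arg)
    # The duplicate check applies to the merged arguments of this one operator.
    seen = set()
    for arg in merged:
        if isinstance(arg, Constraint) and arg.keyword not in REPEATABLE:
            if arg.keyword in seen:
                raise ModelConstraintError(f"{arg.keyword} repeated in {node.kind}")
            seen.add(arg.keyword)
    # An operator left with a single argument is replaced by that argument.
    return merged[0] if len(merged) == 1 else Op(node.kind, tuple(merged))

# Constructed sample values.
TEAM = Constraint("TeamIdentifier", "EXAMPLETEAM")
SIGN = Constraint("SigningIdentifier", "com.example.helper")
HASH_A = Constraint("InfoPlistHash", "aaaa")
HASH_B = Constraint("InfoPlistHash", "bbbb")
ENT_1 = Constraint("EntitlementsQuery", "com.example.one")
ENT_2 = Constraint("EntitlementsQuery", "com.example.two")

if __name__ == "__main__":
    print(simplify(Op("allOf", (Op("allOf", (TEAM, SIGN)), ENT_1, ENT_2))))
    try:
        simplify(Op("anyOf", (HASH_A, Op("anyOf", (HASH_B, TEAM)))))
    except ModelConstraintError as err:
        print("rejected:", err)
```

The rejected case shows why a requirement whose operators each look valid on their own can still fail: the repeated `InfoPlistHash` only exists once the nested `anyOf` is merged into its parent.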

## Topics

### Checking code requirements for running processes

- [SecTaskValidateForRequirement(task:requirement:)](lightweightcoderequirements/sectaskvalidateforrequirement(task:requirement:).md)
- [ProcessCodeRequirement](lightweightcoderequirements/processcoderequirement.md)
- [allOf(requirement:)](lightweightcoderequirements/allof(requirement:)-4k3ay.md)
- [anyOf(requirement:)](lightweightcoderequirements/anyof(requirement:)-vwhn.md)
- [ProcessConstraint](lightweightcoderequirements/processconstraint.md)
- [ProcessCodeSigningFlags](lightweightcoderequirements/processcodesigningflags.md)
- [ProcessConstraintBuilder](lightweightcoderequirements/processconstraintbuilder.md)
- [TeamIdentifierMatchesCurrentProcess](lightweightcoderequirements/teamidentifiermatchescurrentprocess.md)

### Checking code requirements for launching processes

- [SecCodeCheckValidityWithProcessRequirement(code:flags:requirement:)](lightweightcoderequirements/seccodecheckvaliditywithprocessrequirement(code:flags:requirement:).md)
- [launchRequirement](foundation/process/launchrequirement.md)
- [LaunchCodeRequirement](lightweightcoderequirements/launchcoderequirement.md)
- [allOf(requirement:)](lightweightcoderequirements/allof(requirement:)-4gf5f.md)
- [anyOf(requirement:)](lightweightcoderequirements/anyof(requirement:)-6nicx.md)
- [LaunchConstraint](lightweightcoderequirements/launchconstraint.md)
- [LaunchConstraintBuilder](lightweightcoderequirements/launchconstraintbuilder.md)

### Checking code requirements for code files on disk

- [SecStaticCodeCheckValidityWithOnDiskRequirement(code:flags:requirement:)](lightweightcoderequirements/secstaticcodecheckvaliditywithondiskrequirement(code:flags:requirement:).md)
- [SecCodeCheckValidityWithOnDiskRequirement(code:flags:requirement:)](lightweightcoderequirements/seccodecheckvaliditywithondiskrequirement(code:flags:requirement:).md)
- [ValidationResult](lightweightcoderequirements/validationresult.md)
- [OnDiskCodeRequirement](lightweightcoderequirements/ondiskcoderequirement.md)
- [allOf(requirement:)](lightweightcoderequirements/allof(requirement:)-2ocwl.md)
- [anyOf(requirement:)](lightweightcoderequirements/anyof(requirement:)-71pff.md)
- [OnDiskConstraint](lightweightcoderequirements/ondiskconstraint.md)
- [OnDiskCodeSigningFlags](lightweightcoderequirements/ondiskcodesigningflags.md)
- [OnDiskConstraintBuilder](lightweightcoderequirements/ondiskconstraintbuilder.md)

### Testing properties of executable code

- [CodeDirectoryHash](lightweightcoderequirements/codedirectoryhash.md)
- [EntitlementsQuery](lightweightcoderequirements/entitlementsquery.md)
- [InfoPlistHash](lightweightcoderequirements/infoplisthash.md)
- [IsInitProcess](lightweightcoderequirements/isinitprocess.md)
- [IsMainBinary](lightweightcoderequirements/ismainbinary.md)
- [IsSIPProtected](lightweightcoderequirements/issipprotected.md)
- [PlatformType](lightweightcoderequirements/platformtype.md)
- [SigningIdentifier](lightweightcoderequirements/signingidentifier.md)
- [TeamIdentifier](lightweightcoderequirements/teamidentifier.md)
- [ValidationCategory](lightweightcoderequirements/validationcategory.md)

### Handling errors

- [ConstraintError](lightweightcoderequirements/constrainterror.md)
