I thought some folks on this forum might find it useful, so I'm sharing that I've just open sourced a Swift package called Required which parses and evaluates requirements written in Apple's Code Signing Requirement Language.
Amongst other uses, this package can be quite useful in debugging security requirements used to secure XPC communications.
This package only uses public APIs and supports OS X 10.10 and later. (The parser itself has no platform dependencies at all and could in theory be run on any platform Swift supports.)
As an example of how the package works, to see whether and how an application satisfies its designated requirement:
// Retrieve the designated requirement for Numbers
let url = URL(fileURLWithPath: "/Applications/Numbers.app")
var code: SecStaticCode?
SecStaticCodeCreateWithPath(url as CFURL, [], &code)
var requirement: SecRequirement?
SecCodeCopyDesignatedRequirement(code!, [], &requirement)
// See whether and how Numbers satisifies its designated requirement
let abstractRequirement = try Parser.parse(requirement: requirement!)
let evaluation = try abstractRequirement.evaluateForStaticCode(code!)
print("Does \(url.lastPathComponent) satisfy its designated requirement?")
print(evaluation.isSatisfied ? "Yes" : "No")
print("\nEvaluation tree:")
print(evaluation.prettyDescription)
Which outputs:
Does Numbers.app satisfy its designated requirement?
Yes
Evaluation tree:
and {true}
|--() {true}
| \--or {true}
| |--and {true}
| | |--anchor apple generic {true}
| | \--certificate leaf[field.1.2.840.113635.100.6.1.9] {true}
| \--and {false}
| |--and {false}
| | |--and {false}
| | | |--anchor apple generic {true}
| | | \--certificate 1[field.1.2.840.113635.100.6.2.6] {false}¹
| | \--certificate leaf[field.1.2.840.113635.100.6.1.13] {false}²
| \--certificate leaf[subject.OU] = K36BKF7T3D {false}³
\--identifier "com.apple.iWork.Numbers" {true}
Constraints not satisfied:
1. The certificate <Apple Worldwide Developer Relations Certification Authority> does not contain OID 1.2.840.113635.100.6.2.6
2. The certificate <Apple Mac OS Application Signing> does not contain OID 1.2.840.113635.100.6.1.13
3. The certificate <Apple Mac OS Application Signing> does not contain element subject.OU