Make signing and verification use stricter checks

Closes brave#5
bkero · Jul 3, 2018 · db66263 · db66263
1 parent c0759cc
commit db66263
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/Sparkle/SUCodeSigningVerifier.m b/Sparkle/SUCodeSigningVerifier.m
@@ -48,7 +48,7 @@ + (BOOL)codeSignatureAtBundleURL:(NSURL *)oldBundleURL matchesSignatureAtBundleU
     // See https://github.com/sparkle-project/Sparkle/issues/376#issuecomment-48824267 and https://developer.apple.com/library/mac/technotes/tn2206
     // Aditionally, there are several reasons to stay away from deep verification and to prefer DSA signing the download archive instead.
     // See https://github.com/sparkle-project/Sparkle/pull/523#commitcomment-17549302 and https://github.com/sparkle-project/Sparkle/issues/543
-    SecCSFlags flags = (SecCSFlags) (kSecCSDefaultFlags | kSecCSCheckAllArchitectures);
+    SecCSFlags flags = (SecCSFlags) (kSecCSDefaultFlags | | kSecCSCheckNestedCode | kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks | kSecCSCheckNestedCode | kSecCSStrictValidate );
     result = SecStaticCodeCheckValidityWithErrors(staticCode, flags, requirement, &cfError);
 
     if (cfError) {