TrustKit

What's Changed

• Add a Privacy Manifest declaring TrustKit's usage of the NSUserDefaults API. https://github.com/datatheorem/TrustKit/pull/326

Full Changelog: https://github.com/datatheorem/TrustKit/compare/3.0.3...3.0.4

• fixed a crash on iOS 17beta

• Fix warnings when building with Xcode 14.3

• Enabled multipath service type handover on iOS for all NSURLSessions
• Removed use of IDFV on iOS and tvOS
• Restored minimum OS versions to v3.0.1 to iOS 12+, macOS 10.13+, tvOS 12+ or watchOS 4+ App

• Replaced usage of deprecated methods SecTrustCopyPublicKey(), SecTrustGetCertificateAtIndex() and SecTrustEvaluate()
• Updated minimum OS versions to iOS 14+, macOS 11+, tvOS 14+ and watchOS 7+
  • Restored minimum OS versions in TrustKit v3.0.1 to iOS 12+, macOS 10.13+, tvOS 12+ or watchOS 4+ App

• Fixed a crash when running into a cache failure (#261).

• Fixed crashes when encountering an unsupported public key algorithm (#250, #252).
• Dropped support for iOS 11 and tvOS 11.

• Fixed crash when encountering an invalid domain name (#210).
• Fixed crash when encountering an unsupported public key algorithm (#211).
• Fixed support for Carthage and the Swift Package Manager (#222).
• Added "Dynamic" and "Static" products to the Swift Package Manager configuration to allow choosing the linking style (#234).
• Dropped support for iOS 10, macOS 10.12, tvOS 10 and watchOS 3 (#232).

• Bug fix for supporting the Swift package manager (#220).

• Added support for the Swift package manager (#214).

• Fixed minor security warnings (#213, #212).

• Fixed handling of overlapping pin sets when using kTSKIncludeSubdomains (#200).
• Enabled Modules in the CocoaPods spec file so that TrustKit can be packaged in a static Swift library (#205).

• Fixed a bug with the kTSKExcludeSubdomainFromParentPolicy setting (#187).
• Fixed static analysis warnings in Xcode 10.

• Dropped support for iOS 8 and iOS 9.
• Fixed build errors on iOS 12 (#172) and when using Objective-C++ (#160)
• Added support for SSL reporting from app extensions (#168)
• The TSKPublicKeyAlgorithms configuration key is now deprecated; the algorithm of the public key to pin no longer needs to be provided in the TrustKit configuration.
• The TSKAdditionalTrustAnchors configuration key is now deprecated because its intended functionality no longer works on iOS (#154).
• Fixed the expiration date logic to always use the UTC time zone (#166)

• Fixed issue with TSKIncludeSubdomains applying the pinning policy to the wrong domains when parsing the TrustKit configuration (#156).

• Fixed header name conflict with other SDKs such as Mopub (#150).
• Fixed TSKSPKIHashCache's API by requiring the identifier to not be nil (#147).

• Fixed umbrella header and project targets for linking without CocoaPods.
• Fixed a bug when using kTSKIncludeSubdomains with domains that have a TLD with the same length.
• Fixed a crash when using a pinning validation callback to read the server's trust.
• Fixed a crash when enabling kTSKSwizzleNetworkDelegates for connection delegates swizzling.

• Implemented major changes to support the usage of multiple instances of TrustKit, instead of being forced to use a singleton.
  • This is useful for larger Apps that have split some of their functionality into multiple frameworks/SDKs. Each framework can initialize its own instance of TrustKit and use it for pinning validation independently of the App's other components. See the -initWithConfig: method for more information.
  • The singleton approach should still be used by most Apps as it is simpler. A few minor code changes are required for Apps migrating from previous versions, detailed at the end of this page.
• Pinning validation notifications have been removed and replaced by a callback that can be set in order to receive information about any pinning validation performed by TrustKit. See the pinningValidatorCallback property of the TrustKit class for more information.
• The default value for the kTSKSwizzleNetworkDelegates setting has been changed to NO.
• Support for iOS 7 and macOS 10.9 has been dropped.

Migrating from 1.4.2

For initializing TrustKit, switch from:

[TrustKit initializeWithConfiguration:trustKitConfig];

to:

[TrustKit initSharedInstanceWithConfiguration:trustKitConfig];

For any code using the TSKPinningValidator class, switch from:

[TSKPinningValidator handleChallenge:challenge completionHandler:completionHandler];

to:

[TrustKit.sharedInstance.pinningValidator handleChallenge:challenge completionHandler:completionHandler];

• New TSKExcludeSubdomainFromParentPolicy domain configuration key. If set to YES, TrustKit will not pin this specific domain if TSKIncludeSubdomains was set for this domain’s parent domain. This allows excluding specific subdomains from a pinning policy that was applied to a parent domain.
• Switched from the build number (CFBundleVersion) to the release version number (CFBundleShortVersionString) for the app-version field within reports.
• Various bug fixes:
  • Switch from the deprecated OSSpinLock to os_unfair_lock when running on an iOS 10+ / macOS 10.12+ device.
  • Fixed serialization warning during initialization.
  • Added support for newer gTLDs (such as .team).

• Added support for secp384r1 certificates (kTSKAlgorithmEcDsaSecp384r1).
• Added the ability to specify an expiration date for a domain's pinning policy (kTSKExpirationDate). This will help prevent connectivity issues in Apps which do not get updates to their pins, such as when the user disables App updates.
• A backup pin is no longer required when pinning validation is not enforced (ie. when kTSKEnforcePinning is set to NO).
• Fixed a bug causing random unicode characters to be displayed in the date-time field of pinning failure reports sent by devices with non-standard time settings.
• Improved the documentation and switched to jazzy for generating it.