diff --git a/security-framework-sys/src/item.rs b/security-framework-sys/src/item.rs
index 97dc14b7..9fbfc128 100644
--- a/security-framework-sys/src/item.rs
+++ b/security-framework-sys/src/item.rs
@@ -11,6 +11,8 @@ extern "C" {
     pub static kSecMatchLimit: CFStringRef;
     pub static kSecMatchLimitAll: CFStringRef;
 
+    pub static kSecMatchTrustedOnly: CFStringRef;
+
     pub static kSecReturnData: CFStringRef;
     pub static kSecReturnAttributes: CFStringRef;
     pub static kSecReturnRef: CFStringRef;
diff --git a/security-framework/src/item.rs b/security-framework/src/item.rs
index 8a240719..ba1e1589 100644
--- a/security-framework/src/item.rs
+++ b/security-framework/src/item.rs
@@ -137,6 +137,7 @@ pub struct ItemSearchOptions {
     load_attributes: bool,
     load_data: bool,
     limit: Option<Limit>,
+    trusted_only: Option<bool>,
     label: Option<CFString>,
     service: Option<CFString>,
     account: Option<CFString>,
@@ -218,6 +219,13 @@ impl ItemSearchOptions {
         self
     }
 
+    /// Whether untrusted certificates should be returned.
+    #[inline(always)]
+    pub fn trusted_only(&mut self, trusted_only: Option<bool>) -> &mut Self {
+        self.trusted_only = trusted_only;
+        self
+    }
+
     /// Search for an item with the given service.
     #[inline(always)]
     pub fn service(&mut self, service: &str) -> &mut Self {
@@ -316,6 +324,13 @@ impl ItemSearchOptions {
                 ));
             }
 
+            if let Some(ref trusted_only) = self.trusted_only {
+                params.push((
+                    CFString::wrap_under_get_rule(kSecMatchTrustedOnly),
+                    if *trusted_only { CFBoolean::true_value().into_CFType() } else { CFBoolean::false_value().into_CFType() },
+                ));
+            }
+
             if let Some(ref service) = self.service {
                 params.push((
                     CFString::wrap_under_get_rule(kSecAttrService),