I just updated the version of Xcode I was using to build a KEXT project. I needed to run kextlibs on the Kext in order to update the OSBundleLibraries key in the Info.plist for the KEXT. When I do this, I get the following output:
For all architectures:
com.apple.iokit.IOSerialFamily = 11.0
com.apple.iokit.IOUSBHostFamily = 1.2
com.apple.kpi.iokit = 18.7
com.apple.kpi.libkern = 18.7
For x86_64:
2 symbols not found in any library kext:
__ZN9IOService8DispatchE5IORPC
__ZN15OSMetaClassBase8DispatchE5IORPC
When I run the two symbols that were not found through the demangler, it is telling me they are:
IOService::Dispatch(IORPC)
and
OSMetaClassBase::Dispatch(IORPC)
I double checked to make sure that I had not made any code changes - the only change is moving to Xcode Version 11.2.1 (11B500).
I would appreciate any ideas as to how I can solve this issue.
Hi. I need some help with a Notarization error.
In this situation, I have a Jenkins job (Jenkins is a continuous integration system that builds software) that produces a signed dmg disk image containing an app and a kernel extension.
The Jenkins job that produces this was working correctly until today. No changes were made to the build machine or to the source code that it builds.
The error that I am seeing is Error 65, "record not found" which happens when the Staple operation is attempted. I also receive an email with a subject line: "Your Mac software was not notarized."
The software is being built using Xcode 10.3. The reason why I am not using Xcode 11 is because I am building a KEXT.
I checked the signature using codesign -vvv --deep --strict on my disk image. It says "valid on disk" and "satisfies its Designated Requirement". I also verified that the system clock is correct within about a second on the build machine.
I also tried building it on a second machine using the same script and received the same error.
When the script uploads the disk image, I see a message saying "No errors uploading". Both machines I built on are running MacOS 10.14.6.
Hi. I have a customer who is unable to load a KEXT under MacOS 10.15.3 that they were previously able to load under 10.15.1.
I asked them to try to load it from the command line using kextutil. This is the error they received:
MacBook-Pro:Extensions user$ sudo kextutil SiLabsUSBDriver.kext
Password:
Kext rejected due to system policy:
{ URL = "file:///Library/StagedExtensions/Library/Extensions/SiLabsUSBDriver.kext/", ID = "com.silabs.driver.CP210xVCPDriver" }
Kext rejected due to system policy:
{ URL = "file:///Library/StagedExtensions/Library/Extensions/SiLabsUSBDriver.kext/", ID = "com.silabs.driver.CP210xVCPDriver" }
Diagnostics for /Library/Extensions/SiLabsUSBDriver.kext:
MacBook-Pro:Extensions user$
The installer for this KEXT calls KextManagerLoadKextWithURL() and is getting a return code of kOSKextReturnSystemPolicy. I usually take this return code to mean that the user needs to approve the kernel extension in the Security & Privacy pane of the System Preferences. However, in this case they do not see a message about this kext in that preference pane. I tried formatting the drive on a test system in my office and reinstalling MacOS 10.15.3 and I was able to install the kext and everything worked the way I expected. The installer called KextManagerLoadKextWithURL() and got kOSKextReturnSystemPolicy and when I opened the Security & Privacy control panel, I saw the "Allow" button for this kernel extension and I clicked it and it loaded properly. But this customer has tried the same steps and those steps are all working the same except the Allow button does not appear.
The only difference I am aware of is that their systems are set to Japanese. Their GateKeeper settings are the same ("App Store & Identified Developers") and they are using an admin account for the installation. Of course, you could not authorize the privileged helper tool that the installer uses to install the kext if you did not have an admin account.
When I create the .dmg that this is distributed on, I sign and notarize the .dmg and staple it afterwards and this all is successful. I do not currently notarize the kext itself nor the installer application - I merely sign these.
Would it be worthwhile to try separately notarizing the KEXT? Could this be the reason why it is not loading or showing the "Allow" button when they run kextutil on the command line?
Hi. I have a question about the Info.plist in DriverKit.
I currently have a KEXT project that uses VID/PID matching for a large number of customized VID/PID pairs that all map to the same family of USB to Serial bridge chips my company makes. As we migrate this KEXT to DriverKit, do the IOKitPersonality records stay pretty much the same? Specifically, do we continue to use idProduct, idVendor, and bInterfaceNumber the same way?
I would just try it out, but I don't yet have the com.apple.developer.driverkit entitlement.
Thanks!
Brant
I asked the account holder of my company's developer account to request an entitlement for building with DriverKit. Then later I received an email saying the entitlement had been granted.
I am trying to build a driverkit project but it fails for Code Signing. The errors I am getting are two things: first the provisioning profile doesn't contain my development certificate. I actually did add it when I created it in the developer portal. The second error is that the provisioning profile doesn't contain the entitlement.
One of the things I did was revoke my development certificate and create a certificate request and make a new development certificate. Then I created a provisioning profile for Mac development adding my new developer certificate and my device (i.e. my Mac I use for development) for the wildcard identifier. Then I downloaded and installed the provisioning profile. Then I restarted Xcode and opened my driverkit project. I had to import the provisioning profile within Xcode in order for it to appear as an option for manual signing.
I'm on MacOS 10.14.6 and Xcode Version 11.3.1 (11C504).
Is the problem that I am on Mojave or that I need to revoke and re-create my Developer ID: Application certificate? I don't want to have to do either of these things because the former would be a real pain for me and the second would be a real pain for other people at my company using the certificate.
I use Jenkins to build and notarize a device driver on a .dmg. The problem is that I am now getting a new notarization error:
altool[1980:21149] *** Error: The operation couldn’t be completed. ( error -1.)
when a bash script is trying to run the following command:
xcrun altool --notarize-app --primary-bundle-id "com.xxxxxxxxxxx" --username "$AC_USERNAME" --password "@keychain:AC_PASSWORD" --file ./build/xxxxxxxxx.dmg
This happens after the driver is signed and the installer is signed and a bunch of things have already worked that involve accessing the keychain and code signing working correctly. The command to perform the notarization is in a bash script. The bash script that is failing was working recently and still works just fine if I run it from a local terminal session on the build machine. The .dmg gets notarized successfully.
When I interactively log in to that computer using ssh and attempt to run the command (copied right out of the script), I get an error that says:
2020-07-17 15:16:07.499 altool[2082:27150] *** Error: User interaction is not allowed.
In the past when I have seen this it is because the tool isn't able to pull something out of the keychain. So I would assume the problem would have to do with pulling AC_PASSWORD out of the keychain. The access control for this item was set to allow "security" and "altool" in Keychain Access. Sometimes in the past I have seen this fail because a system update caused the access control to no longer recognize the app that is trying to access the item. So I went into Keychain Access and set the Access Control settings to allow any application to access the item. I know this is insecure, but it would have confirmed that I had the correct item and also that it was the access control settings that were causing the problem. Unfortunately, when I rerun the "xcrun altool --notarize-app" command from my ssh session, I get the same error ("User interaction is not allowed.").
What can I do to fix this?