Posts

Post marked as solved
5 Replies
Hi,

Since I'm experiencing the exact same issue, I thought it would be okay to tag onto this post... So for brevity, 'ditto' on pradippradip's original post.

I'm also able to reproduce this with a VM running 10.14.5. The odd thing is, if the postinstall script fails because of this reason, then the user sees the yellow triangle warning that their installation failed.

Running the kextutil -nt command, the results are a bit strange in that the output mentions a different kext file other than the kext I'm inspecting. And by other, I don't mean the one copied to the staging folder. I'm referring to a kext on my machine dated back to 2014 that is for USB functionality (AX88179_178A.kext). The output is as follows. The bolded text is my confusion. Why would the kextutil -nt command try to stage a different kext file unrelated to my mykext.kext? Has anyone else seen this?

/Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext does not appear in strict exception list for architecture: x86_64
Untrusted kexts are not allowed
Kext with invalid signature (-67007) denied: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
Bundle (/Library/Extensions/AX88179_178A.kext) failed to validate, deleting: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
Unable to stage kext (/Library/Extensions/AX88179_178A.kext)to secure location.
Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
Diagnostics for /private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A Document Being Saved By XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext:
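An added example, not part of the post above and not part of kextutil: a small POSIX shell triage of `kextutil -nt` output that ties each message to the bundle it is about. The output quoted above shows what makes it hard to read: kextutil validates a copy of the kext placed under /Library/StagedExtensions and named by a UUID, and its messages name sometimes that copy and sometimes the original bundle. The sample log is constructed from the lines quoted in the post, with the per-user temporary directory name shortened; the "temporary location" test is a heuristic of this example, not a kextutil rule.

```shell
#!/bin/sh
# Added example (not from the post, not part of kextutil): triage `kextutil -nt`
# output so that each message is tied to the bundle it is about. kextutil
# validates a *copy* of the kext under /Library/StagedExtensions, named by a
# UUID, and its messages name sometimes the copy and sometimes the original.
#
# Constructed sample: the messages quoted in the post above, one per line,
# with the per-user temporary directory name shortened to ".../vq/xx/T".
KEXTUTIL_LOG='/Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext does not appear in strict exception list for architecture: x86_64
Untrusted kexts are not allowed
Kext with invalid signature (-67007) denied: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
Bundle (/Library/Extensions/AX88179_178A.kext) failed to validate, deleting: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
Unable to stage kext (/Library/Extensions/AX88179_178A.kext)to secure location.
Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/xx/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/xx/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }'

# "Bundle (<original>) failed to validate, deleting: <staging copy>" is the one
# message that names both; print "original -> staging copy" for each.
staged_copies() {
    printf '%s\n' "$1" |
        sed -n 's/^Bundle (\(.*\)) failed to validate, deleting: \(.*\)$/\1 -> \2/p'
}

# "Kext rejected due to system policy" lines carry the bundle ID and a file:
# URL of the staging copy; print "ID path" with %20 decoded, once per kext
# (kextutil repeats the message).
policy_rejections() {
    printf '%s\n' "$1" |
        sed -n 's/^Kext rejected due to system policy:.*URL = "file:\/\/\([^"]*\)", ID = "\([^"]*\)".*$/\2 \1/p' |
        sed 's/%20/ /g' | sort -u
}

# Heuristic of this example, not a kextutil rule: a rejected kext whose
# (mirrored) path lies in the per-user temporary tree /private/var/folders/
# was validated from a build or temporary location, not from an installed one.
temporary_location_rejections() {
    policy_rejections "$1" | awk '
        { path = $0; sub(/^[^ ]+ /, "", path)
          if (path ~ /\/private\/var\/folders\//) print path }'
}

# Messages that name only the staging copy (signature denied, not in the
# exception list) can be mapped back to the original through staged_copies.
origin_of_staged() {
    # $1 = log text, $2 = staging copy path
    staged_copies "$1" | awk -F' -> ' -v staged="$2" '$2 == staged { print $1 }'
}

# Stand-alone use: `kextutil -nt /path/to/mykext.kext 2>&1 | sh triage.sh -`;
# with no argument the constructed sample above is used.
log=$KEXTUTIL_LOG
if [ -n "${1:-}" ]; then log=$(cat "$1"); fi
echo "== originals and their staging copies"; staged_copies "$log"
echo "== kexts rejected by system policy (ID, decoded path)"; policy_rejections "$log"
echo "== rejected from a temporary/build location"; temporary_location_rejections "$log"
```

Run against the sample, the first section shows that the UUID-named copy the "invalid signature" and "strict exception list" lines complain about is the staging copy of /Library/Extensions/AX88179_178A.kext, and the last section shows that the only kext rejected by policy, com.my.company, was validated from a path under the per-user temporary tree rather than from an installed location.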
Post not yet marked as solved
17 Replies
On this page, in the Stapler section near the bottom of the page, it states,

"While you can notarize a ZIP archive, you can’t staple to it directly. Instead, run stapler against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution. Although tickets are created for standalone binaries, it’s not currently possible to staple tickets to them."

Does that also apply to a flat PKG installer? I was under the impression that simply stapling the notarized .PKG would also take care of the .app bundle located inside the Payload as well as other items packaged inside (kext for example). Or, will I need to:

- unpack the .PKG
- unpack the Payload
- staple the .app bundle
- staple the kext
- re-pack the Payload
- re-pack the PKG
- re-notarize the PKG (because the hash changed)
- then finally, staple the PKG?

Please tell me this is not the case.

I notarized and stapled our PKG. Tested it on a machine running 10.14.4, and shortly after a successful installation, we see the "System Extension Blocked" dialog, with a choice of "Open Security Preferences" or "OK". Is this the correct behavior, or is this a product of not notarizing and stapling the internals of the PKG? And by behavior, I mean is the user required to click "Allow" in the Security section, or are they not even supposed to be challenged by installing a properly signed kext, notarized and stapled?

[EDIT] This thread (the original thread you referred me to in my first post), which I think (according to the accepted answer) means that I do not have to manually notarize and staple the internals of the pkg installer. However, other posts suggest, as of only two days ago, that I may indeed need to unpack to manually notarize and staple pkg internals. This one too.

Please advise.

Thank you kindly
Post not yet marked as solved
5 Replies
Same here...Following for a workaround.
Post not yet marked as solved
17 Replies
Another question please: For an app distributed outside the App Store via pkg, do I have to re-notarize and re-staple for each new release, no matter how small the change?
Post not yet marked as solved
17 Replies
Referring to my original statement, "...crash on launch with an error, 'code signature invalid'."

eskimo said, "Is this when you install it from the .pkg? Or after doing the whole unzip-staple-rezip thing?"

This only happens when I install it from the .pkg. I've not yet tried zip.

A little more information regarding the crash on launch: after I enable hardened runtime, sign kext and .app, and launch the .app before creating the pkg, the app crashes. Naturally, installing the app via the pkg then launching also crashes.

I am signing the kext and .app with the same Developer ID Certificate (kext). That should work, correct?
Post not yet marked as solved
17 Replies
From the first post to the last, this info has helped me greatly. Thank you.

A few more questions please:

If I notarize a pkg, does the notary service handle notarizing all internal tools and frameworks?

When I staple the .pkg, do all internal tools and frameworks also get stapled?

If I notarize (upload via xcrun altool) a compressed .zip containing my kext and .app, do I staple the items inside the .zip or can I staple the original items prior to compressing, so long as they're precisely the same hash?

I'm simply wondering if using a .zip file for sending items to the notary is a better choice than sending the pkg installer. That way I can staple the kext and .app individually. I mention this because after hardening the .app and kext (Developer ID Cert with Kext), notarizing, and stapling, the app crashes on launch with an error, 'code signature invalid'.

Any insight will be greatly appreciated.

Thank you!
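The pkg-versus-zip stapling question, the "code signature invalid" crash after enabling the hardened runtime, and the question of whether a package's contents are covered when the package is stapled all come down to the same checks on the built artifacts. The script below is an added example, not code from this thread and not Apple's; it runs the macOS command-line tools (codesign, spctl, xcrun stapler, kextutil, pkgutil) with their documented flags and reports a check as skipped on a machine without them. The classification of what stapler can attach a ticket to follows the Apple text quoted in the earlier post (ZIP archives and standalone binaries cannot be stapled). The reason each inner item is checked separately is that stapler attaches a ticket only to the item it is run on, so `xcrun stapler validate` on the .app or .kext inside an expanded package shows whether that item carries its own ticket. File names such as build/MyInstaller.pkg, My.app and mykext.kext are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: a pre-ship check for a
# Developer ID app/kext/pkg build. classify_item, find_stapleable and the two
# codesign-output helpers are plain POSIX shell; the checks themselves call the
# macOS tools with their documented flags and are skipped when a tool is absent.
# Paths such as build/MyInstaller.pkg are hypothetical.

# What a notarization ticket can be stapled to. Per the Apple text quoted
# above, a ZIP archive and a standalone binary cannot be stapled; the archive's
# contents are stapled first and the archive is then re-created.
classify_item() {
    case "$1" in
        *.app|*.kext|*.pkg|*.dmg) echo stapleable ;;
        *.zip) echo "archive: staple the items inside, then re-zip" ;;
        *) echo "not stapleable (e.g. a bare executable)" ;;
    esac
}

# Top-level bundles and packages under a directory, for example the output of
# `pkgutil --expand-full MyInstaller.pkg out` (which also expands the Payload).
# Bundles are directories, so they are pruned: stapler is run on the enclosing
# .app or .kext, not on the helpers nested inside it.
find_stapleable() {
    find "$1" \( -type d \( -name '*.app' -o -name '*.kext' \) -prune -print \) \
        -o \( -type f \( -name '*.pkg' -o -name '*.dmg' \) -print \) | sort
}

# Flags field of `codesign -dv` output (it is on the CodeDirectory line); the
# hardened runtime shows up as "runtime" in it, e.g. flags=0x10000(runtime).
codesign_flags() {
    sed -n 's/^CodeDirectory .*\(flags=[^ ]*\).*$/\1/p'
}

# Exit status 0 when the `codesign -dv` output on stdin shows the hardened runtime.
has_hardened_runtime() {
    codesign_flags | grep -q 'runtime'
}

# $1 = label, rest = command. Runs the command if its tool exists, else says so.
run_or_skip() {
    label=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 | sed "s/^/  $label: /"
    else
        echo "  $label: skipped ($1 not found)"
    fi
}

check_item() {
    item=$1
    echo "== $item: $(classify_item "$item")"
    # Signature of the item and of everything nested in it, with strict validation.
    run_or_skip codesign codesign --verify --deep --strict --verbose=2 "$item"
    # The hardened runtime flag the posts above switch on.
    if command -v codesign >/dev/null 2>&1; then
        if codesign -dv "$item" 2>&1 | has_hardened_runtime; then
            echo "  hardened runtime: enabled"
        else
            echo "  hardened runtime: NOT enabled ($(codesign -dv "$item" 2>&1 | codesign_flags))"
        fi
    fi
    # Is a ticket stapled to this item? (validate is read-only; it does not staple.)
    run_or_skip stapler xcrun stapler validate "$item"
    # Gatekeeper's verdict: install policy for packages, exec policy for apps;
    # kexts are dry-run loaded with kextutil -nt, as in the thread.
    case "$item" in
        *.pkg) run_or_skip spctl spctl --assess --type install -vv "$item" ;;
        *.app) run_or_skip spctl spctl --assess --type exec -vv "$item" ;;
        *.kext) run_or_skip kextutil kextutil -nt "$item" ;;
    esac
}

# Stand-alone use: `sh check_dist.sh build/MyInstaller.pkg`. A package is
# checked itself and then expanded so every stapleable item inside it is checked too.
if [ -n "${1:-}" ]; then
    check_item "$1"
    case "$1" in
        *.pkg)
            if command -v pkgutil >/dev/null 2>&1; then
                out=$(mktemp -d)
                pkgutil --expand-full "$1" "$out/expanded" >/dev/null
                find_stapleable "$out/expanded" | while read -r inner; do
                    check_item "$inner"
                done
                rm -rf "$out"
            fi ;;
    esac
fi
```

Read the output from the bottom up: a failing `codesign --verify --strict` on the .app explains a "code signature invalid" launch failure regardless of notarization, the hardened runtime line confirms the flag actually made it into the build that was packaged, and a "skipped" or failing `stapler validate` on an inner item while the package itself validates shows that stapling the package did not attach a ticket to that item.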