System Extension Signature Problem

Even after disabling SIP and while loading a DriverKit driver signed with a local certificate, I get the error

"Kext signature validation error code -67050"

The package is not notarized, which according to the docs is not necessary if SIP is disabled.

What could be going wrong?

I do not yet have the DriverKit entitlement and got around the build issues by following the suggestions in this post. The post suggests:

you just need to create an App ID with the "system extension" capability, create a corresponding development profile in your developer account, import that onto your dev & test machines and then sign using that profile.

While this gets around the build issue, unfortunately the driver cannot be loaded, in spite of SIP being disabled.

Thanks in advance.

Replies

I think I have figured it out.

The reason the driver was not loading was because of incorrect values in IOKitPersonalities. Without realizing this mistake, I was looking everywhere and inevitably looked at the System Information -> Software -> Extensions section from where I got the above error message.

That error message is still valid -- it means that the driver is not signed and therefore cannot be loaded by the default kernel which has the protections in place.

However, in a kernel with SIP disabled, and with systemextensionsctl developer on, the driver will be loaded by the kernel upon demand (But it'll still show the above message in System Information -> Software -> Extensions panel).
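
One way to sanity-check the IOKitPersonalities values that the reply identifies as the cause, as an added example that is not code from the thread. The required-key list and the rule that CFBundleIdentifier and IOUserServerName equal the dext's bundle identifier are assumptions based on typical DriverKit personalities, the function name is hypothetical, and the sample plist is constructed.

```python
import plistlib

# Assumed checklist of keys a DriverKit personality normally carries (not from the thread).
REQUIRED_KEYS = ("CFBundleIdentifier", "IOClass", "IOProviderClass",
                 "IOUserClass", "IOUserServerName")

def lint_personalities(info_plist_bytes):
    """Return a list of problems found in the IOKitPersonalities of a built dext's Info.plist."""
    info = plistlib.loads(info_plist_bytes)
    bundle_id = info.get("CFBundleIdentifier")
    personalities = info.get("IOKitPersonalities")
    if not isinstance(personalities, dict) or not personalities:
        return ["IOKitPersonalities is missing or empty"]
    problems = []
    for name, p in personalities.items():
        if not isinstance(p, dict):
            problems.append(f"{name}: personality is not a dictionary")
            continue
        for key in REQUIRED_KEYS:
            value = p.get(key)
            if not isinstance(value, str) or not value.strip():
                problems.append(f"{name}: {key} is missing or empty")
            elif "$(" in value:
                # A built bundle should not still contain Xcode build variables.
                problems.append(f"{name}: {key} has unexpanded variable {value!r}")
            elif key in ("CFBundleIdentifier", "IOUserServerName") and value != bundle_id:
                problems.append(f"{name}: {key} {value!r} != bundle id {bundle_id!r}")
    return problems

# Constructed sample: empty IOProviderClass and a mismatched IOUserServerName.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.MyDriver</string>
  <key>IOKitPersonalities</key><dict>
    <key>MyDriver</key><dict>
      <key>CFBundleIdentifier</key><string>com.example.MyDriver</string>
      <key>IOClass</key><string>IOUserService</string>
      <key>IOProviderClass</key><string></string>
      <key>IOUserClass</key><string>MyDriver</string>
      <key>IOUserServerName</key><string>com.example.OtherDriver</string>
    </dict>
  </dict>
</dict></plist>"""

if __name__ == "__main__":
    for problem in lint_personalities(SAMPLE_INFO_PLIST):
        print(problem)
```
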