SystemExtension is not getting activated - OSSystemExtensionErrorCodeSignatureInvalid = 8

Question

MohmadVasim OP

Created Jul ’22

Replies 3

Boosts 0

Views 1.3k

Participants 2

Hi, Greetings for the day,

We would like to update you that we have started facing one strange problem in macOS Monterey 12.4(M1&Intel) where our system extension is not getting activated, we are getting below error:

OSSystemExtensionErrorCodeSignatureInvalid = 8

However I would like to update you that same build is working in other Mac system without any error.

We have checked the code sign and notarisation of our system extension container app and found its code signed and notarised too.

/Applications/*.app: accepted

source=Notarized Developer ID

we would request to please help us to know why its getting triggered and how we can resolve it.

Thanks & Regards,

Mohmad Vasim

Boost

Answer 1

DTS Engineer OP

Apple

Jul ’22

I’d like to clarify what’s going on here. Reading your post it seems like:

You have built and notarised an app containing an Endpoint Security system extension.
On some macOS 12.4 systems your ES sysex fails to load with OSSystemExtensionErrorCodeSignatureInvalid.
On other systems it loads just fine.

Is that right? If so, how do the failing systems differ from the working systems? You’ve already said that the failing systems include both Intel and Apple silicon machines. Are these other differences? Are the working systems also running macOS 12.4? Do all the systems have SIP enabled?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

MohmadVasim OP

Jul ’22

Thanks for your quick response, Eskimo!

Is that right? If so, how do the failing systems differ from the working systems? You’ve already said that the failing systems include both Intel and Apple silicon machines. Are these other differences?

Yes, you are correct. There is no other difference we found. we just know that its fresh partition where its failing.

Are the working systems also running macOS 12.4?

yes. its correct.

Do all the systems have SIP enabled?

Yes, SIP is enabled in all system.

We are trying to find the problem but we don't know how to proceed.

I hope when we are trying to install System Extension, OS internally checks notarisation status of extension using Apple Server and if it gets failed then it returns

OSSystemExtensionErrorCodeSignatureInvalid

so is there any server that we can check its ping-able/reachable or not in affected machine or there is any log that will help us to know the problem.

Thanks & Regards,

Mohmad Vasim

0

Answer 3

DTS Engineer OP

Apple

Jul ’22

There is no other difference we found. we just know that its fresh partition where its failing.

OK. My advice on this front is that you test on a VM. You can then restore you VM to a ‘clean’ snapshot between each test. That ensures that you’re always starting from a fresh Mac, one that’s never seen your product before.

I go into this more in Testing a Notarised Product.

OS internally checks notarisation status of extension using Apple Server

Hitting the network is only necessary if you haven’t stapled the notarised ticket onto your product.

IMPORTANT I recommend that you notarise your outmost container and then staple to the outmost container that supports stapling. For specific advice, see Packaging Mac Software for Distribution.

so is there any server that we can check its ping-able/reachable

You can use stapler to do this, with the validate subcommand. If you add the -v option, stapler will show details about what it’s doing behind the scenes. See the stapler man page for more details.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0