SystemExtension is not getting activated - OSSystemExtensionErrorCodeSignatureInvalid = 8

Hi, Greetings for the day,

We would like to update you that we have started facing one strange problem in macOS Monterey 12.4(M1&Intel) where our system extension is not getting activated, we are getting below error:

OSSystemExtensionErrorCodeSignatureInvalid = 8

However I would like to update you that same build is working in other Mac system without any error.

We have checked the code sign and notarisation of our system extension container app and found its code signed and notarised too.

/Applications/*.app: accepted

source=Notarized Developer ID

we would request to please help us to know why its getting triggered and how we can resolve it.

Thanks & Regards,

Mohmad Vasim

Up vote post of MohmadVasim Down vote post of MohmadVasim
1.1k views
Posted by
MohmadVasim
Reply
Add a Comment

Replies

I’d like to clarify what’s going on here. Reading your post it seems like:

  • You have built and notarised an app containing an Endpoint Security system extension.

  • On some macOS 12.4 systems your ES sysex fails to load with OSSystemExtensionErrorCodeSignatureInvalid.

  • On other systems it loads just fine.

Is that right? If so, how do the failing systems differ from the working systems? You’ve already said that the failing systems include both Intel and Apple silicon machines. Are these other differences? Are the working systems also running macOS 12.4? Do all the systems have SIP enabled?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks for your quick response, Eskimo!

Is that right? If so, how do the failing systems differ from the working systems? You’ve already said that the failing systems include both Intel and Apple silicon machines. Are these other differences?

Yes, you are correct. There is no other difference we found. we just know that its fresh partition where its failing.

Are the working systems also running macOS 12.4?

yes. its correct.

Do all the systems have SIP enabled?

Yes, SIP is enabled in all system.

We are trying to find the problem but we don't know how to proceed.

I hope when we are trying to install System Extension, OS internally checks notarisation status of extension using Apple Server and if it gets failed then it returns

OSSystemExtensionErrorCodeSignatureInvalid

so is there any server that we can check its ping-able/reachable or not in affected machine or there is any log that will help us to know the problem.

Thanks & Regards,

Mohmad Vasim

Posted by
MohmadVasim
Up vote reply of MohmadVasim Down vote reply of MohmadVasim
Add a Comment

There is no other difference we found. we just know that its fresh partition where its failing.

OK. My advice on this front is that you test on a VM. You can then restore you VM to a ‘clean’ snapshot between each test. That ensures that you’re always starting from a fresh Mac, one that’s never seen your product before.

I go into this more in Testing a Notarised Product.

OS internally checks notarisation status of extension using Apple Server

Hitting the network is only necessary if you haven’t stapled the notarised ticket onto your product.

IMPORTANT I recommend that you notarise your outmost container and then staple to the outmost container that supports stapling. For specific advice, see Packaging Mac Software for Distribution.

so is there any server that we can check its ping-able/reachable

You can use stapler to do this, with the validate subcommand. If you add the -v option, stapler will show details about what it’s doing behind the scenes. See the stapler man page for more details.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment