kext code signature is invalid

Has you Developer ID been enabled for KEXT development? To determine if that's the case, look in the certificate for a custom extension with OID 1.2.840.113635.100.6.1.18. If it's present, you're all set.

If not, you’ll have to apply for this. You can find details for how to do that in the link on the Developer ID page.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Our signing certificate is Kext enabled, and our kext that is installed in /Library/Extensions (and has a vaild signature on all OSes 10.11.3 and older) is now failing on the 10.11.4 beta:

$ sudo kextutil -n -t -v 6 -b com.mhlabs.driver.MobileIOAudioDriver.10.9

Password:

Kext user-space log filter changed from 0xff2 to 0xfff.

Kext kernel-space log filter changed from 0xff2 to 0xfff.

Kext library architecture set to x86_64.

Can't stat /AppleInternal - No such file or directory.

Defaulting to kernel file '/System/Library/Kernels/kernel'

Kext library recording diagnostics for: validation authentication dependencies warnings.

Diagnostics for /Library/Extensions/MobileIODriver_10_9.kext:

Code Signing Failure: code signature is invalid

/Library/Extensions/MobileIODriver_10_9.kext appears to be loadable (including linkage for on-disk libraries).

Any ideas? Is this a simply a regression in the beta, or is this indicative of some problem in our signing process (we currently sign on 10.8.5).

FWIW, our customer filed a Radar about this: 24219684

FWIW, our customer filed a Radar about this: 24219684

That’s the correct response to issues like this. The reason why we seed OS releases is so that folks can test on them and file bugs if we’ve broken something significant, which certainly looks to be the case here )-:

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi.

I have a similiar issue with Symantec Endpoint Protection, which I had to update for 10.11.4 Beta.

Just to be sure its not an issue on my side, so I can wait for next beta version.

19/01/16 16:03:20.084 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.internetSecurity, will not load

19/01/16 16:03:20.448 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.ips, will not load

19/01/16 16:03:20.966 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.ips, will not load

19/01/16 16:03:24.045 com.apple.xpc.launchd[1]: (com.symantec.uiagent.application) This service is defined to be constantly running and is inherently inefficient.

19/01/16 16:03:41.063 SymDaemon[80]: Loading Signed version of Kext in 10.9 OS X: /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext

19/01/16 16:03:42.749 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

19/01/16 16:03:42.776 SymDaemon[80]: Loading Signed version of Kext in 10.9 OS X: /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext

19/01/16 16:03:43.317 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

19/01/16 16:03:44.333 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.ips, will not load

19/01/16 16:03:44.953 SymDaemon[80]: Loading Signed version of Kext in 10.9 OS X: /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext

19/01/16 16:03:45.477 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

19/01/16 16:03:45.493 SymDaemon[80]: Loading Signed version of Kext in 10.9 OS X: /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext

19/01/16 16:03:45.869 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

We are seeing the same issue with our UAD-2 system driver. I filed a bug about it, radar: 24270565.

I looked into it, and the problem appears to be that we are code signing everything on our build machine which is running OS X 10.8. Ideally we’d be running a later OS, but suffice it to say there are reasons we can’t do that right now. Codesigning on 10.8 results in a “v1 resource envelope”, which is technically obsolete and results in "codesign --verify -vvvv <path to kext>” reporting it as such. However, the kext has always actually loaded fine on all systems prior to this 10.11.4 beta, and "kextutil -nt” would not report any issues. But on the 10.11.4 beta, "kextutil -nt” now reports that the code signature is invalid, and won’t load the kext. I manually re-signed the kext on my 10.9.5 system, and now the kext loads fine on the 10.11.4 system (code signing on 10.9.5 results in the v2 resource envelope getting generated in the signature).

The v1 resource envelope was an issue for apps distributed through the app store, but not for software distributed outside the store, and as mentioned the kext has continued to load fine in all previous OS releases.

Problem is we can’t easily update our build system to 10.9.5 at this point. Is there any chance of getting the old behavior back in 10.11.4? Clearly this issue is affecting others as mentioned in this thread, and probably several others that haven't been reported yet.

Even if there was some specific note that this is going to change in the next OS release, that would give us some time to properly update our build system.

Hi jimw.ua,

Is there any possibility that you can put the manually signed driver out somewhere? 🙂 I think that there are several people on the UADForum and on the beta 10.11.4 group that cannot use their UAD devices due to this change.

Thanks!

This issue appears to be fixed in the latest 10.11.4 beta. Thanks!

Hi, is this (code signing) still required for 10.13.xx for kext being developed as a prototype/internal use? If so, how do I get it? The page doesn't allow the request to be submitted for testing/personal use.