9 Replies
      Latest reply on Apr 26, 2018 9:53 AM by avighnash
      ISL Korea Level 1 (0 points)

        We have a certificate kext.

        Developer ID

        "Sign versions of your Mac application, Mac kernel extension and Mac Installer Package for distribution outside of the Mac App Store."

         

        but

        sudo kextutil BignoteHID.kext

        => Code Signing Failure: code signature is invalid

         

        How do we code sign a kext?

        • Re: kext code signature is invalid
          eskimo Apple Staff (13,905 points)

          Has your Developer ID been enabled for KEXT development?  To determine if that's the case, look in the certificate for a custom extension with OID 1.2.840.113635.100.6.1.18.  If it's present, you're all set.

          If not, you’ll have to apply for this.  You can find details for how to do that in the link on the Developer ID page.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
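One way to run the check described in the reply above, as an added example that is not part of the original post or of Apple's tooling: a small DER walker that lists the extension OIDs of an exported certificate and tests for 1.2.840.113635.100.6.1.18. The helper names and the skeleton sample certificate are constructed for illustration; a real input would be the DER bytes of the exported Developer ID certificate.

```python
KEXT_OID = "1.2.840.113635.100.6.1.18"      # OID named in the reply above

def read_tlv(buf, pos):                     # -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):              # elements inside one constructed value
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    subs, val = [], 0
    for b in body:                          # base-128; high bit set means more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)           # the first two arcs share one subidentifier
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def extension_oids(cert_der):
    _, s, _ = read_tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    _, ts, te = read_tlv(cert_der, s)       # tbsCertificate ::= SEQUENCE
    for tag, vs, _ in children(cert_der, ts, te):
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            _, xs, xe = read_tlv(cert_der, vs)
            ids = (read_tlv(cert_der, es) for _, es, _ in children(cert_der, xs, xe))
            return [decode_oid(cert_der[o:e]) for t, o, e in ids if t == 0x06]
    return []                               # v1 certificate or no extensions

def is_kext_enabled(cert_der):
    return KEXT_OID in extension_oids(cert_der)

# Constructed skeleton, NOT a real certificate: empty placeholder fields, short lengths only.
def tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body
def sample_cert(ext_oid_bodies):
    exts = [tlv(0x30, tlv(0x06, o), tlv(0x04, b"\x05\x00")) for o in ext_oid_bodies]
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              *[tlv(0x30)] * 5, tlv(0xA3, tlv(0x30, *exts)))
    return tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00"))
SAMPLE = sample_cert([bytes.fromhex("2a864886f76364060112"), bytes.fromhex("551d13")])
```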

            • Re: kext code signature is invalid
              bjb Level 1 (0 points)

              Our signing certificate is Kext enabled, and our kext that is installed in /Library/Extensions (and has a valid signature on all OSes 10.11.3 and older) is now failing on the 10.11.4 beta:

               

              $ sudo kextutil -n -t -v 6 -b com.mhlabs.driver.MobileIOAudioDriver.10.9

              Password:

              Kext user-space log filter changed from 0xff2 to 0xfff.

              Kext kernel-space log filter changed from 0xff2 to 0xfff.

              Kext library architecture set to x86_64.

              Can't stat /AppleInternal - No such file or directory.

              Defaulting to kernel file '/System/Library/Kernels/kernel'

              Kext library recording diagnostics for: validation authentication dependencies warnings.

              Diagnostics for /Library/Extensions/MobileIODriver_10_9.kext:

              Code Signing Failure: code signature is invalid

              /Library/Extensions/MobileIODriver_10_9.kext appears to be loadable (including linkage for on-disk libraries).

               

              Any ideas? Is this simply a regression in the beta, or is this indicative of some problem in our signing process (we currently sign on 10.8.5)?

                • Re: kext code signature is invalid
                  bjb Level 1 (0 points)

                  FWIW, our customer filed a Radar about this: 24219684

                    • Re: kext code signature is invalid
                      eskimo Apple Staff (13,905 points)

                      FWIW, our customer filed a Radar about this: 24219684

                      That’s the correct response to issues like this.  The reason why we seed OS releases is so that folks can test on them and file bugs if we’ve broken something significant, which certainly looks to be the case here )-:

                      Share and Enjoy

                      Quinn “The Eskimo!”
                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                      let myEmail = "eskimo" + "1" + "@apple.com"

                        • Re: kext code signature is invalid
                          trolli Level 1 (0 points)

                          Hi.

                          I have a similar issue with Symantec Endpoint Protection, which I had to update for 10.11.4 Beta.

                          Just to be sure it's not an issue on my side, so I can wait for the next beta version.

                           

                          19/01/16 16:03:20.084 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.internetSecurity, will not load

                          19/01/16 16:03:20.448 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.ips, will not load

                          19/01/16 16:03:20.966 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.ips, will not load

                          19/01/16 16:03:24.045 com.apple.xpc.launchd[1]: (com.symantec.uiagent.application) This service is defined to be constantly running and is inherently inefficient.

                          19/01/16 16:03:41.063 SymDaemon[80]: Loading Signed version of Kext in 10.9 OS X: /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext

                          19/01/16 16:03:42.749 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

                          19/01/16 16:03:42.776 SymDaemon[80]: Loading Signed version of Kext in 10.9 OS X: /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext

                          19/01/16 16:03:43.317 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

                          19/01/16 16:03:44.333 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.ips, will not load

                          19/01/16 16:03:44.953 SymDaemon[80]: Loading Signed version of Kext in 10.9 OS X: /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext

                          19/01/16 16:03:45.477 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

                          19/01/16 16:03:45.493 SymDaemon[80]: Loading Signed version of Kext in 10.9 OS X: /Library/Application Support/Symantec/AntiVirus/Signed/SymAPComm.kext

                          19/01/16 16:03:45.869 com.apple.kextd[47]: ERROR: invalid signature for com.symantec.kext.SymAPComm, will not load

                    • Re: kext code signature is invalid
                      avighnash Level 1 (0 points)

                      Hi, is this (code signing) still required for 10.13.xx for kext being developed as a prototype/internal use? If so, how do I get it? The page doesn't allow the request to be submitted for testing/personal use.

                    • Re: kext code signature is invalid
                      jimw.ua Level 1 (0 points)

                      We are seeing the same issue with our UAD-2 system driver.  I filed a bug about it, radar: 24270565.

                       

                      I looked into it, and the problem appears to be that we are code signing everything on our build machine which is running OS X 10.8.  Ideally we’d be running a later OS, but suffice it to say there are reasons we can’t do that right now.  Codesigning on 10.8 results in a “v1 resource envelope”, which is technically obsolete and results in “codesign --verify -vvvv <path to kext>” reporting it as such.  However, the kext has always actually loaded fine on all systems prior to this 10.11.4 beta, and “kextutil -nt” would not report any issues.  But on the 10.11.4 beta, “kextutil -nt” now reports that the code signature is invalid, and won’t load the kext.  I manually re-signed the kext on my 10.9.5 system, and now the kext loads fine on the 10.11.4 system (code signing on 10.9.5 results in the v2 resource envelope getting generated in the signature).

                       

                      The v1 resource envelope was an issue for apps distributed through the app store, but not for software distributed outside the store, and as mentioned the kext has continued to load fine in all previous OS releases.

                       

                      Problem is we can’t easily update our build system to 10.9.5 at this point.  Is there any chance of getting the old behavior back in 10.11.4?  Clearly this issue is affecting others as mentioned in this thread, and probably several others that haven't been reported yet.

                       

                      Even if there was some specific note that this is going to change in the next OS release, that would give us some time to properly update our build system.
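The v1/v2 envelope difference described in the post above can be checked in a build pipeline before a kext ships. This added example (not from the thread or from Apple) walks a build output directory and classifies each bundle's seal, assuming the standard layout where the seal is the plist at Contents/_CodeSignature/CodeResources and a version 2 envelope adds files2 and rules2 dictionaries next to files and rules; the function names and the fixture are constructed.

```python
import os
import plistlib
import tempfile

def envelope_version(code_resources):
    """2 if the seal has files2/rules2, 1 if it has only files/rules, 0 if unreadable."""
    try:
        seal = plistlib.loads(code_resources)
    except Exception:                       # not a plist at all
        return 0
    if not isinstance(seal, dict):
        return 0
    if "files2" in seal and "rules2" in seal:
        return 2
    return 1 if "files" in seal and "rules" in seal else 0

def audit_tree(root):
    """Map every signed bundle under root (nested ones included) to its envelope version."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        if os.path.basename(dirpath) == "_CodeSignature" and "CodeResources" in filenames:
            bundle = os.path.dirname(os.path.dirname(dirpath))   # strip Contents/_CodeSignature
            with open(os.path.join(dirpath, "CodeResources"), "rb") as fh:
                report[os.path.relpath(bundle, root)] = envelope_version(fh.read())
    return report

def v1_only(report):
    """Bundles a release gate should refuse: no version 2 envelope found."""
    return sorted(b for b, v in report.items() if v < 2)

def make_sample_tree():
    """Constructed fixture: two fake kext bundles holding only a CodeResources plist."""
    root = tempfile.mkdtemp()
    v1 = {"files": {"Resources/a.plist": b"\x00" * 20}, "rules": {"^Resources/": True}}
    v2 = dict(v1, files2={"Resources/a.plist": {"hash": b"\x00" * 20}},
              rules2={"^Resources/": True})
    for name, seal in (("Old.kext", v1), ("New.kext", v2)):
        sig_dir = os.path.join(root, name, "Contents", "_CodeSignature")
        os.makedirs(sig_dir)
        with open(os.path.join(sig_dir, "CodeResources"), "wb") as fh:
            plistlib.dump(seal, fh)
    return root
```

Run `v1_only(audit_tree(build_dir))` after the signing step; a non-empty result means the bundle was sealed by a signer that only writes the version 1 envelope.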