Kext loads on OS X v10.11 but not on macOS Sierra

If you have a signed kernel extension that loads fine on El Capitan but not on Sierra, check if it has both 32-bit and 64-bit slices. The file command will return something like:


$ file MyKext.kext/Contents/MacOS/MyKext
MyKext.kext/Contents/MacOS/MyKext: Mach-O universal binary with 2 architectures
MyKext.kext/Contents/MacOS/MyKext (for architecture x86_64): Mach-O 64-bit kext bundle x86_64
MyKext.kext/Contents/MacOS/MyKext (for architecture i386): Mach-O object i386


When the 64-bit kernel was announced, the WWDC session pointed out that such kexts were not supported and two kexts should be shipped instead.


Now that strict code signing validation is being done on kexts, these unsupported kexts will fail signature verification.


The solution is to either remove the 32-bit slice, or, if you still need to support Macs that can only run the 32-bit kernel, split the kext into two separate kexts and sign the 64-bit version.


--gc

Up vote post of gc. Down vote post of gc.
5.5k views
Posted by
gc.
Reply
Add a Comment

Replies

FYI, I noticed a similar issue, but the problem was specifically due to the presence of additional files under Contents/_CodeSignature in the kext bundle:


CodeDirectory, CodeRequirements, and CodeSignature.


With these files under 10.12, kextutil -t reported a code-signing error. Earlier versions of OS X could load the kext without issue.


Removing these files such that only the CodeResources file remained allowed the kext to load on 10.12.

Posted by
scrod
Up vote reply of scrod Down vote reply of scrod
Add a Comment