macOS Mojave, kextload, 18215

Is there a new bug/feature in macOS Mojave when it comes to loading signed kernel extensions?


I'm getting a 18215 error when kextloading a signed kernel extension. Yes, the Developer ID is enabled for Kext. And the same kext loads fine on OS X 10.10.5 for instance.


When I run a kextutil -l -v 6 on this kernel extensio, I'm being told that:


"/blah/blah/blah.kext does not appear in strict exception list for architecture: x86_64"

"Untrusted kexts are not allowed"

"Kext with invalid signature (-67007) denied: /blah/blah/blah.kext


Question:


Is this a bug in macOS Mojave WWDC seed? Or has something changed?

Up vote post of tartempion Down vote post of tartempion
4.5k views
Posted by
tartempion
Reply
Add a Comment

Accepted Reply

Error -670007 is 

errSecCSWeakResourceEnvelope
, which translates to “resource envelope is obsolete (version 1 signature)”. Technote 2206 macOS Code Signing In Depth discusses this code signing version change, albeit in the context of user space code rather than KEXTs.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

Maybe this is related to the problems others are having with VirtualBox in macOS 10.14: https://forums.developer.apple.com/thread/104184

Posted by
TheCD
Up vote reply of TheCD Down vote reply of TheCD
Add a Comment

Error -670007 is 

errSecCSWeakResourceEnvelope
, which translates to “resource envelope is obsolete (version 1 signature)”. Technote 2206 macOS Code Signing In Depth discusses this code signing version change, albeit in the context of user space code rather than KEXTs.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

The kext was built on 10.8.5. So yes, the envelope was probably obsolete.

Posted by
tartempion
Up vote reply of tartempion Down vote reply of tartempion
Add a Comment

It's not. Its a different issue with similar symptoms, but a different error message altogether. That said, a working fix has been written for Virtualbox and is in testing now.

Posted by
IPv6Freely
Up vote reply of IPv6Freely Down vote reply of IPv6Freely
Add a Comment