Kext with invalid signature (-67050) denied

Hi,


we have a KEXT-enabled Developer ID which we are using for code signing and I have verified that the certificate contains the 1.2.840.113635.100.6.1.18 extension required. However, kextutil -tn still shows:


Untrusted kexts are not allowed
Kext with invalid signature (-67050) denied: /Library/StagedExtensions/Library/Extensions/A0587A5A-52FC-46DC-832E-81919195902C.kext

After signing, I also extracted the signature using the instructions here to verify that the correct kext-enabled Developer ID certificate was used during the signing process.


I have "Apple Worldwide Developer Relations Certification Authority" and "Developer ID Certification Authority" certs in both the login and System keychains.


Where do I go from here?


Thanks!
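The post above says the signature was extracted to confirm which certificate signed the kext. The script below is an added example for that verification step (it is not from the original post, Apple, or any project): it walks the DER of a certificate written by `codesign -d --extract-certificates MyKext.kext` (codesign0 is the leaf certificate) and reports whether the 1.2.840.113635.100.6.1.18 extension is present. The embedded sample is a constructed X.509 Extensions SEQUENCE, not a real Developer ID certificate, and the file name `check_kext_cert.py` is assumed.

```python
#!/usr/bin/env python3
"""Check a DER certificate for Apple's kext-signing extension OID.

Added example, not code from the original post. Intended input is the
codesign0 file produced by `codesign -d --extract-certificates`. A small
DER walker is enough, so no third-party ASN.1 library is required.
"""
import sys

# OID named in the original post as the extension a kext-enabled
# Developer ID certificate must carry.
KEXT_SIGNING_OID = "1.2.840.113635.100.6.1.18"

TAG_OID = 0x06
TAG_CONSTRUCTED = 0x20

# Constructed sample: an Extensions SEQUENCE holding keyUsage (2.5.29.15)
# and the kext-signing extension. Not a real certificate.
SAMPLE_EXTENSIONS_DER = bytes.fromhex(
    "3022"
    "300e0603551d0f0101ff0404030205a0"          # keyUsage, critical
    "3010060a2a864886f7636406011204020500"      # 1.2.840.113635.100.6.1.18
)


def _read_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form
        return first, pos
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or pos + n > len(buf):
        raise ValueError("indefinite or truncated length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)  # base-128; high bit = more follows
        if b & 0x80:
            continue
        if not arcs:
            # First sub-identifier packs the first two arcs as 40*X + Y;
            # X is 0 or 1 below 80, otherwise 2.
            first = 2 if value >= 80 else value // 40
            arcs.extend((first, value - 40 * first))
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def walk_oids(buf, pos=0, end=None):
    """Yield every OID in a DER structure, depth-first.

    Primitive strings (OCTET STRING, BIT STRING) are not descended into,
    so an OID-like byte pattern inside an extension value or a key is not
    reported; the extnID of each X.509 extension sits outside its OCTET
    STRING value and is.
    """
    end = len(buf) if end is None else end
    while pos < end:
        tag = buf[pos]
        pos += 1
        if (tag & 0x1F) == 0x1F:
            raise ValueError("multi-byte tag numbers are not used in X.509")
        length, pos = _read_length(buf, pos)
        if pos + length > end:
            raise ValueError("element overruns its enclosing structure")
        if tag & TAG_CONSTRUCTED:
            yield from walk_oids(buf, pos, pos + length)
        elif tag == TAG_OID:
            yield _decode_oid(buf[pos:pos + length])
        pos += length


def has_kext_extension(der):
    """True if the DER blob carries 1.2.840.113635.100.6.1.18 as an OID."""
    return KEXT_SIGNING_OID in set(walk_oids(der))


if __name__ == "__main__":
    # Usage: python3 check_kext_cert.py codesign0 [codesign1 ...]
    # With no arguments, the constructed sample is checked instead.
    inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
             [("<constructed sample>", SAMPLE_EXTENSIONS_DER)]
    for name, data in inputs:
        verdict = "kext-enabled" if has_kext_extension(data) else "NOT kext-enabled"
        print(f"{name}: {verdict}")
```

A certificate that passes this check and a kext that is still denied with "Untrusted kexts are not allowed" points away from the signing identity and toward system policy, which is the case this thread ends up describing; the check says nothing about whether the user has approved the kext.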

Accepted Reply

I've figured it out. Turns out kexts are now denied by default -- even those signed with a valid kext-enabled Dev. ID certificate (which we have). The solution is described in this tech note:


https://developer.apple.com/library/archive/technotes/tn2459/_index.html


The first time an attempt is made to load the kext, macOS should present the user with a popup informing them that it was blocked. The user then needs to go to System Preferences > Security & Privacy in order to approve the kext. Note that the approval needs to happen within 30 minutes of the load attempt or it will disappear. Subsequent load attempts will be rejected silently but will reactivate the prompt within "Security & Privacy" -- giving the user another chance to approve the kext.


It would be helpful if the kextutil error message includes a hint to check for authorisation in "Security & Privacy" instead of just throwing an "invalid signature" error. In fact, it's quite misleading in this instance as the signature itself is valid but it's system policy which prevents loading until authorisation is granted.

Replies

It’s good to hear that you got this sorted.

You wrote:

    It would be helpful if the kextutil error message includes a hint to check for authorisation in "Security & Privacy" instead of just throwing an "invalid signature" error.

Quite. The best way to get this feedback to the folks who maintain this code is to file an enhancement request against kextutil. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

Since I'm experiencing the exact same issue, I thought it would be okay to tag onto this post...

So for brevity, 'ditto' on pradippradip's original post.


I'm also able to reproduce this with a VM running 10.14.5.

The odd thing is, if the postinstall script fails because of this reason, then the user sees the yellow triangle warning that their installation failed.


Running the kextutil -nt command, the results are a bit strange in that the output mentions a different kext file from the kext I'm inspecting. And by other, I don't mean the one copied to the staging folder. I'm referring to a kext on my machine dated back to 2014 that is for USB functionality (AX88179_178A.kext).


The output is as follows. The bolded text is my confusion. Why would the kextutil -nt command try to stage a different kext file unrelated to my mykext.kext?

Has anyone else seen this?


/Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext does not appear in strict exception list for architecture: x86_64
Untrusted kexts are not allowed
Kext with invalid signature (-67007) denied: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
Bundle (/Library/Extensions/AX88179_178A.kext) failed to validate, deleting: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
Unable to stage kext (/Library/Extensions/AX88179_178A.kext)to secure location.
Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
Diagnostics for /private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A Document Being Saved By XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext:

I have the same issue. I tried signing my Kext in different ways without success. When I try to load it I get:

$ sudo kextutil HoRNDIS.kext
Cache file /System/Library/Caches/com.apple.kext.caches/Directories/Library/Extensions/KextIdentifiers.plist.gz is out of date; not using.
Untrusted kexts are not allowed
Kext with invalid signature (-67050) denied: /private/var/db/KernelExtensionManagement/Staging/tmp.B2k1Xn/7E103599-AA3D-47F2-821A-B74BB1CEE61F.kext
Bundle (/Library/Extensions/HoRNDIS.kext) failed to validate, deleting: /private/var/db/KernelExtensionManagement/Staging/tmp.B2k1Xn/7E103599-AA3D-47F2-821A-B74BB1CEE61F.kext
Unable to stage kext (/Library/Extensions/HoRNDIS.kext) to secure location.

Nothing shows up on Security and Privacy in System Preferences.

The two most common issues here are:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"