Problem getting kext signing activated

I've never developed a kext before, but we have some developers who are working on one, and I put in a request for kext signing on behalf of my company. The original request went in in early January. We got our first reply from Apple on January 25, asking for more information, which we provided. We heard nothing back, despite repeated inquiries, until we were approved on March 17.


Unfortunately, our developers are finding that they still cannot sign our kext, and our inquiries with Apple have led to only one response, directing us here. Subsequent inquiries have received no response.


Here's the message Apple sent us on approval:


Your request for a developer ID for kext signing has been processed and the kext signing attribute has been added to your Developer ID. If you have previously obtained a Developer ID for application signing, you will need to re-download your Developer ID to have the updated certificate.

The Team Agents for your teams can download the cert from the following page: <https://developer.apple.com/account/mac/certificate/distribution>

Apple recommends that you make use of KEXT Developer Mode rather than use your Developer ID certificate to sign drivers while they are under development. Ideally you should sign a driver using a Developer ID certificate only when it reaches its final stages of testing and is being evaluated for release to customers.

Thank you


We have followed these instructions, but are still unable to sign the kext. We are seeing the following error:


Diagnostics for FSObserver.kext:
Code Signing Failure: code signature is invalid


Is there any way that we can, in fact, verify whether our certificate actually has the kext signing attribute or not? And if it does not have that attribute, how can we escalate this issue with Apple? It's been 3 months, and we're going to need this very soon.

Replies

Is there any way that we can, in fact, verify whether our certificate actually has the kext signing attribute or not?

Yes. There’s actually a pinned post here on Core OS > Kernel that explains how to tell whether a KEXT is signed with a KEXT-enabled Developer ID.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Quinn,


The problem isn't that we aren't sure whether our kext is signed properly; the problem is that we're not able to sign our kext at all, despite having been told that the kext-signing attribute was added to our developer ID. Is there some way that we can independently verify whether our developer ID has that attribute? And if it doesn't, how do we escalate, since we're not getting any responses?

Is there some way that we can independently verify whether our developer ID has that attribute?

You need to view the Developer ID’s certificate and look for a certificate extension whose OID is 1.2.840.113635.100.6.1.18.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
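The check described in the reply above, as an added example that is not part of the original thread and not Apple's tooling: a standard-library Python script that walks the DER encoding of a certificate and lists its X.509 extension OIDs. It assumes the certificate was exported as a DER `.cer` file; the function names are hypothetical, and `sample_cert` builds a constructed skeleton rather than a real certificate.

```python
import sys

KEXT_OID = "1.2.840.113635.100.6.1.18"   # extension OID quoted in the thread

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):                      # contents of a constructed element -> [(tag, value)]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):
    arcs, n = [], 0
    for b in body:                        # base-128 digits, high bit marks continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)         # the first two arcs share one sub-identifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(der):
    """List the OIDs of the v3 extensions in a DER-encoded certificate."""
    tbs = children(read_tlv(der, 0)[1])[0][1]         # Certificate -> TBSCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            return [decode_oid(children(e)[0][1]) for _, e in children(children(val)[0][1])]
    return []

def _tlv(tag, body):                      # short-form encoder, used only for the sample
    return bytes([tag, len(body)]) + body

def sample_cert(last_arc):
    """Constructed skeleton (not a real certificate) with one 1.2.840.113635.100.6.1.<last_arc> extension."""
    oid = bytes.fromhex("2a864886f763640601") + bytes([last_arc])
    ext = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x04, b"\x05\x00"))
    return _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0xA3, _tlv(0x30, ext))))

if __name__ == "__main__":                # optional argument: path to an exported DER .cer file
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert(13)
    oids = extension_oids(raw)
    print(oids, "kext-signing extension present:", KEXT_OID in oids)
```

Run without arguments, it inspects the constructed sample carrying only the `.13` extension, which is the situation reported later in the thread.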

Nope, we definitely don't have one with that OID. This is in a freshly-downloaded copy of our developer ID certificate. The closest that I see is one with an OID of 1.2.840.113635.100.6.1.13.


I assume that that means that, despite apparently getting approved, our certificate has not been properly assigned the correct attribute.


How can we escalate this?

How can we escalate this?

You should escalate this by replying to the email that you got notifying you that your KEXT access was granted. Please Cc my individual account (it’s shown in my signature).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Okay, I'll try that again and copy you.


BTW, I've been around long enough to remember your name from the old days. Didn't know you'd found your way into the "mother ship!" 🙂


Thanks for your help!

Hi, eskimo

We have the same issue as above.

We have received Apple's approval by email, like this: "Your request for a developer ID for kext signing has been processed and the kext signing attribute has been added to your Developer ID..."

Then our Team Agent created a new Developer ID Application certificate, but the new Developer ID Application certificate does not have a certificate extension whose OID is 1.2.840.113635.100.6.1.18, and the closest that we see is one with an OID of 1.2.840.113635.100.6.1.13.

Could you help us to get the right certification with the OID (1.2.840.113635.100.6.1.18)?

Thanks.

Have done.

We have got the right certification.

And I have tested it; it works well.

Hi, eskimo


We have the same issue as above.

Could you help us to get the right certification with the OID (1.2.840.113635.100.6.1.18)?


Thanks.

We have the same issue as above.

Then my advice is the same as above (specifically, my 9 Apr 2017 post).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Ok, I have sent an email to the developer program support team and copied you at 2019-03-23 15:22 (UTC+8).


Thanks for your help!

Apparently, I never followed up here. The issue was more one of unclear documentation than anything, which I believe may (should) have been fixed by now.


We were expecting to see that our existing cert was updated, as the e-mail from Apple seemed to suggest would happen, and that we would just have to re-download the cert. However, in reality, we had to create a new signing cert, and that new cert had the new entitlement. (This is all "IIRC," and I can't guarantee nothing has changed, as it's been nearly two years at this point.)

Hello, eskimo!

I made a request to create a kext-signing-enabled Developer ID certificate, but still don’t have an answer. I would like to know how long it takes. And what is the status of my request at this moment?


My follow-up number for this request: 712854188


Thank you!

I would like to know how long it takes. And what is the status of my request at this moment?

I’m not able to conduct official DTS business here on DevForums. I’ll respond to the email you sent me when I’m back in the office.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"