Stapling a flat pkg that installs a kext

I think I understand notarization:

  • It sends binary to Apple
  • Apple performs automatic verification
  • If verification succeeds, (and perhaps this is the wrong terminology) a Notarization Ticket is stored on Apple's servers
  • When an end user goes to use the Notarized Binary, macOS requests a Notarization Ticket for the binary, and if this succeeds, then all is good. This, of course, requires a network connection on the end user's machine when the binary is (first?, always?) accessed. It seems pretty clear from the staple tool that the ticket is cached locally, so while it may be verified every time, it only needs to be downloaded once.
  • Stapling is a post-process step that downloads the Notarization Ticket and attaches it to the binary (before distribution) so that the end user's machine can verify the Notarization without a network connection back to Apple being available at all.


As of 10.14.5, kexts MUST be notarized in order to be loaded. Again, it is not clear if this verification is on every load, or only the first load.


Now, you can staple binaries, and you can also staple the flat .pkg that is used to distribute them.


The question that I am unclear on is:


If I package my kext in a flat installer .pkg, and then submit the .pkg for Notarization, the Notarization service notarizes both the .pkg and the kext.


If I staple the .pkg, does the Notarization Ticket that is stapled to the .pkg include the Notarization Ticket for the kext, or does the kext need to be stapled separately?

If it does need to be stapled separately, then I would need to rebuild the .pkg after stapling, which would invalidate the Notarization ticket for the .pkg. So that would imply that I would have to re-notarize the pkg, and then staple the pkg.


TLDR:


Is the process (option 1):


  1. Create kext
  2. Create pkg
  3. Notarize pkg
  4. Staple pkg


or does it have to be (option 2):


  1. Create kext
  2. Notarize kext
  3. Staple kext
  4. Create pkg
  5. Notarize pkg
  6. Staple pkg


Obviously, option 1 is more appealing if it works.

Accepted Reply

TLDR:

Assuming that you’re distributing your KEXT solely via that .pkg, option 1 is fine.

That’s not right; see my clarification below.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies


Ok - thank you for the confirmation; that definitely simplifies the deployment process.

According to the release notes for Beta 5, this does not work because of problem ID: 50205533


The description is a bit opaque in the release notes:


"The system fails to register tickets stapled to installer packages not scanned by Gatekeeper, which causes newly installed kernel extensions to fail to load if Internet access isn’t available. This can occur if a user launches installation from a local folder or an enterprise uses automated tools to deploy an installer. This issue doesn’t affect stapled disk images, apps, or kext bundles."


- What difference is there between a kext extension and a kext bundle?


- Is there official documentation that states that you only need to notarize and staple a package (flat or distribution) to propagate the notarization to the components inside the payload(s)?

According to the release notes for Beta 5, this does not work …

Indeed. Option 1 is the way things are supposed to work, and it works for most items, but not for KEXTs )-: For a KEXT, for the moment, you can use option 2. Sorry about the misinformation.

Note that you don’t have to notarise everything inside your package, just the KEXT and then the package itself.

What difference is there between a kext extension and a kext bundle?

I don’t think there is one. KEXTs use a bundle format, and thus it’s not uncommon to refer to them as a KEXT bundle.

Is there official documentation that states that you only need to notarize and staple a package (flat or distribution) to propagate the notarization to the components inside the payload(s)?

No, but please do file a bug against the documentation requesting that it cover this point.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
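As an added example (not code from the thread or from Apple), here is option 2 as the reply above describes it, written as a POSIX shell script: sign and notarize the KEXT, staple it, then build, notarize and staple the package, and finally check both tickets offline. It assumes `xcrun notarytool` (which postdates this thread) with a stored keychain profile; the signing identities, profile name and paths are placeholders, and `DRY_RUN=1` records the command sequence instead of executing it.

```shell
#!/bin/sh
# Added example, not from the thread: "option 2" for a KEXT shipped in a
# flat installer package. Assumes Xcode 13+ (notarytool) and a profile
# created with `xcrun notarytool store-credentials`. All names are placeholders.
set -eu

APP_IDENTITY="${APP_IDENTITY:-Developer ID Application: PLACEHOLDER (TEAMID)}"
PKG_IDENTITY="${PKG_IDENTITY:-Developer ID Installer: PLACEHOLDER (TEAMID)}"
NOTARY_PROFILE="${NOTARY_PROFILE:-notary-profile}"   # notarytool keychain profile

# DRY_RUN=1 appends each command (one per line) to $PLAN instead of running
# it, so the ordering can be checked on a machine without Xcode.
PLAN=""
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        PLAN="${PLAN}$*
"
    else
        "$@"
    fi
}

# Option 2: the KEXT gets its own ticket before it is packaged, so that ticket
# travels inside the package payload; the package then gets a ticket of its own.
ship_kext_pkg() {
    kext="$1"; pkg="$2"; zip="${kext%.kext}.zip"
    run codesign --sign "$APP_IDENTITY" --timestamp --force "$kext"
    run ditto -c -k --keepParent "$kext" "$zip"      # notarytool needs zip/pkg/dmg
    run xcrun notarytool submit "$zip" --keychain-profile "$NOTARY_PROFILE" --wait
    run xcrun stapler staple "$kext"                  # staple the bundle, not the zip
    run xcrun stapler validate "$kext"                # ticket present without network
    run pkgbuild --component "$kext" --install-location /Library/Extensions \
        --sign "$PKG_IDENTITY" "$pkg"
    run xcrun notarytool submit "$pkg" --keychain-profile "$NOTARY_PROFILE" --wait
    run xcrun stapler staple "$pkg"
    run xcrun stapler validate "$pkg"
    run spctl --assess --type install -vv "$pkg"      # offline Gatekeeper check
}

# Dry-run helper: 1-based position of the first recorded step matching $1.
plan_step() { printf '%s' "$PLAN" | grep -n -- "$1" | head -n1 | cut -d: -f1; }
```

Rebuilding the package after stapling the KEXT is what makes step order matter: the KEXT's ticket must be in place before `pkgbuild`, and the package's own ticket is the last thing added.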

Suggestion filed via bugreporter.

Option 1 is the way things are supposed to work, and it works for most items, but not for KEXTs )-:

It turns out there is a way to use option 1 for KEXTs. I’ve just created a new post, Notarising an Installer Package Containing a KEXT, that clarifies the relationship between KEXTs, installer packages, and notarisation.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"