KEXT Notarization problems

I'm having trouble with Notarization for a Kext.



I am using Xcode 10.2.1.



The Kext is properly signed and works properly up through 10.14.4. When the update for 10.14.5 became available, I updated my primary Mac and the kext that was already installed continued to work.



I used a clean VMWare image that was running 10.14 and upgraded it to 10.14.5 and I saved a clean snapshot of the image. This way I can test installing the KEXT over and over and to see the errors that pop up on first install.



When I install the KEXT on my test image, I see an error, "System Extension Blocked" "A program tried to load one or more system extensions that are incompatible with this version of macOS. Please Contact Silicon Laboratories, Inc for support." My understanding is that I am seeing this message due to my Kext not being Notarized. When I try to load the KEXT using kextutil, I see a message that says "Kext rejected due to system policy" and some other specific information. It says "Diagnostics for /Library/Extensions/<mykext>.kext:" and then there is nothing after that. I would expect it to say something like the kext isn't notarized.



The KEXT is installed by a .pkg file that is shipped on a .dmg. I tried the following steps:



xcrun altool --notarize-app --primary-bundle-id "" --file .dmg --username "" --password "@keychain:AC_PASSWORD"



This resulted in a message that said "No errors uploading <mydmgname>.dmg".



A few minutes later, I got an email that said "You can now distribute your Mac software." in the subject line. It said "Your Mac software has been notarized. You can now export this software and distribute it directly to users."



What does it mean to "export this software"?



I tried to install the .dmg onto my VMWare image. I received the same result.



I then tried mounting the .dmg and notarizing the .pkg. I did the same command, but notarized the .pkg this time. I got the same result from altool and then the same email saying my software was notarized. I tried installing again on a fresh restore of my VMWare image. Same result - won't install. So for good measure, I tried taking the raw kext that works on my workstation, zipping it, and notarizing it with altool. Again, same steps - same results. Won't install.



I must be skipping a step or two. Ideas?

Replies

So, to be clear, you have a disk image (.dmg) that contains an installer package (.pkg) that contains a KEXT?

What does it mean to "export this software"?

Many developers use Xcode’s Organizer for notarisation, and that UI has an explicit export step. See Notarizing Your App Before Distribution. If you’re notarising using altool, there is no export per se, but you should staple the notarisation ticket to your product before distributing it. See Customizing the Notarization Workflow.

I’m not entirely sure where things are going wrong here, but I have some suggestions:

  1. Make sure your KEXT is signed correctly — As I’m sure you’re aware, the Developer ID you use to sign your KEXT must be explicitly enabled for KEXT development. Install your KEXT on your VM and then check its signing certificate using the instructions from KEXT Code Signing Problems.

  2. Check that your ticket covers your KEXT — This post explains how to get the cdhash values covered by the ticket and compare them to the cdhash values in your code signature.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
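
The comparison in suggestion 2 comes down to checking whether the cdhash in the installed KEXT's code signature appears in the notarization ticket. The following is an added example, not part of the thread and not Apple's code. It assumes `codesign -d -vvv` prints a `CDHash=` line and that the notarization log is JSON with a `ticketContents` list of `path`/`cdhash` entries; every hash, path, identifier and function name in it is constructed for illustration.

```python
import json
import re

# Constructed 40-hex-digit cdhash values; none of these come from the thread.
KEXT_HASH, DMG_HASH, STALE_HASH = "a1" * 20, "b2" * 20, "c3" * 20

# Constructed stand-in for `codesign -d -vvv /Library/Extensions/Example.kext`.
CODESIGN_TEXT = f"""\
Executable=/Library/Extensions/Example.kext/Contents/MacOS/Example
Identifier=com.example.driver.Example
CDHash={KEXT_HASH}
TeamIdentifier=ABCDE12345
"""

# Constructed stand-in for the notarization log; the layout is an assumption.
LOG_TEXT = json.dumps({"ticketContents": [
    {"path": "Example.dmg", "digestAlgorithm": "SHA-256", "cdhash": DMG_HASH},
    {"path": "Example.dmg/Example.pkg/Example.kext",
     "digestAlgorithm": "SHA-256", "cdhash": KEXT_HASH},
]})

CDHASH_LINE = re.compile(r"^CDHash=([0-9a-fA-F]{40})\s*$", re.MULTILINE)

def signature_cdhashes(codesign_text):
    """Return the cdhash values codesign reported for the installed code."""
    return [h.lower() for h in CDHASH_LINE.findall(codesign_text)]

def ticket_cdhashes(log_text):
    """Map every cdhash listed in the log's ticketContents to its path."""
    entries = json.loads(log_text).get("ticketContents") or []
    return {e["cdhash"].lower(): e.get("path", "?") for e in entries if "cdhash" in e}

def coverage(codesign_text, log_text):
    """For each signature cdhash, give the ticket path covering it, or None."""
    hashes = signature_cdhashes(codesign_text)
    if not hashes:
        raise ValueError("no CDHash line found; is the code signed?")
    ticket = ticket_cdhashes(log_text)
    return {h: ticket.get(h) for h in hashes}

if __name__ == "__main__":
    # Second case: the KEXT was re-signed after the ticket was issued.
    resigned = CODESIGN_TEXT.replace(KEXT_HASH, STALE_HASH)
    for text in (CODESIGN_TEXT, resigned):
        for cdhash, path in coverage(text, LOG_TEXT).items():
            print(cdhash, "covered by " + path if path else "NOT in ticket")
```

A `None` result means the code on disk is not the code that was notarized, which is what happens when a KEXT is rebuilt or re-signed after the ticket was issued.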

FYI, I’ve just created a new post, Notarising an Installer Package Containing a KEXT, that clarifies the relationship between KEXTs, installer packages, and notarisation.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"