About kext notarizing

I have an installer package with a kernel extension. I've got both of them notarized successfully. I verify that by using this command: "spctl -a -vv -t install bundle-name".

I also add this preinstall script to my package.

#!/bin/sh
# Preinstall script: on 10.14.5 only, re-check the package's notarization/assessment.
# $PACKAGE_PATH is the environment variable Installer sets to the path of the .pkg.
if [ "$(/usr/bin/sw_vers -productVersion)" = "10.14.5" ]; then
  /usr/sbin/spctl -a -vvv -t install "$PACKAGE_PATH"
fi


When I run the installer package on a clean installation of 10.14.6, I still receive the message box stating my kext is blocked. I need to go to System Preferences to click the "Allow" button. Why does this happen even though my package has passed notarization? I'm totally confused.

BTW, is there a way to clear some local cache to remove previously approved kexts for testing purposes? Thanks!

Replies

I have a problem similar to yours. I also have no "Allow" button.

Can you contact me at 952643@qq.com? Maybe we can help each other.

Why does this happen even though my package has passed notarization?

Notarisation does not remove the requirement for user approval, a policy that seems pretty reasonable for something as far-reaching as a KEXT.

BTW, is there a way to clear some local cache to remove previously approved kexts for testing purposes?

Nothing that we support. I do this using a VM, as described in this post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thank you for clarifying.

Thank you. I have solved the problem with kext notarization.

I have one additional question. Upon first installation of my package, I want to wait for the user to click the "Allow" button in System Preferences, because I need to load a launch daemon which depends on my kext after installation is completed. I think I can create an installer plugin and show some instructions on the pane. In the meantime, I will run a background script from the postinstall script, which just waits there for the installer process to quit and then starts the daemon. When the user clicks the "Continue" button, I will call KextManagerCopyLoadedKextInfo() to check the kext status. If it has been started, I will continue the installation process.

I have two questions:

  1. Is there a better way to check whether the kext is blocked and when the user clicks the "Allow" button?
  2. In my background script, I just check if there is any installer process alive. I cannot handle the situation where two or more installer processes exist at the same time. Is it possible for me to identify my installer instance process in the script?

Thanks!

Have you looked at xpc_events (see man xpc_events)? It will allow you to launch a daemon on-demand when your kext is loaded. This might yield a cleaner solution than what you've outlined above.

mdobro wrote:

Have you looked at xpc_events (see man xpc_events)?

Indeed. Even if you don’t use this specific mechanism, I agree with mdobro’s advice in general: Rather than try to block installation, allow it to complete and have your launchd daemon deal with the KEXT coming and going.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
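As an added illustration of the xpc_events approach mdobro and Quinn recommend (not code from this thread or from Apple), this is the shape of a launchd daemon plist that makes launchd start the daemon on demand when an IOKit service published by the kext appears; the label, program path, event name and IOKit class name are placeholders:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Placeholder label and program path; substitute your own. -->
    <key>Label</key>
    <string>com.example.mykextd</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/PrivilegedHelperTools/com.example.mykextd</string>
    </array>
    <!-- No RunAtLoad/KeepAlive: launchd starts the daemon only when the event
         below fires, so nothing runs while the kext is still blocked. -->
    <key>LaunchEvents</key>
    <dict>
        <!-- Event stream the daemon consumes with xpc_set_event_stream_handler(). -->
        <key>com.apple.iokit.matching</key>
        <dict>
            <!-- Event name is chosen by you and delivered to the handler. -->
            <key>com.example.mykextd.kext-loaded</key>
            <dict>
                <!-- IOKit matching dictionary. The class name is a placeholder
                     for the IOService subclass your kext registers. -->
                <key>IOProviderClass</key>
                <string>com_example_MyKextService</string>
                <!-- Deliver a launch event for each service that matches
                     (see man xpc_events for the exact semantics). -->
                <key>IOMatchLaunchStream</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
```

The daemon must register a handler for the "com.apple.iokit.matching" stream with xpc_set_event_stream_handler() to receive these events, and the user still has to approve the kext in System Preferences before any service can match.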

I found another problem with my installer. On my test machine (10.14.6 on VMware), I approved the kext loading upon first installation. During my testing, after several re-installations, Gatekeeper showed the following message:

A program tried to load one or more system extensions that are incompatible with this version of macOS. Please contact <company name> for support.

There is no "Allow" button in System Preferences.

But I had not changed the installer at all. After that, I cannot install my package successfully any longer, even though I restored the VM to a clean-install snapshot.