398 Views 8 Replies
      Latest reply on Sep 27, 2019 3:11 AM by liang.zhou
      liang.zhou Level 1 Level 1 (0 points)
      liang.zhou Sep 3, 2019 2:54 AM

        I have a installer package with a kernel extension. I've got both of them notarized successfully. I verify that by using this command "spctl -a -vv -t install bundle-name".

        I also add this preinstall script to my package.

        #!/bin/sh
if [[ `/usr/bin/sw_vers -productVersion` == 10.14.5 ]]; then
  /usr/sbin/spctl -a -vvv -t install "$PACKAGE_PATH"; fi

         

        When I run the installer package on a clean intallation of 10.14.6, I still receive the message box stating my kext is blocked. I need to go to System Preference to click the "Allow" button. How come does this happen even though my package has passed notarization? I'm totally got confused.

         

        BTW, is there a way to clear some local cache to remove previously approved kext for testing purpose? Thanks!

        • Re: About kext notarizing
          tanhuang614 Level 1 Level 1 (0 points)
          tanhuang614 Sep 3, 2019 5:47 PM (in response to liang.zhou)

          I have the problem similar to you.I also have no "Allow" button.

          Can you contact me by 952643@qq.com,may be we can help each other?

          • Re: About kext notarizing
            eskimo Apple Staff Apple Staff (12,425 points)
            eskimo Sep 4, 2019 12:23 AM (in response to liang.zhou)

            How come does this happen even though my package has passed notarization?

            Notarisation does not remove the requirement for user approval, a policy that seems pretty reasonable for something as far-reaching as a KEXT.

            BTW, is there a way to clear some local cache to remove previously approved kext for testing purpose?

            Nothing that we support.  I do this using a VM, as described in this post.

            Share and Enjoy

            Quinn “The Eskimo!”
            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
            let myEmail = "eskimo" + "1" + "@apple.com"

              • Re: About kext notarizing
                liang.zhou Level 1 Level 1 (0 points)
                liang.zhou Sep 4, 2019 7:02 PM (in response to eskimo)

                Thank you for clarifying.

                • Re: About kext notarizing
                  tanhuang614 Level 1 Level 1 (0 points)
                  tanhuang614 Sep 4, 2019 7:05 PM (in response to eskimo)

                  Thank you .I have sloved the problem about kext notarization

                  • Re: About kext notarizing
                    liang.zhou Level 1 Level 1 (0 points)
                    liang.zhou Sep 18, 2019 7:21 AM (in response to eskimo)

                    I have one additional question. Upon first installation of my package, I want to wait for user to click the "Allow" button in System Preferences because I need to load a launch daemon which depends on my kext  after installation is completed. I think I can create a installer plugin and show some instructions on the pane. In the meantime, I will run a background script from postinstall script, which just wait there for installer process quiting and start the daemon. When user clicks the "Continue" button, I will call KextManagerCopyLoadedKextInfo() to check kext status. If it's been started, I will continue the installation process.

                    I have two questions:

                    1. Is there a better way to check whether kext is blocked and when user click the "Allow" button?
                    2. In my background script, I just check if there is any installer process alive. I cannot handle the situation where two or more installer processes exist at the same time.  Is it possible that I can identify my installer instance process in the script?

                    Thanks!

                      • Re: About kext notarizing
                        mdobro Level 2 Level 2 (40 points)
                        mdobro Sep 18, 2019 11:11 AM (in response to liang.zhou)

                        Have you looked at xpc_events (see man xpc_events)? It will allow you to launch a daemon on-demand when your kext is loaded. This might yield a cleaner solution than what you've outlined above.

                        • Re: About kext notarizing
                          eskimo Apple Staff Apple Staff (12,425 points)
                          eskimo Sep 19, 2019 12:55 AM (in response to liang.zhou)

                          mdobro wrote:

                          Have you looked at xpcevents (see man xpcevents)?

                          Indeed.  Even if you don’t use this specific mechanism, I agree with mdobro’s advice in general: Rather than try to block installation, allow it to complete and have your launchd daemon deal with the KEXT coming and going.

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"

                      • Re: About kext notarizing
                        liang.zhou Level 1 Level 1 (0 points)
                        liang.zhou Sep 27, 2019 3:11 AM (in response to liang.zhou)

                        I found another problem with my installer. On my test machine(10.14.6 on VMWare), I approved the kext loading upon first installation. During my testing, after several re-installations, Gatekeeper showed the following message:

                         

                        A program tried to load one or more system extensions that are incompatible with this version of macOS. Please contact <company name> for support.

                         

                        There is not "Allow" button in System Preferences.

                         

                        But I had not changed the installer at all. After that, I cannot install my package successfully any longer, even though I restored VM to a clean install snapshot.