"Kext rejected due to system policy" when using kextutil to check a kext

Hi all,


When I use the steps below to check my kext file on macOS 10.15, it returns errors:

Execute below commands on terminal:

sudo chown -R root:wheel kextname.kext

sudo chmod -R 755 kextname.kext


sudo kextload kextname.kext

Terminal shows below message:

/path/kextname.kext failed to load - (libkern/kext) not found; check the system/kernel logs for errors or try kextutil(8).


sudo kextutil kextname.kext

Terminal shows below message:

Kext rejected due to system policy: <OSKext 0x7fec84d68e80 [0x7fff8ddbfb00]> { URL = "file:///Library/StagedExtensions/Library/Extensions/kextname.kext/", ID = "com.myname.driver.***" }

/Library/StagedExtensions/Library/Extensions/kextname.kext does not authenticate; omitting.

Kext rejected due to system policy: <OSKext 0x7fa2514d9f80 [0x7fff8ddbfb00]> { URL = "file:///Library/StagedExtensions/Library/Extensions/kextname.kext/", ID = "com.myname.driver.***" }


I've tried to execute command:

codesign -vvv --deep --strict kextname.kext on terminal

Terminal shows below message:

kextname.kext: valid on disk

kextname.kext: satisfies its Designated Requirement


My step to generate kext:

1. Generate my certificate and upload it by my developer ID, and then download the certificate

2. Use Xcode 11.1 to build kext successfully:

Signing & Capabilities:

- Automatically manage signing: unchecked

- Signing Certificate: select Developer ID Application which I downloaded

Build Settings:

- Signing:

Code Signing Identity: Developer ID Application

Code Signing Inject Base Entitlements: No

Development Team: my team name

Enable Hardened Runtime: Yes

Resources/Info.plist:

- OSBundleLibraries

com.apple.kpi.iokit: 19.0.0

com.apple.kpi.libkern: 19.0.0


Is there a way to know the details of the "Kext rejected due to system policy" error? Or to solve it?


Thanks.

Sean

Accepted Reply

Did you notarise this KEXT?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Is your Developer ID enabled for KEXT development? If you’re not sure, you can check using the instructions in KEXT Code Signing Problems.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Dear eskimo,


Thanks for your reply,

After I check codesign0.cer, it has the extension with OID=1.2.840.113635.100.6.1.18, my certificate is in correct OID.


Please see my further actions and result as below:

Action 1.

Execute command: spctl -a -v --type install /path/kextname.kext

(kextname.kext is built by Xcode 11.1)

Terminal shows below message:

/path/kextname.kext: accepted

source=Unnotarized Developer ID

override=security disabled


Action 2.

Step1: There are two partitions, 10_15 and 10_15_1, on my Mac

Step2: Boot on 10_15

Step3: Build kext with Xcode11.1 on MacOS 10.15

Step4: Use Packages to set to /System/Library/Extensions/kextname.kext on Payload setting and build a pkg

Step5: Open and install pkg on 10_15_1

Step6: Reboot on 10_15_1

Step7: kext can be loaded normally.

Although it works, I hope it can be installed and work well on my current partition 10_15


Action 3.

Step1: Build kext with Xcode10 on MacOS 10.14.4

Step2: Use Packages to set path to /System/Library/Extensions/kextname.kext on Payload setting and build a pkg

Step3: install it on MacOS 10.14.4, It works well

Step4: Upgrade MacOS 10.14.5, it works well

Step5: Upgrade MacOS 10.14.6, it works well

Step6: Upgrade MacOS 10.15, it is removed

I know macOS 10.15 will auto remove it, but my kext loaded normally on previous macOS versions


Can you kindly provide another way to check or debug this issue?


Thanks

Sean

Hi eskimo,


When I try to load the kext file on macOS 10.15, it always fails with the message "Kext rejected due to system policy". It also shows this alert the first time: (System Extension Blocked | A program tried to load new system extension(s) signed by *** that need to be updated by the developer.)


I generated the kext file with an Xcode 11 kext project without adding any code, changed the OSBundleLibraries in the plist file and signed it.


No idea how to fix it. Is there any sample code for a kext project which can be loaded in macOS 10.15?


Any help will be appreciated.


Regards,
Lin Jian

OK, I’m going to ask you the same question I asked JMicron on 22 Oct: Did you notarise this KEXT?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo,


Yes, that's the problem. I apologize for my carelessness.


Thank you for your help.


Regards,

Lin Jian

Hi eskimo,


I misunderstood notarization; I had only changed the Xcode signing settings before.

And it works after I notarized my kernel extension.


Thanks for your support.


Sean
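
Added example, not written by anyone in this thread: a small shell helper that reads the output of the `spctl -a -v --type install` command quoted above and reports the assessment, the signature source and whether an override was active, since "accepted" together with "override=security disabled" does not show that the kext passed the notarization check. The function names are hypothetical, the first sample is the output from the post, and the second sample is constructed on the assumption that a notarized item prints "source=Notarized Developer ID".

```shell
#!/bin/sh
# Classify `spctl -a -v --type install <kext>` output read from stdin.
# Prints: status=<accepted|rejected|unknown> source=<notarized|unnotarized|other> override=<yes|no>
classify_spctl() {
    status=unknown
    source=other
    override=no
    while IFS= read -r line; do
        case "$line" in
            *": accepted"*)                       status=accepted ;;
            *": rejected"*)                       status=rejected ;;
            *"source=Notarized Developer ID"*)    source=notarized ;;
            *"source=Unnotarized Developer ID"*)  source=unnotarized ;;
            *"override=security disabled"*)       override=yes ;;
        esac
    done
    printf 'status=%s source=%s override=%s\n' "$status" "$source" "$override"
}

# Run the real assessment on macOS; spctl writes its report to stderr.
check_kext() {
    spctl -a -v --type install "$1" 2>&1 | classify_spctl
}

# Output quoted in the thread (blank lines kept as posted).
sample_from_post() {
    cat <<'EOF'
/path/kextname.kext: accepted

source=Unnotarized Developer ID

override=security disabled
EOF
}

# Constructed sample: what a notarized kext is assumed to report.
sample_notarized() {
    cat <<'EOF'
/path/kextname.kext: accepted
source=Notarized Developer ID
EOF
}

# Usage on macOS: sh this_script.sh /path/kextname.kext
if [ "$#" -gt 0 ]; then
    check_kext "$1"
fi
```

A result of `source=unnotarized` matches the failure in this thread even when the status line says accepted.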