Kext signing - commandline tools

Hi,


Some help is needed; I will appreciate any help on the topics below:

1. How can I verify that the certificate I am using includes the "kext-enabled" flag by Apple (we have already filed the request)?

2. Is there a defined process for signing the .kext? It seems, according to this post, that the signature does not include the OID 1.2.840.113635.100.6.1.18?

3. I have read several posts regarding the deprecation of kext loading and distribution; however, I am confused regarding the performance of Xcode 11.x and macOS Catalina. Can loading be achieved, even at the price of user approval in Security & Privacy?

Thanks a lot in advance,

Reuven

Replies

1. How can I verify that the certificate I am using includes the "kext-enabled" flag by Apple (we have already filed the request)?

Using the steps you’ve already found.

2. Is there a defined process for signing the .kext?

No. Once you have a KEXT-enabled Developer ID, there’s no extra magic required [1].

3. I have read several posts regarding the deprecation of kext loading and distribution; however, I am confused regarding the performance of Xcode 11.x and macOS Catalina. Can loading be achieved, even at the price of user approval in Security & Privacy?

10.15 supports KEXTs in exactly the same way as later variants of 10.14:

  • They must be signed with a KEXT-enabled Developer ID.

  • They must be notarised.

  • Their loading is subject to user approval.

The main difference is that some KEXT use cases have user space replacements and, in those cases, using a KEXT has been officially deprecated. See Deprecated Kernel Extensions and System Extension Alternatives for the details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] For a summary of the standard process, see my Signing a Mac Product For Distribution post.
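For the first question, one concrete way to check the signing certificate, as an added example rather than anything posted in this thread: codesign(1) can write the certificate chain out of a signed bundle as DER files, and openssl x509 -text prints every extension, so the KEXT OID 1.2.840.113635.100.6.1.18 either appears in that dump or it does not. The bundle path and the temporary-directory layout below are assumptions; the OID itself is the one quoted in the question.

```sh
#!/bin/sh
# Check whether a code-signing certificate carries Apple's KEXT-signing
# extension (OID 1.2.840.113635.100.6.1.18), either on a certificate file
# or on the leaf certificate pulled out of a signed .kext with codesign(1).
KEXT_OID='1.2.840.113635.100.6.1.18'

# cert_has_kext_oid CERTFILE [PEM|DER]  -> exit status 0 if the OID is present.
# openssl prints extensions it does not know by dotted OID, so a fixed-string
# grep on the -text output is sufficient (-F keeps the dots literal).
cert_has_kext_oid() {
    cert=$1
    form=${2:-PEM}
    openssl x509 -inform "$form" -in "$cert" -noout -text 2>/dev/null \
        | grep -qF "$KEXT_OID"
}

# kext_signer_is_kext_enabled BUNDLE.kext  (macOS only: needs codesign(1))
# codesign -d --extract-certificates=PREFIX writes the chain as DER files
# PREFIX0 (leaf), PREFIX1, ... ; the leaf is the Developer ID that matters.
kext_signer_is_kext_enabled() {
    bundle=$1
    workdir=$(mktemp -d) || return 2
    if ! codesign -d --extract-certificates="$workdir/cs" "$bundle" 2>/dev/null; then
        rm -rf "$workdir"
        return 2
    fi
    cert_has_kext_oid "$workdir/cs0" DER
    rc=$?
    rm -rf "$workdir"
    return $rc
}

# Command-line use: ./kextcert.sh /path/to/Foo.kext  (path is an assumption)
if [ -n "${1:-}" ]; then
    if kext_signer_is_kext_enabled "$1"; then
        echo "$1: leaf certificate carries $KEXT_OID (KEXT-enabled)"
    else
        echo "$1: leaf certificate does NOT carry $KEXT_OID" >&2
    fi
fi
```

A status of 2 means codesign could not read a signature at all, which is a different failure from a valid signature made with a non-KEXT Developer ID; the script keeps the two apart so a missing signature is not misread as a certificate problem.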

Hi, and thanks for the detailed answer.
I have discovered why I do not see the "kext-enabled" flag on my signings; it seems that only a certificate created by the account holder can include the kext-enabled flag.

In any case, I did lots of reading and experiments, and currently I have the following issue:
% sudo kextload /Library/Extensions/***.kext
/Library/Extensions/***.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions)...
Done all that I know is needed:

1. Signing (validated that I have the kext-enabled flag (1.2.840.113635.100.6.1.18))

2. Notarize: % xcrun altool --notarize-app --primary-bundle-id ...... and validate using % xcrun altool --notarization-info (no errors - success)

3. Staple: % sudo xcrun stapler staple -q ***.kext and validate using % sudo xcrun stapler validate ***.kext (the validate action worked!)
However, when I try to load I get the above failure.
When executing % sudo kextutil ***.kext I get the following response:

Kext rejected due to improper filesystem permissions: <OSKext 0x7f98fb623100 [0x7fff86f26690]>


Any idea what I am missing, what to check, or how to overcome this?


Thanks in advance,

Reuven

Kext rejected due to improper filesystem permissions

Given their security-sensitive nature, the system checks that KEXTs have appropriate file system permissions before loading them. I don’t remember the exact details but the general idea is that the KEXT must not be writable by anyone other than root. The system checks both the top-level .kext directory and all the directories and files nested in it.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

KEXTs have to be root:wheel and 755 or tighter.


sudo chown -R root:wheel kextPath
sudo chmod -R 755 kextPath

Thanks for this info!
However, I did try to set that on the .kext bundle and got the same result: "Kext rejected due to improper filesystem permissions".
Any idea what I am missing or what to try?
Thanks a lot in advance,

Reuven

Try doing something like this:

% find /System/Library/Extensions/pthread.kext -print0 | xargs -0 ls -ld
drwxr-xr-x@ 3 root  wheel     96  9 Nov 12:06 /System/Library/Extensions/pthread.kext
drwxr-xr-x  6 root  wheel    192 10 Feb 00:31 /System/Library/Extensions/pthread.kext/Contents
-rw-r--r--  1 root  wheel   2060 10 Jan 05:27 /System/Library/Extensions/pthread.kext/Contents/Info.plist
drwxr-xr-x  3 root  wheel     96 10 Feb 00:31 /System/Library/Extensions/pthread.kext/Contents/MacOS
-rwxr-xr-x  1 root  wheel  62880 23 Jan 14:02 /System/Library/Extensions/pthread.kext/Contents/MacOS/pthread
drwxr-xr-x  3 root  wheel     96 10 Feb 00:31 /System/Library/Extensions/pthread.kext/Contents/_CodeSignature
-rw-r--r--  1 root  wheel   2428 23 Jan 14:02 /System/Library/Extensions/pthread.kext/Contents/_CodeSignature/CodeResources
-rw-r--r--  1 root  wheel    517 10 Jan 05:27 /System/Library/Extensions/pthread.kext/Contents/version.plist

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Check if there is a copy of your kext in /Library/StagedExtensions/Library/Extensions and what permissions it has. Last time I worked with kernel extensions, the system would load a copy of the kext into that folder but would not modify the permissions on that copy if you changed the permissions on the kext in /Library/Extensions. Incorrect permissions on that copy would result in permission errors when loading the kext. If I recall correctly, changing the permissions on the copy in StagedExtensions was a pain since that folder was protected by SIP (you need to boot into recovery mode and delete the copy in StagedExtensions from there).
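The listing Quinn shows above is the reference state (every entry root:wheel, nothing group- or other-writable), and the previous reply points out that the staged copy has to meet it too. As an added example that is not from this thread, the script below turns that check into two find(1) predicates that run identically on macOS and Linux, so you can point it at /Library/Extensions/Foo.kext and at the /Library/StagedExtensions copy and get a list of exactly which entries the kernel will object to. The bundle path is an assumption; the rules (uid 0, gid 0, no group/other write bit) are the ones stated in the replies.

```sh
#!/bin/sh
# Audit a .kext bundle for the file-system conditions enforced before loading:
# every directory and file must be owned by root:wheel (uid 0, gid 0 on
# macOS) and must not be writable by group or other. Octal -perm forms are
# used because both BSD and GNU find accept them; "-perm -020" means "the
# group-write bit is set", "-perm -002" means "the other-write bit is set".

# Print every entry below BUNDLE that group or other can write to.
kext_writable_entries() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Print every entry below BUNDLE not owned by uid 0 / gid 0 (root:wheel).
kext_nonroot_entries() {
    find "$1" \( ! -uid 0 -o ! -gid 0 \) -print
}

# Combined audit: list offenders once each; exit 1 if any, 0 if clean.
kext_perm_audit() {
    bad=$( { kext_nonroot_entries "$1"; kext_writable_entries "$1"; } | sort -u )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Repair: give the whole tree to root:wheel and strip group/other write bits.
# go-w leaves plists at 644 and directories/executables at 755, matching
# the pthread.kext listing; a blanket chmod -R 755 also satisfies the check.
kext_fix_perms() {
    sudo chown -R root:wheel "$1" && sudo chmod -R go-w "$1"
}

# Command-line use: ./kextperms.sh /Library/Extensions/Foo.kext (assumed path)
if [ -n "${1:-}" ]; then
    if kext_perm_audit "$1"; then
        echo "$1: ownership and permissions OK"
    else
        echo "$1: entries above are not root:wheel or are group/other-writable" >&2
    fi
fi
```

Run the audit on both the bundle you installed and any copy under /Library/StagedExtensions: the fix can only be applied to the former, since the staged tree is SIP-protected, which is why the earlier reply suggests deleting the stale staged copy from Recovery and letting the system re-stage the corrected bundle.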

Thanks! Will check.

Did check that; the results are the same as you presented.