3 Replies
      Latest reply on Jun 11, 2019 12:44 PM by semdac
      pradippradip Level 1 (0 points)

        Hi,


        We have a KEXT-enabled Developer ID which we are using for code signing, and I have verified that the certificate contains the 1.2.840.113635.100.6.1.18 extension required. However, kextutil -tn still shows:


        Untrusted kexts are not allowed
        Kext with invalid signature (-67050) denied: /Library/StagedExtensions/Library/Extensions/A0587A5A-52FC-46DC-832E-81919195902C.kext

        After signing, I also extracted the signature using the instructions here to verify that the correct kext-enabled Developer ID certificate was used during the signing process.


        I have "Apple Worldwide Developer Relations Certification Authority" and "Developer ID Certification Authority" certs in both the login and System keychains.


        Where do I go from here?


        Thanks!

        • Re: Kext with invalid signature (-67050) denied
          pradippradip Level 1 (0 points)

          I've figured it out. Turns out kexts are now denied by default -- even those signed with a valid kext-enabled Dev. ID certificate (which we have). The solution is described in this tech note:


          https://developer.apple.com/library/archive/technotes/tn2459/_index.html


          The first time an attempt is made to load the kext, macOS should present the user with a popup informing them that it was blocked. The user then needs to go to System Preferences > Security & Privacy in order to approve the kext. Note that the approval needs to happen within 30 minutes of the load attempt or it will disappear. Subsequent load attempts will be rejected silently but will reactivate the prompt within "Security & Privacy" -- giving the user another chance to approve the kext.


          It would be helpful if the kextutil error message included a hint to check for authorisation in "Security & Privacy" instead of just throwing an "invalid signature" error. In fact, it's quite misleading in this instance, as the signature itself is valid but it's system policy which prevents loading until authorisation is granted.
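As an added example that is not part of this thread: a bash script (assumes macOS with codesign, kextutil and openssl available; the function names check_signature, classify_kextutil and diagnose_kext are my own) that runs the local signature check first, so that a -67050/-67007 from kextutil -tn can be reported as a pending user approval under TN2459 rather than as a broken signature.

```shell
#!/bin/bash
# Added example, not from the thread: tell a genuine code-signing failure apart
# from a TN2459 user-approval denial, which kextutil also reports as
# "invalid signature (-67050)" / "(-67007)".

KEXT_OID="1.2.840.113635.100.6.1.18"   # kext-signing extension the Developer ID cert must carry

# Local signature check (macOS only). Prints "valid" when codesign accepts the
# bundle and the leaf certificate carries the kext-signing OID, else "invalid".
check_signature() {
  local kext="$1" tmp
  codesign --verify --strict "$kext" >/dev/null 2>&1 || { echo invalid; return 0; }
  tmp="$(mktemp -d)"
  # --extract-certificates writes codesign0 (leaf) .. codesignN (root), DER encoded
  ( cd "$tmp" && codesign -d --extract-certificates "$kext" >/dev/null 2>&1 )
  if openssl x509 -inform DER -in "$tmp/codesign0" -noout -text 2>/dev/null | grep -q "$KEXT_OID"; then
    echo valid
  else
    echo invalid
  fi
  rm -rf "$tmp"
}

# Classify kextutil -tn output read from stdin, given the local check result ($1).
# policy    -> signature verified locally; the load is blocked by system policy
#              until the user approves the kext in Security & Privacy (TN2459)
# signature -> the bundle really fails verification; re-sign it
# ok        -> no denial in the output
classify_kextutil() {
  local result="$1" out
  out="$(cat)"
  if printf '%s\n' "$out" | grep -qE 'invalid signature \(-670(50|07)\)|rejected due to system policy'; then
    [ "$result" = valid ] && echo policy || echo signature
  else
    echo ok
  fi
}

diagnose_kext() {
  kextutil -tn "$1" 2>&1 | classify_kextutil "$(check_signature "$1")"
}

# Constructed sample, taken from the messages quoted in this thread.
SAMPLE_DENIED='Untrusted kexts are not allowed
Kext with invalid signature (-67050) denied: /Library/StagedExtensions/Library/Extensions/A0587A5A-52FC-46DC-832E-81919195902C.kext'

[ $# -eq 0 ] || diagnose_kext "$1"   # usage: ./kextcheck.sh /path/to/mykext.kext
```

A result of "policy" means the fix is the Security & Privacy approval described in TN2459, not re-signing; "signature" means codesign itself rejected the bundle or the leaf certificate lacks the kext-signing extension.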

            • Re: Kext with invalid signature (-67050) denied
              eskimo Apple Staff (12,475 points)

              It’s good to hear that you got this sorted.

              You wrote:

              It would be helpful if the kextutil error message included a hint to check for authorisation in "Security & Privacy" instead of just throwing an "invalid signature" error.

              Quite.  The best way to get this feedback to the folks who maintain this code is to file an enhancement request against kextutil.  Please post your bug number, just for the record.

              Share and Enjoy

              Quinn “The Eskimo!”
              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
              let myEmail = "eskimo" + "1" + "@apple.com"

                • Re: Kext with invalid signature (-67050) denied
                  semdac Level 1 (0 points)

                  Hi,

                  Since I'm experiencing the exact same issue, I thought it would be okay to tag onto this post...

                  So for brevity, 'ditto' on pradippradip's original post.


                  I'm also able to reproduce this with a VM running 10.14.5.

                  The odd thing is, if the postinstall script fails because of this reason, then the user sees the yellow triangle warning that their installation failed.


                  Running the kextutil -nt command, the results are a bit strange in that the output mentions a different kext file other than the kext I'm inspecting. And by other, I don't mean the one copied to the staging folder. I'm referring to a kext on my machine dated back to 2014 that is for USB functionality (AX88179_178A.kext).


                  The output is as follows. The bolded text is my confusion. Why would the kextutil -nt command try to stage a different kext file unrelated to my mykext.kext?

                  Has anyone else seen this?


                  /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext does not appear in strict exception list for architecture: x86_64
                  Untrusted kexts are not allowed
                  Kext with invalid signature (-67007) denied: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
                  Bundle (/Library/Extensions/AX88179_178A.kext) failed to validate, deleting: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
                  Unable to stage kext (/Library/Extensions/AX88179_178A.kext)to secure location.
                  Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
                  Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
                  Diagnostics for /private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A Document Being Saved By XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext: