Unable to sign my KEXT

Hi, I'm struggling to sign a very basic KEXT for a USB device. It has not to be distributed through the App store. There are several things that doesn't seem ok to me. 1. In the XCode (Version 9.4 (9F1027a)) build settings of the project I set the Code Signing Identity, but when I build I get "object file format unrecognized, invalid, or unsuitable" (both with manual and automatic settings) 2. In my ADC account I can see the various certificates I created, but I cannot see all of them in the Xcode preferences. Moreover, when I try to add a ceritificate clicking on the "+" I get the following error: "You are not allowed to perform this operation. Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. https://developer.apple.com/support". Fact is, I'm the Team admins and the only team member... 3. Two of the last certificates I've created and loaded into my ADC account keep being in "pending" status... Can anyone help me in understanding what is going on? Many thanks

Accepted Reply

Hi, right after I've sent my previous post I fixed the build problem. For the record: there was a warning due to the fact that I was targeting both 32 & 64 bit archictectures (the project is rather old). 32 bit archs are not more supported so, once I removed that, it worked. I was so focused on the signing error and being the warning well...."just" a warning, I completely ignored it before. Cheers

Replies

It has not to be distributed through the App store.

That’s good to know, because KEXTs cannot be distributed via the App Store in any way shape or form (-:

1. In the XCode (Version 9.4 (9F1027a)) build settings of the project I set the Code Signing Identity, but when I build I get "object file format unrecognized, invalid, or unsuitable" (both with manual and automatic settings)

For KEXT development you should use the General tab of the target editor to:

  1. Disable manual signing

  2. Set the Team popup to your Team ID

  3. Select Developer ID Application from the Signing Certificate popup

I just tried this with Xcode 9.4 (creating a new KEXT from the Generic Kernel Extension template) and it’s working for me.

IMPORTANT This is not sufficient to get your KEXT running, as I’ll explain below.

  1. In my ADC account I can see the various certificates I created, but I cannot see all of them in the Xcode preferences. Moreover, when I try to add a ceritificate clicking on the "+" I get the following error: "You are not allowed to perform this operation. Please check with one of your Team Admins, or, if you need further assistance, please contact Apple Developer Program Support. https://developer.apple.com/support". Fact is, I'm the Team admins and the only team member...

  2. Two of the last certificates I've created and loaded into my ADC account keep being in "pending" status... Can anyone help me in understanding what is going on? Many thanks

It seems like your team isn’t set up the way you think it’s set up. I can’t help you with that because I don’t have insight into your team setup. You can escalate this issue via Developer Program Support, available via our Contact Us page.

You need to understand one key subtlety here. KEXTs must by signed by a Developer ID identity. Any paid Apple development team can create a Developer ID identity for use with normal applications. For more info on this, see our Developer ID page.

However, in order to ship a KEXT your Developer ID identity must be specifically approved for KEXT development by Apple. There is a link right at the bottom of that page (search for “kernel”) that you can use to apply for that approval.

Before doing that that you should make sure that Developer ID signing is working in general. Based on the above you’re clearly having problems with that, and applying for KEXT approval before sorting out those problems would be unwise.

Be aware that getting KEXT approval can take a while (think months)-:, and so you’ll want to do that long before you’re intended ship date.

Finally, if you want to get started on your KEXT’s code now, you can load an unsigned KEXT by disabling system integrity protection.

ps It was quite hard to read your post because of the formatting. I recommend that, in future, you maximise your chances of getting an answer by making your question easier to read.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo, thanks for your prompt and exhaustive reply.


Apologies for the formatting of my previous post, although I should say that it was well formatted until I did submit it. Once submitted, it appeared as it looks now. Don't know what happened, but it was not my intention to make it not so readable. Hopefully the same won't happen again this time.


Regarding the KEXT development: I've gone through the 3 steps exactly as you suggested (set automatic signing, my team, identity Developer ID Application) and yet I'm still not able to build the extension. The error reported says:


"MyKext has conflicting provisioning settings. MyKext is automatically signed for development, but a conflicting code signing identity Developer ID Application has been manually specified. Set the code signing identity value to "Mac Developer" in the build settings editor, or switch to manual signing in the project editor."


However, if I choose "Mac Developer" instead of "Developer ID Application", as indicated by the message, I get again:


"MyKext.kext: object file format unrecognized, invalid, or unsuitable Command /usr/bin/codesign failed with exit code 1"


The same result if, on the other hand, I leave "Developer ID Application" as identity and set the signing to "manual".


So I've tried all the possible combinations with no success.

If you have any other suggestions, I'd be eager to try it out.

Best!

Hi, right after I've sent my previous post I fixed the build problem. For the record: there was a warning due to the fact that I was targeting both 32 & 64 bit archictectures (the project is rather old). 32 bit archs are not more supported so, once I removed that, it worked. I was so focused on the signing error and being the warning well...."just" a warning, I completely ignored it before. Cheers

I’m glad to hear that you got your KEXT signed properly.

I should say that it was well formatted until I did submit it.

Yeah, DevForums’s text editor presents some challenges )-: I avoid these problem by writing my post in Markdown, as explained in this post.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"