1 Reply
      Latest reply on Mar 29, 2019 1:16 AM by eskimo
      kokkuan Level 1 Level 1 (0 points)

        Hi all,

        We requested for a developer ID certificate for distribution on 15th January and finally gotten a "3rd Party Mac Developer Application: Ixia (6H42WAM355)" certificate on March.

        I managed to create the Developer ID certificate using team account and successfully signed my pcie kext in xcode when it compiles. However, i found that the signed kext doesn't load when I install it into /Library/Extensions/ or /System/Library/Extensions/. When i tried to use kextutil to load it, I found that it is reporting this error -67050 like below.

        Macbooks-MBP:Release lvltuser$ sudo kextutil -v KeysightKauaiPCI.kext

        Password:

        Defaulting to kernel file '/System/Library/Kernels/kernel'

        Untrusted kexts are not allowed

        Kext with invalid signature (-67050) denied: /Library/StagedExtensions/System/Library/Extensions/0AE681EE-2C83-43F1-BDF0-F02093A7980C.kext

        Bundle (/System/Library/Extensions/KeysightKauaiPCI.kext) failed to validate, deleting: /Library/StagedExtensions/System/Library/Extensions/0AE681EE-2C83-43F1-BDF0-F02093A7980C.kext

        Unable to stage kext (/System/Library/Extensions/KeysightKauaiPCI.kext) to secure location.

        ...

         

        I found that the Developer ID certificate ID is 1.2.840.113635.100.6.1.13. What I read from the following 2 links is that the Developer ID Application certificate must be 1.2.840.113635.100.6.1.18.

        https://forums.developer.apple.com/thread/112320

        https://stackoverflow.com/questions/47231738/kextutil-says-my-kernel-extension-signature-is-invalid-but-code-sign-says-it-is

        My question is:

        1) Is it true that I am having the wrong certificate from Apple?

        2) What can I do to move forward?

         

        I have submitted many support cases to "Äpple Developer Program Support" and finally they told me that they are not able to help me. They say I need to submit Developer ID certificate again to get to kext team or ask in developer forum. Please let me know how to move forward. Desperately needing help. I am already late to submit my kext for Thunderbolt certification.

         

        regds,

        kok kuan

        • Re: kext signing result in -67050 invalid signature
          eskimo Apple Staff Apple Staff (11,265 points)

          What I read from the following 2 links is that the Developer ID Application certificate must be 1.2.840.113635.100.6.1.18.

          That’s correct.  A while back I discovered where these wacky OIDs are officially documented, and I just added that info to my KEXT Code Signing Problems post.

          If your Developer ID certificate is missing this OID then there’s three possibilities:

          • You’re using a certificate that predates the OID being added to your team.

          • You’re using the wrong team.

          • There’s been some sort of mixup at our end.

          I recommend that you re-create your Developer ID certificate to rule out the first possibility.  If that doesn’t get the OID to show up, drop me a line via email (my address is in my signature) and we can discuss this privately (I can’t conduct official DTS business here on DevForums).

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"