kext signing results in -67050 invalid signature

Hi all,

We requested a Developer ID certificate for distribution on 15th January and finally got a "3rd Party Mac Developer Application: Ixia (6H42WAM355)" certificate in March.

I managed to create the Developer ID certificate using the team account and successfully signed my PCIe kext in Xcode when it compiles. However, I found that the signed kext doesn't load when I install it into /Library/Extensions/ or /System/Library/Extensions/. When I tried to use kextutil to load it, I found that it reports error -67050, as shown below.

Macbooks-MBP:Release lvltuser$ sudo kextutil -v KeysightKauaiPCI.kext

Password:

Defaulting to kernel file '/System/Library/Kernels/kernel'

Untrusted kexts are not allowed

Kext with invalid signature (-67050) denied: /Library/StagedExtensions/System/Library/Extensions/0AE681EE-2C83-43F1-BDF0-F02093A7980C.kext

Bundle (/System/Library/Extensions/KeysightKauaiPCI.kext) failed to validate, deleting: /Library/StagedExtensions/System/Library/Extensions/0AE681EE-2C83-43F1-BDF0-F02093A7980C.kext

Unable to stage kext (/System/Library/Extensions/KeysightKauaiPCI.kext) to secure location.

...


I found that the Developer ID certificate ID is 1.2.840.113635.100.6.1.13. What I read from the following 2 links is that the Developer ID Application certificate must be 1.2.840.113635.100.6.1.18.

https://forums.developer.apple.com/thread/112320

https://stackoverflow.com/questions/47231738/kextutil-says-my-kernel-extension-signature-is-invalid-but-code-sign-says-it-is

My question is:

1) Is it true that I am having the wrong certificate from Apple?

2) What can I do to move forward?


I have submitted many support cases to "Apple Developer Program Support" and finally they told me that they are not able to help me. They say I need to submit Developer ID certificate again to get to kext team or ask in developer forum. Please let me know how to move forward. Desperately needing help. I am already late to submit my kext for Thunderbolt certification.


regds,

kok kuan

Replies

What I read from the following 2 links is that the Developer ID Application certificate must be 1.2.840.113635.100.6.1.18.

That’s correct. A while back I discovered where these wacky OIDs are officially documented, and I just added that info to my KEXT Code Signing Problems post.

If your Developer ID certificate is missing this OID then there’s three possibilities:

  • You’re using a certificate that predates the OID being added to your team.

  • You’re using the wrong team.

  • There’s been some sort of mixup at our end.

I recommend that you re-create your Developer ID certificate to rule out the first possibility. If that doesn’t get the OID to show up, drop me a line via email (my address is in my signature) and we can discuss this privately (I can’t conduct official DTS business here on DevForums).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
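One way to check a certificate for the OID discussed in this thread, as an added example that is not part of the original posts and not Apple's tooling: a small DER walker that lists the extension OIDs of a certificate so 1.2.840.113635.100.6.1.18 can be looked for directly. It assumes DER-encoded certificate bytes; all function names are hypothetical, and `sample_cert` builds a constructed skeleton rather than a real certificate.

```python
KEXT_OID = "1.2.840.113635.100.6.1.18"  # OID the thread says the certificate must carry

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def children(buf, start, end):  # yields (tag, value_start, value_end) over buf[start:end]
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(der):
    """Return the extnID of every extension in a DER-encoded certificate."""
    _, cs, ce = read_tlv(der, 0)                 # Certificate SEQUENCE
    _, ts, te = next(children(der, cs, ce))      # tbsCertificate SEQUENCE
    oids = []
    for tag, vs, _ in children(der, ts, te):
        if tag == 0xA3:                          # [3] EXPLICIT extensions
            _, ls, le = read_tlv(der, vs)        # SEQUENCE OF Extension
            for _, es, _ in children(der, ls, le):
                _, o1, o2 = read_tlv(der, es)    # extnID is the first field
                oids.append(decode_oid(der[o1:o2]))
    return oids

def sample_cert(last_arcs):
    """Constructed skeleton, not a real certificate: 1.2.840.113635.100.6.1.N extensions."""
    wrap = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    exts = b"".join(wrap(0x30, bytes.fromhex("060a2a864886f763640601%02x04020500" % n)) for n in last_arcs)
    return wrap(0x30, wrap(0x30, bytes.fromhex("020101") + wrap(0xA3, wrap(0x30, exts))))

if __name__ == "__main__":
    print({tuple(a): KEXT_OID in extension_oids(sample_cert(a)) for a in ([13], [13, 18])})
```

To use it on a real certificate, pass the file's DER bytes to `extension_oids` and test for `KEXT_OID` in the result.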