The app I’m working on uses a kernel extension and whenever users install or update the app, the kernel cache must be rebuilt. This is done using `/usr/sbin/kextcache -v 6 -invalidate /` which has worked fine (-ish) for quite a few years. But starting with the macOS Catalina betas up to and including the public release of 10.15 (i.e. now) this doesn’t work anymore.
It appears that *triggering* a kext cache update does indeed work using either the above command or by using `touch /Library/Extensions` (as the man page for `kextcache` suggests). I know this because in Activity Monitor, `kextd` runs with high CPU usage for quite a while. But it seems that the actual result of that update is never written to the appropriate places on disk. The end result is that the previous stale kext cache is used when the computer starts up the next time.
In the case of the app I’m working on that means that a user space component complains about a version mismatch and instructs the user to get help from our support. And we see a lot of these reports.
Unfortunately, the only way to fix this seems to be to restart into Recovery Mode and convince the system to perform the kext cache update from there. This does indeed work, probably because System Integrity Protection is not active in Recovery Mode.
Has anybody else encountered this problem? Is there any solution for this?
(And yes, the kext is properly signed with an appropriate certificate. And yes, this was reported to Apple: FB7340720)
Edit: Here’s a blog post that details our findings about how updating the kernel works and where it breaks down on macOS Catalina: https://blog.obdev.at/how-kernel-prelininkg-works-on-macos-catalina/