9 Replies
      Latest reply on Apr 1, 2020 1:26 PM by Reuven8e14
      Reuven8e14 Level 1 (0 points)

        Hi,


        Some help is needed; I will appreciate any help on the topics below:

        1. How can I verify that the certificate I am using includes the "kext-enabled" flag by Apple (we have already filed the request)?

        2. Is there a defined process for signing the .kext? It seems, according to this post, that the signature does not include the OID 1.2.840.113635.100.6.1.18?

        3. I have read several posts regarding the deprecation of kext loading and distribution; however, I am confused regarding the performance of Xcode 11.x and macOS Catalina. Can loading be achieved even at the price of the user approval in Security & Privacy?

        Thanks a lot in advance,

        Reuven

        • Re: Kext signing - commandline tools
          eskimo Apple Staff (13,905 points)

          1. How can I verify that the certificate I am using includes the "kext-enabled" flag by Apple (we have already filed the request)?

          Using the steps you’ve already found.

          2. Is there a defined process for signing the .kext

          No.  Once you have a KEXT-enabled Developer ID, there’s no extra magic required [1].

          3. I have read several posts regarding the deprecation of kext loading and distribution; however, I am confused regarding the performance of Xcode 11.x and macOS Catalina. Can loading be achieved even at the price of the user approval in Security & Privacy?

          10.15 supports KEXTs in exactly the same way as later variants of 10.14:

          • They must be signed with a KEXT-enabled Developer ID.

          • They must be notarised.

          • Their loading is subject to user approval.

          The main difference is that some KEXT use cases have user space replacements and, in those cases, using a KEXT has been officially deprecated.  See Deprecated Kernel Extensions and System Extension Alternatives for the details.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

          [1] For a summary of the standard process, see my Signing a Mac Product For Distribution post.

            • Re: Kext signing - commandline tools
              Reuven8e14 Level 1 (0 points)

              Hi, and thanks for the detailed answer.
              I have discovered why I do not see the "kext-enabled" flag on my signings; it seems that only a certificate created by the account holder can include the kext-enabled flag.

              In any case, I did lots of reading and experiments, and currently I have the following issue:
              % sudo kextload /Library/Extensions/xxx.kext
              /Library/Extensions/xxx.kext failed to load - (libkern/kext) authentication failure (file ownership/permissions)...

              I have done all that I know is needed:

              1. Signing (validated that I have the kext-enabled flag (1.2.840.113635.100.6.1.18))

              2. Notarize: % xcrun altool --notarize-app --primary-bundle-id ...... and validate using % xcrun altool --notarization-info (no errors - success)

              3. Staple: % sudo xcrun stapler staple -q xxx.kext and validate using % sudo xcrun stapler validate xxx.kext (the validate action worked!)

              However, when I try to load it I get the above failure.

              When executing % sudo kextutil xxx.kext I get the following response:

              Kext rejected due to improper filesystem permissions: <OSKext 0x7f98fb623100 [0x7fff86f26690]>


              Any idea what I am missing, what to check, or how to overcome this?


              Thanks in advance,

              Reuven

                • Re: Kext signing - commandline tools
                  eskimo Apple Staff (13,905 points)

                  Kext rejected due to improper filesystem permissions

                  Given their security-sensitive nature, the system checks that KEXTs have appropriate file system permissions before loading them.  I don’t remember the exact details, but the general idea is that the KEXT must not be writable by anyone other than root.  The system checks both the top-level .kext directory and all the directories and files nested in it.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                    • Re: Kext signing - commandline tools
                      joconnor Level 1 (10 points)

                      KEXTs have to be root:wheel and 755 or tighter.


                      sudo chown -R root:wheel kextPath
                      sudo chmod -R 755 kextPath

                        • Re: Kext signing - commandline tools
                          Reuven8e14 Level 1 (0 points)

                          Thanks for this info!
                          However, I did try to set that on the .kext bundle and got the same result: "Kext rejected due to improper filesystem permissions".

                          Any idea what I am missing or what to try?
                          Thanks a lot in advance,

                          Reuven

                            • Re: Kext signing - commandline tools
                              eskimo Apple Staff (13,905 points)

                              Try doing something like this:

                              % find /System/Library/Extensions/pthread.kext -print0 | xargs -0 ls -ld
                              drwxr-xr-x@ 3 root  wheel     96  9 Nov 12:06 /System/Library/Extensions/pthread.kext
                              drwxr-xr-x  6 root  wheel    192 10 Feb 00:31 /System/Library/Extensions/pthread.kext/Contents
                              -rw-r--r--  1 root  wheel   2060 10 Jan 05:27 /System/Library/Extensions/pthread.kext/Contents/Info.plist
                              drwxr-xr-x  3 root  wheel     96 10 Feb 00:31 /System/Library/Extensions/pthread.kext/Contents/MacOS
                              -rwxr-xr-x  1 root  wheel  62880 23 Jan 14:02 /System/Library/Extensions/pthread.kext/Contents/MacOS/pthread
                              drwxr-xr-x  3 root  wheel     96 10 Feb 00:31 /System/Library/Extensions/pthread.kext/Contents/_CodeSignature
                              -rw-r--r--  1 root  wheel   2428 23 Jan 14:02 /System/Library/Extensions/pthread.kext/Contents/_CodeSignature/CodeResources
                              -rw-r--r--  1 root  wheel    517 10 Jan 05:27 /System/Library/Extensions/pthread.kext/Contents/version.plist

                              Share and Enjoy

                              Quinn “The Eskimo!”
                              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                              let myEmail = "eskimo" + "1" + "@apple.com"
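The rule joconnor states (root:wheel, 755 or tighter, for every path in the bundle) and the find/ls listing above can be turned into a single check that reports exactly which entries would make kextload reject a bundle. This is an added example, not code from the thread or from Apple; the optional owner/group parameters are an assumption added so the mode logic can be exercised without root, the real requirement being the defaults root and wheel.

```shell
#!/bin/sh
# Added example: walk a .kext bundle and print every path that violates the
# loader's ownership/permission rule: owner root, group wheel, and no write
# bit for group or other (755 or tighter). Exit status 1 if anything is wrong.
# Usage: kext_perm_check /Library/Extensions/xxx.kext [owner] [group]
# owner/group default to root and wheel; overriding them is only for testing.
kext_perm_check() {
    bundle=$1
    want_owner=${2:-root}
    want_group=${3:-wheel}
    [ -e "$bundle" ] || { echo "no such path: $bundle" >&2; return 2; }
    # The first four columns of `ls -ld` (mode, links, owner, group) are the same
    # on macOS and Linux; LC_ALL=C keeps the date in three fields so that the
    # path always starts at field 9.
    find "$bundle" -print0 | xargs -0 env LC_ALL=C ls -ld |
    awk -v o="$want_owner" -v g="$want_group" '
    {
        mode = $1; owner = $3; group = $4
        # rebuild a path that contains spaces from the remaining fields
        path = $9; for (i = 10; i <= NF; i++) path = path " " $i
        reasons = ""
        if (owner != o) reasons = reasons " owner=" owner
        if (group != g) reasons = reasons " group=" group
        # characters 6 and 9 of the mode string are the group/other write bits
        if (substr(mode, 6, 1) == "w") reasons = reasons " group-writable"
        if (substr(mode, 9, 1) == "w") reasons = reasons " world-writable"
        if (reasons != "") { bad++; print path ":" reasons }
    }
    END { if (bad > 0) exit 1 }'
}
```

Run it as `sudo kext_perm_check /Library/Extensions/xxx.kext` after the chown/chmod step; a clean bundle prints nothing and exits 0.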

                              • Re: Kext signing - commandline tools
                                mdobro Level 2 (40 points)

                                Check if there is a copy of your kext in /Library/StagedExtensions/Library/Extensions and what permissions it has. The last time I worked with kernel extensions, the system would load a copy of the kext into that folder but would not modify the permissions on that copy if you changed the permissions on the kext in /Library/Extensions. Incorrect permissions on that copy would result in permission errors loading the kext. If I recall correctly, changing the permissions on the copy in StagedExtensions was a pain since that folder was protected by SIP (you need to boot into recovery mode and delete the copy in StagedExtensions from there).