Hello,
We've applied for the kernel certificate in order to sign kext extensions and load them into the system - currently we're operating on El Capitan 10.11.3. We've applied the obtained certificate to the system, which is available in the system's keychain. After that I've created a new generic kernel extension in Xcode 7.3 and selected my certificate to be used for signing purposes.
After building the default simple kernel module (without modifying the code in any way), I've chowned to root:wheel and chmod to 755 in order to fix permission issues; I've also moved the certificate to the /System/Library/Extensions/ directory. Afterwards, I wanted to load the kext into the kernel by using kextload, which failed with the following error:
# kextload helloworld.kext/
/System/Library/Extensions/helloworld.kext failed to load - (libkern/kext) not loadable (reason unspecified); check the system/kernel logs for errors or try kextutil(8).
The system log reports the following:
Apr 1 10:05:00 Evangeline com.apple.kextd[45]: Untrusted kexts are not allowed
Apr 1 10:05:00 Evangeline com.apple.kextd[45]: ERROR: invalid signature for com.apple.driver.helloworld, will not load
The kextutil reports that code signature is invalid:
# kextutil -tn helloworld.kext/
helloworld.kext is invalid; can't resolve dependencies.
helloworld.kext is invalid; can't resolve dependencies.
helloworld.kext is invalid; can't resolve dependencies.
Diagnostics for helloworld.kext:
Validation Failures:
    Info dictionary property value is illegal:
        OSBundleLibraries
    Info dictionary missing required property/value:
        OSBundleLibraries
Code Signing Failure: code signature is invalid
The spctl rejects the kext:
Evangeline:Debug root# spctl -vat execute helloworld.kext
helloworld.kext: rejected
The certificate has the following extensions:
Key Usage ( 2.5.29.15 )
Basic Constraints ( 2.5.29.19 )
Extended Key Usage ( 2.5.29.37 )
Subject Key Identifier ( 2.5.29.14 )
Authority Key Identifier ( 2.5.29.35 )
Certificate Policies ( 2.5.29.32 )
( 1.2.840.113635.100.6.1.12 )
Certificate Authority Information Access ( 1.3.6.1.5.5.7.1.1 )
The certificate doesn't have the "1.2.840.113635.100.6.1.18" OID, which seems to be required to sign kernel extensions, but I'm not sure how to proceed. The https://developer.apple.com/account/mac/certificate/ doesn't say anything about obtaining a kext certificate - which we've requested in the past and it was granted to us by Apple.
Any ideas what is going on and how we should proceed?
Thank you
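
The extension check described in the post, as an added example that is not part of the original post: a minimal DER walk that lists a certificate's extension OIDs and tests for 1.2.840.113635.100.6.1.18. It assumes the certificate has been exported in DER form; the function names and the SAMPLE bytes are constructed for illustration.

```python
# Added example: list a DER certificate's extension OIDs, check for the kext OID.
KEXT_OID = "1.2.840.113635.100.6.1.18"  # OID the post says seems to be required

def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Yield (tag, value_bytes) for each element inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs, val = [], 0
    for byte in body:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs.append(val)
            val = 0
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))

def extension_oids(cert):
    """Return the extnID of every extension in a DER-encoded certificate."""
    tbs = read_tlv(read_tlv(cert)[1])[1]       # Certificate -> tbsCertificate
    for tag, value in children(tbs):
        if tag == 0xA3:                        # [3] EXPLICIT Extensions
            extensions = read_tlv(value)[1]    # SEQUENCE OF Extension
            # extnID is the first element of each Extension
            return [decode_oid(read_tlv(e)[1]) for _, e in children(extensions)]
    return []

def has_kext_oid(cert):
    return KEXT_OID in extension_oids(cert)

# Constructed skeleton, not a real certificate: a serial number and two
# extensions (Key Usage and the ...6.1.12 one the post lists), no key or signature.
SAMPLE = bytes.fromhex("3028" "3026" "020101" "a321" "301f"
                       "300b0603551d0f040403020780"
                       "3010060a2a864886f7636406010c04020500")
```

On the constructed sample, `extension_oids(SAMPLE)` returns the Key Usage and ...6.1.12 OIDs and `has_kext_oid(SAMPLE)` is false, which matches the extension list shown in the post.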