1 Reply
      Latest reply on Sep 19, 2016 11:14 AM by scrod
      gc. Apple Staff Apple Staff (255 points)

        If you have a signed kernel extension that loads fine on El Capitan but not on Sierra, check if it has both 32-bit and 64-bit slices. The file command will return something like:


        $ file MyKext.kext/Contents/MacOS/MyKext
        MyKext.kext/Contents/MacOS/MyKext: Mach-O universal binary with 2 architectures
        MyKext.kext/Contents/MacOS/MyKext (for architecture x86_64): Mach-O 64-bit kext bundle x86_64
        MyKext.kext/Contents/MacOS/MyKext (for architecture i386): Mach-O object i386


        When the 64-bit kernel was announced, the WWDC session pointed out that such kexts were not supported and two kexts should be shipped instead.


        Now that strict code signing validation is being done on kexts, these unsupported kexts will fail signature verification.


        The solution is to either remove the 32-bit slice, or, if you still need to support Macs that can only run the 32-bit kernel, split the kext into two separate kexts and sign the 64-bit version.



        • Re: Kext loads on OS X v10.11 but not on macOS Sierra
          scrod Level 1 Level 1 (0 points)

          FYI, I noticed a similar issue, but the problem was specifically due to the presence of additional files under Contents/_CodeSignature in the kext bundle:


          CodeDirectory, CodeRequirements, and CodeSignature.


          With these files under 10.12, kextutil -t reported a code-signing error. Earlier versions of OS X could load the kext without issue.


          Removing these files such that only the CodeResources file remained allowed the kext to load on 10.12.