      Latest reply on Mar 28, 2019 3:52 AM by eskimo
      eskimo Apple Staff (11,655 points)

        On modern systems all KEXTs must be code signed with a Developer ID.  Additionally, the Developer ID must be specifically enabled for KEXT development.  You can learn more about that process on the Developer ID page.

        If your KEXT is having code signing problems, you should check that it’s signed with a KEXT-enabled Developer ID.  You can do this by looking at the certificate used to sign the KEXT.  First, extract the certificates from the signed KEXT:

        $ codesign -d --extract-certificates MyKEXT.kext
        Executable=/Users/quinn/Desktop/MyKEXT/build/Debug/MyKEXT.kext/Contents/MacOS/MyKEXT

        This creates a bunch of certificates of the form codesignXXX, where XXX is a number in the range from 0 (the leaf) to N (the root).  For example:

        $ ls -lh codesign*
        -rw-r--r--+ 1 quinn  staff   1.4K 20 Jul 10:23 codesign0
        -rw-r--r--+ 1 quinn  staff   1.0K 20 Jul 10:23 codesign1
        -rw-r--r--+ 1 quinn  staff   1.2K 20 Jul 10:23 codesign2

        Next, rename each of those certificates to include the .cer extension:

        $ for i in codesign*; do mv "$i" "$i.cer"; done

        Finally, you can look at the leaf certificate (codesign0.cer) to see if it has an extension with the OID 1.2.840.113635.100.6.1.18.  The easiest way to view the certificate is to use Quick Look in Finder.

        Note If you’re curious where these Apple-specific OIDs come from, check out the documents on the Apple PKI page.  In this specific case, look at section 4.12.3 of the Developer ID CPS.

        If the certificate does have this extension, there’s some other problem with your KEXT’s code signing.  In that case, feel free to create a new thread here on DevForums with your details.

        If the certificate does not have this extension, there are two possible causes:

        • Xcode might be using an out-of-date signing certificate.  You should re-create your Developer ID signing certificate using the developer site and then see if the extension shows up there.  If so, you’ll have to investigate why Xcode is not using the most up-to-date signing certificate.

        • If a freshly-created Developer ID signing certificate does not have this extension, then you need to apply to get your Developer ID enabled for KEXT development per the instructions on the Developer ID page.

        Share and Enjoy

        Quinn “The Eskimo!”
        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
        let myEmail = "eskimo" + "1" + "@apple.com"

        Change history:

        • 20 Jul 2016 — First published.

        • 28 Mar 2019 — Added a link to the Apple PKI site.  Other, minor changes.