KEXT Code Signing Problems

This thread has been locked by a moderator.

On modern systems all KEXTs must be code signed with a Developer ID. Additionally, the Developer ID must be specifically enabled for KEXT development. You can learn more about that process on the Developer ID page.

If your KEXT is having code signing problems, check that it’s signed with a KEXT-enabled Developer ID. Do this by looking at the certificate used to sign the KEXT. First, extract the certificates from the signed KEXT:

% codesign -d --extract-certificates MyKEXT.kext
Executable=/Users/quinn/Desktop/MyKEXT/build/Debug/MyKEXT.kext/Contents/MacOS/MyKEXT

This creates a bunch of certificates of the form codesignNNN, where NNN is a number in the range from 0 (the leaf) to N (the root). For example:

% ls -lh codesign*
-rw-r--r--+ 1 quinn  staff   1.4K 20 Jul 10:23 codesign0
-rw-r--r--+ 1 quinn  staff   1.0K 20 Jul 10:23 codesign1
-rw-r--r--+ 1 quinn  staff   1.2K 20 Jul 10:23 codesign2

Next, rename each of those certificates to include the .cer extension:

% for i in codesign*; do mv "$i" "$i.cer"; done

Finally, look at the leaf certificate (codesign0.cer) to see if it has an extension with the OID 1.2.840.113635.100.6.1.18. The easiest way to view the certificate is to use Quick Look in Finder.

Note: If you’re curious where these Apple-specific OIDs come from, check out the documents on the Apple PKI page. In this specific case, look at section 4.11.3 Application and Kernel Extension Code Signing Certificates of the Developer ID CPS.

If the certificate does have this extension, there’s some other problem with your KEXT’s code signing. In that case, feel free to create a new thread here on DevForums with your details.

If the certificate does not have this extension, there are two possible causes:

  • Xcode might be using an out-of-date signing certificate. Re-create your Developer ID signing certificate using the developer site and see if the extension shows up there. If so, you’ll have to investigate why Xcode is not using the most up-to-date signing certificate.

  • If a freshly-created Developer ID signing certificate does not have this extension, you need to apply to get your Developer ID enabled for KEXT development per the instructions on the Developer ID page.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Change history:

  • 20 Jul 2016 — First published.

  • 28 Mar 2019 — Added a link to the Apple PKI site. Other, minor changes.

  • 15 Mar 2022 — Fixed the formatting. Updated the section number in the Developer ID CPS. Made other minor editorial changes.

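The leaf-certificate check described in the post, done from the command line instead of Quick Look. This is an added example, not part of the original post and not Apple tooling: a small Python DER walker that lists the extension OIDs of an extracted certificate and reports whether 1.2.840.113635.100.6.1.18 is among them. It assumes the extracted file is DER-encoded; `SAMPLE` is a constructed skeleton rather than a real certificate, and all function names are hypothetical.

```python
import sys

KEXT_OID = "1.2.840.113635.100.6.1.18"  # extension OID named in the post
# Constructed skeleton (not a real certificate): only the nesting read below.
SAMPLE = bytes.fromhex("30183016a31430123010060a2a864886f7636406011204020500")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, pos, end):
    """Yield read_tlv() results for each element inside [pos, end)."""
    while pos < end:
        elem = read_tlv(buf, pos)
        yield elem
        pos = elem[2]

def decode_oid(body):
    """Turn DER OID content bytes into dotted notation."""
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(der):
    """Yield the extension OIDs of a DER X.509 certificate (none if absent)."""
    _, cs, ce = read_tlv(der, 0)               # Certificate
    _, ts, te = next(children(der, cs, ce))    # tbsCertificate
    for tag, vs, _ in children(der, ts, te):
        if tag == 0xA3:                        # [3] EXPLICIT extensions
            _, ss, se = read_tlv(der, vs)      # SEQUENCE OF Extension
            for _, es, _ in children(der, ss, se):
                _, o_start, o_end = read_tlv(der, es)  # extnID comes first
                yield decode_oid(der[o_start:o_end])

def has_kext_extension(der):
    return KEXT_OID in extension_oids(der)

if __name__ == "__main__":
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("KEXT-enabled" if has_kext_extension(der) else "KEXT extension missing")
```

Saved under a name of your choice (for example `check_kext_oid.py`, a hypothetical name), it takes the leaf certificate as its argument: `python3 check_kext_oid.py codesign0.cer`.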