      Latest reply on May 6, 2019 1:41 AM by eskimo
      thomasareed Level 1 (0 points)

        I've never developed a kext before, but we have some developers who are working on one, and I put in a request for kext signing on behalf of my company. The original request went in in early January. We got our first reply from Apple on January 25, asking for more information, which we provided. We heard nothing back, despite repeated inquiries, until we were approved on March 17.

         

        Unfortunately, our developers are finding that they still cannot sign our kext, and our inquiries with Apple have led to only one response, directing us here. Subsequent inquiries have received no response.

         

        Here's the message Apple sent us on approval:

         

        Your request for a developer ID for kext signing has been processed and the kext signing attribute has been added to your Developer ID.  If you have previously obtained a Developer ID for application signing, you will need to re-download your Developer ID to have the updated certificate.

        The Team Agents for your teams can download the cert from the following page: <https://developer.apple.com/account/mac/certificate/distribution>

        Apple recommends that you make use of KEXT Developer Mode rather than use your Developer ID certificate to sign drivers while they are under development. Ideally you should sign a driver using a Developer ID certificate only when it reaches its final stages of testing and is being evaluated for release to customers.

        Thank you

         

        We have followed these instructions, but are still unable to sign the kext. We are seeing the following error:

         

        Diagnostics for FSObserver.kext:
        Code Signing Failure: code signature is invalid

         

        Is there any way that we can, in fact, verify whether our certificate actually has the kext signing attribute or not? And if it does not have that attribute, how can we escalate this issue with Apple? It's been 3 months, and we're going to need this very soon.

        • Re: Problem getting kext signing activated
          eskimo Apple Staff (11,325 points)

          Is there any way that we can, in fact, verify whether our certificate actually has the kext signing attribute or not?

          Yes. There’s actually a pinned post here on Core OS > Kernel that explains how to tell whether a KEXT is signed with a KEXT-enabled Developer ID.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Problem getting kext signing activated
              thomasareed Level 1 (0 points)

              Quinn,

               

              The problem isn't that we aren't sure whether our kext is signed properly; the problem is that we're not able to sign our kext at all, despite having been told that the kext-signing attribute was added to our developer ID. Is there some way that we can independently verify whether our developer ID has that attribute? And if it doesn't, how do we escalate, since we're not getting any responses?

                • Re: Problem getting kext signing activated
                  eskimo Apple Staff (11,325 points)

                  Is there some way that we can independently verify whether our developer ID has that attribute?

                  You need to view the Developer ID’s certificate and look for a certificate extension whose OID is 1.2.840.113635.100.6.1.18.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
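
The check described in the reply above, as an added example that is not part of the original thread and is not Apple's tooling: a dependency-free Python DER walker that lists a certificate's extension OIDs so you can test for 1.2.840.113635.100.6.1.18. All function names are assumptions, and `sample_cert` builds a constructed skeleton (not a real certificate) so the block runs offline.

```python
KEXT_OID = "1.2.840.113635.100.6.1.18"  # extension OID quoted in the thread

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):  # yields each element stored in buf[start:end]
    while start < end:
        tag, s, e = read_tlv(buf, start)
        yield tag, s, e
        start = e

def decode_oid(body):  # OBJECT IDENTIFIER content bytes -> dotted notation
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def extension_oids(der):
    """List the extnID of every extension in a DER X.509 v3 certificate."""
    _, s, e = read_tlv(der, 0)             # Certificate
    _, ts, te = next(children(der, s, e))  # tbsCertificate
    oids = []
    for tag, xs, _ in children(der, ts, te):
        if tag == 0xA3:                    # [3] EXPLICIT Extensions
            _, ls, le = read_tlv(der, xs)  # SEQUENCE OF Extension
            for _, es, _ in children(der, ls, le):
                _, o_s, o_e = read_tlv(der, es)  # extnID comes first
                oids.append(decode_oid(der[o_s:o_e]))
    return oids

def tlv(tag, body):  # sample builder; short-form lengths only
    return bytes([tag, len(body)]) + body
def sample_cert(last_arcs):  # constructed skeleton, not a real certificate
    oid = bytes.fromhex("2a864886f763640601")  # 1.2.840.113635.100.6.1
    exts = b"".join(tlv(0x30, tlv(0x06, oid + bytes([a])) + tlv(0x04, b"\x05\x00"))
                    for a in last_arcs)
    tbs = tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01") + tlv(0xA3, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, tbs))
```

For a real Developer ID certificate, pass its DER bytes to `extension_oids` and check whether `KEXT_OID` is in the returned list.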

                    • Re: Problem getting kext signing activated
                      thomasareed Level 1 (0 points)

                      Nope, we definitely don't have one with that OID. This is in a freshly-downloaded copy of our developer ID certificate. The closest that I see is one with an OID of 1.2.840.113635.100.6.1.13.

                       

                      I assume that that means that, despite apparently getting approved, our certificate has not been properly assigned the correct attribute.

                       

                      How can we escalate this?

                        • Re: Problem getting kext signing activated
                          eskimo Apple Staff (11,325 points)

                          How can we escalate this?

                          You should escalate this by replying to the email that you got notifying you that your KEXT access was granted. Please Cc my individual account (it’s shown in my signature).

                          Share and Enjoy

                          Quinn “The Eskimo!”
                          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                          let myEmail = "eskimo" + "1" + "@apple.com"

                        • Re: Problem getting kext signing activated
                          goodmao Level 1 (0 points)

                          Hi, eskimo

                          We have the same issue as above.

                          We have received Apple's approval by email, just like: "Your request for a developer ID for kext signing has been processed and the kext signing attribute has been added to your Developer ID..."

                          Then our Team Agent created a new Developer ID Application certificate, but the new Developer ID Application certificate does not have a certificate extension whose OID is 1.2.840.113635.100.6.1.18, and the closest that we see is one with an OID of 1.2.840.113635.100.6.1.13.

                          Could you help us to get the right certificate with the OID (1.2.840.113635.100.6.1.18)?

                          Thanks.