Kext Code sign error in Mavericks - macos

We have an audio kernel extension, which installs in /Library/Extensions.
According to Apple's new guidelines (WWDC video 707), we should code sign kexts which install to /Library/Extensions.
We requested Apple to enable the kext code signing attribute for our Developer ID, and now it is enabled. The mail reply that we got from Apple says this:
If you have previously obtained a Developer ID for application signing, you need to re-download your Developer ID to have the updated certificate.
Hence we re-downloaded the certificate and code signed the kext. The code compiles fine. However, when we try to verify the code signature using the command below
sudo kextutil -tn KEXTPATH
it gives the following error:
Code Signing Failure: code signature is invalid
KEXT_PATH appears to be loadable (including linkage for on-disk libraries).
Can anyone help me resolve this error?

Apart from the Developer ID certificate, for the code signing of kexts to work you need to code sign the kernel extension on 10.9 and above.
You cannot sign it on 10.8 and then install it on 10.9 in /Library/Extensions.
I am not sure if this helps solve your problem.

How to run un-signed System Extensions in OSX catalina?
I'm trying to load SimpleFirewall, which is a system extension provided by Apple, meant to demonstrate packet filtering capabilities.
The project compiles, but I get this error during the run:
OSSystemExtensionErrorDomain error 8
I looked it up; it means:
Invalid code signature or missing entitlements
I have SIP disabled and turned off code signing in the Xcode project. What else can I do to have this run? I don't have a Developer ID, I'm just testing the code.
As per Eskimo's answer on the Apple Developer Forums, in addition to
- disabling SIP and
- enabling SYSX developer mode (systemextensionsctl developer on)
you might need to disable AMFI:
nvram boot-args="amfi_get_out_of_my_way=0x1"
This has to be done from the command line in Recovery Mode.
AFAIK you only need to do it if you don't have a developer provisioning profile with the com.apple.developer.endpoint-security.client entitlement.
Apple's Documentation on 'Debugging and Testing System Extensions' has some information on this subject.
In theory, disabling SIP should take care of the signing requirements. You may still need to sign the extension with a free Mac Developer certificate so that the entitlements can be embedded.
Are you trying to use the extension from outside an app? If so, the command
systemextensionsctl developer on
should help.
I have the same issue as #tuti.
I am testing a hello world System Extension based on DriverKit. I am using a free developer account, a Mac mini running Catalina, and Xcode 11 for development.
In Xcode, I have set it to not sign my code for both the application and the system extension. I have also disabled SIP and run the command "systemextensionsctl developer on".
But when I load my system extension from a Swift application, it still shows me the log "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 8.)". When I look up error 8, it means invalid signature. But on my computer, I can load an unsigned kernel extension normally.
So I don't know why. I think the OS still checks code signing for system extensions regardless of whether I disable SIP.

Ancient Kext, Signing issues

I have an ancient kext (last supported with 10.7.5). It works when disabling SIP and such.
The question I'm having is whether you can sign that ancient kext. I already tried: codesign -s "Developer ID Application:" --verbose Downloads/private/tmp/InstallerTemp/M-AudioFireWireBeBoB.kext/
You haven't given much detail. Does signing fail? If it succeeds, what does kextutil path/to/M-AudioFireWireBeBoB.kext say?
A few things I can think of that could be causing problems:
I don't think codesigning works for kexts with a 32-bit slice. So if it's a universal 32/64-bit kext (or if it still has a PPC slice 😱), extract the x86-64 binary using lipo and use only that instead.
The signing certificate must have the special kext signing feature associated with it. Apple only grants that upon special request, a regular Developer ID Application certificate is not sufficient for kexts.
On macOS 10.14.5+ and 10.15, the kext must additionally be notarised. Create a zipfile of the kext, and upload it to Apple using xcrun altool --notarize-app. Once approved, you can staple the notarisation to the kext using xcrun stapler staple path/to/your.kext. See Apple's documentation on notarisation and the output of xcrun altool --help for details.

kextutil says my kernel extension signature is invalid, but code sign says it is valid. It does not load

This is the first time I have ever tried to sign a kernel extension, so I am open to the possibility that I'm doing it wrong.
I requested a kernel signing certificate from Apple. I was required to fill out a form that demonstrated that I really needed to create an in-kernel driver, rather than a user space driver that talked to an IOUserClient.
$ sudo kextutil FL2000.kext/
Password:
Notice: /Library/Extensions/FL2000.kext has debug properties set.
Diagnostics for /Library/Extensions/FL2000.kext:
Code Signing Failure: code signature is invalid
Untrusted kexts are not allowed
ERROR: invalid signature for com.frescologic.FL2000, will not load
It doesn't load at boot - it needs to because it is a graphics driver.
$ codesign --verify -vvvv FL2000.kext/
FL2000.kext/: valid on disk
FL2000.kext/: satisfies its Designated Requirement
$ codesign --display -vvvv FL2000.kext/
Executable=/Library/Extensions/FL2000.kext/Contents/MacOS/FL2000
Identifier=com.frescologic.FL2000
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1590 flags=0x0(none) hashes=44+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=83a0328f9af971484b7e30c8d04e68a96dee72c1
CandidateCDHash sha256=cd6c72d17f00d2eed36078eece6a5b536c482772
Hash choices=sha1,sha256
Page size=4096
CDHash=cd6c72d17f00d2eed36078eece6a5b536c482772
Signature size=4693
Authority=Mac Developer: Michael Crawford (YU8CSARZFD)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 10, 2017, 1:10:07 PM
Info.plist entries=20
TeamIdentifier=444JK52Q93
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=184
Help me O Stackoverflow-Wan. You're my only hope!
I should have spotted this in your codesign output, but your comments make it clear: the problem is with the certificate you are using. Apple issues 4 kinds of Mac codesigning certificates:
1. "Mac Developer" certificates are for signing apps destined for the Mac App Store during the development phase. This is the type of certificate you appeared to be trying to use for signing a kext. This won't work. It will sign it OK, but kextd etc. won't accept the signature.
2. "Developer ID Application" certificates are for signing apps which will be distributed outside the App Store. A special variant of this type of certificate includes the certificate extension "( 1.2.840.113635.100.6.1.18 )"; only with this extension does it become possible to sign kexts such that they are accepted by macOS.
3. "Developer ID Installer" certificates are for signing Installer .pkg files/bundles. If you are distributing an app via a DMG or ZIP file, you shouldn't need this, but if you need an installer, possibly because what you're distributing isn't an app but a kext or system service, then you should create an installer package and sign that with such a certificate.
4. "Mac Distribution" certificates are what you use to sign the build of an app before submitting it to the Mac App Store. These are also irrelevant to kext signing.
Presumably for security reasons, certificate types 2-4 are only issued to Team Agents in an Apple Developer account. Lowly developers are only given "Mac Developer" certificates, which are intended to be purely temporary, so they're not very security-relevant.
So to summarise, your problem is that you're using a "Mac Developer" certificate to sign a kext. You need to use a "Developer ID Application" certificate instead, specifically one that was issued after the development team was granted kext signing privileges by Apple. If you haven't applied for kext signing privileges, you can do so using this form. (It sounds like you have done so previously, but I'm pointing it out for the benefit of people in the same situation who might stumble across this in the future.)
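As an added example (not code from any of the answers), a small Python pre-flight check that parses codesign --display -vvvv output such as the listing in the question and flags the two problems the answers above describe: a "Mac Developer" leaf certificate where a "Developer ID Application" certificate is needed, and a 32-bit or PPC slice in the binary. The sample text is constructed from the question's own listing; whether a Developer ID certificate actually carries the kext-signing extension is not visible in this output and is not checked here.

```python
"""Pre-flight check of `codesign --display -vvvv` output before running kextutil."""
import re

# Constructed sample, trimmed from the codesign listing quoted in the question above.
SAMPLE = """Executable=/Library/Extensions/FL2000.kext/Contents/MacOS/FL2000
Identifier=com.frescologic.FL2000
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1590 flags=0x0(none) hashes=44+3 location=embedded
Authority=Mac Developer: Michael Crawford (YU8CSARZFD)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=444JK52Q93
"""


def parse_codesign_display(text):
    """Turn `key=value` lines into a dict; the repeated Authority key becomes a list
    ordered leaf first, exactly as codesign prints the chain."""
    info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Authority":
            info.setdefault("Authority", []).append(value)
        else:
            info[key] = value
    return info


def kext_signing_findings(info):
    """Return the reasons kextd/kextutil would reject this signature (empty list = none seen)."""
    findings = []
    chain = info.get("Authority", [])
    leaf = chain[0] if chain else ""
    if not leaf:
        findings.append("unsigned: no Authority chain present")
    elif leaf.startswith("Mac Developer:"):
        findings.append("leaf is a 'Mac Developer' certificate; kexts need 'Developer ID Application'")
    elif not leaf.startswith("Developer ID Application:"):
        findings.append(f"leaf type {leaf.split(':')[0]!r} is not 'Developer ID Application'")
    # Universal binaries list their slices in the Format line; a 32-bit or PPC slice
    # should be stripped with lipo before signing (see the earlier answer).
    if re.search(r"\b(i386|ppc)\b", info.get("Format", "")):
        findings.append("binary has a 32-bit or PPC slice; sign a thin x86_64 slice instead")
    return findings


if __name__ == "__main__":
    for problem in kext_signing_findings(parse_codesign_display(SAMPLE)):
        print("kext signing problem:", problem)
```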

Avoid the "downloaded from internet" warning on mac os with a signed app

I have developed a Qt Mac app (not using Xcode, so I do not have any Xcode project) that will be distributed outside the App Store.
I have successfully signed it with my Developer ID certificate, and if I use the following commands:
spctl --assess MyAppBundle.app
and
codesign -d -vvvvvv MyAppBundle.app
I get fine results.
The problem is that if I download it from the internet (e.g. Dropbox) I get the warning "the file was downloaded from internet, are you sure you want to open it".
Is there a way to avoid this warning? From what I gathered from the forum, it should be possible.
Btw, please note that the application passes Gatekeeper on the target computer, so the actual signing seems to be working and being accepted (Gatekeeper is on the default configuration: Mac App Store and identified developers).

Xcode Organizer "Validate" fails with the "No other information is available about the problem." message

I have built an OS X application. It builds and runs using Xcode with no problem, and I have signed the code and done all the pre-submission things required by Apple. However, when I try to Validate my application in Organizer (or Submit), I get this nasty error: "The operation could not be completed. No other information is available about the problem."
The Bundle Identifier was registered on Apple's website and it matches the one I provide in the application's .plist file. I can't even think of a way to find the problem.
I ran the installer check on the bundle, and this is what I got. Perhaps the problem is with the bundle? However, according to the Apple instructions, I can't add an Installer Signing Certificate until I am in the submission process.
installer: Warning: PMBundle.pkg is not signed for store submission
installer: Installation Check: Passed
installer: Volume Check: Passed
installer: Bundle com.xxx.yyy will be relocated to /Users/xxx/Library/Application Support/Developer/Shared/Archived Applications/4612642F-468C-49B8-9331-A148DF9E20E6.apparchive/yyy.app
installer: Starting install
installer: Install 0.0% complete
installer: Install 9.1% complete
installer: Install 100.0% complete
installer: Finished install
(I shortened bundle id to 'com.xxx.yyy' and app name to 'yyy' in the example)
Any ideas would greatly help.
I had this error because I didn't have both of the code signing certificates: 3rd Party Mac Developer Application and 3rd Party Mac Developer Installer.
Open Keychain, click Certificates in the left panel and check you have both certificates. If you don't, download them both from the Mac Dev Center; if you do, then check that in your release configuration in Xcode the code sign field is set to 3rd Party Mac Developer Application.
You then need to open Organizer, find your app and, when you share it to test it, code sign it with the 3rd Party Mac Developer Installer certificate. Make sure you manually click the drop-down menu and choose the certificate, because there's a bug which doesn't register your code signing value and then doesn't sign your code.
Should solve your problem.
All the best, Sami.
I ran into a different cause, which I'll tack on for posterity: you have to have the iOS development tools installed in order to submit to the Mac App Store, even if you aren't doing any iOS development.
I was trying to save a little disk space in my 10.6 support partition by leaving them out. Didn't work.