9
votes

I code-signed a kext in Yosemite, but kextload fails.
It was a version 2 codesign, and codesign --verify succeeds.
But kextload still fails. Why won't it load in Yosemite?

Here is my log.

I have checked with codesign -dvvv ./myKext.kext and it's all right.

codesign -dvvv ./myKext.kext returned following:

Executable=/Path/to/myKext
Identifier=com.myKext.kext.Firewall
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=317 flags=0x0(none) hashes=9+3 location=embedded
Hash type=sha1 size=20
CDHash=d0ff68bd8b49c650f45349c2d1570d45a8c1f148
Signature size=8544
Authority=Developer ID Application: My Kext Co., Ltd. (R2PBZJ465V)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=2014. 10. 31. 오전 11:09:35
Info.plist entries=18
TeamIdentifier=not set
Sealed Resources version=2 rules=12 files=1
Internal requirements count=1 size=188

It shows that it is version 2.
But sudo kextload ./myKext.kext is returning the following:

/Path/to/myKext.kext failed to load - (libkern/kext) not loadable (reason unspecified); check the system/kernel logs for errors or try kextutil(8).

cat /var/log/system.log returns:

com.apple.kextd[19]: ERROR: invalid signature for com.myKext.kext.Firewall, will not load

sudo kextutil -l ./myKext.kext returns:

Diagnostics for ./myKext.kext:
Code Signing Failure: code signature is invalid
ERROR: invalid signature for com.myKext.kext.Firewall, will not load

Why is the signature invalid?!
I signed it with a version 2 codesign in Yosemite.
What did I do wrong when signing? Somebody please teach me.

Comments:

I'm just guessing, but won't Apple need to be involved in the code signing in order to make it valid? (trojanfoe)

Have you requested from Apple that your DeveloperID has the kext codesign attribute added to it? (TheDarkKnight)

This looks like the same problem as this: stackoverflow.com/questions/26283158/… (pmdj)

3 Answers

8
votes

I had the same problem too, and I got the solution, which I am sharing with you.

Apple changed the Mac Developer Program and removed kext certification from it. So even if you are a member of the Mac Developer Program, you will not get certification for kext development unless you request it at Developer ID and Gatekeeper.

BTW, Apple says,

"KEXT signing is intended for signing commercially shipping kexts or projects broadly distributed in a large organization."

So what we can do is run our kext in KEXT Development Mode by adding the "kext-dev-mode=1" boot-arg, like:

sudo nvram boot-args="debug=0x146 kext-dev-mode=1"

And reboot.

I hope this will be helpful for you.

0
votes

I agree with ParaDevil's answer.
For OS X Yosemite you can do the following:

  1. Download "Kernel Debug Kit";
  2. Run installer package;
  3. Continue to "Read Me" step;
  4. The "Read Me" says:

In order to load unsigned kexts, the system must have "KEXT Developer Mode" enabled by adding the "kext-dev-mode=1" boot-arg. The following command (followed by a reboot) would be suitable to prepare a system for testing non-production kexts:

sudo nvram boot-args="debug=0x146 kext-dev-mode=1"

Once this is done, the machine will be able to load any valid kext; signatures will still be checked, but a failed verification will just result in a log message. Note: This applies to kexts that contain a binary, as well as codeless (plist-only) kexts. The system will remain in developer mode until you manually remove the boot-arg or clear nvram and reboot. You can exit developer mode by redefining the boot-arg to your previous settings, or clear your boot-args as follows:
sudo nvram -d boot-args

Apple recommends that you make use of KEXT Developer Mode rather than use your Developer ID certificate to sign drivers while they are under development. Ideally you should sign a driver using a Developer ID certificate only when it reaches its final stages of testing and is being evaluated for release to customers.


For OS X El Capitan 10.11 the command:

sudo nvram boot-args="debug=0x146 kext-dev-mode=1"

has no effect.

Read the System Integrity Protection Guide, section "Kernel Extensions", for more information.

0
votes

As of December 2016:

This is due to the System Integrity Protection feature that was introduced in El Capitan (10.11). As of El Capitan, the kext-dev-mode boot option has no effect, so ParaDevil's answer does not work. Instead, you must disable SIP by following the instructions from this page:

  1. Boot to Recovery OS by restarting your machine and holding down the Command and R keys at startup.

  2. Launch Terminal from the Utilities menu.

  3. Run the following command:

    csrutil disable

When you restart, System Integrity Protection should be disabled.
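Both workarounds in the answers above (the kext-dev-mode boot-arg on Yosemite, and disabling SIP on El Capitan) leave a machine that loads kexts with invalid or missing signatures, so an administrator will want to find such machines later. The following script is an added example, not code from the thread or from Apple: it takes the text of `nvram boot-args` and `csrutil status` as function arguments and reports whether kext signature enforcement has been weakened. The sample outputs embedded in it are constructed; when run on a Mac it reads the live values, elsewhere it only defines the functions.

```shell
#!/bin/sh
# Added example (not from the original thread): audit helpers that decide,
# from the text of `nvram boot-args` and `csrutil status`, whether a Mac
# loads unsigned kexts. Sample strings below are constructed for illustration.

# Return 0 (true) when the boot-args line carries kext-dev-mode=1.
# $1: a line such as 'boot-args	debug=0x146 kext-dev-mode=1' (nvram output)
kext_dev_mode_enabled() {
    printf '%s\n' "$1" | grep -qE '(^|[[:space:]])kext-dev-mode=1([[:space:]]|$)'
}

# Return 0 (true) when csrutil reports SIP disabled.
# $1: a line such as 'System Integrity Protection status: disabled.'
sip_disabled() {
    printf '%s\n' "$1" | grep -qiE 'status: disabled'
}

# Print one FINDING line per weakened control; return 1 if any was found.
# $1: boot-args text, $2: csrutil status text
audit_host() {
    bootargs="$1"
    sipstatus="$2"
    rc=0
    if kext_dev_mode_enabled "$bootargs"; then
        echo "FINDING: kext-dev-mode=1 set; failed kext signature checks only log a message"
        rc=1
    fi
    if sip_disabled "$sipstatus"; then
        echo "FINDING: SIP disabled; kext signing and other protections are not enforced"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: kext signature enforcement intact"
    return "$rc"
}

# Constructed samples showing the two states the thread describes.
SAMPLE_DEV_MODE='boot-args	debug=0x146 kext-dev-mode=1'
SAMPLE_CLEAN='boot-args	debug=0x146'
SAMPLE_SIP_OFF='System Integrity Protection status: disabled.'
SAMPLE_SIP_ON='System Integrity Protection status: enabled.'

# On macOS, audit the live machine; elsewhere only the functions are defined.
if [ "$(uname 2>/dev/null)" = "Darwin" ] && command -v nvram >/dev/null 2>&1; then
    audit_host "$(nvram boot-args 2>/dev/null)" "$(csrutil status 2>/dev/null)"
fi
```

The grep in kext_dev_mode_enabled anchors the key on whitespace so that a boot-arg such as `kext-dev-mode=10` or a different key ending in the same text is not mistaken for the developer-mode flag. A missing boot-args variable (nvram prints nothing on stdout) reads as an empty string and is reported as clean.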