
This is the first time I have ever tried to sign a kernel extension, so I am open to the possibility that I'm doing it wrong.

I requested a kernel signing certificate from Apple. I was required to fill out a form that demonstrated that I really needed to create an in-kernel driver, rather than a user space driver that talked to an IOUserClient.

$ sudo kextutil FL2000.kext/
Password:
Notice: /Library/Extensions/FL2000.kext has debug properties set.
Diagnostics for /Library/Extensions/FL2000.kext:
Code Signing Failure: code signature is invalid
Untrusted kexts are not allowed
ERROR: invalid signature for com.frescologic.FL2000, will not load

It doesn't load at boot - it needs to because it is a graphics driver.

$ codesign --verify -vvvv FL2000.kext/
FL2000.kext/: valid on disk
FL2000.kext/: satisfies its Designated Requirement

$ codesign --display -vvvv FL2000.kext/
Executable=/Library/Extensions/FL2000.kext/Contents/MacOS/FL2000
Identifier=com.frescologic.FL2000
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1590 flags=0x0(none) hashes=44+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=83a0328f9af971484b7e30c8d04e68a96dee72c1
CandidateCDHash sha256=cd6c72d17f00d2eed36078eece6a5b536c482772
Hash choices=sha1,sha256
Page size=4096
CDHash=cd6c72d17f00d2eed36078eece6a5b536c482772
Signature size=4693
Authority=Mac Developer: Michael Crawford (YU8CSARZFD)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 10, 2017, 1:10:07 PM
Info.plist entries=20
TeamIdentifier=444JK52Q93
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=184

Help me O Stackoverflow-Wan. You're my only hope!

Mike Crawford
  • After your kext signing was approved, did you generate a new Developer ID certificate with that developer account? Any certificates issued before that point won’t have the correct certificate extension. The required extension is ["( 1.2.840.113635.100.6.1.18 )"](https://stackoverflow.com/a/26302040/48660). – pmdj Nov 11 '17 at 07:20
  • I don't have that extension. It's not clear to me how to generate a new developer ID certificate. I want one for production but the page only offers them for development. – Mike Crawford Nov 15 '17 at 23:48
  • I have two Mac Developer certificates, one with my email and the other my name. I think the one with my name was issued by my client. In any case neither cert contains that extension. – Mike Crawford Nov 15 '17 at 23:52
  • My team admin requested a new Developer ID Application certificate. It definitely has that extension now. But my signatures are still invalid. – Mike Crawford Nov 16 '17 at 01:01
  • I got it to work! I'll write up a proper answer tomorrow, unless some hired assassin rubs me out for threatening to post a rational explanation. – Mike Crawford Nov 16 '17 at 01:33
  • Cool. I've done a basic write-up in an answer below that should explain the problem and solution, but feel free to add anything else that would have helped you solve it quicker! – pmdj Nov 16 '17 at 11:22

1 Answer


I should have spotted this in your codesign output, but your comments make it clear: the problem is with the certificate you are using. Apple issues 4 kinds of Mac codesigning certificates:

  1. "Mac Developer" certificates are for signing apps destined for the Mac App Store during the development phase. This is the type of certificate you appeared to be trying to use for signing a kext. This won't work. It will sign it OK, but kextd etc. won't accept the signature.
  2. "Developer ID Application" certificates are for signing apps which will be distributed outside the App Store. A special variant of this type of certificate includes the certificate extension "( 1.2.840.113635.100.6.1.18 )" - only with this extension, it becomes possible to sign kexts such that they are accepted by macOS.
  3. "Developer ID Installer" certificates are for signing Installer .pkg files/bundles. If you are distributing an app via a DMG or ZIP file, you shouldn't need this, but if you need an installer, possibly because what you're distributing isn't an app, but a kext or system service, then you should create an installer package and sign that with such a certificate.
  4. "Mac Distribution" certificates are what you use to sign the build of an app before submitting it to the Mac App Store. These are also irrelevant to kext signing.

Presumably for security reasons, certificate types 2-4 are only issued to Team Agents in an Apple Developer account. Lowly developers are only given "Mac Developer" certificates, which are intended to be purely temporary, so they're not very security-relevant.

So to summarise, your problem is that you're using a "Mac Developer" certificate to sign a kext. You need to use a "Developer ID Application" certificate instead, specifically one that was issued after the development team was granted kext signing privileges by Apple. If you haven't applied for kext signing privileges, you can do so using this form. (It sounds like you have done so previously, but I'm pointing it out for the benefit of people in the same situation who might stumble across this in the future.)

pmdj
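The answer hinges on one certificate extension, and the `codesign --display` output in the question never shows extensions, so you cannot tell from it whether the leaf certificate is kext-capable. The following script is an added example, not code from the question or from pmdj's answer: it uses only the Python standard library to walk a DER-encoded X.509 certificate and report whether OID 1.2.840.113635.100.6.1.18 is among its extensions. On macOS the leaf certificate of a signed kext can be dumped with `codesign -d --extract-certificates FL2000.kext`, which writes `codesign0` (leaf), `codesign1`, ... as DER files; pass `codesign0` as the argument. The `build_stub_cert` helper fabricates a structurally valid but otherwise meaningless certificate (empty issuer/subject, dummy signature) purely so the check can be exercised offline; it is a constructed stand-in, not an Apple certificate.

```python
"""Check a DER X.509 certificate for Apple's kext-signing extension.

Usage:  python3 kext_cert_check.py codesign0
        (codesign0 comes from: codesign -d --extract-certificates Foo.kext)
Without an argument a constructed stub certificate is checked instead.
"""
import sys

KEXT_SIGNING_OID = "1.2.840.113635.100.6.1.18"   # from the answer above


def encode_oid(oid: str) -> bytes:
    """DER content bytes of a dotted OID: first two arcs merged, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # high-order groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid (handles the 2.x arc where first byte >= 80)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(data: bytes, pos: int):
    """Parse one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def children(content: bytes):
    """Yield (tag, content) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        yield tag, value


def x509_extension_oids(cert_der: bytes) -> list:
    """Certificate -> tbsCertificate -> [3] Extensions -> list of extnID OIDs."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is the file PEM? convert with openssl x509 -outform DER)")
    _, tbs = next(iter(children(cert)))         # first child is tbsCertificate
    oids = []
    for tag, value in children(tbs):
        if tag != 0xA3:                          # [3] EXPLICIT Extensions
            continue
        _, ext_seq = next(iter(children(value)))  # SEQUENCE OF Extension
        for _, ext in children(ext_seq):
            ext_tag, ext_oid = next(iter(children(ext)))  # extnID is the first field
            if ext_tag == 0x06:
                oids.append(decode_oid(ext_oid))
    return oids


def has_kext_signing_extension(cert_der: bytes) -> bool:
    return KEXT_SIGNING_OID in x509_extension_oids(cert_der)


def tlv(tag: int, content: bytes) -> bytes:
    """DER-encode a TLV, choosing short or long-form length as required."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_stub_cert(extension_oids) -> bytes:
    """CONSTRUCTED stand-in: correct certificate skeleton, dummy everything else."""
    def seq(*items):
        return tlv(0x30, b"".join(items))
    rsa_sha256 = seq(tlv(0x06, encode_oid("1.2.840.113549.1.1.11")))
    exts = seq(*[seq(tlv(0x06, encode_oid(o)), tlv(0x04, b"\x05\x00"))
                 for o in extension_oids])
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")),   # [0] version v3
              tlv(0x02, b"\x01"),              # serialNumber
              rsa_sha256,                      # signature algorithm
              seq(), seq(), seq(), seq(),      # issuer, validity, subject, SPKI (empty stubs)
              tlv(0xA3, exts))                 # [3] extensions
    return seq(tbs, rsa_sha256, tlv(0x03, b"\x00" * 9))   # dummy signature BIT STRING


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            der = f.read()
    else:   # constructed sample with basicConstraints and keyUsage only
        der = build_stub_cert(["2.5.29.19", "2.5.29.15"])
    print("extensions:", x509_extension_oids(der))
    print("kext signing extension present:", has_kext_signing_extension(der))
```

Run it against `codesign0` for each certificate you have in your keychain (the "Mac Developer" one and the post-approval "Developer ID Application" one) and the difference pmdj describes becomes visible directly: only the latter lists 1.2.840.113635.100.6.1.18. The parser deliberately uses the proper tag walk rather than a raw byte search for the OID, so an unrelated OCTET STRING that happens to contain the same bytes cannot produce a false positive.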