
I have macOS 10.14.5 (18F132) installed and have three different builds of my product, as below:

Case 1. Kernel extensions signed on macOS 10.9.5 in Oct 2018 (with --timestamp=none). These extensions loaded successfully on macOS 10.14.5.

Case 2. Kernel extensions signed on macOS 10.9.5 in Feb 2019 (with --timestamp=none). These extensions were unable to load on macOS 10.14.5.

Case 3. Kernel extensions signed on macOS 10.13.6 in June 2019 (with --timestamp). These extensions are notarized using the Apple notary service and load successfully on macOS 10.14.5.

My query is: as per the macOS 10.14.5 release notes, a kernel extension signed after Apr 7, 2019 has to be notarized in order to load on macOS 10.14.5, but in case #2 above the extension signed in Feb 2019 is unable to load.

If we consider this to be due to the missing timestamp, then how come the kernel extension in case #1 loads successfully?

Somewhere our observations do not match the macOS 10.14.5 release notes, but we are unable to understand the reason behind it.

Brinda

1 Answer

If we consider this to be due to the missing timestamp, then how come the kernel extension in case #1 loads successfully?

macOS contains a large whitelist of kernel extensions which it allows to load despite being unsigned or improperly signed. This can be found in the file /System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist, under the keys OSKextSigExceptionHashList and OSKextStrictExceptionHashList.

Perhaps the older kext was explicitly listed there by Apple?

pmdj
  • Yes, my kernel extensions are listed in AppleKextExcludeList.kext, but if so, then why are the extensions in case #2 not able to load on the same macOS 10.14.5? There is no timestamp in my kext's code signature, so how does macOS 10.14.5 validate the timestamp? – Brinda Jun 10 '19 at 13:45
  • @Brinda Are you sure case 2 matches the whitelist exactly? It will only load if the hash matches. Timestamps don't matter if it's in the whitelist. What does kextutil say? – pmdj Jun 10 '19 at 14:26
  • I have some queries: how do I calculate the hash of a kext? Who modifies the kernel extension list in AppleKextExcludeList.kext: macOS itself? How do I remove a kext entry from that list? How frequently will the extension list in AppleKextExcludeList.kext be modified? – Brinda Jul 05 '19 at 05:40
  • @Brinda I'm only on my phone at the moment, so I can't check, but I think one of the `codesign` subcommands should be able to generate and print the hash. You can't edit the list, Apple maintains it and updates it with OS updates. If your kext is listed and you want it removed, I suggest getting in touch with Apple. – pmdj Jul 05 '19 at 10:51
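As an added example (not code from the thread, from Apple, or from the asker's product), the following Python script does the check pmdj suggests in the comments: it reads the two exception lists out of AppleKextExcludeList.kext's Info.plist, takes the CDHash that `codesign -dvvv` prints for a kext bundle, and reports whether that exact hash is present and under which key. It assumes the two lists are dictionaries keyed by the 20-byte CDHash in hex (the `CDHash=` line of `codesign -dvvv`); confirm that against a few entries of the real file before relying on it. The embedded plist and the codesign output in the test are constructed samples with made-up hashes and bundle names, not real whitelist entries.

```python
"""Check whether a kext's CDHash appears in Apple's kext exception lists.

Added example, not code from the original thread. Assumption: the exception
lists are dicts keyed by the 20-byte CDHash in hex, as printed by
`codesign -dvvv` on the "CDHash=" line. Verify against the real Info.plist.
"""
import plistlib
import re
import subprocess
from typing import Dict, Optional, Tuple

# Path quoted in the answer above.
EXCLUDE_LIST_PLIST = (
    "/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist"
)
EXCEPTION_KEYS = ("OSKextSigExceptionHashList", "OSKextStrictExceptionHashList")

# Constructed sample standing in for the real Info.plist. Hashes and bundle
# names are invented for this example; the real file has thousands of entries.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.apple.driver.KextExcludeList</string>
  <key>OSKextSigExceptionHashList</key>
  <dict>
    <key>0123456789abcdef0123456789abcdef01234567</key>
    <string>com.example.driver (1.0.0)</string>
  </dict>
  <key>OSKextStrictExceptionHashList</key>
  <dict>
    <key>FEDCBA9876543210FEDCBA9876543210FEDCBA98</key>
    <string>com.example.filter (2.3)</string>
  </dict>
</dict>
</plist>
"""


def load_exception_lists(plist_bytes: bytes) -> Dict[str, Dict[str, str]]:
    """Parse the plist (XML or binary) into {list name: {cdhash: label}}.
    Hashes are lowercased so lookups are case-insensitive."""
    info = plistlib.loads(plist_bytes)
    lists: Dict[str, Dict[str, str]] = {}
    for key in EXCEPTION_KEYS:
        entries = info.get(key, {})
        if not isinstance(entries, dict):
            raise ValueError(f"{key} is not a dict: {type(entries).__name__}")
        lists[key] = {h.strip().lower(): str(v) for h, v in entries.items()}
    return lists


def cdhash_from_codesign_output(text: str) -> Optional[str]:
    """Pull the chosen CDHash (lowercase hex) out of `codesign -dvvv` output.
    The 'CandidateCDHash sha1=/sha256=' lines are deliberately ignored."""
    m = re.search(r"^CDHash=([0-9A-Fa-f]{40})\s*$", text, re.MULTILINE)
    return m.group(1).lower() if m else None


def cdhash_of_kext(kext_path: str) -> Optional[str]:
    """Run codesign on a bundle; -dvvv details go to stderr. macOS only."""
    proc = subprocess.run(["codesign", "-dvvv", kext_path],
                          capture_output=True, text=True, check=False)
    return cdhash_from_codesign_output(proc.stderr)


def find_exception(cdhash: str, lists: Dict[str, Dict[str, str]]
                   ) -> Optional[Tuple[str, str]]:
    """Return (list name, label) if the hash is whitelisted, else None."""
    wanted = cdhash.strip().lower()
    for name, entries in lists.items():
        if wanted in entries:
            return name, entries[wanted]
    return None


def check_kext(kext_path: str, plist_path: str = EXCLUDE_LIST_PLIST) -> str:
    """One-line verdict for a kext against the installed exclude list."""
    with open(plist_path, "rb") as fh:
        lists = load_exception_lists(fh.read())
    cdhash = cdhash_of_kext(kext_path)
    if cdhash is None:
        return f"{kext_path}: no CDHash (unsigned, or codesign failed)"
    hit = find_exception(cdhash, lists)
    if hit is None:
        return f"{kext_path}: CDHash {cdhash} is not in either exception list"
    return f"{kext_path}: CDHash {cdhash} listed in {hit[0]} as {hit[1]!r}"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(check_kext(path))
```

Run it on macOS as `python3 kextcheck.py /path/to/Case1.kext /path/to/Case2.kext`. Every rebuild or re-sign changes the CodeDirectory and therefore the CDHash, so a Feb 2019 build being absent from the list while an Oct 2018 build of the "same" kext is present is the expected outcome of the whitelist working as pmdj describes. A kext that is not listed is judged by the normal signing and notarization policy instead, and `kextutil -nt` on the bundle prints the loader's own reason for refusing it.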