Kext with invalid signature (-67050) denied

I've figured it out. Turns out kexts are now denied by default -- even those signed with a valid kex-enabled Dev. ID certificate (which we have). The solution is described in this tech note:

https://developer.apple.com/library/archive/technotes/tn2459/_index.html

The first time an attempt is made to load the kext, macOS should present the user with a popup informing them that it was blocked. The user then needs to go to System Preferences > Security & Privacy in order to approve the kext. Note that the approval needs to happen within 30 minutes of the load attempt or it will disappear. Subsequent load attempts will be rejected silently but will reactivate the prompt within "Security & Privacy" -- giving the user another chance to approve the kext.

It would be helpful if the kextutil error message includes a hint to check for authorisation in "Security & Privacy" instead of just throwing an "invalid signature" error. In fact, it's quite misleading in this instance as the signature itself is valid but it's system policy which prevents loading until authorisation is granted.

It’s good to hear that you got this sorted.

You wrote:

It would be helpful if the

kextutil

error message includes a hint to check for authorisation in "Security & Privacy" instead of just throwing an "invalid signature" error.

Quite. The best way to get this feedback to the folks who maintain this code is to file an enhancement request against

kextutil

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

HI,

Since I'm experiencing the exact same issue, I thought it would be okay to tag onto this post...

So for berevity, 'ditto' on pradippradip original post.

I'm also albe to reproduce this with a VM running 10.14.5.

The odd thing is, if the postinstall script fails because of this reason, then the user sees the yellow triangle warning that their installation failed.

Running the kexutil -nt command, the results are a bit strange in that, the output mentions a different kext file other than the kext I'm inspecting. And by other, I don't mean the one copied to the staging folder. I'm referring to a kext on my machine dated back to 2014 that is for USB functionality (AX88179_178A.kext).

The output is as follows: The bolded text is my confusion. Why would the kexutil -nt command try to stage a different kext file unrelated to my mykext.kext?

Has anyone else seen this?

/Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext does not appear in strict exception list for architecture: x86_64
Untrusted kexts are not allowed
Kext with invalid signature (-67007) denied: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
Bundle (/Library/Extensions/AX88179_178A.kext) failed to validate, deleting: /Library/StagedExtensions/Library/Extensions/69086123-45A7-4788-B687-6D1009D4EF9C.kext
Unable to stage kext (/Library/Extensions/AX88179_178A.kext)to secure location.
Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
Kext rejected due to system policy: <OSKext 0x7fdf6e78c900 [0x7fffab3ee8e0]> { URL = "file:///Library/StagedExtensions/private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A%20Document%20Being%20Saved%20By%20XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext/", ID = "com.my.company" }
Diagnostics for /private/var/folders/vq/hv4nc70n6lbbvd_f2zvsh5j5fy3ckn/T/TemporaryItems/(A Document Being Saved By XCBBuildService)/CleanBuildFolderInProgress/System/Library/Extensions/mykext.kext:

I have the same issue. I tried signing my Kext in different ways without success. When I try to load it I get:

$ % sudo kextutil HoRNDIS.kext                                  
Cache file /System/Library/Caches/com.apple.kext.caches/Directories/Library/Extensions/KextIdentifiers.plist.gz is out of date; not using.
Untrusted kexts are not allowed
Kext with invalid signature (-67050) denied: /private/var/db/KernelExtensionManagement/Staging/tmp.B2k1Xn/7E103599-AA3D-47F2-821A-B74BB1CEE61F.kext
Bundle (/Library/Extensions/HoRNDIS.kext) failed to validate, deleting: /private/var/db/KernelExtensionManagement/Staging/tmp.B2k1Xn/7E103599-AA3D-47F2-821A-B74BB1CEE61F.kext
Unable to stage kext (/Library/Extensions/HoRNDIS.kext) to secure location.

Nothing shows up on Security and Privacy in System Preferences.

The two most common issues here are:

• Not using a KEXT-enabled Developer ID (see KEXT Code Signing Problems)

• Not notarising your KEXT

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"