Notarizing Kexts?

Code Signing General
MarkII OP
Created Dec ’18
Replies 14
Boosts 0
Views 7.4k
Participants 7

Is there a guide as to how to notarize kexts?


I am able to notarize application level code successfully, but I can not find any guidelines as to how to do this for kernel extensions (despite receiving an email suggesting that it is time to do this!). The UI in Xcode is unable to notarize archived kexts, and the (minimal!) documentation for the altool and stapler commands are all app specific...

Replies  14
Boosts  0
Views  7.4k
Participants  7
DTS Engineer OP
Apple
Dec ’18

Is there a guide as to how to notarize kexts?

My understanding is that there’s currently no provision for notarising KEXTs.

The above is wrong )-: See haikeeba’s post below.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Engineer OP
Apple
Jan ’19

Yes, you can notarize kexts, along with all the other software you distribute (apps, screensavers, nested pkgs, disk images, help bundles, etc.) You just upload the final archive that you plan to distribute to your users. The notary guide says:


You can notarize several different types of software deliverables, including:

  • macOS apps
  • Non-app bundles, such as kernel extensions
  • Disk images (UDIF format)
  • Flat installer packages


https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution


While there isn't a separate notarization guide for kexts (kernel extensions), the standard instructions for notarizing from the command line apply to kexts or other builds not created by Xcode.


https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution/customizing_the_notarization_workflow

0
tartempion OP
Apr ’19

"While you can notarize a ZIP archive, you can’t staple to it directly. Instead, run 

stapler
against each individual item that you originally added to the archive. Then create a new ZIP file containing the stapled items for distribution. Although tickets are created for standalone binaries, it’s not currently possible to staple tickets to them."


If you can't staple tickets to standalone binaries, archives (and so flat installer packages, disk images), why is the documentation claiming that notarization is possible for these items like for bundles?

0
DTS Engineer OP
Apple
Apr ’19

My interpretation of that comment is that “binaries” is intended to mean “executables”. You certainly can staple tickets to other binary file formats, although only ones that have specific affordance for it (like installer packages and disk images). However, my recommendation is that you file a bug against the doc requesting that this comment be clarified.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Wellington OP
Apr ’19

So for a collection of LaunchDaemons, LaunchAgents, End User apps and kexts that we distribute via a flat pkg file, am I right that the only thing that needs notorizing is the pkg file itself? Trying to do each individual component separately is too much of a burden on our release cycle.


Also, for the kexts, will notorization reject us if are using anything non-KPI internally. (Yes, we realise the dangers of going off piste into private kernel stuff.)

0
DTS Engineer OP
Apple
Apr ’19

Also, for the kexts, will notorization reject us if are using anything non-KPI internally.

Notarisation is not App Review; its goals are to detect known malware and check that everything is signed correctly, not to ensure that the code follows the rules of the road.

Having said that, DTS has recommended that developers stick with public APIs (or KPIs) since long before App Review existed. Apple does its best to maintain binary compatibility for our public APIs, but we make no such guarantees for unsupported techniques. This is especially important for KEXTs, because any problem in a KEXT will take down the entire system.

I’m not sure what type of KEXT you’re working on, but I’m most familiar with NKEs and so let’s look at that as an example. Apple has publicly announced that we intend to deprecate NKEs at some point in the future. We intend to provide a migration strategy for the use cases that are covered by the current NKE KPIs. However, we can’t prepare a migration strategy for unsupported techniques, so if you were an NKE developer relying on such techniques then you could be completely broken by this change.

Ultimately this is a business decision that you have to make, weighing the short-term benefits over the potential long-term costs. The one thing I will say categorically is that, if you decide to use an unsupported technique, make sure you file enhancement request for a supported alternative. That way there’s some hope of us being able to provide you with a migration strategy.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Wellington OP
Apr ’19

To answer my own question about notorizing a pkg file that includes a kext. It does indeed now seem to work in that my package file passes notorization. Stapling failed initially until I followed the instructions to use this on 10.13.6:

sudo killall -9 trustd; sudo rm /Library/Keychains/crls/valid.sqlite3
0
dparakh OP
Apr ’19

Where did you get this information about need to kill trustd and to remove the squlite3 db?


Is this safe to do? What impact would it have?


Thanks.
Devendra.

0
DTS Engineer OP
Apple
Apr ’19

The information about 

trustd
is from Resolving Common Notarization Issues. IMO the better option is to upgrade to macOS 10.14, but I realise that’s not an option for everyone.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
DTS Engineer OP
Apple
May ’19

Notarizing Kexts?

FYI, I’ve just created a new post, Notarising an Installer Package Containing a KEXT, that clarifies the relationship between KEXTs, installer packages, and notarisation.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Wellington OP
Jun ’19

Thanks for the extra info. From the 10.14.5 release notes, the preinstall script has an explicit test for 10.14.5 only:

if [[ `/usr/bin/sw_vers -productVersion` == 10.14.5 ]]; then
/usr/sbin/spctl -a -vvv -t install "$PACKAGE_PATH"; fi


So am I correct in assuming that the spctl call really won't be needed in Catalina, nor some possible future 10.14.6 release.

0
DTS Engineer OP
Apple
Jun ’19

So am I correct in assuming that the spctl call really won't be needed in … some possible future 10.14.6 release.

That certainly seems to be the case. I had a look at the bug mentioned in the release notes (r. 50205533) and it’s marked as fixed in the 10.14.6 beta 2 that we’re currently seeding.

Of course, the proof of the fixing is in the testing (-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
crdaviso OP
Aug ’19

Thank you for creating that document/post.


Is there a way to verify that a kext file has been notarized? Or command line executables for that matter?


It looks like `spctl -a -v` only works for app bundles, and `stapler validate` only works for pkg files.

0
DTS Engineer OP
Apple
Aug ’19

Is there a way to verify that a kext file has been notarized?

If you’re on 10.15 beta you can check anything ‘signable’ using:

$ codesign -vvvv -R="notarized" --check-notarization /path/to/your.kext

I’ve not tried this on KEXTs but it’s worth a shot.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Notarizing Kexts?
First post date Last post date
 
 
Q