Hey all,
I have an unusual Kext signing issue,
it might actually be very simple, but i'm not sure.
I create applications and installers for distribution outside of the App store,
including a Kext driver for PCI-E device that my company makes.
So a while back i signed up for all the appropriate provisioning profiles etc.
Including contacting apple to get certified as a proper kernel developer so we
can get our Kext Signed appropriately.
Everything was working fine.
I recently noticed that Xcode was indicating that the status of my signing identities
was "Revoked" I was a bit concerned about this and proceeded to refresh them from within
Xcode.
Now Xcode lists the following Signing identities: ( Mac only)
Mac Development
Mac App Distribution
Mac Installer Distribution
Developer ID application
Developer ID Installer
And a single Provisioning Profile:
Mac Team Provisioning Profile: *
Building and signing Apps and installers all seems to be fine, but it appears that when I sign my kext driver it is no good?
I am signing the Kext project via the following mechanism:
Specifying a:
Code Siging Identity: Devloper ID Application: blah blah company name and (signing_ID_String_goes_here)
provisioning profile: Automatic
In the code signing section of the build settings for the Kext project in XCode.
using the codesign command appears to indicate it is signed...
Ivan-Mini:Release james$ codesign -d -v myVideoIO.kext
Executable=/Volumes/Data/511_10dot2_branch/Blue511/drivers/mac/build/Release/myVideoIO.kext/Contents/MacOS/myVideoIO
Identifier=com.Blah.driver.myVideoIO
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=2937 flags=0x0(none) hashes=139+3 location=embedded
Signature size=4383
Signed Time=20 Apr 2016 2:29:37 pm
Info.plist entries=19
TeamIdentifier=(signing_ID_String_goes_here)
Sealed Resources version=2 rules=12 files=0
Internal requirements count=1 size=232
but when i load this kext on my test machine it says
"This kext is not from an identified developer" in the GUI
The command gives more info, such as these lines:
Code Signature Failure: code signature is invalid
WARNING - Invalid signature -67050 0xFFFFFFFFFFFFFFEFA16 for kext "myVideoIO.kext"
1. Do i simply need to contact apple again to get developerID certified for
Kext devlopment since i did the "renew" within XCode?
- everything i have read indicates that the Kext cert should be good so long as i maintain my Devloper account?
2. Am i doing the Singing process incorrectly?
- I have tried a number of different things and they all apear to yeild the same result...
build from command line with -codesign option,
build and then code sign
3. Did i really need to update all my signing profiles etc?
I didn't notice that it was causing any problem with the apps we were distributing
Hopefully this is just some stupid mistake on my behalf, and somone can point it out nice n quick,
James.
Building under XCode 6.4 on OSX 10.10 ( linking the project against 10.9 SDK)
Testing the resulting kext in OSX 10.9.5
HI Quinn,
Yeah i have done that, and the certificate does not appear to have an extension with that OID listed.
It has plenty of other extensions listed, some with very similar begginings to the string of numbers, but nothing that is an exact match for what you posted.
Eg. I have the Devloper ID extension 1.2.840.113635.100.6.1.13, but not the KEXT enabled one.
So how do i go about restoring the KEXT 'magic' as you put it?
AAAAAAnd it's fixed!
It appears that i somehow had multiple certificates in my keychain, and that 1 of those Developer ID certificates did not have the KEXT OID listed!
I have deleted the cert without the KEXT, and now i cabn build a properly certified version of my KEXT driver.
Exporting the specific key my kext was using and comparing it to my installed certs, def helped debug the process.
So thank you, your information was good enough to get me to the fix!
Cheers,
James
Not sure if i should mark your post as "Correct Answer" or not, it def helped, but the real problme was the duplicate certs in my keychain.