Wednesday 15 July 2015

osx - Can't sign kext in Mavericks/Yosemite? -




Goal: sign my own packages and my own kernel extensions. "My own" in this context means "that I wrote, or picked up elsewhere, recompiled myself from sources, and want to install on my machine".

Problem: Mavericks does not accept the signature ("code signing failure: code signature invalid") but loads the kext; Yosemite won't load it.

I have my own CA and code-signing certs. I've been able to sign code and set policies that allow code signed with the given certs to be installed and executed. Both codesign and spctl confirm it, as you can see in the output below. However, this does not seem to apply to kexts (kernel extensions): kextutil insists the signature is invalid. Here's the output I'm getting:

$ codesign --verify -vvvv /opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext
/opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext: valid on disk
/opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext: satisfies designated requirement
$ spctl -a -vvv -t exec /opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext
/opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext: accepted
source=xxxxxcode
origin=xxxxxcoder
$ spctl -a -vvv -t install /opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext
/opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext: accepted
source=xxxxxinstall
origin=xxxxxcoder
$ kextutil -tn /opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext
diagnostics /opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext:
code signing failure: code signature invalid
/opt/local/library/filesystems/osxfusefs.fs/support/osxfusefs.kext appears loadable (including linkage on-disk libraries).

On Mavericks the kext loads with a warning message; on Yosemite it does not.

I noticed here and in the Apple CA CPS for Developer ID that the cert must have the following extension: ( 1.2.840.113635.100.6.1.18 ) to designate it as a kext-signing certificate. Mine does not have it. I suspect this is the cause of the problem, but I don't know how to resolve it. There does not seem to be a type alternative in spctl to create a policy designating a given cert as a kext-signing one.

How do I add this extension (preferably within the Keychain Certificate Assistant, though an openssl-based solution is fine too), short of paying Apple an annual "usage fee" of $100?

To request a kext signing certificate from Apple, you need to use this form.

osx osx-mavericks code-signing kext
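
The question identifies the extension OID 1.2.840.113635.100.6.1.18 as what marks a kext-signing certificate. As an added example (not part of the original post), this Python code walks a DER-encoded X.509 certificate and reports whether that OID is among its extensions; the function names and the skeleton sample certificates are constructed for illustration.

```python
KEXT_OID = "1.2.840.113635.100.6.1.18"  # extension OID quoted in the question

def tlvs(buf):
    """Yield (tag, value_bytes) for each DER TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                    # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for byte in raw:
        val = (val << 7) | (byte & 0x7F)     # base-128, high bit = "more follows"
        if not byte & 0x80:
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)            # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def extension_oids(cert_der):
    """Return the extnID of every extension in the certificate, in order."""
    _, cert = next(tlvs(cert_der))           # Certificate ::= SEQUENCE
    _, tbs = next(tlvs(cert))                # tbsCertificate ::= SEQUENCE
    oids = []
    for tag, field in tlvs(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            _, ext_seq = next(tlvs(field))   # SEQUENCE OF Extension
            for _, ext in tlvs(ext_seq):
                oids.append(decode_oid(next(tlvs(ext))[1]))  # extnID comes first
    return oids

def has_kext_extension(cert_der):
    return KEXT_OID in extension_oids(cert_der)

# Constructed sample data: skeleton structures, not real or valid certificates.
def der(tag, *parts):                        # short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample_cert(*exts):
    return der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
                         der(0xA3, der(0x30, *exts))))

BC_EXT = der(0x30, der(0x06, bytes.fromhex("551d13")), der(0x04, der(0x30)))
KEXT_EXT = der(0x30, der(0x06, bytes.fromhex("2a864886f76364060112")), der(0x04, der(0x05)))
```

`has_kext_extension` takes the raw DER bytes of a certificate, so a certificate exported in PEM form has to be converted to DER first.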
