I have an ancient kext (last supported with 10.7.5). It works when disabling SIP and such.
The question I'm having is if you could sign that ancient kext? I already tried `codesign -s "Developer ID Application:" --verbose Downloads/private/tmp/InstallerTemp/M-AudioFireWireBeBoB.kext/`
Niklas Arnitz
1 Answer
You haven't given much detail. Does signing fail? If it succeeds, what does `kextutil path/to/M-AudioFireWireBeBoB.kext` say?
A few things I can think of that could be causing problems:
- I don't think codesigning works for kexts with a 32-bit slice. So if it's a universal 32/64-bit kext (or if it still has a PPC slice), extract the x86-64 binary using `lipo` and use only that instead.
- The signing certificate must have the special kext signing feature associated with it. Apple only grants that upon special request, a regular Developer ID Application certificate is not sufficient for kexts.
- On macOS 10.14.5+ and 10.15, the kext must additionally be notarised. Create a zipfile of the kext, and upload it to Apple using `xcrun altool --notarize-app`. Once approved, you can staple the notarisation to the kext using `xcrun stapler staple path/to/your.kext`. See Apple's documentation on notarisation and the output of `xcrun altool --help` for details.
pmdj
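Added example, not part of the original answer: a Python sketch that locates the Mach-O executable inside a .kext bundle (the file `lipo` operates on, rather than the bundle directory) and lists its architecture slices, so the 32-bit and PPC slices mentioned in the first bullet can be identified before signing. The function names, the assumed `Contents/MacOS` bundle layout and the sample header are constructed for illustration.

```python
import plistlib
import struct
from pathlib import Path

# Mach-O constants from <mach-o/fat.h>, <mach-o/loader.h>, <mach/machine.h>
FAT_MAGIC = 0xCAFEBABE  # universal header, always big-endian
THIN_MAGICS = {0xFEEDFACE: ">", 0xFEEDFACF: ">", 0xCEFAEDFE: "<", 0xCFFAEDFE: "<"}
CPU_NAMES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 0x01000012: "ppc64"}

def kext_executable(bundle):
    """Path of the Mach-O file inside a .kext bundle (assumes the usual layout)."""
    bundle = Path(bundle)
    with open(bundle / "Contents" / "Info.plist", "rb") as f:
        info = plistlib.load(f)
    return bundle / "Contents" / "MacOS" / info["CFBundleExecutable"]

def list_slices(data):
    """Return the architecture names declared in a Mach-O or universal header."""
    if len(data) < 8:
        raise ValueError("too short to be a Mach-O file")
    magic = struct.unpack(">I", data[:4])[0]
    if magic in THIN_MAGICS:  # single architecture: cputype follows the magic
        cputypes = [struct.unpack(THIN_MAGICS[magic] + "I", data[4:8])[0]]
    elif magic == FAT_MAGIC:  # universal: count, then 20-byte fat_arch entries
        count = struct.unpack(">I", data[4:8])[0]
        if len(data) < 8 + 20 * count:
            raise ValueError("truncated universal header")
        cputypes = [struct.unpack(">I", data[8 + 20 * i:12 + 20 * i])[0]
                    for i in range(count)]
    else:
        raise ValueError("not a Mach-O file")
    return [CPU_NAMES.get(c, hex(c)) for c in cputypes]

def slices_to_drop(names):
    """Everything except x86_64, the slice the answer says to keep."""
    return [n for n in names if n != "x86_64"]

# Constructed sample: universal header declaring ppc, i386 and x86_64 slices
SAMPLE_HEADER = struct.pack(">II", FAT_MAGIC, 3) + b"".join(
    struct.pack(">IIIII", cpu, 0, 4096 * (i + 1), 4096, 12)
    for i, cpu in enumerate((18, 7, 0x01000007)))

if __name__ == "__main__":
    names = list_slices(SAMPLE_HEADER)
    print("slices:", names, "-> drop:", slices_to_drop(names))
```

On a real bundle, pass `kext_executable(path).read_bytes()` to `list_slices`.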
- Kextutil outputs this: `Kext with invalid signature (-67062) allowed: { URL = "file:///Library/Extensions/M-AudioFireWireBeBoB.kext/", ID = "com.m-audio.driver.firewire" } Code Signing Failure: not code signed` – Niklas Arnitz Jan 21 '20 at 13:03
- And yes, it still has a PPC slice :D – Niklas Arnitz Jan 21 '20 at 13:04
- I think I cannot notarise it with Apple, because I don't have any source code and the manufacturer isn't going to give it to me.. – Niklas Arnitz Jan 21 '20 at 13:04
- When I run `xcrun altool --notarize-app -u USER -p PASS -f M-AudioFireWireBeBoB.kext.zip --primary-bundle-id M-AudioFireWireBeBoB` I get `Error: Unable to validate your application. We are unable to create an authentication session.` – Niklas Arnitz Jan 21 '20 at 13:08
- And when I try and use lipo it just gives me `can't map input file: M-AudioFireWireBeBoB.kext (Invalid argument)` – Niklas Arnitz Jan 21 '20 at 13:10
- I don't have any clues about kexts btw. I only know how to use them xD Thank you for your help – Niklas Arnitz Jan 21 '20 at 13:10
- @NiklasArnitz Do you have access to a Developer ID Application + Kext signing certificate? Without this, any further advice is going to be pointless. – pmdj Jan 21 '20 at 13:32
- I have access to a full-paid Developer Account. – Niklas Arnitz Jan 22 '20 at 14:35
- @NiklasArnitz Has this account successfully applied for a kext signing certificate? When issuing a Developer ID Certificate, the developer centre will specifically mention kexts if so. – pmdj Jan 22 '20 at 14:38
- I did just apply. What should I do, if I get accepted? – Niklas Arnitz Jan 22 '20 at 21:42