Hold My Hand While I Sign My Kext?


Mike Crawford

Nov 15, 2017, 6:30:06 PM
to darwin-drivers
When I enable automatic signature management, codesign --verify and
--display seem to indicate that the signature is correct, but it
doesn't load:

$ sudo kextutil -v -t IOProxyVideoCard.kext
Defaulting to kernel file '/System/Library/Kernels/kernel'
Diagnostics for IOProxyVideoCard.kext:
Code Signing Failure: code signature is invalid
IOProxyVideoCard.kext appears to be loadable (not including linkage
for on-disk libraries).
Untrusted kexts are not allowed
ERROR: invalid signature for
com.doequalsglory.driver.IOProxyVideoCard, will not load

I applied for a kernel signing cert, then was requested to answer a
questionnaire to demonstrate that I was really qualified to receive
one.

I downloaded _something_ with Xcode but I'm not convinced it was my kext cert.

If I enable automatic signing, I'm given a choice between "Fresco
Logic" and "Personal Team". When I choose Fresco Logic, the signing
certificate is "Mac Developer: Michael Crawford".

When I choose Personal Team, the signing cert is "Mac Developer:
mdcra...@gmail.com".

I think what I want is a team of Fresco Logic and a cert of
mdcra...@gmail.com, because that's my developer ID. Fresco's team
admin said he used my gmail address when he added me to the team.

The mail informing me of my signing ID instructed me:

The next step is to request a new Developer ID Application signing
identity via your developer account. You need to do this because any
existing Developer ID Application identities that were generated before
your kext signing request was approved are not enabled for kext signing.

Maybe this is my problem but I don't see anywhere where I can request
a new Developer ID Application signing identity.

I Am Eternally In Your Debt,

Mike
Mike Crawford mdcra...@gmail.com

The Global Computer Employer Index: http://soggy.jobs/computer
(It's not very global yet.)
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-drivers mailing list (Darwin-...@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/darwin-drivers/darwin-drivers-garchive-96018%40googlegroups.com

This email sent to darwin-drivers...@googlegroups.com

B.J. Buchalter

Nov 15, 2017, 7:14:41 PM
to Mike Crawford, darwin-drivers
Hi Mike,

So, first you need to determine if you actually have a kext codesign cert.

Your kext codesign cert should have a custom OID key in it: 1.2.840.113635.100.6.1.18

You can check this by using Keychain Access to look at your certs; my cert is a Developer ID Application cert (which is different than "Mac Developer" — that's for the Mac App Store), and if I get the info on the cert in Keychain Access, near the bottom of the list, it has something that says:

Extension ( 1.2.840.113635.100.6.1.18 )
Critical Yes
Data 05 00

If you don’t have that, you can’t sign a kext.

So look through your certs and see if you can find the one with that.

If you don’t find that cert:
1) log in to your account on developer.apple.com
2) Go to "Certificates, IDs & Profiles"
3) Select macOS from the popup
4) Click on Production
5) Click the + button in the top right
6) Select “Developer ID” under production
7) Next page: select "Developer ID Application and Kernel Extension"
8) follow the rest of the instructions.

You may be able to do this from Xcode, but I have always found the automatic cert download to be super confusing for the "Developer ID" certs.

If you got the kext approval in your account, then you need to use your account to get the cert. If you got it for Fresco Logic, you need to use their account to get the cert. If it is Fresco's account, you probably need admin access to make a new cert. So you might need to have them do it for you.

Finally, w.r.t. the owner of the cert, as of 10.13, that name is presented to the user to allow activation of the kext, so, for the shipping driver, it probably should be signed by the entity that is shipping the kext rather than you as the contract developer...

In any case, once you have this Developer ID cert, you should be able to use it to sign your kext.

If you can’t, get in touch with DTS for help (this is not a code-level support thing; it is a membership support thing).

Once you have found/got the correct cert, use that for the code signing.

And here is an important thing that I have seen: Absolutely do a clean build of your kext. It is really easy to get some weird cruft in the kext that invalidates the code signature, and it is basically impossible to figure out why it is going wrong. So a clean build just avoids many problems.

If you still have problems, read:

https://developer.apple.com/library/content/technotes/tn2206/_index.html

carefully, and make sure that everything matches the requirements described in that TN; especially with the newer OSes, everything needs to match the requirements, and when something is off, it just fails to validate, but it doesn’t tell you why…

Hope this helps,

B.J. Buchalter
Metric Halo
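
[Added example, not part of the thread or of Metric Halo's or Fresco Logic's code: the Keychain Access check B.J. describes, done from a shell. It looks for the kext-signing marker extension 1.2.840.113635.100.6.1.18 (value 05 00, i.e. a DER NULL) in a certificate's -text dump, and on a Mac walks the codesigning identities that `security find-identity` reports and marks which ones carry it. Function names (has_kext_oid, make_demo_cert, macos_kext_identities) and the throwaway self-signed certs the demo generates are this example's own; a real check is against the Developer ID Application cert in your keychain, not against these constructed certs.]

```sh
#!/bin/sh
# Added example: is this certificate enabled for kext signing?
# Apple marks kext-enabled Developer ID Application certs with the
# extension 1.2.840.113635.100.6.1.18 (critical, value 05 00). codesign
# --verify does not look for it, which is why a kext can "verify" and
# still be refused by kextutil; the kernel's kext policy does look for it.
# Needs openssl; macos_kext_identities additionally needs security(1).
set -u

KEXT_SIGNING_OID="1.2.840.113635.100.6.1.18"

# has_kext_oid PEMFILE -> exit 0 if the (first) cert in PEMFILE carries the
# marker extension, 1 otherwise. openssl has no name for Apple's OID, so the
# -text dump shows the dotted number; match it as a fixed string (-F) so the
# dots are not treated as regex wildcards.
has_kext_oid() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "$KEXT_SIGNING_OID"
}

# make_demo_cert OUTFILE with|without -> write a throwaway self-signed cert
# (constructed test data, NOT an Apple-issued identity) with or without the
# marker extension, so the check can be exercised on a non-Mac box.
make_demo_cert() {
  out=$1
  mode=$2
  keyfile=$(mktemp)
  if [ "$mode" = with ]; then
    ext="-addext $KEXT_SIGNING_OID=critical,DER:05:00"
  else
    ext=""
  fi
  # $ext is intentionally left unquoted so it splits into "-addext VALUE".
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$keyfile" -out "$out" \
    -days 1 -subj "/CN=Example Developer ID (hypothetical)" $ext >/dev/null 2>&1
  rc=$?
  rm -f "$keyfile"
  return $rc
}

# macos_kext_identities -> on macOS, list every codesigning identity that
# `security find-identity` knows about and say whether it is kext-enabled.
# The identity list looks like:  1) <SHA-1 hash> "Developer ID Application: X"
macos_kext_identities() {
  command -v security >/dev/null 2>&1 || {
    echo "security(1) not found; this part only runs on macOS" >&2
    return 2
  }
  security find-identity -v -p codesigning \
    | sed -n 's/^ *[0-9][0-9]*) [0-9A-Fa-f]* "\(.*\)"$/\1/p' \
    | while IFS= read -r name; do
        certfile=$(mktemp)
        # -c matches on the certificate name, -p emits PEM
        security find-certificate -c "$name" -p >"$certfile" 2>/dev/null
        if has_kext_oid "$certfile"; then
          echo "kext-enabled    $name"
        else
          echo "NOT kext-enabled $name"
        fi
        rm -f "$certfile"
      done
}

# demo -> build one cert of each kind and run the check on both.
demo() {
  dir=$(mktemp -d)
  make_demo_cert "$dir/with.pem" with
  make_demo_cert "$dir/without.pem" without
  for f in "$dir/with.pem" "$dir/without.pem"; do
    if has_kext_oid "$f"; then echo "$f: has $KEXT_SIGNING_OID"; else echo "$f: no marker"; fi
  done
  rm -rf "$dir"
}

# `sh kextcert.sh demo` runs the offline demo; `sh kextcert.sh identities`
# runs the keychain walk on a Mac.
case "${1:-}" in
  demo) demo ;;
  identities) macos_kext_identities ;;
esac
```

Note that only the leaf certificate matters here: the marker must be on the Developer ID Application cert itself, and an identity whose cert was issued before the kext request was approved will simply not have it, however cleanly `codesign --verify` reports the signature.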

Mike Crawford

Nov 15, 2017, 8:32:46 PM
to B.J. Buchalter, darwin-drivers
I got the signature to work.

There were a couple problems. One was that I was assuming that the
Team Name being Fresco Logic would select the Fresco Logic signing
cert. No. That's done by selecting "Developer ID" just below.

Real Soon Now I'll write some better instructions for my website.
That's sure to draw lots of google juice.

I'll write some more details tomorrow.